feat(ci): add PR bump preview workflow #1957
bearomorphism wants to merge 2 commits into commitizen-tools:master from
Adds a workflow that runs `cz bump --dry-run` on incoming pull requests and posts (or updates) a sticky comment summarising the would-be version bump and changelog entries. This makes unexpected version bumps visible to reviewers before merging, addressing commitizen-tools#1510. The pattern is documented in `docs/tutorials/github_actions.md` so other projects can copy/paste the same workflow.

Closes commitizen-tools#1510

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Codecov Report
✅ All modified and coverable lines are covered by tests.
Coverage Diff (master vs. #1957):

| | master | #1957 | +/- |
|---|---|---|---|
| Coverage | 98.23% | 98.23% | |
| Files | 61 | 61 | |
| Lines | 2779 | 2779 | |
| Hits | 2730 | 2730 | |
| Misses | 49 | 49 | |

☔ View full report in Codecov by Sentry.
Pull request overview
Adds a GitHub Actions workflow to comment a “bump preview” on pull requests, and documents the pattern so downstream users can reuse it.
Changes:
- Add `.github/workflows/pr-bump-preview.yml` to run `cz bump --dry-run` on PRs and post/update a sticky comment.
- Document the new PR bump preview workflow in `docs/tutorials/github_actions.md`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/tutorials/github_actions.md | Documents a reusable “PR bump preview” workflow and explains how it works. |
| .github/workflows/pr-bump-preview.yml | New workflow that runs Commitizen in CI for PRs and posts/updates a sticky PR comment. |
| if: ${{ github.event.pull_request.draft == false }} | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| # Using pull_request_target means GITHUB_TOKEN has write access to PR | ||
| # comments even for fork PRs. We deliberately only run `cz bump --dry-run` | ||
| # against the checked-out PR commits — no PR-controlled scripts are | ||
| # executed, so this is safe. |
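Review bot: the safety claim in the comment lines `# against the checked-out PR commits — no PR-controlled scripts are` / `# executed, so this is safe.` does not hold under `pull_request_target`: `cz bump --dry-run` reads the checked-out PR's commitizen config, and when that config sets `update_changelog_on_bump` it renders Jinja changelog templates from the working tree with a non-sandboxed loader, so a fork PR controls code that runs while `GITHUB_TOKEN` has write scope. Add a same-repo gate to the `if:` (compare `github.event.pull_request.head.repo.full_name` with `github.event.pull_request.base.repo.full_name`) or switch to `pull_request` and give up commenting on fork PRs, and rewrite the comment so it no longer tells later readers that the dry run is inherently safe here.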
Addressed in 52530b0: gated the job to same-repo PRs by comparing `head.repo.full_name` to `base.repo.full_name`. Fork PRs are now skipped entirely, so `cz bump` is never run against fork-controlled files. Same-repo PRs are written by collaborators who already have push access, so the Jinja-template execution path doesn't cross a trust boundary.
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| fetch-depth: 0 | ||
| fetch-tags: true |
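Review bot: this `actions/checkout` step is missing `persist-credentials: false`. The job runs under `pull_request_target`, so the token it checks out with has write scope, and by default `actions/checkout` stores that token in `.git/config` of the checked-out PR tree, where any later step that reads the tree can pick it up. Add `persist-credentials: false` under `with:`; keep `fetch-depth: 0` and `fetch-tags: true`, since `cz bump` needs the tag history to determine the current version.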
Addressed in 52530b0: added `persist-credentials: false` on `actions/checkout`.
| To help reviewers spot unexpected version bumps before merging, you can run | ||
| `cz bump --dry-run` on every pull request and post (or update) a sticky | ||
| comment summarizing the would-be version bump and changelog entries. |
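Review bot: `and changelog entries` in this intro sentence promises more than the dry run delivers: `cz bump --dry-run` prints changelog entries only when `update_changelog_on_bump` is enabled in the project's commitizen config, so a reader who copies the workflow into a project without that setting will see only the version line. Drop the phrase here, or qualify it and state the condition explicitly in the How it works section.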
Addressed in 52530b0: dropped the `and changelog entries` wording from the docs intro, and clarified in the How it works section that changelog entries only appear when `update_changelog_on_bump` is set in the project's commitizen config.
| - **Trigger**: `pull_request_target` runs in the context of the base | ||
| repository, which gives the workflow `pull-requests: write` permission | ||
| even for PRs from forks. The job only runs `cz bump --dry-run`, a | ||
| read-only command, so it does not execute any PR-controlled scripts. | ||
| - **Setup**: [`commitizen-tools/setup-cz`](https://github.com/commitizen-tools/setup-cz) |
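Review bot: the Trigger bullet explains `pull_request_target` by calling `cz bump --dry-run` "a read-only command" that "does not execute any PR-controlled scripts", which is the reasoning downstream projects must not copy: the command reads the PR's commitizen config and can render PR-controlled changelog templates. Because this tutorial is meant to be pasted into other repositories, the bullet should present the same-repo gate (`head.repo.full_name == base.repo.full_name`) and `persist-credentials: false` on the checkout as part of the pattern, and state that fork PRs are skipped for that reason rather than covered by the write permission.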
Addressed in 52530b0: rewrote the safety explanation in the How it works section. The job now gates to same-repo PRs only, and the docs spell out why (`cz bump`'s non-sandboxed Jinja renderer + `update_changelog_on_bump` would otherwise let a fork PR run arbitrary code under the write token). Also added `persist-credentials: false` as defense in depth.
Address Copilot review feedback on commitizen-tools#1957:

* `cz bump` renders Jinja templates from the working directory whenever `update_changelog_on_bump` is set in config, using a non-sandboxed `FileSystemLoader('.')`. Under `pull_request_target` with a write token, executing those templates against fork-controlled files would risk RCE / token exfiltration. Gate the job to same-repo PRs by comparing `head.repo.full_name` to `base.repo.full_name`.
* Set `persist-credentials: false` on `actions/checkout` as defense in depth, so the workflow token is not written to `.git/config`.
* Adjust docs to drop the misleading `and changelog entries` claim (the dry-run only shows changelog entries when `update_changelog_on_bump` is enabled), and rewrite the safety explanation to reflect the real threat model.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Mirrors the security fix on commitizen-tools/commitizen#1957:

* `cz bump` can render Jinja templates from the working directory when `update_changelog_on_bump` is set in config, using a non-sandboxed loader. Under `pull_request_target` this would let a fork PR execute arbitrary code with a write token, so gate the job to same-repo PRs only (`head.repo == base.repo`).
* Add `persist-credentials: false` on `actions/checkout` as defense in depth.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Note for reviewers: the duplication across this repo,
Description

Adds a GitHub Actions workflow that runs `cz bump --dry-run` against every incoming pull request and posts (or updates) a sticky comment summarising the would-be version bump and changelog entries. Reviewers can spot unexpected version bumps before merging.

The pattern is also documented in `docs/tutorials/github_actions.md` so other projects can copy/paste the same workflow.

How it works

- `pull_request_target` (matches `label_pr.yml`) so the workflow has `pull-requests: write` even for fork PRs. The job only runs `cz bump --dry-run`, a read-only command, so PR-controlled scripts are not executed.
- `commitizen-tools/setup-cz` — no language-specific toolchain required.
- `cz bump --dry-run --yes` output and exit status. Exit code `21` (`NoneIncrementExit`) is treated as "no eligible bump" instead of an error; other non-zero codes are surfaced in the comment.
- `<!-- commitizen-bump-preview -->` marker lets `peter-evans/create-or-update-comment` edit the previous preview in place on every push instead of stacking comments.

Companion changes are being prepared for `commitizen-tools/commitizen-action` (replaces the draft #102 attempt) and `commitizen-tools/setup-cz` (`examples/`) so the same pattern is available to consumers of either action.

Closes #1510
Type of changes
Steps to Test This Pull Request

The workflow self-tests once it lands on `master`: open a follow-up PR and confirm a `🔍 Commitizen bump preview` comment appears and updates as you push commits.

Expected output
The workflow posts (and replaces on every push) a single sticky comment whose body depends on the dry-run exit code.

- `cz bump --dry-run --yes` succeeds (status 0) — eligible bump: Rendered comment
- `NoneIncrementExit` (status 21) — no eligible commits:
- Any other non-zero status — error surfaced inside the comment:

The status-0 example above is the literal output of `cz bump --dry-run --yes` against the current `master` of this repository (verified locally).

Checklist
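The How it works list in the description specifies a step that runs `cz bump --dry-run --yes`, treats exit status 21 (`NoneIncrementExit`) as "no eligible bump", surfaces any other non-zero status inside the comment, and keeps the `<!-- commitizen-bump-preview -->` marker so the comment can be edited in place; the follow-up commits add the same-repo gate. The POSIX shell step below is an added example and is not the PR's or the commitizen project's code: the heading wording, the `classify_status`, `render_preview`, `same_repo_pr` and `build_preview` function names and the `--demo` flag are this example's own choices, and it assumes `cz` is on `PATH` (as `commitizen-tools/setup-cz` arranges inside the job).

```shell
#!/usr/bin/env sh
# Added example (not code from the PR or from commitizen): the shell side of
# the bump-preview step. It runs the dry run, classifies the exit status, and
# prints the sticky comment body with the marker on its first line.
# Assumption: `cz` is installed by commitizen-tools/setup-cz in the job.

MARKER='<!-- commitizen-bump-preview -->'
NONE_INCREMENT_EXIT=21   # cz's NoneIncrementExit: no commit warrants a bump

# run_bump_preview: run the dry run, emitting its combined output on stdout
# and returning its exit status to the caller.
run_bump_preview() {
  cz bump --dry-run --yes 2>&1
}

# classify_status STATUS -> prints one of: bump, none, error
classify_status() {
  case "$1" in
    0) echo bump ;;
    "$NONE_INCREMENT_EXIT") echo none ;;
    *) echo error ;;
  esac
}

# render_preview STATUS OUTPUT -> prints the full comment body. The marker
# comes first so the comment step can find and edit the previous preview.
render_preview() {
  status=$1
  output=$2
  fence=$(printf '\140\140\140')   # three backticks, built from octal escapes
                                   # so this example stays a valid fenced block
  printf '%s\n## 🔍 Commitizen bump preview\n\n' "$MARKER"
  case "$(classify_status "$status")" in
    bump)
      printf 'Merging this PR would bump the version:\n\n%s\n%s\n%s\n' \
        "$fence" "$output" "$fence" ;;
    none)
      printf 'No eligible commits: `cz bump` would not bump the version (exit status %s).\n' \
        "$status" ;;
    error)
      printf '`cz bump --dry-run --yes` failed with exit status %s:\n\n%s\n%s\n%s\n' \
        "$status" "$fence" "$output" "$fence" ;;
  esac
}

# same_repo_pr HEAD_REPO BASE_REPO -> succeeds only when the PR head lives in
# the base repository, i.e. the gate the PR adds for pull_request_target.
same_repo_pr() {
  [ "$1" = "$2" ]
}

# build_preview HEAD_REPO BASE_REPO: the step body as a workflow would run it.
# Gate first, then run cz and print the rendered comment body.
build_preview() {
  head_repo=$1
  base_repo=$2
  if ! same_repo_pr "$head_repo" "$base_repo"; then
    echo "fork PR: skipping bump preview" >&2
    return 0
  fi
  output=$(run_bump_preview)
  status=$?
  render_preview "$status" "$output"
}

# Stand-alone demo with a constructed dry-run output (not real cz output):
if [ "${1:-}" = "--demo" ]; then
  render_preview 0 'bump: version 4.0.0 → 4.1.0'
  render_preview 21 ''
fi
```

In the workflow the `if:` expression already skips fork PRs before the job starts; `same_repo_pr` repeats that check inside the step so the script remains safe if someone copies it into a workflow that lacks the gate. The printed body can be written to a file that the comment step reads, so that multi-line output never has to pass through a shell variable in the YAML.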