From 38b02dc976c90704d1dbb0a45785e501917208c1 Mon Sep 17 00:00:00 2001
From: Tim Hsiung <bear890707@gmail.com>
Date: Sat, 9 May 2026 21:01:27 +0800
Subject: [PATCH 1/2] fix(bump): only consider commit titles when matching bump
 patterns

`find_increment` previously scanned every line of every commit message
when looking for the conventional-commits type token. Auto-generated
commit bodies (notably Dependabot PR descriptions that quote upstream
changelog lines like `fix: ...`) frequently contain text that matches
the bump pattern even though no in-repo change of that type happened.
The result was false-positive `PATCH` bumps on plain `ci:` commits
(#1772).

Restrict type-pattern matching to the commit title (the first line),
where the conventional-commits type lives. The body is still scanned,
but only for `BREAKING CHANGE:` / `BREAKING-CHANGE:` footers, which
the spec places there. Other body lines no longer drive the increment.

Closes #1772

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 commitizen/bump.py                | 15 +++++++++-
 tests/test_bump_find_increment.py | 48 +++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/commitizen/bump.py b/commitizen/bump.py
index 030c8f1e5..6100e2490 100644
--- a/commitizen/bump.py
+++ b/commitizen/bump.py
@@ -34,7 +34,20 @@ def find_increment(
     increment: str | None = None
 
     for commit in commits:
-        for message in commit.message.split("\n"):
+        # We only consider:
+        #   * the commit title (the first line, where the commit type lives), and
+        #   * lines in the body that are a ``BREAKING CHANGE:`` /
+        #     ``BREAKING-CHANGE:`` footer (per the Conventional Commits spec).
+        # Scanning every body line for type-prefixed text matches generated
+        # commit bodies (e.g. Dependabot quoting an upstream changelog with a
+        # ``fix:`` line) and produces false-positive bumps -- see #1772.
+        candidate_lines = [commit.title]
+        for body_line in commit.body.split("\n"):
+            stripped = body_line.lstrip()
+            if stripped.startswith(("BREAKING CHANGE:", "BREAKING-CHANGE:")):
+                candidate_lines.append(stripped)
+
+        for message in candidate_lines:
             result = select_pattern.search(message)
 
             if result:
diff --git a/tests/test_bump_find_increment.py b/tests/test_bump_find_increment.py
index 8209278ed..471e290eb 100644
--- a/tests/test_bump_find_increment.py
+++ b/tests/test_bump_find_increment.py
@@ -122,3 +122,51 @@ def test_find_increment_sve(messages, expected_type):
         commits, regex=semantic_version_pattern, increments_map=semantic_version_map
     )
     assert increment_type == expected_type
+
+
+# Mimics the dependabot pull request body that triggered #1772: a ``ci:``
+# title with a commit body that quotes upstream changelog lines, including
+# ``fix: ...`` text. None of the body lines should bump the version.
+DEPENDABOT_BODY = (
+    "Bumps actions/upload-artifact from 5 to 6.\n"
+    "<details>\n"
+    "<summary>Commits</summary>\n"
+    "<ul>\n"
+    '<li><a href="...">b5b1a91</a>\n'
+    "fix: update <code>@​actions/artifact</code> to ^5.0.0 for Node.js 24\n"
+    "punycode fix</li>\n"
+    '<li><a href="...">5f643d3</a>\n'
+    "chore: update license files</li>\n"
+    "</ul>\n"
+    "</details>\n"
+)
+
+
+def test_find_increment_ignores_type_tokens_in_commit_body():
+    """Regression test for #1772: a ``ci:`` commit whose body lists upstream
+    commit messages -- including ones that look like ``fix:`` -- must not
+    trigger a PATCH bump. Only the title's commit type counts."""
+    commit = GitCommit(rev="test", title="ci: bump dep", body=DEPENDABOT_BODY)
+    increment_type = bump.find_increment(
+        [commit],
+        regex=ConventionalCommitsCz.bump_pattern,
+        increments_map=ConventionalCommitsCz.bump_map,
+    )
+    assert increment_type is None
+
+
+def test_find_increment_still_honors_breaking_change_in_body():
+    """The ``BREAKING CHANGE:`` / ``BREAKING-CHANGE:`` footer in a commit body
+    must still trigger a MAJOR bump even after the #1772 fix; only commit
+    *types* are now restricted to the title."""
+    commit = GitCommit(
+        rev="test",
+        title="feat: new user interface",
+        body="some body content\n\nBREAKING CHANGE: age is no longer supported",
+    )
+    increment_type = bump.find_increment(
+        [commit],
+        regex=ConventionalCommitsCz.bump_pattern,
+        increments_map=ConventionalCommitsCz.bump_map,
+    )
+    assert increment_type == "MAJOR"

From 91cfb946f9b5fe8029fe3d5aadcb2ed333b7fb43 Mon Sep 17 00:00:00 2001
From: Tim Hsiung <26526132+bearomorphism@users.noreply.github.com>
Date: Sat, 9 May 2026 22:28:09 +0800
Subject: [PATCH 2/2] test(bump): remove zero-width space from DEPENDABOT_BODY
 fixture

Replaced the invisible U+200B in '@actions/artifact' with plain ASCII so the fixture is readable, greppable, and produces clean diffs. Test still asserts the regression (type tokens in commit body don't trigger a bump).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 tests/test_bump_find_increment.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test_bump_find_increment.py b/tests/test_bump_find_increment.py
index 471e290eb..aacafe65a 100644
--- a/tests/test_bump_find_increment.py
+++ b/tests/test_bump_find_increment.py
@@ -133,7 +133,7 @@ def test_find_increment_sve(messages, expected_type):
     "<summary>Commits</summary>\n"
     "<ul>\n"
     '<li><a href="...">b5b1a91</a>\n'
-    "fix: update <code>@​actions/artifact</code> to ^5.0.0 for Node.js 24\n"
+    "fix: update <code>@actions/artifact</code> to ^5.0.0 for Node.js 24\n"
     "punycode fix</li>\n"
     '<li><a href="...">5f643d3</a>\n'
     "chore: update license files</li>\n"