From 75fe51102bbcb5853d9032dfa15c364e9bd30c4e Mon Sep 17 00:00:00 2001 From: Ash Shaw Date: Thu, 28 May 2026 07:49:46 +0200 Subject: [PATCH 1/2] policy(changelog): restrict and harden meta:no-changelog usage --- .github/pull_request_template.md | 5 +++-- .github/workflows/changelog-validate.yml | 10 ++++++++++ docs/AUTOMATION_GOVERNANCE.md | 4 +++- docs/PR_LABELS.md | 5 ++++- 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index c72f693f..d7e50085 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -24,7 +24,7 @@ Closes # Required for release automation. Format: Keep a Changelog. Categories: Added, Changed, Fixed, Removed. -User-facing notes only. Internal-only PRs (rare) may use the skip-changelog label. +User-facing notes only. Internal-only PRs (rare) may use `meta:no-changelog`. Example: ### Changed - Switched to action/cache@v3 for build speedup. (Relates to #789) @@ -55,7 +55,8 @@ Example: --> --- diff --git a/.github/workflows/changelog-validate.yml b/.github/workflows/changelog-validate.yml index 6beb5fe7..bf592b76 100644 --- a/.github/workflows/changelog-validate.yml +++ b/.github/workflows/changelog-validate.yml 
@@ -33,6 +33,16 @@ jobs: BASE_SHA: ${{ github.event.pull_request.base.sha }} HEAD_SHA: ${{ github.event.pull_request.head.sha }} run: | + if echo "${PR_LABELS}" | grep -q '"meta:needs-changelog"' && echo "${PR_LABELS}" | grep -q '"meta:no-changelog"'; then + echo "::error::PR cannot include both meta:needs-changelog and meta:no-changelog." + exit 1 + fi + + if echo "${PR_LABELS}" | grep -q '"meta:no-changelog"' && echo "${PR_LABELS}" | grep -Eq '"type:(feature|bug|performance|security|release|hotfix)"'; then + echo "::error::meta:no-changelog is not allowed for type:feature, type:bug, type:performance, type:security, type:release, or type:hotfix." + exit 1 + fi + if git diff --name-only "${BASE_SHA}" "${HEAD_SHA}" | grep -q "^CHANGELOG.md$"; then echo "CHANGELOG.md updated in PR diff." echo "run_validation=true" >> "$GITHUB_OUTPUT" diff --git a/docs/AUTOMATION_GOVERNANCE.md b/docs/AUTOMATION_GOVERNANCE.md index 3227c19c..8418da97 100644 --- a/docs/AUTOMATION_GOVERNANCE.md +++ b/docs/AUTOMATION_GOVERNANCE.md @@ -244,12 +244,14 @@ Opt-outs: use `` (legacy ``) for body-le - Deprecated or removed features. - + ``` **Guidelines:** - Changelog entries are for end-users, not just developers. +- `meta:needs-changelog` and `meta:no-changelog` are mutually exclusive. +- `meta:no-changelog` is allowed only for internal-only work and must not be used on feature, bugfix, performance, security, release, or hotfix PRs. - The release agent extracts changelog notes from PR bodies and labels automatically. **Release Triggers:** diff --git a/docs/PR_LABELS.md b/docs/PR_LABELS.md index 047c6373..df3d3bf0 100644 --- a/docs/PR_LABELS.md +++ b/docs/PR_LABELS.md 
@@ -80,7 +80,10 @@ Every PR should use a standard branch prefix for correct label and template auto ## Release & Changelog Process -- All PRs affecting user-facing features/fixes must include a valid changelog label; if missing, the agent will add `meta:needs-changelog`. +- Changelog labels are mutually exclusive: never apply both `meta:needs-changelog` and `meta:no-changelog`. +- Use `meta:no-changelog` only for internal-only changes (for example docs, refactor, chore, or test work with no user-facing impact). +- Do not use `meta:no-changelog` on `type:feature`, `type:bug`, `type:performance`, `type:security`, `type:release`, or `type:hotfix` PRs. +- PRs affecting user-facing features/fixes must carry changelog content and should not use `meta:no-changelog`. - Only one `status:*` and one `release:*` label per PR. - See [labels.yml](../.github/labels.yml) for the current canonical options. From 927cddc901deeb0171997ac9f02d8c60f51e3620 Mon Sep 17 00:00:00 2001 From: Ash Shaw Date: Thu, 28 May 2026 08:13:35 +0200 Subject: [PATCH 2/2] chore(ci): retrigger checks for updated label state
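Review bot: In .github/pull_request_template.md (hunk at @@ -24,7), the replacement line still tells authors that internal-only PRs "may use `meta:no-changelog`" without mentioning the restriction this patch starts enforcing. Add a short clause saying the label is rejected together with `meta:needs-changelog` or with any of the listed `type:*` labels, so authors learn the rule from the template rather than from a failed check. The old `skip-changelog` name is dropped here; nothing in the visible hunks shows whether other automation still matches on it, so that is worth a search before merge.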
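Review bot: The two new label checks in .github/workflows/changelog-validate.yml (hunk at @@ -33,6) fail open: if `PR_LABELS` is empty, or is not in the quoted JSON form the patterns expect, neither `grep -q` matches and the step carries on as if the labels were fine. Only `BASE_SHA` and `HEAD_SHA` are visible in the env context of this hunk, so confirm `PR_LABELS` is exported for this step and add an explicit guard that exits with an error when it is unset. The second check is a deny-list, so a PR carrying `meta:no-changelog` with no `type:*` label at all passes, while docs/PR_LABELS.md in the same patch describes an allow-list (docs, refactor, chore, test); requiring one of the permitted types would make the check match the policy. PATCH 2/2 is a retrigger commit for updated label state, so also check that this workflow runs when labels change, otherwise a label added after a green run is never evaluated.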
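Review bot: The second added guideline in docs/AUTOMATION_GOVERNANCE.md (hunk at @@ -244,12) names the restricted PR kinds in prose ("feature, bugfix, performance, ...") while the workflow check and docs/PR_LABELS.md use the label names. Write them as `type:feature`, `type:bug` and so on, so the three places can be searched together and kept in sync; "bugfix" in particular does not match the `type:bug` label the workflow tests for.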
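Review bot: The removed bullet in docs/PR_LABELS.md (hunk at @@ -80,7) documented that the agent adds `meta:needs-changelog` when a changelog label is missing, and none of the four replacement bullets says what happens in that case. If the agent still does this, keep that sentence; if not, state what replaces it. The last new bullet says user-facing PRs "should not use `meta:no-changelog`", which is weaker than the hard failure the workflow now produces for the listed types; "must not" would match the enforcement.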