
Conversation

@jonathan343 (Contributor)

Summary

Add a GitHub Actions workflow to ensure changelog entries are added when manually updating AWS models. When a PR modifies files in codegen/aws-models/, this workflow verifies that a corresponding changelog entry exists in clients/aws-sdk-<service>/.changes/next-release/.

Workflow Behavior

Trigger → Action

  • PR modifies codegen/aws-models/*.json → Checks for valid changelog entry
  • skip-changelog label present → Skips the check
  • Label added/removed → Re-runs to evaluate current state

Validation Requirements

A valid changelog entry must:

  • Be a JSON file in clients/aws-sdk-<service>/.changes/next-release/
  • Contain "type": "api-change" and a "description" field

Test plan

  • Open a PR that modifies a model file without a changelog entry → check fails
  • Add a valid changelog entry → check passes
  • Add skip-changelog label to a failing PR → check skips
  • Remove skip-changelog label → check re-runs and validates

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@jonathan343 jonathan343 requested a review from a team as a code owner January 6, 2026 03:33
@jonathan343 jonathan343 changed the title Add workflow to ensure changelog entries are added when manually upda… Add API changelog check workflow Jan 6, 2026
@jonathan343 jonathan343 requested a review from arandito January 6, 2026 19:27
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0

Suggested change
  Current:
    fetch-depth: 0
  Suggested:
    fetch-depth: 0
    persist-credentials: false

Suggestion 1 from zizmor:

This is for removing the git credentials after the git checkout. It prevents later steps from maliciously sending/using the credentials.

      - name: Get changed model files
        id: changed-models
        run: |
          changed_models=$(git diff --name-only origin/${{ github.base_ref }}...HEAD -- 'codegen/aws-models/*.json' | xargs -I {} basename {} .json)

Suggested change
  Current:
    changed_models=$(git diff --name-only origin/${{ github.base_ref }}...HEAD -- 'codegen/aws-models/*.json' | xargs -I {} basename {} .json)
  Suggested:
    changed_models=$(git diff --name-only origin/${GITHUB_BASE_REF}...HEAD -- 'codegen/aws-models/*.json' | xargs -I {} basename {} .json)

Suggestion 2 from zizmor:

Again, not a major concern since running PRs from untrusted actors is turned off by default, but better safe than sorry.

This uses the builtin GitHub environment variable of GITHUB_BASE_REF to prevent malicious branch names from being executed. Example CVE.

            exit 1
          fi

          echo "All modified models have corresponding changelog entries."

Suggested change
  Current:
          echo "All modified models have corresponding changelog entries."
  Suggested:
          echo "All modified models have corresponding changelog entries."
        env:
          STEPS_CHANGED_MODELS_OUTPUTS_MODELS: ${{ steps.changed-models.outputs.models }}

Continuation of the above

            if [ "$valid_entry_found" = false ]; then
              missing_changelogs="${missing_changelogs}\n - ${service} (no valid changelog entry in ${changelog_dir})"
            fi
          done <<< "${{ steps.changed-models.outputs.models }}"

Suggested change
  Current:
          done <<< "${{ steps.changed-models.outputs.models }}"
  Suggested:
          done <<< "${STEPS_CHANGED_MODELS_OUTPUTS_MODELS}"

Same as above comment
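The check the PR description specifies (a JSON entry under clients/aws-sdk-<service>/.changes/next-release/ with "type": "api-change" and a "description" field), re-implemented here as a stand-alone script that follows the pattern the zizmor suggestions ask for: the list of changed models arrives through the STEPS_CHANGED_MODELS_OUTPUTS_MODELS environment variable (the name from the review suggestion) instead of an inlined ${{ }} expression. This is an added example, not the PR's workflow file: the function names is_valid_entry, check_changelogs and make_fixture are chosen here, the repository layout is a constructed fixture, and the grep-based matching of the JSON keys is an assumption (the real workflow may validate the file differently).

```shell
#!/bin/sh
# Added example, not the PR's workflow. POSIX sh so it runs under sh or bash.

# Return 0 if FILE is a changelog entry containing "type": "api-change" and a
# "description" key. Assumption: plain grep instead of a JSON parser, to keep
# the script dependency-free; the real workflow may parse the file properly.
is_valid_entry() {
  entry_file="$1"
  [ -f "$entry_file" ] || return 1
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"api-change"' "$entry_file" || return 1
  grep -Eq '"description"[[:space:]]*:' "$entry_file" || return 1
  return 0
}

# Validate every service named (one per line) in the environment variable
# STEPS_CHANGED_MODELS_OUTPUTS_MODELS against REPO_ROOT. Because the list is
# read from a variable with `read -r`, its contents are shell data: a crafted
# file or branch name never becomes a command, which is the point of moving
# the step output out of an inlined ${{ }} expression. Returns 1 and lists the
# offending services if any lacks a valid entry, 0 otherwise.
check_changelogs() {
  repo_root="$1"
  missing_changelogs=""
  while IFS= read -r service; do
    [ -n "$service" ] || continue
    changelog_dir="${repo_root}/clients/aws-sdk-${service}/.changes/next-release"
    valid_entry_found=false
    # Unmatched glob stays literal; is_valid_entry rejects it via -f.
    for candidate in "${changelog_dir}"/*.json; do
      if is_valid_entry "$candidate"; then
        valid_entry_found=true
        break
      fi
    done
    if [ "$valid_entry_found" = false ]; then
      missing_changelogs="${missing_changelogs}\n - ${service} (no valid changelog entry in ${changelog_dir})"
    fi
  done <<EOF
${STEPS_CHANGED_MODELS_OUTPUTS_MODELS}
EOF

  if [ -n "$missing_changelogs" ]; then
    printf 'Missing changelog entries:%b\n' "$missing_changelogs"
    return 1
  fi
  echo "All modified models have corresponding changelog entries."
  return 0
}

# Build a throwaway repository layout (constructed fixture) and print its path:
#   s3       -> valid api-change entry
#   lambda   -> entry present but with the wrong "type"
#   dynamodb -> directory exists, no entry at all
make_fixture() {
  fixture_root="$(mktemp -d)"
  mkdir -p "${fixture_root}/clients/aws-sdk-s3/.changes/next-release" \
           "${fixture_root}/clients/aws-sdk-lambda/.changes/next-release" \
           "${fixture_root}/clients/aws-sdk-dynamodb/.changes/next-release"
  cat > "${fixture_root}/clients/aws-sdk-s3/.changes/next-release/api-change-s3.json" <<'JSON'
{ "type": "api-change", "description": "Constructed sample entry for the demo." }
JSON
  cat > "${fixture_root}/clients/aws-sdk-lambda/.changes/next-release/feature-lambda.json" <<'JSON'
{ "type": "feature", "description": "Wrong type; the check must reject this." }
JSON
  printf '%s\n' "$fixture_root"
}

# Demo: the variable stands in for the step output the workflow passes via env:.
demo_root="$(make_fixture)"
STEPS_CHANGED_MODELS_OUTPUTS_MODELS="$(printf 's3\nlambda\ndynamodb')"
check_changelogs "$demo_root" || echo "check failed as expected"
rm -rf "$demo_root"
```

Running it directly lists lambda (wrong type) and dynamodb (no entry) as missing while s3 passes. The same reasoning applies to the git diff step: reading GITHUB_BASE_REF as an environment variable keeps a branch name as an argument to git rather than text that the shell parses.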

@SamRemis (Contributor)

SamRemis commented Jan 8, 2026

Looks good overall - added some suggestions from Zizmor, which we should add to this repo to run over all GH actions by default in the long run.
