ci: changie-existence workflow

[ayeshurun]

📥 Pull Request

This pull request introduces a new GitHub Actions workflow to enforce the creation of changelog entries for pull requests, improving our release process and documentation.

✨ Description of new changes

A new GitHub Actions workflow, changelog-existence.yml, has been added to automate the validation of changelog entries.

• On every PR to main, the workflow checks for the existence of a changelog file in the .changes/unreleased/ directory.
• ✅ If a changelog entry is found, the workflow will post a comment on the PR with a preview of the release notes.
• 🛑 If a changelog entry is missing, the workflow will fail and post a comment instructing the author to add one using changie new.
• ⏭️ To bypass this check, apply the skip-changelog label to the pull request. The workflow will automatically delete its comment and pass. This bypass is allowed for Fabric CLI team only.

🔒 Security and Configuration

The workflow is configured with specific concurrency and permissions settings to ensure efficient and secure execution.

• Concurrency:

  • group: Ensures that only one instance of the workflow runs per pull request at any given time.
  • cancel-in-progress: true: If new commits are pushed to the PR, any previously running workflow for that PR is canceled. This prevents outdated checks from running and saves resources.

• Permissions:
  The permissions are scoped to the minimum required for the workflow to function, following the principle of least privilege:

  • pull-requests: write & issues: write: Required to post and update comments on the pull request (e.g., the changelog preview or missing entry warning). These permissions are confined to the PR that triggered the workflow.
  • contents: read: Required to check out the repository's code and read file diffs to check for a changelog entry. This is a read-only permission and does not allow for any modification of the code, making it safe.