Comment changeset status in PRs

[bluwy]

You can test the action with uses: changesets/action/comment-pr-changeset@comment-pr-changeset-dist.

Example workflow setup

# .github/workflows/comment-changeset-pr-status.yml
name: Comment changeset status in PRs

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  pr-status:
    runs-on: ubuntu-slim
    permissions:
      contents: read # to check out files in the repo
    outputs:
      commentBody: ${{ steps.pr-status.outputs.commentBody }}
    steps:
      - name: Check out repo
        uses: actions/checkout@v6

      - name: Generate status
        id: pr-status
        uses: changesets/action/pr-status@v1

  comment:
    needs: pr-status
    runs-on: ubuntu-slim
    permissions:
      pull-requests: write # to create and update comments on PRs
    steps:
      - name: Comment on PR
        uses: mshick/add-pr-comment@v3
        with:
          message-id: changeset-pr-status
          message: ${{ needs.pr-status.outputs.commentBody }}

See this action ... in action: bluwy/changesets-playground#1 (feel free to send PRs from forks for testing)

This actions focuses only on generating the comment, and defer the commenting to other actions. This is because we want to use reduced permissions for generating the comment to prevent risks of executing untrusted code and accessing the elevated github token. When changesets generate a release plan, we cannot guarantee in the future it will not execute code because of hooks/plugins or such.

---

When you have this workflow in your repo, you should disable the changeset bot for the repo so messages don't get reported twice. For this action, you should get the exact behaviour and messages from a bot. I didn't change the message for now.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7e0d0f5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	markdown-table@​3.0.4

View full report

[bluwy]

This is now ready again. The action now works slightly differently to prevent token leaks when generating the release plan. See the PR description and the added README for more info. I also renamed it as changesets/action/pr-status instead of pr-status-comment (maybe just check would be cool?)

I was also considering adding a simple comment action so we don't have to recommend a third-party action, but I don't want to widen the scope for now.

[mihkeleidast]

Hm. I like that this is split into two now security-wise, however... I was looking forward to using this new action at work in GHES, as we can't use the bot there. But we also have that nasty requirement that all third party actions must be from verified orgs on GitHub. Given this particular action is from an individual account, we definitely can't use it, so we'd still have to fork and own a copy.

Would be super nice if there was an alternative from a verified org, or if this was still provided as a changesets sub-action. Given all the supply chain security issues lately, I'd be much more comfortable using something directly from changesets and not bring in another variable.

[bluwy]

We could create a simple comment sub-action here but it'd be really simple and we can't commit to full-functionality like the other ones. IMO it's too strict to only limit to verified orgs, given pinning an action to a sha already saves you from attacks.

There's also https://github.com/marketplace/actions/create-or-update-comment by a github staff but setting up comment updates is slightly involved, but I guess that might not work for your setup too.

[mihkeleidast]

I totally agree that the verified org limitation is quite stupid and does not really protect against anything on it's own, but I don't make the rules :)