From 0c1303e911a7010964affcf6afa9c1300c050b00 Mon Sep 17 00:00:00 2001 From: Elliot Winkler Date: Mon, 4 May 2026 11:15:42 -0600 Subject: [PATCH 1/7] Fix update-changelogs workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `update-changelogs` workflow is designed to run automatically and manually (in response to a `metamaskbot` comment). Currently, the manual run succeeds, but the automatic run does not. The reason is that this workflow uses the `default-branch` environment to push changes to a pull request branch, but the `default-branch` environment — which holds the `UPDATE_CHANGELOG_TOKEN` — is scoped only to the `main` branch. To fix this, we make two changes: - Instead of `pull_request`, use the `pull_request_target` event. This event runs against the default branch, and so it should match the same scope as the `default-branch` environment. - Adjust the setup steps so that we follow this plan: - Check out main - Install Yarn + dependencies - Check out _only the changelog files_ from the current PR --- .github/workflows/update-changelogs.yml | 28 ++++++++++++------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index ce30e277f9..31be27baa9 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -4,11 +4,11 @@ on: issue_comment: types: - created -# pull_request: -# branches: -# - main -# types: -# - opened + pull_request_target: + branches: + - main + types: + - opened permissions: contents: write 
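Review bot: Switching the trigger to `pull_request_target` in this hunk gives the workflow the `default-branch` environment and its `UPDATE_CHANGELOG_TOKEN` while the event carries head content from the pull request, so the workflow's safety now rests on no step ever executing code taken from the PR head, and nothing at the trigger records that constraint. Under this event the workflow definition is read from the base branch, which is what makes a base-branch-only dependency install sound, but a later edit that moves `MetaMask/action-checkout-and-setup` (or any `yarn` invocation) after a checkout of the PR head would silently reintroduce privileged execution of untrusted code. I would state the invariant above the trigger: `# pull_request_target runs with base-branch secrets: only CHANGELOG.md files may be taken from the PR head, and no repository script may run after they are overlaid.` If the `is-fork` job below (`@@ -17,7`) is what skips fork PRs, the comment should point readers at it as the other half of that protection.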
@@ -17,7 +17,7 @@ permissions: jobs: is-fork: name: Determine whether this PR is from a fork - if: github.event_name == 'pull_request' || (github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-changelogs')) + if: github.event_name == 'pull_request_target' || (github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-changelogs')) runs-on: ubuntu-latest outputs: is-fork: ${{ steps.is-fork.outputs.is-fork }} @@ -115,24 +115,24 @@ jobs: env: PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} steps: - - name: Checkout repository + - name: Checkout main uses: actions/checkout@v6 with: token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} - - name: Checkout pull request + - name: Setup environment + uses: MetaMask/action-checkout-and-setup@v3 + with: + is-high-risk-environment: false + + - name: Overlay changelog files from current PR env: PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }} PR_BASE_REF: ${{ needs.is-release.outputs.base-ref }} run: | git fetch --no-tags origin "$PR_HEAD_SHA" git fetch --no-tags origin "$PR_BASE_REF" - git checkout --detach "$PR_HEAD_SHA" - - - name: Setup environment - uses: MetaMask/action-checkout-and-setup@v3 - with: - is-high-risk-environment: false + git checkout "$PR_HEAD_SHA" -- '**/CHANGELOG.md' - name: Ensure required dependency bump entries exist across all changelogs id: update-changelogs From 6e2fcc103f81c24d70fa4200f41cba3ef7db1022 Mon Sep 17 00:00:00 2001 From: Elliot Winkler Date: Tue, 5 May 2026 08:35:39 -0600 Subject: [PATCH 2/7] Revert partial checkout; detach HEAD --- .github/workflows/update-changelogs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 31be27baa9..6b68350636 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml 
@@ -132,7 +132,7 @@ jobs: run: | git fetch --no-tags origin "$PR_HEAD_SHA" git fetch --no-tags origin "$PR_BASE_REF" - git checkout "$PR_HEAD_SHA" -- '**/CHANGELOG.md' + git checkout --detach "$PR_HEAD_SHA" - name: Ensure required dependency bump entries exist across all changelogs id: update-changelogs From cd4d7069c02abdbf1cdbc51192a08b01e858b80b Mon Sep 17 00:00:00 2001 From: Elliot Winkler Date: Tue, 5 May 2026 09:40:41 -0600 Subject: [PATCH 3/7] Revert order --- .github/workflows/update-changelogs.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 6b68350636..6ffe060548 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -115,17 +115,12 @@ jobs: env: PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} steps: - - name: Checkout main + - name: Checkout repository uses: actions/checkout@v6 with: token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} - - name: Setup environment - uses: MetaMask/action-checkout-and-setup@v3 - with: - is-high-risk-environment: false - - - name: Overlay changelog files from current PR + - name: Checkout pull request env: PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }} PR_BASE_REF: ${{ needs.is-release.outputs.base-ref }} @@ -134,6 +129,11 @@ jobs: git fetch --no-tags origin "$PR_BASE_REF" git checkout --detach "$PR_HEAD_SHA" + - name: Setup environment + uses: MetaMask/action-checkout-and-setup@v3 + with: + is-high-risk-environment: false + - name: Ensure required dependency bump entries exist across all changelogs id: update-changelogs env: From 7e49895cd4fd712f23211c90ba9289307d5d8d1f Mon Sep 17 00:00:00 2001 
From: Elliot Winkler
Date: Tue, 5 May 2026 15:03:56 -0600
Subject: [PATCH 4/7] Rework to prevent command execution against PR branch

---
.github/workflows/update-changelogs.yml | 86 ++++++++++++++++++-------
1 file changed, 62 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml
index 6ffe060548..b2e64740f1 100644
--- a/.github/workflows/update-changelogs.yml
+++ b/.github/workflows/update-changelogs.yml
@@ -112,53 +112,91 @@ jobs: if: ${{ needs.is-release.outputs.is-release == 'true' }} runs-on: ubuntu-latest environment: default-branch - env: - PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} steps: - - name: Checkout repository + - name: Check out the base ref uses: actions/checkout@v6 with: + ref: ${{ needs.is-release.outputs.base-ref }} token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} - - name: Checkout pull request - env: - PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }} - PR_BASE_REF: ${{ needs.is-release.outputs.base-ref }} - run: | - git fetch --no-tags origin "$PR_HEAD_SHA" - git fetch --no-tags origin "$PR_BASE_REF" - git checkout --detach "$PR_HEAD_SHA" + - name: Detach HEAD (to prevent accidental pushes) + run: git checkout --detach HEAD - name: Setup environment uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false + - name: Overlay changelogs from current pull request + env: + PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }} + PR_HEAD_REF: ${{ needs.is-release.outputs.head-ref }} + run: | + # These next two commands are also useful later when pushing + git fetch --no-tags origin "$PR_HEAD_SHA" + git fetch --no-tags origin "$PR_HEAD_REF" + git checkout "$PR_HEAD_SHA" -- '**/CHANGELOG.md' + shell: bash + + - name: Configure Git with name and email + run: | + # This is necessary to make a commit + # Passing `token` to the `checkout` action does not do this for us + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + shell: bash + + - name: Commit changelogs from current pull request + run: | + git add -- '**/CHANGELOG.md' + git commit -m "[Temporary] Add changelogs from current pull request" + shell: bash + - name: Ensure required dependency bump entries exist across all changelogs id: update-changelogs env: + PR_NUMBER: ${{ github.event.issue.number || github.event.pull_request.number }} MERGE_BASE: ${{ 
needs.is-release.outputs.merge-base }} - run: yarn changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER" --fromRef "$MERGE_BASE" - continue-on-error: true - - - name: Commit and push updated changelogs - id: push-changes - env: - PR_HEAD_REF: ${{ needs.is-release.outputs.head-ref }} run: | + yarn changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER" --fromRef "$MERGE_BASE" if git diff --quiet; then - echo "changes-pushed=false" >> "$GITHUB_OUTPUT" + echo "changelogs-updated=false" >> "$GITHUB_OUTPUT" exit 0 fi + echo "changelogs-updated=true" >> "$GITHUB_OUTPUT" + shell: bash - git diff --stat - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + - name: Commit updated changelogs + if: ${{ steps.update-changelogs.outputs.changelogs-updated == 'true' }} + id: commit-updated-changelogs + run: | git add -- '**/CHANGELOG.md' git commit -m "chore: Update dependency bump changelog entries" - git push origin "HEAD:$PR_HEAD_REF" + new_commit_id="$(git log -1 --pretty='format:%h')" + echo "new-commit-id=${new_commit_id}" >> "$GITHUB_OUTPUT" + shell: bash + + - name: Check out pull request completely + env: + PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }} + run: | + git checkout "$PR_HEAD_SHA" + shell: bash - echo "changes-pushed=true" >> "$GITHUB_OUTPUT" + - name: Cherry-pick new commit and push it + id: push-changes + env: + NEW_COMMIT_ID: ${{ steps.commit-updated-changelogs.outputs.new-commit-id }} + PR_HEAD_REF: ${{ needs.is-release.outputs.head-ref }} + run: | + if [[ -n "$NEW_COMMIT_ID" ]]; then + git cherry-pick "$NEW_COMMIT_ID" + git push origin "HEAD:$PR_HEAD_REF" + echo "changes-pushed=true" >> "$GITHUB_OUTPUT" + else + echo "changes-pushed=false" >> "$GITHUB_OUTPUT" + fi + shell: bash - name: Comment result if: always() From edf3f44f6949d3dcb5c2559576b38c0360acfe6a Mon Sep 17 00:00:00 2001 
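Review bot: The `Commit changelogs from current pull request` step runs `git commit` unconditionally after the overlay, and git exits non-zero when the staged `**/CHANGELOG.md` files are identical to what was checked out (a release PR whose changelog edits are not yet present), which would fail the job before validation runs; guard it with `git diff --cached --quiet || git commit -m "[Temporary] Add changelogs from current pull request"`. The more important property of this hunk is one it leaves undocumented: `actions/checkout` keeps `UPDATE_CHANGELOG_TOKEN` in `.git/config` (its `persist-credentials` default, which is what lets the later `git push` work), and from `git checkout "$PR_HEAD_SHA"` in `Check out pull request completely` onward the working tree is the untrusted PR tree, so every later step in this job must be git-only. I would pin that in the step itself: `# From here on the working tree is untrusted PR content while the push token is still in .git/config; run only git commands, never yarn or repository scripts.` The `git fetch --no-tags origin "$PR_HEAD_REF"` in the overlay step presumably relies on the PR coming from this repository rather than a fork (the `is-fork` job); that assumption deserves a one-line comment too.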
From: Elliot Winkler
Date: Tue, 5 May 2026 16:01:17 -0600
Subject: [PATCH 5/7] Address Cursor comment

---
.github/workflows/update-changelogs.yml | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml
index b2e64740f1..73a723ee7b 100644
--- a/.github/workflows/update-changelogs.yml
+++ b/.github/workflows/update-changelogs.yml
@@ -159,37 +159,34 @@ jobs: MERGE_BASE: ${{ needs.is-release.outputs.merge-base }} run: | yarn changelog:validate --checkDeps --fix --currentPr "$PR_NUMBER" --fromRef "$MERGE_BASE" - if git diff --quiet; then - echo "changelogs-updated=false" >> "$GITHUB_OUTPUT" - exit 0 - fi - echo "changelogs-updated=true" >> "$GITHUB_OUTPUT" shell: bash + # If changelogs were updated but there were other validation errors + # found, we need to still create a commit below + continue-on-error: true - name: Commit updated changelogs - if: ${{ steps.update-changelogs.outputs.changelogs-updated == 'true' }} id: commit-updated-changelogs run: | + if git diff --quiet; then + # Nothing to commit; no changelogs updated + exit 0 + fi + git add -- '**/CHANGELOG.md' git commit -m "chore: Update dependency bump changelog entries" + new_commit_id="$(git log -1 --pretty='format:%h')" echo "new-commit-id=${new_commit_id}" >> "$GITHUB_OUTPUT" shell: bash - - name: Check out pull request completely - env: - PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }} - run: | - git checkout "$PR_HEAD_SHA" - shell: bash - - - name: Cherry-pick new commit and push it + - name: Cherry-pick new commit on top of pull request branch and push it id: push-changes env: NEW_COMMIT_ID: ${{ steps.commit-updated-changelogs.outputs.new-commit-id }} PR_HEAD_REF: ${{ needs.is-release.outputs.head-ref }} run: | if [[ -n "$NEW_COMMIT_ID" ]]; then + git checkout "$PR_HEAD_SHA" git cherry-pick "$NEW_COMMIT_ID" git push origin "HEAD:$PR_HEAD_REF" echo "changes-pushed=true" >> "$GITHUB_OUTPUT" From a666e2bba53d79cb63c04f3cb808b932f030b304 Mon Sep 17 00:00:00 2001 From: Elliot Winkler Date: Tue, 5 May 2026 16:07:30 -0600 Subject: [PATCH 6/7] Address another Cursor comment --- .github/workflows/update-changelogs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index 73a723ee7b..cf41779f57 100644 --- a/.github/workflows/update-changelogs.yml 
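Review bot: `new_commit_id="$(git log -1 --pretty='format:%h')"` records an abbreviated hash, and the value is only consumed by `git cherry-pick` after the PR head has been checked out in the next step; the abbreviation is unambiguous today, but the full id costs nothing and removes the possibility of a later ambiguity error — `new_commit_id="$(git rev-parse HEAD)"`. With `continue-on-error: true` on `update-changelogs`, a crash of `yarn changelog:validate` unrelated to validation is indistinguishable from a clean run with nothing to fix; if the `Comment result` step (outside this hunk) does not already read `steps.update-changelogs.outcome`, it should, so the PR comment reports the failure rather than silently succeeding. The `git diff --quiet` check compares the whole tracked tree while only `**/CHANGELOG.md` is staged, which is fine as long as the fixer touches nothing else; a one-line comment saying so would save the next reader the question.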
+++ b/.github/workflows/update-changelogs.yml @@ -183,6 +183,7 @@ jobs: id: push-changes env: NEW_COMMIT_ID: ${{ steps.commit-updated-changelogs.outputs.new-commit-id }} + PR_HEAD_SHA: ${{ needs.is-release.outputs.head-sha }} PR_HEAD_REF: ${{ needs.is-release.outputs.head-ref }} run: | if [[ -n "$NEW_COMMIT_ID" ]]; then From 68a9155ac56ed6c62f5381bc4490600b1e54fc59 Mon Sep 17 00:00:00 2001 From: Elliot Winkler Date: Tue, 5 May 2026 16:15:59 -0600 Subject: [PATCH 7/7] Address GH Copilot comment --- .github/workflows/update-changelogs.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/update-changelogs.yml b/.github/workflows/update-changelogs.yml index cf41779f57..5586c1483a 100644 --- a/.github/workflows/update-changelogs.yml +++ b/.github/workflows/update-changelogs.yml @@ -113,16 +113,16 @@ jobs: runs-on: ubuntu-latest environment: default-branch steps: - - name: Check out the base ref + - name: Check out the base branch uses: actions/checkout@v6 with: - ref: ${{ needs.is-release.outputs.base-ref }} + ref: ${{ needs.is-release.outputs.merge-base }} token: ${{ secrets.UPDATE_CHANGELOG_TOKEN }} - name: Detach HEAD (to prevent accidental pushes) run: git checkout --detach HEAD - - name: Setup environment + - name: Set up environment uses: MetaMask/action-checkout-and-setup@v3 with: is-high-risk-environment: false
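Review bot: The step is renamed `Check out the base branch` while `ref:` now points at `needs.is-release.outputs.merge-base`, which is presumably a commit id rather than a branch, so the name no longer describes what is checked out; `- name: Check out the merge base of the pull request` would. Checking out a commit id with `actions/checkout` already leaves HEAD detached, so the following `Detach HEAD` step becomes a no-op; keeping it as a guard is fine, but its comment should say so, e.g. `# HEAD is already detached when ref is a commit id; kept as a guard against accidental pushes if ref ever becomes a branch again`. Using the merge base is the right choice for this job, since the dependency install and `changelog:validate` then run against exactly the base-side tree the PR was written against.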