Add automation to enforce releaseChannel annotation on new proto fields

[gabriel9895]

Fixes #3147

Problem

Per GUIDELINES.md, new fields added to Istio
API protos must include a // +cue-gen::releaseChannel:extended comment annotation to indicate
they belong to the extended release channel before being promoted to stable. Currently this relies
entirely on reviewer memory — there is no automated enforcement.

Solution

A new lint script (scripts/check-release-channel.sh) that:

1. Diffs proto files against the base branch to identify newly added lines
2. Detects proto field definitions (string, repeated, map<K,V>, qualified types like
   google.protobuf.Duration)
3. For each new field, walks upward through the contiguous comment block looking for the releaseChannel
   annotation
4. Exits non-zero with clear error messages if any new field is missing the annotation

The check is diff-based rather than static because the vast majority of existing fields are already stable
and intentionally lack the annotation — only newly added fields require it.

Reason to write shell script

The annotation lives in proto comments, which are not preserved in compiled protobuf descriptors. A Go-
based approach would require a new source-level proto parser dependency. Shell is consistent with the
existing lint scripts in scripts/ (check-operator-proto.sh, check-imports.sh).

Integration

Added to local-lint-protos in Makefile.core.mk, so it runs automatically as part of make lint →
make presubmit in Prow CI.

Testing

Includes scripts/check-release-channel_test.sh with 8 test cases:

Test	Expected
No proto changes	Pass
New field without annotation	Fail
New field with annotation	Pass
repeated field without annotation	Fail
map<K,V> field without annotation	Fail
Enum values (not fields)	Pass — ignored
Mix of annotated + unannotated fields	Fail — catches only the bad one
Changes in common-protos/	Pass — excluded

Files changed

• scripts/check-release-channel.sh — the lint script
• scripts/check-release-channel_test.sh — test suite
• Makefile.core.mk — one line added to local-lint-protos

[istio-policy-bot]

😊 Welcome @caoyukun0430! This is either your first contribution to the Istio api repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: gabriel9895 / name: Gabriel Cao (bcc4746)

[istio-testing]

Hi @caoyukun0430. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[keithmattix]

/ok-to-test

[gabriel9895]

This PR adds internal CI tooling (lint script + tests) with no user-facing changes — no API, proto, or behavior modifications.

/release-notes-none

[keithmattix]

/retest