CI: Automatic changelog generation #156
- Extracts valid labels from release.yml using github-script
- Requires at least one changelog label on PRs
- Runs on label changes (labeled/unlabeled events)
- yq is pre-installed on GitHub runners - no need to install dependencies on every run
@claude please review this PR
@claude review
lib seems to be accidentally committed
- Remove lib/commonjs/, lib/module/, lib/typescript/ from git tracking
- Add lib/ to .gitignore
- Remove bob build and git add lib from pre-commit hook (lib/ is built at publish time via react-native-builder-bob, not needed in repo)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Walkthrough
This pull request removes the compiled library code from the repository, including all CommonJS and ES module implementations in
Actionable comments posted: 2
🧹 Nitpick comments (2)
.github/workflows/pr-labels.yml (1)
3-5: Consider removing `synchronize` trigger. Label checks don't need to re-run on every push—only when labels change (`labeled`, `unlabeled`) or PR opens/reopens. The `synchronize` trigger causes unnecessary workflow runs on each commit.
⚡ Reduce workflow runs
on: pull_request: - types: [opened, synchronize, reopened, labeled, unlabeled] + types: [opened, reopened, labeled, unlabeled]🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr-labels.yml around lines 3 - 5, The pull_request trigger currently includes "synchronize", causing runs on every push; remove "synchronize" from the types array in the workflow so it only triggers on "opened", "reopened", "labeled", and "unlabeled" (update the types list in the top-level `on: pull_request:` block to exclude "synchronize").
CONTRIBUTING.md (1)
91-102: Clarify that labels categorize release notes, not auto-bump versions. Lines 95-97 state labels trigger "major/minor/patch version bump," but these labels only categorize release notes—they don't automatically bump semver. The maintainer still chooses the version during `yarn release`. Consider rewording to avoid confusion.
📝 Suggested rewording
Release notes are automatically generated from merged pull requests. Please label your PRs with: -- `breaking`: Breaking changes (major version bump) -- `enhancement`: New features (minor version bump) -- `bug`: Bug fixes (patch version bump) +- `breaking`: Breaking changes +- `enhancement`: New features +- `bug`: Bug fixes - `documentation`: Documentation updates🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@CONTRIBUTING.md` around lines 91 - 102, Update the "Changelog and Release Notes" section so it's clear that PR labels (`breaking`, `enhancement`, `bug`, `documentation`, `dependencies`) are used only to categorize release notes and do not automatically bump semver; explicitly state that the maintainer selects the version during the release process (e.g., when running `yarn release`) and that `.github/release.yml` controls note organization, not automatic versioning.
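Review bot: In the `.github/workflows/pr-labels.yml` suggestion, dropping `synchronize` from `types` means a push after labeling produces a new head commit on which this workflow never runs. If the label check is configured as a required status check, that commit has no result for it and the PR stays blocked until a label is toggled or the PR is reopened. Keep `synchronize` in the list when the check is required; the extra runs cost far less than a merge gate stuck waiting on a result.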
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr-labels.yml:
- Around line 7-27: The check-labels job currently enforces labels for all PRs
and will block Dependabot PRs; update the workflow to skip this job or the
"Extract valid labels from release.yml" step when the actor is Dependabot by
adding an if condition that checks github.actor != 'dependabot[bot]' (reference
the job name check-labels and the step id extract-labels), so Dependabot PRs
bypass the labels requirement; alternatively, if you prefer allowing Dependabot
to be validated, include 'dependencies' in the labels set, but the recommended
quick fix is to add the if guard to skip the job/step for Dependabot.
In `@package.json`:
- Around line 116-119: The package.json is missing a "prepare" script so
release-it's npm publish may run without building lib/; add a "prepare" script
that runs the bob build step (e.g., set "prepare": "bob build") to ensure
react-native-builder-bob generates the lib/ directory before publishing—update
package.json's scripts section to include the prepare entry so the package is
built prior to npm publish triggered by the "github" / release-it configuration.
- Add prepare script (bob build) so lib/ is built before npm publish
- Skip pr-labels check for dependabot[bot] actor

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ependabot" This reverts commit db49218.
This reverts commit ae88a40.
Dependabot PRs are excluded from release notes via release.yml authors field, so they don't need changelog labels. Without this, Dependabot PRs would be blocked by the required-labels check. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# Conflicts: # lib/commonjs/ReactNativeZoomableView.js # lib/commonjs/ReactNativeZoomableView.js.map # lib/commonjs/animations/index.js # lib/commonjs/animations/index.js.map # lib/commonjs/components/AnimatedTouchFeedback.js # lib/commonjs/components/AnimatedTouchFeedback.js.map # lib/commonjs/components/StaticPin.js # lib/commonjs/components/StaticPin.js.map # lib/commonjs/components/index.js # lib/commonjs/components/index.js.map # lib/commonjs/debugHelper/index.js # lib/commonjs/debugHelper/index.js.map # lib/commonjs/helper/applyPanBoundariesToOffset.js # lib/commonjs/helper/applyPanBoundariesToOffset.js.map # lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js # lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js.map # lib/commonjs/helper/coordinateConversion.js # lib/commonjs/helper/coordinateConversion.js.map # lib/commonjs/helper/index.js # lib/commonjs/helper/index.js.map # lib/commonjs/index.js # lib/commonjs/index.js.map # lib/commonjs/typings/index.js # lib/commonjs/typings/index.js.map # lib/module/ReactNativeZoomableView.js # lib/module/ReactNativeZoomableView.js.map # lib/module/animations/index.js # lib/module/animations/index.js.map # lib/module/components/AnimatedTouchFeedback.js # lib/module/components/AnimatedTouchFeedback.js.map # lib/module/components/StaticPin.js # lib/module/components/StaticPin.js.map # lib/module/components/index.js # lib/module/components/index.js.map # lib/module/debugHelper/index.js # lib/module/debugHelper/index.js.map # lib/module/helper/applyPanBoundariesToOffset.js # lib/module/helper/applyPanBoundariesToOffset.js.map # lib/module/helper/calcNewScaledOffsetForZoomCentering.js # lib/module/helper/calcNewScaledOffsetForZoomCentering.js.map # lib/module/helper/coordinateConversion.js # lib/module/helper/coordinateConversion.js.map # lib/module/helper/index.js # lib/module/helper/index.js.map # lib/module/index.js # lib/module/index.js.map # lib/module/typings/index.js # lib/module/typings/index.js.map # 
lib/typescript/ReactNativeZoomableView.d.ts # lib/typescript/animations/index.d.ts # lib/typescript/components/AnimatedTouchFeedback.d.ts # lib/typescript/components/StaticPin.d.ts # lib/typescript/components/index.d.ts # lib/typescript/debugHelper/index.d.ts # lib/typescript/helper/applyPanBoundariesToOffset.d.ts # lib/typescript/helper/calcNewScaledOffsetForZoomCentering.d.ts # lib/typescript/helper/coordinateConversion.d.ts # lib/typescript/helper/index.d.ts # lib/typescript/index.d.ts # lib/typescript/typings/index.d.ts
PR #158 removed checked-in lib/ and added it to .gitignore. These remaining tracked files are now redundant.
@claude review
…exclude labels in PR check
- Upgrade release-it from ^14.2.2 to ^15.0.0 so the autoGenerate option is recognized and passes generate_release_notes to the GitHub API
- Extract exclude labels (ignore-for-release, dependencies) in pr-labels workflow so PRs with those labels pass the required-labels check

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
LGTM — the two functional issues from the previous review (release-it version, label extraction) have been addressed. The remaining inline comments are documentation nits.
Extended reasoning...
Overview
This PR sets up automatic changelog generation via GitHub Releases' native PR-based notes, adds a required-labels workflow for PRs, upgrades release-it from v14 to v15, and removes the now-redundant @release-it/conventional-changelog plugin. Changes touch .github/release.yml, .github/workflows/pr-labels.yml, package.json, CONTRIBUTING.md, and README.md.
Security risks
None. This is a CI/CD configuration change with no auth, crypto, or permissions-sensitive code.
Level of scrutiny
Low-to-medium. The changes are CI infrastructure — workflow files and tooling config. The logic is straightforward and the critical correctness issues (version compatibility, label coverage) have been resolved in prior iterations.
Other factors
Both bugs I flagged in the previous review were promptly addressed: release-it was upgraded to ^15.0.0 (so autoGenerate: true is now recognized) and the label-extraction script was updated to include exclude labels. The outstanding inline comments in this pass are documentation nits in CONTRIBUTING.md with no functional impact.
…sion bumps
- Remove parenthetical version bump claims from label descriptions since version is chosen interactively by maintainer during yarn release
- Add ignore-for-release to the list of excluded labels alongside dependencies

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# Conflicts: # yarn.lock
- package.json: add `prepare: bob build` so git URL installs (e.g. `npm install github:openspacelabs/react-native-zoomable-view`) build `lib/` themselves. Without it, gitignored `lib/` leaves a broken package after install — `main`/`module`/`types` all point into a directory that no lifecycle hook creates (`prepublishOnly` only runs on `npm publish`/`pack`, not git installs).
- .github/release.yml: `dependabot` → `dependabot[bot]` so the exclude-authors filter actually matches Dependabot's real bot login and stays consistent with pr-labels.yml.
- .github/workflows/pr-labels.yml: pin `mheap/github-action-required-labels` to its v5 commit SHA instead of the mutable `@v5` tag (GitHub security hardening guide for Actions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
All four previously-flagged issues are fixed in 69f9ef1; this is a CI/docs-only PR with no production code changes.
Extended reasoning...
Overview
This PR introduces automatic changelog generation via GitHub's release notes feature. It adds .github/release.yml defining changelog categories, a .github/workflows/pr-labels.yml workflow enforcing at least one valid label per PR, and updates CONTRIBUTING.md / README.md. package.json swaps @release-it/conventional-changelog for autoGenerate: true and bumps release-it from ^14 → ^15. A "prepare": "bob build" script was added since lib/ is now gitignored.
Security risks
Minimal. The mheap/github-action-required-labels action is now pinned to a full commit SHA (0ac283b4e65c1fb28ce6079dea5546ceca98ccbe), eliminating the mutable-tag supply-chain concern I previously raised. The workflow runs on pull_request (not pull_request_target), so the GITHUB_TOKEN is read-only and has no secret access. No auth/crypto/permission changes.
Level of scrutiny
Low. This is CI/config + documentation only — no runtime/library code is touched. The blast radius if something breaks is limited to release tooling, which is exercised manually by maintainers running yarn release and is easy to roll back.
Other factors
All four issues I previously flagged (missing prepare script, dependabot vs dependabot[bot], mutable action tag, plus the earlier release-it v14 autoGenerate no-op caught in this same review series) have been verified fixed in 69f9ef1. CodeRabbit's earlier concerns were also addressed. Nothing new came up in this round.
The previous instructions said to run `yarn release` end-to-end, but in practice releases since v2.3.0 have been cut via `gh release create --generate-notes` against a manual `chore: release X.Y.Z` bump commit — release-it's `github.release` step isn't used. Document the real flow: bump on master, `gh release create --generate-notes` (which now reads the categorized `.github/release.yml` introduced in this PR), and let the release workflow publish to npm via OIDC + `--provenance`. Also call out the pr-labels enforcement workflow and clarify how pre-releases skip the publish step. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Previous commit bc6d812 wrongly documented `gh release create --generate-notes` as the manual entry point, based on misreading release-it's defaults: release-it's default `releaseName` is `Release ${version}` (matches the observed "Release X.Y.Z" titles), and `github.autoGenerate: true` asks GitHub to render the body from `.github/release.yml` — producing the same `## What's Changed` shape that `--generate-notes` does. The intended flow is the one already encoded in the release-it config: `yarn release` bumps + commits + tags + pushes + creates the GitHub Release in one pass, and the release-published workflow handles npm. Keeping the OIDC / --provenance / pre-release skip / label-enforcement details that were correct. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The previous version only said "release-it prompts for the version" without telling the maintainer how to answer. Add a semver decision table tied to the PR labels we already use for changelog categorization: `breaking` → major, `enhancement` → minor, otherwise → patch. Include the non-interactive `yarn release patch|minor|major` form and a one-liner for listing PRs in the unreleased range. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Was a wall of tables, OIDC explanations, and step-by-step prose. Now: run `yarn release`, pick the bump per three bullets, done. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Dropped this in the trim — useful for someone setting up the repo fresh or wondering why their publish failed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
All prior feedback addressed in 69f9ef1; CI/docs-only change with low risk.
Extended reasoning...
Overview
This PR sets up automated changelog generation by adding .github/release.yml (defining changelog categories driven by PR labels), .github/workflows/pr-labels.yml (enforcing at least one valid label per PR), README/CONTRIBUTING doc updates, and package.json changes (added prepare: bob build, removed @release-it/conventional-changelog, bumped release-it to ^15.0.0, switched to autoGenerate: true for GitHub release notes).
Security risks
Limited. The only supply-chain concern raised earlier — an unpinned third-party action — has been resolved: mheap/github-action-required-labels is now pinned to commit SHA 0ac283b4e65c1fb28ce6079dea5546ceca98ccbe. The workflow triggers on pull_request (not pull_request_target), so secrets are not exposed to fork PRs. actions/checkout@v4 is a first-party action.
Level of scrutiny
Medium-low. These are CI/config/docs changes — no runtime library code touched. The blast radius is the release pipeline and PR-gating: a bug here could block PRs from merging or produce malformed release notes, but it cannot affect consumers of the published package at runtime. The prepare: bob build addition is the highest-impact change (it affects git-URL installs and npm publish), but it follows the standard react-native-builder-bob pattern and is the documented fix.
Other factors
The PR has been through several review rounds. Every previously raised issue — Dependabot bypass, missing prepare script, release-it version compatibility with autoGenerate, exclude-label extraction in the workflow, inaccurate version-bump documentation, dependabot vs dependabot[bot] author filter, and action SHA pinning — has been verified as addressed in the current revision (commit 69f9ef1 in particular). The bug hunting system found no new issues this round.
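The two hardening points the reviews above rely on (a full commit SHA instead of the mutable `@v5` tag, and `pull_request` rather than `pull_request_target`), written as a checkable audit. This is an added example, not code from the PR or the project; the sample workflow is constructed, and `auditWorkflow` and its `trustedOwners` parameter are hypothetical names.

```javascript
// Added example: audit workflow text for unpinned actions and pull_request_target.
// Line-based on purpose (no YAML dependency); assumes the usual one-line `uses:` form.
const FULL_SHA = /^[0-9a-f]{40}$/;

// trustedOwners is an assumption of this sketch: owners whose tags you accept,
// mirroring the review's treatment of first-party actions. Pass [] to pin everything.
function auditWorkflow(text, trustedOwners = ['actions', 'github']) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/(^|\s+)#.*$/, ''); // drop comments such as "# v5"
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'\s]+)["']?\s*$/);
    if (m) {
      const ref = m[1];
      // Local actions and container images are not git refs; nothing to pin here.
      if (ref.startsWith('./') || ref.startsWith('docker://')) return;
      const at = ref.lastIndexOf('@');
      const version = at === -1 ? '' : ref.slice(at + 1);
      const owner = ref.split('/')[0];
      if (!FULL_SHA.test(version) && !trustedOwners.includes(owner)) {
        findings.push({ line: i + 1, rule: 'unpinned-action', detail: ref });
      }
    } else if (/\bpull_request_target\b/.test(line)) {
      // Any mention is flagged for manual review: this trigger runs with the base
      // repository's token and secrets even when the PR comes from a fork.
      findings.push({ line: i + 1, rule: 'pull-request-target', detail: line.trim() });
    }
  });
  return findings;
}

// Constructed sample: a label-check workflow with both weak settings.
const WEAK = [
  'name: PR labels',
  'on:',
  '  pull_request_target:',
  '    types: [opened, reopened, labeled, unlabeled]',
  'jobs:',
  '  check-labels:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - uses: mheap/github-action-required-labels@v5',
].join('\n');

// The same workflow with the trigger and the pin the reviews describe (SHA as quoted on the page).
const HARDENED = WEAK
  .replace('pull_request_target:', 'pull_request:')
  .replace('required-labels@v5', 'required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5');

console.log('weak:', auditWorkflow(WEAK));
console.log('hardened:', auditWorkflow(HARDENED));
console.log('hardened, strict:', auditWorkflow(HARDENED, []));
```

With an empty `trustedOwners` list the audit also reports `actions/checkout@v4`, which is the stricter reading of the same hardening rule.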