From 6b56b6225387a175680b534d87fb174bf50744a9 Mon Sep 17 00:00:00 2001 From: "Jeromy Statia (from Dev Box)" Date: Fri, 3 Apr 2026 22:21:46 -0700 Subject: [PATCH] fix: generate changelog at release time via artifact instead of direct push The org-level branch protection ruleset (microsoft-production-ruleset) blocks direct pushes to main, even from GITHUB_TOKEN. This caused create_changelog to fail on every push to main. Changes: - create_changelog now generates CHANGELOG.md and uploads it as a workflow artifact (no git commit/push). - create_release downloads the changelog artifact and uses it for the release body (body_path: ./CHANGELOG.md). - Upgraded checkout to v4 with fetch-depth: 0 for full tag history. - Removed the separate fetch-and-checkout-main step (redundant with checkout@v4 ref: main + fetch-depth: 0). - Reduced create_changelog permissions to contents: read. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/dotnet.yml | 61 +++++++++++++----------------------- 1 file changed, 22 insertions(+), 39 deletions(-) diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml index 63e3f01e..f00b62fd 100644 --- a/.github/workflows/dotnet.yml +++ b/.github/workflows/dotnet.yml @@ -81,31 +81,22 @@ jobs: - name: List working directory run: ${{ matrix.dir_command }} - # Generate and commit a changelog on every push to main. - # On pull requests this job passes without committing because: - # - Fork PRs cannot receive pushes via GITHUB_TOKEN (GitHub security boundary). - # - The changelog is auto-generated from merged PRs, so it only needs to be - # up-to-date on main, not in every PR branch. - # Commits made with GITHUB_TOKEN do not trigger new workflow runs, so there is - # no risk of an infinite loop. + # Changelog generation. + # On pull requests: passes without action — changelog is generated at release time. + # On push to main: generates the changelog as an artifact for the create_release job. + # The changelog is NOT committed to the repo because the org-level branch protection + # ruleset blocks direct pushes to main (even from GITHUB_TOKEN). create_changelog: runs-on: ubuntu-latest permissions: - contents: write + contents: read steps: - #### PUSH TO MAIN — generate, commit, and push the changelog #### - - name: Checkout main + - name: Checkout code if: ${{ github.event_name == 'push' }} uses: actions/checkout@v4 with: ref: main - - name: Configure git - if: ${{ github.event_name == 'push' }} - run: | - git config --local user.email "action@github.com" - git config --local user.name "GitHub Action" - - name: Generate changelog if: ${{ github.event_name == 'push' }} uses: tj-actions/github-changelog-generator@v1.19 @@ -113,24 +104,16 @@ jobs: output: CHANGELOG.md token: ${{ secrets.GITHUB_TOKEN }} - - name: Commit changelog + - name: Upload changelog artifact if: ${{ github.event_name == 'push' }} - run: | - git add CHANGELOG.md - if git diff-index --quiet HEAD; then - echo "No changelog changes to commit." - else - git commit -m "Update changelog" - git push - fi - - #### PULL REQUEST — nothing to commit; just pass #### + uses: actions/upload-artifact@v4 + with: + name: changelog + path: CHANGELOG.md - - name: Skip changelog commit for PRs + - name: Skip for PRs if: ${{ github.event_name == 'pull_request' }} - run: echo "Changelog will be updated automatically when this PR is merged to main." - - #### OTHER EVENTS — nothing to do #### + run: echo "Changelog will be generated at release time when this PR is merged to main." - name: No-op for other events if: ${{ github.event_name != 'push' && github.event_name != 'pull_request' }} @@ -162,16 +145,16 @@ jobs: # Checkout the main branch and fetch tags. - name: Checkout code if: ${{ github.event_name == 'push' }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Full history needed for tag discovery. - # Checkout the main branch so we can see the correct tag set. - - name: Fetch and checkout main + # Download the changelog generated by the create_changelog job. + - name: Download changelog if: ${{ github.event_name == 'push' }} - run: | - git config --local user.email "action@github.com" - git config --local user.name "GitHub Action" - git fetch - git checkout main + uses: actions/download-artifact@v4 + with: + name: changelog # Create a semantically versioned tag that increments the last release. # If the last release is a pre-release, increment the pre-release number, so v1.2.3-pre4 becomes v1.2.3-pre5.