Add /chronus add slash-command auto-fix workflow

On chronus-verify failure, post a sticky PR comment instructing the
contributor to comment '/chronus add [kind]' for a one-click fix.

Add chronus-fix.yml: an issue_comment-triggered workflow that
verifies commenter permissions, rejects fork PRs (security), parses
the requested kind, runs 'chronus add <package> --kind X --message
<PR title>' for each missing package, and pushes the result back to
the PR branch.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Libba Lawrence

.github/workflows/chronus-fix.yml

@@ -0,0 +1,312 @@
+name: Chronus Fix (slash command)
+
+# Listens for `/chronus add [kind]` comments on PRs and commits a Chronus
+# change entry derived from the PR title back to the PR branch.
+#
+# Security note: this workflow runs in default-branch context with a
+# write-scoped GITHUB_TOKEN. Because we install the chronus tooling pinned
+# at .github/chronus/* from the PR head, we restrict execution to PRs that
+# originate from the same repository. Fork PRs receive a comment instructing
+# the contributor to run the command locally instead.
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+concurrency:
+  group: chronus-fix-${{ github.event.issue.number }}
+  cancel-in-progress: false
+
+jobs:
+  chronus-fix:
+    name: Apply chronus add via slash command
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.issue.pull_request != null &&
+      startsWith(github.event.comment.body, '/chronus add')
+    steps:
+      - name: Verify commenter has write permission
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: context.payload.comment.user.login,
+            });
+            if (!['admin', 'maintain', 'write'].includes(data.permission)) {
+              core.setFailed(
+                `User ${context.payload.comment.user.login} lacks write permission ` +
+                `(has: ${data.permission}).`
+              );
+            }
+
+      - name: React 👀 to the comment
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.reactions.createForIssueComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: context.payload.comment.id,
+              content: 'eyes',
+            });
+
+      - name: Get PR metadata and reject fork PRs
+        id: pr
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data: pr } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.issue.number,
+            });
+
+            const isFork = pr.head.repo.full_name !== pr.base.repo.full_name;
+            if (isFork) {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.issue.number,
+                body: [
+                  '⚠️ `/chronus add` cannot push to fork PR branches.',
+                  '',
+                  'Please run the following locally and push the resulting file:',
+                  '',
+                  '```bash',
+                  'azpysdk changelog add',
+                  '```',
+                ].join('\n'),
+              });
+              core.setFailed('Fork PRs are not supported by /chronus add.');
+              return;
+            }
+
+            // Validate ref shape (defensive — refs come from the API but we
+            // pass them to git below). Allow standard branch characters only.
+            if (!/^[A-Za-z0-9._/\-]+$/.test(pr.head.ref) ||
+                !/^[A-Za-z0-9._/\-]+$/.test(pr.base.ref)) {
+              core.setFailed(`Refusing unusual ref name. head=${pr.head.ref} base=${pr.base.ref}`);
+              return;
+            }
+
+            core.setOutput('head_ref', pr.head.ref);
+            core.setOutput('head_sha', pr.head.sha);
+            core.setOutput('base_ref', pr.base.ref);
+            core.setOutput('title', pr.title);
+
+      - name: Parse requested kind from comment
+        id: kind
+        env:
+          BODY: ${{ github.event.comment.body }}
+        run: |
+          set -euo pipefail
+          # Extract the third whitespace-separated token: "/chronus add <kind>".
+          token="$(printf '%s' "$BODY" | awk '{print $3}' | tr -d '\r')"
+          case "${token,,}" in
+            ""|internal)            kind="internal" ;;
+            fix|bug)                kind="fix" ;;
+            feature|features)       kind="feature" ;;
+            breaking)               kind="breaking" ;;
+            deprecation|deprecated) kind="deprecation" ;;
+            dependencies|deps)      kind="dependencies" ;;
+            *)
+              echo "::error::Unknown kind '$token'. Allowed: internal, fix, feature, breaking, deprecation, dependencies."
+              exit 1
+              ;;
+          esac
+          echo "kind=$kind" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout PR head
+        uses: actions/checkout@v4
+        with:
+          # We're already restricted to same-repo PRs above, so the default
+          # repository (github.repository) is the right source.
+          ref: ${{ steps.pr.outputs.head_sha }}
+          fetch-depth: 0
+          persist-credentials: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Fetch base branch for chronus diff
+        env:
+          BASE_REF: ${{ steps.pr.outputs.base_ref }}
+        run: |
+          set -euo pipefail
+          # Chronus reads `baseBranch` from .chronus/config.yaml (currently
+          # "main") and diffs against it via git. Make sure that branch ref
+          # exists locally.
+          git fetch origin "$BASE_REF:$BASE_REF" || git fetch origin "$BASE_REF"
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          cache: npm
+          cache-dependency-path: .github/chronus/package-lock.json
+
+      - name: Install pinned chronus
+        run: npm ci
+        working-directory: .github/chronus
+
+      - name: Determine packages missing a change entry
+        id: missing
+        run: |
+          set -uo pipefail
+          # `chronus verify` exits non-zero when entries are missing. Capture
+          # output and parse the package list. Don't fail this step on
+          # non-zero exit because the missing-entries case is exactly what
+          # we want to handle.
+          out="$(.github/chronus/node_modules/.bin/chronus verify 2>&1)" || true
+          printf '%s\n' "$out"
+
+          # Extract anything that looks like sdk/<service>/<package>.
+          pkgs="$(printf '%s\n' "$out" | grep -oE 'sdk/[A-Za-z0-9._-]+/[A-Za-z0-9._-]+' | sort -u || true)"
+          if [ -z "$pkgs" ]; then
+            echo "found=0" >> "$GITHUB_OUTPUT"
+          else
+            echo "found=1" >> "$GITHUB_OUTPUT"
+            {
+              echo 'packages<<CHRONUS_EOF'
+              printf '%s\n' "$pkgs"
+              echo 'CHRONUS_EOF'
+            } >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Add chronus entry per package
+        if: steps.missing.outputs.found == '1'
+        env:
+          KIND: ${{ steps.kind.outputs.kind }}
+          MESSAGE: ${{ steps.pr.outputs.title }}
+          PACKAGES: ${{ steps.missing.outputs.packages }}
+        run: |
+          set -euo pipefail
+          while IFS= read -r pkg_path; do
+            [ -z "$pkg_path" ] && continue
+            pkg_name="$(basename "$pkg_path")"
+            echo "::group::chronus add $pkg_name ($KIND)"
+            # `chronus add` takes the package name as a positional argument.
+            .github/chronus/node_modules/.bin/chronus add \
+              "$pkg_name" \
+              --kind "$KIND" \
+              --message "$MESSAGE"
+            echo "::endgroup::"
+          done <<< "$PACKAGES"
+
+      - name: Commit and push
+        id: push
+        if: steps.missing.outputs.found == '1'
+        env:
+          HEAD_REF: ${{ steps.pr.outputs.head_ref }}
+          ACTOR: ${{ github.event.comment.user.login }}
+          ACTOR_ID: ${{ github.event.comment.user.id }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          set -euo pipefail
+          # Defensive validation — reject unusual branch names.
+          git check-ref-format --branch "$HEAD_REF"
+
+          git config user.name 'github-actions[bot]'
+          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+          git add .chronus/changes/
+          if git diff --cached --quiet; then
+            echo "Nothing staged — chronus add did not produce a file."
+            echo "pushed=0" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          msg="$(printf 'Add chronus changelog entry [skip ci]\n\nTriggered by /chronus add comment on PR #%s.\n\nCo-authored-by: %s <%s+%s@users.noreply.github.com>' \
+            "$PR_NUMBER" "$ACTOR" "$ACTOR_ID" "$ACTOR")"
+          git commit -m "$msg"
+
+          if git push origin "HEAD:refs/heads/$HEAD_REF"; then
+            echo "pushed=1" >> "$GITHUB_OUTPUT"
+          else
+            echo "pushed=0" >> "$GITHUB_OUTPUT"
+            echo "::warning::Push failed. The PR branch may have moved; ask the user to retry."
+          fi
+
+      - name: React 🚀 and reply on success
+        if: success() && steps.push.outputs.pushed == '1'
+        uses: actions/github-script@v7
+        env:
+          KIND: ${{ steps.kind.outputs.kind }}
+          TITLE: ${{ steps.pr.outputs.title }}
+        with:
+          script: |
+            await github.rest.reactions.createForIssueComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: context.payload.comment.id,
+              content: 'rocket',
+            });
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.issue.number,
+              body: [
+                '✅ Pushed a Chronus change entry to this PR.',
+                '',
+                '- **Kind:** `' + process.env.KIND + '`',
+                '- **Description:** _' + process.env.TITLE + '_',
+                '',
+                'Edit the file under `.chronus/changes/` if you\'d like to refine the description.',
+              ].join('\n'),
+            });
+
+      - name: Reply on no-op
+        if: success() && steps.missing.outputs.found != '1'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.issue.number,
+              body: [
+                'ℹ️ Could not detect any packages missing a Chronus change entry.',
+                '',
+                'Either every changed package already has an entry, or `chronus verify`',
+                'failed for an unrelated reason — check the workflow run for details.',
+              ].join('\n'),
+            });
+
+      - name: Reply on push failure
+        if: success() && steps.missing.outputs.found == '1' && steps.push.outputs.pushed != '1'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.reactions.createForIssueComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: context.payload.comment.id,
+              content: 'confused',
+            });
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.issue.number,
+              body: [
+                '⚠️ Could not push a Chronus entry to this PR branch.',
+                '',
+                'The branch may have moved while the bot was working. Please',
+                'comment `/chronus add` again, or run `azpysdk changelog add` locally.',
+              ].join('\n'),
+            });
+
+      - name: React 👎 on failure
+        if: failure()
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.reactions.createForIssueComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: context.payload.comment.id,
+              content: '-1',
+            });

.github/workflows/chronus-verify.yml

@@ -14,6 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -30,10 +31,70 @@ jobs:
         working-directory: .github/chronus
 
       - name: Run chronus verify
+        id: verify
         run: .github/chronus/node_modules/.bin/chronus verify
 
-      - name: Chronus verification failed – see docs
-        if: failure()
+      - name: Post sticky PR comment with one-click fix instructions
+        if: failure() && steps.verify.conclusion == 'failure' && github.event.pull_request.head.repo.full_name == github.repository
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const HEADER = '<!-- chronus-verify-sticky -->';
+            const body = [
+              HEADER,
+              '### 📝 Missing changelog entry',
+              '',
+              'This PR touches package source under `sdk/*/*/**` but no Chronus',
+              'change description was found. CI requires every user-affecting',
+              'change to have one.',
+              '',
+              '#### ⚡ One-click fix',
+              '',
+              '**Comment `/chronus add` on this PR** and a bot will commit a',
+              'changelog entry for you, derived from your PR title.',
+              '',
+              'Customise the entry kind by appending it to the command:',
+              '',
+              '- `/chronus add` &nbsp;→&nbsp; defaults to `internal`',
+              '- `/chronus add fix` &nbsp;→&nbsp; bug fix',
+              '- `/chronus add feature` &nbsp;→&nbsp; new feature',
+              '- `/chronus add breaking` &nbsp;→&nbsp; breaking change',
+              '- `/chronus add deprecation` &nbsp;→&nbsp; deprecation',
+              '- `/chronus add dependencies` &nbsp;→&nbsp; dependency bump',
+              '',
+              '> ℹ️ For PRs from forks, run the command locally instead:',
+              '>',
+              '> ```bash',
+              '> azpysdk changelog add',
+              '> ```',
+              '>',
+              'See [`doc/dev/changelog_updates.md`](https://github.com/Azure/azure-sdk-for-python/blob/main/doc/dev/changelog_updates.md) for full instructions.',
+            ].join('\n');
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+            });
+            const existing = comments.find(c => c.body && c.body.startsWith(HEADER));
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              });
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.pull_request.number,
+                body,
+              });
+            }
+
+      - name: Emit annotation on failure
+        if: failure() && steps.verify.conclusion == 'failure'
         run: |
-          echo "::error::Chronus verification failed. Add a change description with 'azpysdk changelog add' (or 'npx chronus add' if you prefer raw Chronus)."
+          echo "::error::Chronus verification failed. Comment '/chronus add' on this PR for an automated fix, or run 'azpysdk changelog add' locally."
           echo "::error::See https://github.com/Azure/azure-sdk-for-python/blob/main/doc/dev/changelog_updates.md for instructions."