version-bump: Add version-bump reusable workflow

Automates version bump pull requests by detecting unreleased changes in
CHANGELOG.md, determining the next semantic version, updating the
changelog with the release date, and creating a PR from a fork to the
upstream repository.

Supports configurable release dates, custom git identity, and optional
update scripts for projects that maintain version numbers in multiple
files.

Updates release-version-extract action to expose unreleased_changes
output, making changelog entries available for use in commit messages
and PR bodies.

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>

Author: linhcrl

.github/workflows/test.yml

@@ -7,5 +7,5 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - run: ./test.sh

.github/workflows/version-bump.yml

@@ -0,0 +1,227 @@
+name: Version Bump
+
+on:
+  workflow_call:
+    inputs:
+      fork_owner:
+        description: GitHub username or org that owns the fork
+        required: true
+        type: string
+      fork_repo:
+        description: Repository name of the fork
+        required: true
+        type: string
+      pr_base_branch:
+        description: Base branch for the PR. Defaults to repository default branch
+        required: false
+        type: string
+        default: ""
+      additional_update_script:
+        description: Optional path to a bash script file to execute during version bump. The VERSION environment variable will be available.
+        required: false
+        type: string
+        default: ""
+      release_date:
+        description: Release date in YYYY-MM-DD format. Defaults to current date
+        required: false
+        type: string
+        default: ""
+      git_user_name:
+        description: Git user name for commits. Defaults to github-actions[bot]
+        required: false
+        type: string
+        default: "github-actions[bot]"
+      git_user_email:
+        description: Git user email for commits. Defaults to github-actions[bot]@users.noreply.github.com
+        required: false
+        type: string
+        default: "github-actions[bot]@users.noreply.github.com"
+    secrets:
+      fork_push_token:
+        description: PAT with push access to the fork
+        required: true
+      pr_create_token:
+        description: PAT with permission to create PRs on the upstream repo
+        required: true
+    outputs:
+      pr_url:
+        description: URL of the created pull request (empty if no unreleased changes)
+        value: ${{ jobs.version-bump.outputs.pr_url }}
+
+jobs:
+  version-bump:
+    runs-on: ubuntu-latest
+    outputs:
+      pr_url: ${{ steps.create-pr.outputs.pr_url }}
+    steps:
+      - name: Get workflow ref
+        id: workflow-ref
+        uses: cockroachdb/actions/get-workflow-ref@v0
+        with:
+          workflow_name: cockroachdb/actions/.github/workflows/version-bump.yml
+
+      - name: Checkout actions repo
+        uses: actions/checkout@v6
+        with:
+          repository: cockroachdb/actions
+          ref: ${{ steps.workflow-ref.outputs.ref }}
+          path: actions-repo
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Extract release version
+        id: extract-version
+        uses: ./actions-repo/release-version-extract
+
+      - name: Set up fork remote and create branch
+        if: steps.extract-version.outputs.has_unreleased == 'true'
+        id: create-branch
+        run: |
+          source actions-repo/actions_helpers.sh
+
+          # Set up auto-fork remote
+          fork_url="https://github.com/${{ inputs.fork_owner }}/${{ inputs.fork_repo }}.git"
+
+          if git remote | grep --quiet --fixed-strings --line-regexp "auto-fork"; then
+            git remote set-url auto-fork "$fork_url"
+          else
+            git remote add auto-fork "$fork_url"
+          fi
+
+          # Create branch
+          branch_name="update-version-${{ steps.extract-version.outputs.next_version }}"
+          log_notice "Creating new branch $branch_name"
+          git checkout -b "$branch_name"
+          set_output "branch_name" "$branch_name"
+
+      - name: Update CHANGELOG with new version
+        if: steps.extract-version.outputs.has_unreleased == 'true'
+        run: |
+          source actions-repo/actions_helpers.sh
+
+          version="${{ steps.extract-version.outputs.next_version }}"
+
+          if [ -n "${{ inputs.release_date }}" ]; then
+            release_date="${{ inputs.release_date }}"
+          else
+            release_date=$(date +%Y-%m-%d)
+          fi
+
+          # Insert new version header under [Unreleased] header
+          awk -v version="$version" -v date="$release_date" '
+          /^## \[Unreleased\]/ {
+            print
+            print ""
+            print "## [" version "] - " date
+            next
+          }
+          { print }
+          ' CHANGELOG.md > CHANGELOG.md.tmp && mv CHANGELOG.md.tmp CHANGELOG.md
+
+          log_notice "Updated CHANGELOG.md with version $version dated $release_date"
+
+      - name: Run additional update script
+        if: steps.extract-version.outputs.has_unreleased == 'true' && inputs.additional_update_script != ''
+        env:
+          VERSION: ${{ steps.extract-version.outputs.next_version }}
+        run: |
+          source actions-repo/actions_helpers.sh
+
+          log_notice "Running additional update script: ${{ inputs.additional_update_script }}"
+          bash -e "${{ inputs.additional_update_script }}"
+
+      - name: Commit version bump changes
+        if: steps.extract-version.outputs.has_unreleased == 'true'
+        id: commit-changes
+        run: |
+          source actions-repo/actions_helpers.sh
+
+          # Configure git for commits
+          git config user.name "${{ inputs.git_user_name }}"
+          git config user.email "${{ inputs.git_user_email }}"
+
+          version="${{ steps.extract-version.outputs.next_version }}"
+
+          # Get all changed files (unstaged, staged, and untracked)
+          changed_files=$({ git diff --name-only; git diff --name-only --cached; git ls-files --others --exclude-standard; } | sort --unique)
+
+          if [ -z "$changed_files" ]; then
+            log_error "No changes to commit after version bump"
+            exit 1
+          fi
+
+          # Stage each changed file
+          echo "$changed_files" | while read -r file; do
+            if [ -n "$file" ]; then
+              git add "$file"
+            fi
+          done
+
+          git commit -m "Prepare release v${version}" \
+            -m "${{ steps.extract-version.outputs.unreleased_changes }}"
+
+          log_notice "Changes committed successfully"
+
+      - name: Push branch to auto-fork
+        if: steps.extract-version.outputs.has_unreleased == 'true'
+        env:
+          FORK_PUSH_TOKEN: ${{ secrets.fork_push_token }}
+        run: |
+          source actions-repo/actions_helpers.sh
+
+          # Configure git credentials for push
+          git config --local credential.helper "!f() { echo \"username=${{ inputs.fork_owner }}\"; echo \"password=\${FORK_PUSH_TOKEN}\"; }; f"
+
+          branch_name="${{ steps.create-branch.outputs.branch_name }}"
+          git push auto-fork "$branch_name"
+          log_notice "Pushed branch $branch_name to auto-fork"
+
+      - name: Create version bump pull request
+        if: steps.extract-version.outputs.has_unreleased == 'true'
+        id: create-pr
+        env:
+          GH_TOKEN: ${{ secrets.pr_create_token }}
+        run: |
+          source actions-repo/actions_helpers.sh
+
+          # Determine base branch
+          if [ -n "${{ inputs.pr_base_branch }}" ]; then
+            base_branch="${{ inputs.pr_base_branch }}"
+            log_notice "Using provided base branch: $base_branch"
+          else
+            base_branch=$(gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name')
+            if [ -z "$base_branch" ]; then
+              base_branch="main"
+              log_warning "Could not determine default branch, falling back to 'main'"
+            else
+              log_notice "Using repository default branch: $base_branch"
+            fi
+          fi
+
+          # Build PR body
+          version="${{ steps.extract-version.outputs.next_version }}"
+          additional_changes=""
+          if [ -n "${{ inputs.additional_update_script }}" ]; then
+            additional_changes="
+          - Applied additional version bump updates"
+          fi
+
+          pr_body="## Summary
+
+          This PR updates the version to \`${version}\` in preparation for release.
+
+          ### Changes
+          - Updated CHANGELOG.md with release version and date${additional_changes}
+
+          ### Changelog Entries
+
+          ${{ steps.extract-version.outputs.unreleased_changes }}"
+
+          # Create pull request
+          pr_url=$(gh pr create --repo "${{ github.repository }}" --title "Release v${version}" --body "$pr_body" --base "$base_branch" --head "${{ inputs.fork_owner }}:${{ steps.create-branch.outputs.branch_name }}")
+
+          set_output "pr_url" "$pr_url"
+          log_notice "Pull request created successfully: $pr_url"

CHANGELOG.md

@@ -17,6 +17,10 @@ Breaking changes are prefixed with "Breaking Change: ".
 
 ### Added
 
+- `version-bump` reusable workflow: automates version bump PRs by checking for
+  unreleased changes in CHANGELOG, extracting the next version, updating
+  the CHANGELOG with new version and release date, optionally running custom update
+  scripts, and creating a PR from a fork to the upstream repository.
 - `autotag-from-changelog` now exposes `tag_created` and `tag` outputs so
   callers can react to whether a new tag was pushed.
 - `expect_step_output` test helper for asserting GitHub Actions step outputs.

README.md

@@ -92,12 +92,13 @@ determine whether a major, minor, or patch version bump is needed.
 
 **Outputs:**
 
-| Name              | Description                                                      |
-| ----------------- | ---------------------------------------------------------------- |
-| `current_version` | Current latest released version (empty if no releases)           |
-| `next_version`    | Suggested next version based on unreleased changes               |
-| `bump_type`       | Type of version bump (`major`/`minor`/`patch`/`initial`, or empty if no changes) |
-| `has_unreleased`  | Whether there are unreleased changes (`true`/`false`)            |
+| Name                 | Description                                                      |
+| -------------------- | ---------------------------------------------------------------- |
+| `current_version`    | Current latest released version (empty if no releases)           |
+| `next_version`       | Suggested next version based on unreleased changes               |
+| `bump_type`          | Type of version bump (`major`/`minor`/`patch`/`initial`, or empty if no changes) |
+| `has_unreleased`     | Whether there are unreleased changes (`true`/`false`)            |
+| `unreleased_changes` | Text content of unreleased changelog entries                     |
 
 **Features:**
 
@@ -107,6 +108,113 @@ determine whether a major, minor, or patch version bump is needed.
 - Returns empty `bump_type` when there are no unreleased changes
 - Follows semantic versioning principles
 
+### get-workflow-ref
+
+Resolves the git ref that a caller used to invoke a reusable workflow by parsing
+the caller's workflow file. Useful for reusable workflows that need to reference
+other resources (actions, scripts, etc.) at the same version they were invoked with.
+
+**Usage:**
+
+```yaml
+jobs:
+  my-job:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: cockroachdb/actions/get-workflow-ref@v1
+        id: ref
+      - run: echo "Workflow was called with ref ${{ steps.ref.outputs.ref }}"
+```
+
+**Outputs:**
+
+| Name  | Description                                                      |
+| ----- | ---------------------------------------------------------------- |
+| `ref` | Git ref used to invoke this workflow (e.g., `v1`, `main`, commit SHA) |
+
+**Features:**
+
+- No API calls or extra permissions needed
+- Works by parsing the caller's workflow file from the event payload
+- Returns the exact ref specified in the workflow call (tag, branch, or SHA)
+
+## Workflows
+
+### version-bump
+
+Reusable workflow that automates version bump pull requests. Checks for unreleased
+changes in CHANGELOG.md, extracts the next version, updates the changelog with the
+release date, optionally runs custom update scripts, and creates a PR from a fork
+to the upstream repository.
+
+**Usage:**
+
+```yaml
+name: Create Version Bump PR
+
+on:
+  workflow_dispatch:
+
+jobs:
+  version-bump:
+    uses: cockroachdb/actions/.github/workflows/version-bump.yml@v1
+    with:
+      fork_owner: my-release-bot
+      fork_repo: my-repo-fork
+      pr_base_branch: main
+      release_date: 2026-03-30
+      git_user_name: my-release-bot
+      git_user_email: my-release-bot@users.noreply.github.com
+      additional_update_script: .github/scripts/update-version.sh  # optional
+    secrets:
+      fork_push_token: ${{ secrets.FORK_PAT }}
+      pr_create_token: ${{ secrets.PR_PAT }}
+```
+
+**Inputs:**
+
+| Name                        | Required | Default | Description                                      |
+| --------------------------- | -------- | ------- | ------------------------------------------------ |
+| `fork_owner`                | Yes      |         | GitHub username or org that owns the fork        |
+| `fork_repo`                 | Yes      |         | Repository name of the fork                      |
+| `pr_base_branch`            | No       | `""`    | Base branch for the PR (defaults to repository default branch) |
+| `additional_update_script`  | No       | `""`    | Optional path to a bash script file to execute during version bump. The `VERSION` environment variable will be available. |
+| `release_date`              | No       | `""`    | Release date in YYYY-MM-DD format (defaults to current date) |
+| `git_user_name`             | No       | `github-actions[bot]` | Git user name for commits |
+| `git_user_email`            | No       | `github-actions[bot]@users.noreply.github.com` | Git user email for commits |
+
+**Secrets:**
+
+| Name               | Required | Description                                      |
+| ------------------ | -------- | ------------------------------------------------ |
+| `fork_push_token`  | Yes      | PAT with push access to the fork                 |
+| `pr_create_token`  | Yes      | PAT with permission to create PRs on the upstream repo |
+
+**Outputs:**
+
+| Name     | Description                                                      |
+| -------- | ---------------------------------------------------------------- |
+| `pr_url` | URL of the created pull request (empty if no unreleased changes) |
+
+**Features:**
+
+- Automatically detects unreleased changes in CHANGELOG.md
+- Determines next version using semver principles
+- Updates CHANGELOG.md with new version and customizable release date (defaults to current date)
+- Supports custom bash scripts for additional version updates (via `additional_update_script` file path)
+- Creates PR from fork to upstream repository
+- Exits gracefully when no unreleased changes exist
+
+**Required fork setup:**
+
+The workflow pushes to a fork rather than creating branches directly on the upstream
+repository.
+
+1. Create a fork of your repository under a service account or bot account
+2. Create a PAT for the fork owner with `repo` scope (for `fork_push_token`)
+3. Create a PAT with permission to create PRs on the upstream repo (for `pr_create_token`)
+4. Store both tokens as secrets in your repository
+
 ## Development
 
 Run all tests locally:

release-version-extract/action.yml

@@ -19,6 +19,9 @@ outputs:
   has_unreleased:
     description: Whether there are unreleased changes (true/false)
     value: ${{ steps.check-unreleased.outputs.has_changes }}
+  unreleased_changes:
+    description: Unreleased changelog entries text
+    value: ${{ steps.unreleased.outputs.changes }}
 
 runs:
   using: composite