From 31abbbfb189f9841a3c110cd934e44836a6cc275 Mon Sep 17 00:00:00 2001 From: Felipe Cotti Date: Thu, 4 Jun 2026 21:29:16 -0300 Subject: [PATCH 1/3] changelog: fetch scrubbed bundle from the CDN for the bundle PR flow Make changelog-bundle-pr.yml fetch-only: instead of regenerating the bundle locally, download the already-uploaded, scrubbed copy from the public CDN and open a PR with it, so the committed file matches what was published to S3 (private references removed). - Add the changelog/bundle-fetch composite action: resolve the plan (output_path + cdn_url), poll the CDN with exponential backoff to absorb scrubbing/CloudFront propagation latency, and upload the bundle artifact. - Split changelog-bundle-pr.yml into a read-only fetch job and a write create-pr job. - bundle-pr: make the artifact source description action-agnostic. - Document CDN entry sourcing (bundle.use_local_changelogs) and the fetch-only PR flow in the changelog READMEs. Requires the matching docs-builder change (cdn_url plan output + entry registry); the fetch action fails clearly until that ships to edge. Co-authored-by: Cursor --- .github/workflows/changelog-bundle-pr.yml | 10 +- changelog/README.md | 31 ++- changelog/bundle-create/README.md | 8 +- changelog/bundle-fetch/README.md | 51 +++++ changelog/bundle-fetch/action.yml | 254 ++++++++++++++++++++++ changelog/bundle-pr/README.md | 12 +- changelog/bundle-pr/action.yml | 4 +- 7 files changed, 351 insertions(+), 19 deletions(-) create mode 100644 changelog/bundle-fetch/README.md create mode 100644 changelog/bundle-fetch/action.yml diff --git a/.github/workflows/changelog-bundle-pr.yml b/.github/workflows/changelog-bundle-pr.yml index 73a4e39..4d8b51b 100644 --- a/.github/workflows/changelog-bundle-pr.yml +++ b/.github/workflows/changelog-bundle-pr.yml @@ -60,7 +60,7 @@ concurrency: cancel-in-progress: false jobs: - generate: + fetch: runs-on: ubuntu-latest permissions: contents: read @@ -68,8 +68,10 @@ jobs: outputs: output: ${{ steps.bundle.outputs.output }} steps: + # Resolve the plan and download the already generated and scrubbed bundle from the public CDN + # (it must have been uploaded first by the changelog-bundle workflow). No regeneration, no S3 auth. - id: bundle - uses: elastic/docs-actions/changelog/bundle-create@v1 + uses: elastic/docs-actions/changelog/bundle-fetch@v1 with: config: ${{ inputs.config }} profile: ${{ inputs.profile }} @@ -84,7 +86,7 @@ jobs: github-token: ${{ github.token }} create-pr: - needs: generate + needs: fetch runs-on: ubuntu-latest permissions: contents: write @@ -92,6 +94,6 @@ jobs: steps: - uses: elastic/docs-actions/changelog/bundle-pr@v1 with: - output: ${{ needs.generate.outputs.output }} + output: ${{ needs.fetch.outputs.output }} base-branch: ${{ inputs.base-branch }} github-token: ${{ github.token }} diff --git a/changelog/README.md b/changelog/README.md index 182e671..59ae41b 100644 --- a/changelog/README.md +++ b/changelog/README.md @@ -267,10 +267,25 @@ Individual changelog files accumulate on the default branch as PRs merge. The bu Two reusable workflows are available: - **`changelog-bundle.yml`** (primary) — generates a bundle and uploads it to S3. Used for release-triggered workflows. -- **`changelog-bundle-pr.yml`** (opt-in) — generates a bundle and opens a pull request. Used for teams that need a committed bundle before a tag exists. +- **`changelog-bundle-pr.yml`** (opt-in) — fetches the already-uploaded, scrubbed bundle from the public CDN and opens a pull request. Used for teams that need a committed bundle in the repository. It does **not** regenerate the bundle, so `changelog-bundle.yml` must have uploaded it first. The bundle always includes the full content of each matching entry, so downstream consumers can render changelogs without access to the original files. +### Where bundle entries come from + +By default, the bundle command sources the individual changelog entries from the **public CDN**, scoped to the bundle's product(s), rather than from the local `bundle.directory`. This means a bundle reflects the same sanitized entries that have been published to S3, and a repository can produce a bundle without keeping every entry file checked out locally. + +CDN sourcing requires a resolvable product (from a profile's `products`/`output_products`, or `--input-products`) so the per-product registry (`{product}/changelog/registry.json`) can be located. When no product can be resolved (e.g. an option-mode PR/issue-only filter), the command automatically falls back to local sourcing. + +To always source entries from the local `bundle.directory` instead, set `use_local_changelogs: true` in the `bundle` section of your `docs/changelog.yml`. Passing an explicit `--directory`/`output` also forces local sourcing. + +```yaml +bundle: + directory: docs/changelog + output_directory: docs/releases + use_local_changelogs: true # opt out of CDN sourcing; use local entry files +``` + ### Prerequisites Your `docs/changelog.yml` must include a `bundle` section so docs-builder knows where to find changelog files. Setting `bundle.repo` and `bundle.owner` ensures PR and issue links are generated correctly in the bundle output. @@ -435,7 +450,9 @@ The primary workflow (`changelog-bundle.yml`) uploads the bundle to the `elastic ### Bundle PR workflow (opt-in) -For teams that need a committed bundle file before a tag exists (e.g. feature-freeze branches), use the PR workflow instead. This generates the bundle and opens a pull request. +For teams that need the bundle committed into the repository, use the PR workflow. Unlike the primary workflow, it does **not** generate the bundle: it downloads the already-uploaded, scrubbed copy from the public CDN and opens a pull request with it. This guarantees the committed file matches what was published to S3 (private references removed), rather than a freshly-regenerated local copy. + +Because it is fetch-only, `changelog-bundle.yml` must have run and uploaded the bundle first. The fetch step polls the CDN with exponential backoff (up to ~10 minutes) to absorb scrubbing and CloudFront propagation latency, failing the job if the bundle never appears. **`.github/workflows/changelog-bundle-pr.yml`** @@ -452,17 +469,19 @@ on: permissions: {} jobs: - bundle: + bundle-pr: permissions: contents: write # commit the bundle file and push the branch pull-requests: write # open or update the bundle PR - packages: read # pull the docs-builder image from GHCR + packages: read # pull the docs-builder image from GHCR (plan step) uses: elastic/docs-actions/.github/workflows/changelog-bundle-pr.yml@v1 with: profile: my-release version: ${{ inputs.version }} ``` -The PR workflow opens a pull request on a branch named `changelog-bundle/` (e.g. `changelog-bundle/v9.2.0`). If a PR already exists for that branch, the bundle is updated in place. If the generated bundle is identical to what's already in the repository, no commit or PR is created. +The PR workflow opens a pull request on a branch named `changelog-bundle/` (e.g. `changelog-bundle/v9.2.0`). If a PR already exists for that branch, the bundle is updated in place. If the fetched bundle is identical to what's already in the repository, no commit or PR is created. + +> **Note:** Locating the bundle on the CDN requires a resolvable product, so the PR workflow only supports profile (or product-scoped option) mode — the same constraint as CDN entry sourcing above. PR/issue-only filters that resolve no product cannot be fetched from the CDN. -> **Note:** The PR workflow does not upload to S3. If you need both S3 upload and a PR, run both workflows or use the composite actions (`bundle-create`, `bundle-upload`, `bundle-pr`) directly. +> **Note:** The PR workflow does not upload to S3; it consumes what `changelog-bundle.yml` already uploaded. If you need both S3 upload and a PR, run the primary workflow first, then this one. To compose the steps yourself, use the composite actions (`bundle-fetch` then `bundle-pr`) directly. diff --git a/changelog/bundle-create/README.md b/changelog/bundle-create/README.md index 0fe5613..fd673b1 100644 --- a/changelog/bundle-create/README.md +++ b/changelog/bundle-create/README.md @@ -4,9 +4,15 @@ Checks out the repository, runs docs-builder in Docker to generate a fully-resol ## Modes -- **`bundle`** (default) — runs `docs-builder changelog bundle` with profile or option-based filtering. Requires changelogs to already exist in the repository. +- **`bundle`** (default) — runs `docs-builder changelog bundle` with profile or option-based filtering. - **`gh-release`** — runs `docs-builder changelog gh-release` to create changelogs directly from a GitHub release's notes. Requires `repo` and optionally `version` (defaults to `latest`). +## Entry sourcing + +In `bundle` mode, the individual changelog entries are sourced from the **public CDN** by default (scoped to the bundle's product), so the local entry files don't need to be checked out. The Docker run enables network access only when the `--plan` step reports `needs_network: true`; otherwise it runs with `--network none`. + +CDN sourcing requires a resolvable product. When none can be resolved (e.g. an option-mode PR/issue-only filter) the command falls back to the local `bundle.directory`, which must then contain the entries. To force local sourcing, set `use_local_changelogs: true` in `changelog.yml` or pass an explicit `output` path. + ## Inputs | Name | Description | Required | Default | diff --git a/changelog/bundle-fetch/README.md b/changelog/bundle-fetch/README.md new file mode 100644 index 0000000..e2d9330 --- /dev/null +++ b/changelog/bundle-fetch/README.md @@ -0,0 +1,51 @@ + +# Changelog bundle fetch + +Resolves the bundle plan with docs-builder, then downloads the already generated and scrubbed bundle from the public CDN (rather than regenerating it locally) and uploads it as an artifact for the bundle-pr action. Polls the CDN with exponential backoff to absorb scrubbing/CloudFront propagation latency. The bundle must already have been uploaded by the changelog-bundle workflow; this action never contacts the private S3 bucket. + + +This action is the read-only first half of the `changelog-bundle-pr` workflow: it fetches the +sanitized bundle that the `changelog-bundle` workflow previously uploaded to S3 (and the scrubber +Lambda mirrored to the public CDN), so the resulting PR carries the scrubbed copy rather than a raw, +locally-generated one. Pair it with [`bundle-pr`](../bundle-pr) which opens the pull request. + +Fetching from the CDN requires a resolvable product to scope the URL (`{base}/{product}/bundle/{file}`), +so use a profile with `products`/`output_products`. PR/issue-only option-mode bundles cannot be located +on the CDN — use the [`changelog-bundle`](../README.md) workflow for those. + +## Inputs + +| Name | Description | Required | Default | +|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------------------| +| `config` | Path to changelog.yml configuration file | `false` | `docs/changelog.yml` | +| `profile` | Bundle profile name from bundle.profiles in changelog.yml. Mutually exclusive with release-version and prs.
| `false` | ` ` | +| `version` | Version string for profile mode (e.g. 9.2.0, 2026-03). Used for {version} substitution in profile patterns.
| `false` | ` ` | +| `release-version` | GitHub release tag used as the PR filter source (e.g. v9.2.0). Mutually exclusive with profile, report, and prs.
| `false` | ` ` | +| `report` | Buildkite promotion report URL or local file path used as the PR filter source. Local paths must be relative to the repo root.
| `false` | ` ` | +| `prs` | Comma-separated PR URLs or numbers, or a path to a newline-delimited file. Mutually exclusive with profile, release-version, and report.
| `false` | ` ` | +| `output` | Output file path for the bundle, relative to the repo root. Optional; when omitted the path is resolved from the config (bundle.output_directory) by the plan.
| `false` | ` ` | +| `repo` | GitHub repository name. Falls back to bundle.repo in changelog.yml. | `false` | ` ` | +| `owner` | GitHub repository owner. Falls back to bundle.owner in changelog.yml, then elastic. | `false` | ` ` | +| `docs-builder-version` | docs-builder version to use (e.g. 0.1.100, latest, edge). Non-edge versions are attestation-verified by the setup action.
| `false` | `edge` | +| `artifact-name` | Name for the uploaded artifact (must match bundle-pr artifact-name) | `false` | `changelog-bundle` | +| `cdn-base-url` | Override the public changelog CDN base URL (for staging/testing). When set, it is passed to docs-builder via DOCS_BUILDER_CHANGELOG_CDN so the resolved cdn_url and the poll target stay in sync. Must be an absolute HTTPS URL.
| `false` | ` ` | +| `github-token` | GitHub token (used by docs-builder setup). | `false` | `${{ github.token }}` | + + +## Outputs + +| Name | Description | +|----------|----------------------------------------------------------| +| `output` | Resolved output file path for the bundle (repo-relative) | + + +## Usage + +```yaml +steps: + - uses: elastic/docs-actions/changelog/bundle-fetch@v1 + with: + profile: elasticsearch-release + version: 9.2.0 +``` + diff --git a/changelog/bundle-fetch/action.yml b/changelog/bundle-fetch/action.yml new file mode 100644 index 0000000..006c189 --- /dev/null +++ b/changelog/bundle-fetch/action.yml @@ -0,0 +1,254 @@ +name: Changelog bundle fetch +description: > + Resolves the bundle plan with docs-builder, then downloads the already + generated and scrubbed bundle from the public CDN (rather than regenerating + it locally) and uploads it as an artifact for the bundle-pr action. Polls the + CDN with exponential backoff to absorb scrubbing/CloudFront propagation + latency. The bundle must already have been uploaded by the changelog-bundle + workflow; this action never contacts the private S3 bucket. + +inputs: + config: + description: 'Path to changelog.yml configuration file' + default: 'docs/changelog.yml' + profile: + description: > + Bundle profile name from bundle.profiles in changelog.yml. + Mutually exclusive with release-version and prs. + version: + description: > + Version string for profile mode (e.g. 9.2.0, 2026-03). + Used for {version} substitution in profile patterns. + release-version: + description: > + GitHub release tag used as the PR filter source (e.g. v9.2.0). + Mutually exclusive with profile, report, and prs. + report: + description: > + Buildkite promotion report URL or local file path used as the + PR filter source. Local paths must be relative to the repo root. + prs: + description: > + Comma-separated PR URLs or numbers, or a path to a newline-delimited file. + Mutually exclusive with profile, release-version, and report. + output: + description: > + Output file path for the bundle, relative to the repo root. Optional; + when omitted the path is resolved from the config (bundle.output_directory) + by the plan. + repo: + description: 'GitHub repository name. Falls back to bundle.repo in changelog.yml.' + owner: + description: 'GitHub repository owner. Falls back to bundle.owner in changelog.yml, then elastic.' + docs-builder-version: + description: > + docs-builder version to use (e.g. 0.1.100, latest, edge). + Non-edge versions are attestation-verified by the setup action. + default: 'edge' + artifact-name: + description: 'Name for the uploaded artifact (must match bundle-pr artifact-name)' + default: 'changelog-bundle' + cdn-base-url: + description: > + Override the public changelog CDN base URL (for staging/testing). When set, + it is passed to docs-builder via DOCS_BUILDER_CHANGELOG_CDN so the resolved + cdn_url and the poll target stay in sync. Must be an absolute HTTPS URL. + default: '' + github-token: + description: 'GitHub token (used by docs-builder setup).' + default: '${{ github.token }}' + +outputs: + output: + description: 'Resolved output file path for the bundle (repo-relative)' + value: ${{ steps.plan.outputs.output_path }} + +runs: + using: composite + steps: + - name: Validate inputs + shell: bash + env: + CONFIG: ${{ inputs.config }} + PROFILE: ${{ inputs.profile }} + VERSION: ${{ inputs.version }} + RELEASE_VERSION: ${{ inputs.release-version }} + OUTPUT: ${{ inputs.output }} + REPORT: ${{ inputs.report }} + PRS: ${{ inputs.prs }} + REPO: ${{ inputs.repo }} + OWNER: ${{ inputs.owner }} + ARTIFACT_NAME: ${{ inputs.artifact-name }} + CDN_BASE_URL: ${{ inputs.cdn-base-url }} + run: | + validate_path() { + local value="$1" name="$2" + [ -z "$value" ] && return + if [[ "$value" == /* ]]; then + echo "::error::${name} must be a relative path: ${value}"; exit 1 + fi + if [[ "$value" == *..* ]]; then + echo "::error::${name} must not contain '..': ${value}"; exit 1 + fi + if [[ "$value" == *$'\n'* || "$value" == *$'\r'* ]]; then + echo "::error::${name} must not contain newlines"; exit 1 + fi + } + + validate_identifier() { + local value="$1" name="$2" pattern="$3" + [ -z "$value" ] && return + if [[ ! "$value" =~ $pattern ]]; then + echo "::error::${name} contains disallowed characters: ${value}"; exit 1 + fi + } + + validate_path "$CONFIG" "config" + validate_path "$OUTPUT" "output" + + if [ -n "$REPORT" ] && [[ "$REPORT" != https://* ]] && [[ "$REPORT" != http://* ]]; then + validate_path "$REPORT" "report" + fi + if [ -n "$PRS" ] && { [[ "$PRS" == */* ]] || [[ "$PRS" == *.txt ]]; }; then + validate_path "$PRS" "prs" + fi + + validate_identifier "$PROFILE" "profile" '^[a-zA-Z0-9._-]+$' + validate_identifier "$VERSION" "version" '^[a-zA-Z0-9._+-]+$' + validate_identifier "$RELEASE_VERSION" "release-version" '^[a-zA-Z0-9._+-]+$' + validate_identifier "$REPO" "repo" '^[a-zA-Z0-9._-]+$' + validate_identifier "$OWNER" "owner" '^[a-zA-Z0-9._-]+$' + validate_identifier "$ARTIFACT_NAME" "artifact-name" '^[a-zA-Z0-9._-]+$' + + if [ -n "$REPORT" ] && [[ "$REPORT" == http://* ]]; then + echo "::error::Report URL must use HTTPS: ${REPORT}"; exit 1 + fi + if [ -n "$CDN_BASE_URL" ] && [[ "$CDN_BASE_URL" != https://* ]]; then + echo "::error::cdn-base-url must be an absolute HTTPS URL: ${CDN_BASE_URL}"; exit 1 + fi + + - name: Checkout + uses: actions/checkout@v6 + with: + persist-credentials: false + + - name: Setup docs-builder + uses: elastic/docs-actions/docs-builder/setup@v1 + with: + version: ${{ inputs.docs-builder-version }} + github-token: ${{ inputs.github-token }} + + - name: Resolve bundle plan + id: plan + shell: bash + env: + CONFIG: ${{ inputs.config }} + PROFILE: ${{ inputs.profile }} + VERSION: ${{ inputs.version }} + RELEASE_VERSION: ${{ inputs.release-version }} + REPORT: ${{ inputs.report }} + PRS: ${{ inputs.prs }} + OUTPUT: ${{ inputs.output }} + REPO: ${{ inputs.repo }} + OWNER: ${{ inputs.owner }} + DOCS_BUILDER_CHANGELOG_CDN: ${{ inputs.cdn-base-url }} + run: | + ARGS=() + ARGS+=(changelog bundle --plan) + if [ -n "$PROFILE" ]; then + ARGS+=("$PROFILE") + [ -n "$VERSION" ] && ARGS+=("$VERSION") + [ -n "$REPORT" ] && ARGS+=("$REPORT") + else + ARGS+=(--config "$CONFIG" --resolve) + [ -n "$RELEASE_VERSION" ] && ARGS+=(--release-version "$RELEASE_VERSION") + [ -n "$REPORT" ] && ARGS+=(--report "$REPORT") + [ -n "$PRS" ] && ARGS+=(--prs "$PRS") + [ -n "$OUTPUT" ] && ARGS+=(--output "$OUTPUT") + [ -n "$REPO" ] && ARGS+=(--repo "$REPO") + [ -n "$OWNER" ] && ARGS+=(--owner "$OWNER") + fi + + docs-builder "${ARGS[@]}" + + - name: Verify plan output + shell: bash + env: + OUTPUT_PATH: ${{ steps.plan.outputs.output_path }} + CDN_URL: ${{ steps.plan.outputs.cdn_url }} + run: | + if [ -z "$OUTPUT_PATH" ]; then + echo "::error::Plan did not resolve an output path. Set 'output' or configure bundle.output_directory in changelog.yml." + exit 1 + fi + if [ -z "$CDN_URL" ]; then + echo "::error::Plan did not resolve a CDN URL. Fetching the scrubbed bundle from the CDN requires a resolvable product (use a profile with products/output_products). For PR/issue-only option-mode bundles, use the changelog-bundle workflow instead." + exit 1 + fi + # The bundle file committed to the repo must live inside it. + if [[ "$OUTPUT_PATH" == /* || "$OUTPUT_PATH" == *..* ]]; then + echo "::error::Resolved output path must be a relative in-repo path: ${OUTPUT_PATH}" + exit 1 + fi + if [[ "$CDN_URL" != https://* ]]; then + echo "::error::Resolved CDN URL must be HTTPS: ${CDN_URL}" + exit 1 + fi + + - name: Fetch scrubbed bundle from CDN + shell: bash + env: + OUTPUT_PATH: ${{ steps.plan.outputs.output_path }} + CDN_URL: ${{ steps.plan.outputs.cdn_url }} + run: | + # Poll the public CDN until the scrubbed bundle is available. The scrubber Lambda + CloudFront + # propagation can lag the upload by tens of seconds, and CloudFront may briefly negative-cache a + # 404, so we retry with exponential backoff (5s -> 60s cap) for up to 10 minutes and bust the + # cache on each attempt. + mkdir -p "$(dirname "$OUTPUT_PATH")" + DEST="$OUTPUT_PATH" + + MAX_TOTAL=600 + DELAY=5 + ELAPSED=0 + ATTEMPT=0 + + while :; do + ATTEMPT=$((ATTEMPT + 1)) + CACHE_BUSTER="cb=$(date +%s%N)" + if [[ "$CDN_URL" == *\?* ]]; then + POLL_URL="${CDN_URL}&${CACHE_BUSTER}" + else + POLL_URL="${CDN_URL}?${CACHE_BUSTER}" + fi + + HTTP_CODE=$(curl --silent --show-error --location --max-redirs 3 --max-time 30 \ + -H 'Cache-Control: no-cache' \ + -o "$DEST" -w '%{http_code}' "$POLL_URL") || HTTP_CODE="000" + + if [ "$HTTP_CODE" = "200" ] && [ -s "$DEST" ]; then + echo "::notice title=Bundle fetched::Downloaded scrubbed bundle from CDN after ${ATTEMPT} attempt(s) (${ELAPSED}s)" + break + fi + + rm -f "$DEST" + + if [ "$ELAPSED" -ge "$MAX_TOTAL" ]; then + echo "::error::Timed out after ${ELAPSED}s waiting for the scrubbed bundle at ${CDN_URL} (last HTTP ${HTTP_CODE}). Ensure the changelog-bundle workflow uploaded it first." + exit 1 + fi + + echo "Attempt ${ATTEMPT}: bundle not ready (HTTP ${HTTP_CODE}); retrying in ${DELAY}s (elapsed ${ELAPSED}s)" + sleep "$DELAY" + ELAPSED=$((ELAPSED + DELAY)) + DELAY=$((DELAY * 2)) + [ "$DELAY" -gt 60 ] && DELAY=60 + done + + - name: Upload bundle artifact + uses: actions/upload-artifact@v7 + with: + name: ${{ inputs.artifact-name }} + path: ${{ steps.plan.outputs.output_path }} + if-no-files-found: error + retention-days: 1 diff --git a/changelog/bundle-pr/README.md b/changelog/bundle-pr/README.md index 8ec07da..e2adb81 100644 --- a/changelog/bundle-pr/README.md +++ b/changelog/bundle-pr/README.md @@ -6,12 +6,12 @@ Downloads a changelog bundle artifact and opens a pull request to add it to the ## Inputs -| Name | Description | Required | Default | -|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------------------| -| `output` | Output file path for the bundle, relative to the repo root (e.g. docs/releases/v9.2.0.yaml). Must match the path used by the bundle-create action.
| `true` | ` ` | -| `base-branch` | Base branch for the pull request (defaults to repository default branch) | `false` | ` ` | -| `artifact-name` | Name of the artifact uploaded by bundle-create | `false` | `changelog-bundle` | -| `github-token` | GitHub token with contents:write and pull-requests:write permissions | `false` | `${{ github.token }}` | +| Name | Description | Required | Default | +|-----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------------------| +| `output` | Output file path for the bundle, relative to the repo root (e.g. docs/releases/v9.2.0.yaml). Must match the path used by the bundle-create or bundle-fetch action.
| `true` | ` ` | +| `base-branch` | Base branch for the pull request (defaults to repository default branch) | `false` | ` ` | +| `artifact-name` | Name of the artifact uploaded by bundle-create or bundle-fetch | `false` | `changelog-bundle` | +| `github-token` | GitHub token with contents:write and pull-requests:write permissions | `false` | `${{ github.token }}` | ## Outputs diff --git a/changelog/bundle-pr/action.yml b/changelog/bundle-pr/action.yml index b3fed5f..32b1cf6 100644 --- a/changelog/bundle-pr/action.yml +++ b/changelog/bundle-pr/action.yml @@ -9,13 +9,13 @@ inputs: description: > Output file path for the bundle, relative to the repo root (e.g. docs/releases/v9.2.0.yaml). Must match the path used - by the bundle-create action. + by the bundle-create or bundle-fetch action. required: true base-branch: description: 'Base branch for the pull request (defaults to repository default branch)' default: '' artifact-name: - description: 'Name of the artifact uploaded by bundle-create' + description: 'Name of the artifact uploaded by bundle-create or bundle-fetch' default: 'changelog-bundle' github-token: description: 'GitHub token with contents:write and pull-requests:write permissions' From 46b0619e0cf4e16142eeaf79149b317c69184ca0 Mon Sep 17 00:00:00 2001 From: Felipe Cotti Date: Thu, 4 Jun 2026 21:37:51 -0300 Subject: [PATCH 2/3] docs: front-load bundling README with delivery/selection decision tables Make it easier to pick how to create a bundle: open the section with two choices (how the bundle is delivered, how its entries are selected) as scannable tables that link to the matching recipe, instead of inferring them from prose. Co-authored-by: Cursor --- changelog/README.md | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/changelog/README.md b/changelog/README.md index 59ae41b..c88d08f 100644 --- a/changelog/README.md +++ b/changelog/README.md @@ -262,14 +262,33 @@ The entry is always regenerated from the *current* PR state at merge time, so an ## Bundling changelogs -Individual changelog files accumulate on the default branch as PRs merge. The bundle action generates a fully-resolved YAML file containing only the changelog entries that match a given filter, then uploads it to the `elastic-docs-v3-changelog-bundles` S3 bucket. +As PRs merge, individual changelog entries pile up on your default branch (and, once uploaded, in S3). A **bundle** is a single, fully-resolved YAML file that collects the entries matching a filter — a release version, a promotion report, or an explicit list of PRs — with each entry's full content inlined. Downstream tooling renders a release changelog from the bundle alone, without needing the original entry files. -Two reusable workflows are available: +Setting up bundling comes down to two choices: **how the bundle is delivered** and **how its entries are selected**. Pick one row from each table below, then follow the matching recipe. -- **`changelog-bundle.yml`** (primary) — generates a bundle and uploads it to S3. Used for release-triggered workflows. -- **`changelog-bundle-pr.yml`** (opt-in) — fetches the already-uploaded, scrubbed bundle from the public CDN and opens a pull request. Used for teams that need a committed bundle in the repository. It does **not** regenerate the bundle, so `changelog-bundle.yml` must have uploaded it first. +### 1. Choose how the bundle is delivered -The bundle always includes the full content of each matching entry, so downstream consumers can render changelogs without access to the original files. +| Your goal | Workflow | What you get | +| --- | --- | --- | +| Make the bundle available to docs rendering | [`changelog-bundle.yml`](#setup-1) | Uploads the bundle to S3 (`{product}/bundle/{file}`) | +| Commit the bundle into your repository | [`changelog-bundle-pr.yml`](#bundle-pr-workflow-opt-in) | Opens a PR with the scrubbed bundle fetched from the CDN | +| Both | run `changelog-bundle.yml`, then `changelog-bundle-pr.yml` | Upload first, then open the PR | + +The PR workflow is **fetch-only**: it downloads the already-uploaded, scrubbed bundle instead of regenerating it, so the committed file is exactly what was published (private references removed). It therefore requires `changelog-bundle.yml` to have uploaded the bundle first. + +### 2. Choose how entries are selected + +Pick exactly one — `profile`, `release-version`, `report`, and `prs` are mutually exclusive. + +| Situation | Mode | Key inputs | +| --- | --- | --- | +| You accumulate entry files and tag releases (most teams) | **Profile** _(recommended)_ | `profile` + `version` | +| You build changelogs from a GitHub release's notes rather than entry files | **gh-release** | `mode: gh-release` + `repo` + `version` | +| You want everything in a given release tag | **Option** | `release-version` (+ `output`) | +| You want everything in a Buildkite promotion report | **Option** | `report` (+ `output`) | +| You want a specific set of PRs | **Option** | `prs` (+ `output`) | + +Each mode has a complete, copy-pasteable workflow file under [Setup](#setup-1). ### Where bundle entries come from @@ -302,6 +321,8 @@ Your repository must also be listed in the `elastic-docs-v3-changelog-bundles` i ### Setup +Each recipe below is a complete `changelog-bundle.yml` caller for one selection mode (S3-upload delivery). To also commit the bundle to your repo, add the [Bundle PR workflow](#bundle-pr-workflow-opt-in) afterwards. + #### Profile-based bundling with S3 upload (`on: release`) The recommended setup for stack and product releases. The caller triggers on `release`, passes a profile and version, and the bundle is uploaded to S3 automatically. From d3bcd7c624079a6bc8a8d2e626e4bcef30963e74 Mon Sep 17 00:00:00 2001 From: Felipe Cotti Date: Thu, 4 Jun 2026 21:43:55 -0300 Subject: [PATCH 3/3] Fix pre-commit --- .github/aw/actions-lock.json | 5 +++++ .github/workflows/gh-aw-docs-applies-to-sweep.lock.yml | 6 +++--- .github/workflows/gh-aw-docs-coherence-sweep.lock.yml | 6 +++--- .github/workflows/gh-aw-docs-frontmatter-sweep.lock.yml | 6 +++--- .github/workflows/gh-aw-docs-openings-sweep.lock.yml | 6 +++--- .github/workflows/gh-aw-docs-staleness-sweep.lock.yml | 6 +++--- .github/workflows/gh-aw-docs-style-sweep.lock.yml | 6 +++--- .github/workflows/gh-aw-docs-typos-sweep.lock.yml | 6 +++--- 8 files changed, 26 insertions(+), 21 deletions(-) diff --git a/.github/aw/actions-lock.json b/.github/aw/actions-lock.json index 82e4910..91373f4 100644 --- a/.github/aw/actions-lock.json +++ b/.github/aw/actions-lock.json @@ -10,6 +10,11 @@ "version": "v5.0.5", "sha": "27d5ce7f107fe9357f9df03efb73ab90386fccae" }, + "actions/checkout@v6": { + "repo": "actions/checkout", + "version": "v6", + "sha": "df4cb1c069e1874edd31b4311f1884172cec0e10" + }, "actions/checkout@v6.0.2": { "repo": "actions/checkout", "version": "v6.0.2", diff --git a/.github/workflows/gh-aw-docs-applies-to-sweep.lock.yml b/.github/workflows/gh-aw-docs-applies-to-sweep.lock.yml index 899750b..48d27c9 100644 --- a/.github/workflows/gh-aw-docs-applies-to-sweep.lock.yml +++ b/.github/workflows/gh-aw-docs-applies-to-sweep.lock.yml @@ -1,5 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"0fed7cba1098883ebd07c37ad7926ab3adc379e9f9577fcbf70a99c024c5a5a5","compiler_version":"v0.75.0","agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -43,7 +43,7 @@ # # Custom actions used: # - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 -# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) +# - actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -628,7 +628,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Checkout source docs repo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 30 persist-credentials: false diff --git a/.github/workflows/gh-aw-docs-coherence-sweep.lock.yml b/.github/workflows/gh-aw-docs-coherence-sweep.lock.yml index 4c257ec..e3ae6ed 100644 --- a/.github/workflows/gh-aw-docs-coherence-sweep.lock.yml +++ b/.github/workflows/gh-aw-docs-coherence-sweep.lock.yml @@ -1,5 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"da184731259d4126ad359ba043c1c4730c4ef2437f3364fe0336575e32c82368","compiler_version":"v0.75.0","agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -44,7 +44,7 @@ # # Custom actions used: # - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 -# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) +# - actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -643,7 +643,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Checkout source docs repo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 30 persist-credentials: false diff --git a/.github/workflows/gh-aw-docs-frontmatter-sweep.lock.yml b/.github/workflows/gh-aw-docs-frontmatter-sweep.lock.yml index 125f908..748c5d1 100644 --- a/.github/workflows/gh-aw-docs-frontmatter-sweep.lock.yml +++ b/.github/workflows/gh-aw-docs-frontmatter-sweep.lock.yml @@ -1,5 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"0092af990d55dc70c7e1d94ccbd243fefa27c2f8e2be5042f7659897b24b6c31","compiler_version":"v0.75.0","agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -44,7 +44,7 @@ # # Custom actions used: # - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 -# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) +# - actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -631,7 +631,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Checkout source docs repo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 30 persist-credentials: false diff --git a/.github/workflows/gh-aw-docs-openings-sweep.lock.yml b/.github/workflows/gh-aw-docs-openings-sweep.lock.yml index 2499bb2..cf9a7de 100644 --- a/.github/workflows/gh-aw-docs-openings-sweep.lock.yml +++ b/.github/workflows/gh-aw-docs-openings-sweep.lock.yml @@ -1,5 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"6f92b7dd643845ebdd84409b45c39f5eba3493453cabd41e9fe06738576586d8","compiler_version":"v0.75.0","agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -43,7 +43,7 @@ # # Custom actions used: # - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 -# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) +# - actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -639,7 +639,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Checkout source docs repo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 30 persist-credentials: false diff --git a/.github/workflows/gh-aw-docs-staleness-sweep.lock.yml b/.github/workflows/gh-aw-docs-staleness-sweep.lock.yml index 1ad4cc3..0777e4f 100644 --- a/.github/workflows/gh-aw-docs-staleness-sweep.lock.yml +++ b/.github/workflows/gh-aw-docs-staleness-sweep.lock.yml @@ -1,5 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"83730e892c4686ac69269d501b9fd18336ef3252ddd9da9245805b0dfcf2b865","compiler_version":"v0.75.0","agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -44,7 +44,7 @@ # # Custom actions used: # - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 -# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) +# - actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -650,7 +650,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Checkout source docs repo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 persist-credentials: false diff --git a/.github/workflows/gh-aw-docs-style-sweep.lock.yml b/.github/workflows/gh-aw-docs-style-sweep.lock.yml index ce2c2bc..a1c3ef6 100644 --- a/.github/workflows/gh-aw-docs-style-sweep.lock.yml +++ b/.github/workflows/gh-aw-docs-style-sweep.lock.yml @@ -1,5 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"3a87b6e135615b0fde1701690ded47f089dd65413730cf7dc8118c04758314d0","compiler_version":"v0.75.0","agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -43,7 +43,7 @@ # # Custom actions used: # - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 -# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) +# - actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -631,7 +631,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Checkout source docs repo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 30 persist-credentials: false diff --git a/.github/workflows/gh-aw-docs-typos-sweep.lock.yml b/.github/workflows/gh-aw-docs-typos-sweep.lock.yml index c79391c..5d23879 100644 --- a/.github/workflows/gh-aw-docs-typos-sweep.lock.yml +++ b/.github/workflows/gh-aw-docs-typos-sweep.lock.yml @@ -1,5 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"3be42550899dd610111872c641e30947ba676b126cb692bf2bdb7d8e0ce5cf12","compiler_version":"v0.75.0","agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/setup-python","sha":"a309ff8b426b58ec0e2a45f0f869d46889d02405","version":"v6.2.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"f889c9c3c06adeaabccefc06e29c42733ee05dff","version":"v0.75.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.51"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.17"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -42,7 +42,7 @@ # # Custom actions used: # - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 -# - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) +# - actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 # - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 # - actions/github-script@373c709c69115d41ff229c7e5df9f8788daa9553 # v9 # - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -593,7 +593,7 @@ jobs: env: GH_TOKEN: ${{ github.token }} - name: Checkout source docs repo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (source v6) + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 1 persist-credentials: false