chore(release): scope per-package CHANGELOG via GIT_CHANGELOG_PATH#116
Merged
Conversation
- Bump `@oorabona/release-it-preset` 0.9.0 → 0.11.0 to enable `GIT_CHANGELOG_PATH` environment variable for scoping `git log` to package subtrees in `release.yml` workspace-bump step. - Each package's CHANGELOG now contains only commits whose diffs touched that package's directory, preventing unrelated commits from polluting per-package release notes. - Remove dormant changesets pipeline: `.changeset/` directory, `@changesets/cli` and `@changesets/changelog-github` devDeps, and `changesets.yml` workflow that had been opening unused "Version Packages" PRs. - Clean up TODO.md entries for completed cleanup work.
There was a problem hiding this comment.
Pull request overview
This PR updates the repo’s release automation so workspace-package releases (tar-xz, nxz-cli) generate CHANGELOG entries scoped to commits that touched only that package’s subtree, and removes the dormant Changesets-based versioning pipeline.
Changes:
- Bump
@oorabona/release-it-presetto^0.11.0(introducesGIT_CHANGELOG_PATHscoping support). - Set
GIT_CHANGELOG_PATH=.in the workspace-package release step aftercd "$PKG_DIR"to scopegit logto the package subtree. - Remove the unused Changesets workflow and
.changeset/artifacts, and drop@changesets/*devDependencies (lockfile pruned accordingly).
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| pnpm-lock.yaml | Removes Changesets dependency graph; updates @oorabona/release-it-preset lock entry. |
| package.json | Drops Changesets devDeps; bumps @oorabona/release-it-preset version range. |
| TODO.md | Updates release backlog notes to reflect the new CHANGELOG scoping work and follow-ups. |
| .github/workflows/release.yml | Exports GIT_CHANGELOG_PATH=. for workspace package releases to scope changelog generation. |
| .github/workflows/changesets.yml | Deletes unused Changesets “Version Packages” workflow. |
| .changeset/config.json | Deletes Changesets configuration (pipeline removal). |
| .changeset/README.md | Deletes Changesets folder documentation (pipeline removal). |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "@changesets/changelog-github": "^0.6.0", | ||
| "@changesets/cli": "^2.31.0", | ||
| "@oorabona/release-it-preset": "^0.9.0", | ||
| "@oorabona/release-it-preset": "^0.11.0", |
Comment on lines
+505
to
+509
| resolution: {integrity: sha512-2fEd4v0rGX7VBhOZ7gnrDk7NUxa2XOeo9hU11vlZR/hVt5iuK+nQYdsnKv1kYTtTI12KL9kLm6cleoaK0hGXMQ==} | ||
| engines: {node: '>=18.0.0'} | ||
| hasBin: true | ||
| peerDependencies: | ||
| release-it: ^19.0.0 | ||
| release-it: ^20.0.0 |
| _None_ | ||
| - [ ] 🟡 [Release] **#25 — Per-package CHANGELOG scoping (release-it)** (2026-04-29). Pollution observed in `packages/tar-xz/CHANGELOG.md` v6.1.0: node-liblzma commits leak (#111 wasm, #112 native), ~30 Dependabot lockfile refreshes, repo-wide CI tweaks, commit-body fragments parsed as entries. Root cause: `populate-unreleased-changelog.ts` git log has no path filter. Decision 2026-04-29: opt-in env var in `@oorabona/release-it-preset` (single source of truth, ~5 LOC upstream + ~15 LOC test). Resolves "changesets vs release-it" architecture question (originally raised 2026-04-27 commit `adfbc99` → cleanup `4d24fde` left the noise problem unsolved). | ||
| - [x] ✅ **Phase 1** — `oorabona/release-it-preset` v0.11.0 shipped (2026-04-29, upstream commit `0b4f857` tag `v0.11.0`, npm published). `GIT_CHANGELOG_PATH` env var wired in `dist/scripts/populate-unreleased-changelog.js:184` via existing `deps.getEnv()` DI pattern. 9 vitest cases covering path scoping + security validation (rejects `../` traversal + absolute paths — bonus security hardening not in original spec). Multi-line commit body parser issue tracked separately as v0.11+ "Out-of-scope follow-up" in preset's TODO. | ||
| - [ ] 🟡 **Phase 2** — node-liblzma (this repo): bump `@oorabona/release-it-preset` 0.9.0 → 0.11.0, set `GIT_CHANGELOG_PATH=packages/tar-xz` env in tar-xz release flow (workflow step OR `.release-it.json` hook — TBD during /workflow), idem `packages/nxz` with `packages/nxz`. Remove dormant changesets pipeline: `.github/workflows/changesets.yml` (62 LOC), `.changeset/` dir (config.json + README.md only post-cleanup), `@changesets/cli`+`@changesets/changelog-github` devDeps (~90 transitive lockfile entries). Dry-run `release.yml` for tar-xz to verify CHANGELOG no longer captures node-liblzma/Dependabot commits before merge. |
- `@oorabona/release-it-preset@0.11.0` declares a peerDep on `release-it ^20`; install was resolving against `release-it@19.2.4` causing a peer mismatch that could surface as warnings or release-time inconsistencies. - Bump pinned `release-it` from `^19.2.4` to `^20.0.0`; lockfile now resolves preset@0.11.0 against release-it@20.0.1 cleanly with no peer warnings. - Cite `GIT_CHANGELOG_PATH` env var explicitly in the release.yml comment so future grep-by-name lands the rationale. - Sync TODO Phase 2 wording with the shipped placement form (`GIT_CHANGELOG_PATH=.` after `cd "$PKG_DIR"`).
There was a problem hiding this comment.
Pull request overview
Updates the release tooling so workspace package releases generate per-package scoped CHANGELOG entries (based on commits touching only that package subtree), and removes the unused Changesets-based versioning pipeline.
Changes:
- Bump
@oorabona/release-it-presetto^0.11.0(andrelease-itto^20.0.0) and drop@changesets/*dev deps. - Scope workspace package CHANGELOG generation in
release.ymlviaGIT_CHANGELOG_PATH=.. - Remove the dormant Changesets workflow and
.changeset/directory artifacts.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
pnpm-lock.yaml |
Reflects dependency bumps (release-it, preset) and removal of Changesets transitive deps. |
package.json |
Drops Changesets devDeps; bumps release preset and release-it major. |
TODO.md |
Updates backlog/status notes for the release-it scoping work and follow-ups. |
.github/workflows/release.yml |
Sets GIT_CHANGELOG_PATH=. for workspace package release step to scope CHANGELOG commits. |
.github/workflows/changesets.yml |
Removes unused Changesets “Version Packages” PR automation workflow. |
.changeset/config.json |
Deletes Changesets configuration (no longer used). |
.changeset/README.md |
Deletes Changesets README (no longer used). |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
77
to
81
| "nano-staged": "^0.9.0", | ||
| "prebuildify": "^6.0.1", | ||
| "release-it": "^19.2.4", | ||
| "release-it": "^20.0.0", | ||
| "simple-git-hooks": "^2.13.1", | ||
| "tsd": "^0.33.0", |
Owner
Author
There was a problem hiding this comment.
Acknowledged but classified L (not addressed in this PR) — rationale :
engines.node describes the library's RUNTIME requirement for consumers, who don't run release-it. The library itself works on Node 22.0+ (no v22.13 syntax/API dependencies). The release-it@20 engine stricter range applies only to maintainers running release commands.
Concrete impact :
- Library users at Node 22.0–22.12 → unaffected (engines is checked at install against
>=22.0.0, which is still satisfied; release-it isn't a runtime dep). - Contributors at Node 22.0–22.12 → pnpm warning at install (no
engine-strictin.npmrc), andpnpm release*would fail to start. Affects only the release flow, not normal development. - CI →
NODE_VERSION: 22resolves to latest 22.x (≥22.18 today) → fine.
Bumping engines.node to >=22.13.0 would be a soft-breaking change for library consumers on older 22.x with no actual library-side benefit. Tracked in TODO under "[Release] Consider engines.node bump when 22.0–22.12 usage drops" for a future minor.
oorabona
added a commit
that referenced
this pull request
Apr 29, 2026
Mark Phase 1 + Phase 2 ✅ with merging SHA `68d6d91`. Move closed story to Completed section. Add LOW follow-ups: #26 nxz-cli visibility bump (now ready), `engines.node` bump consideration (Copilot R2 finding rejected with rationale).
This was referenced Apr 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Future workspace-package releases (
tar-xz,nxz-cli) now produce CHANGELOGs containing only commits whose diffs touched their own package subtree.Why
packages/tar-xz/CHANGELOG.mdv6.1.0 captured commits that did not belong totar-xz:(native)and(wasm)entries (e.g. PR feat(wasm): wire memlimit option through unxzAsync/unxz #111 wasm memlimit, PR feat(native): wire memlimit through N-API decoder #112 native memlimit)chore(deps): refresh lockfilerepo-root entriespin pnpm/action-setup,regenerate pnpm-lock.yaml,use squash merge in Dependabot auto-merge, etc.)Root cause : the
populate-unreleased-changelog.jsscript (run viabefore:bumphook) rangit logrepo-wide regardless of cwd. The recent cleanup commit4d24fdeonly deleted stale.changeset/*.mdartifacts ; the underlying scoping bug remained.How
@oorabona/release-it-presetv0.11.0 (published upstream 2026-04-29, commit0b4f857) introduces an opt-inGIT_CHANGELOG_PATHenv var that scopes the script'sgit logto a subtree (with security validation : rejects absolute paths,..traversal, shell metacharacters).This PR :
@oorabona/release-it-preset^0.9.0→^0.11.0..github/workflows/release.yml, setsGIT_CHANGELOG_PATH=.on the workspace-bump step (aftercd "$PKG_DIR", the.resolves to the package's own subtree). Rootnode-liblzmastep is unchanged — the root release captures the whole repo by design..github/workflows/changesets.yml(62 LOC, was opening unused "Version Packages" PRs),.changeset/directory (onlyconfig.json+README.mdleft after4d24fde), and the@changesets/cli+@changesets/changelog-githubdevDeps. ~90 transitive lockfile entries are dropped as a side-effect.Net diff : 7 files, +15/-606 (
pnpm-lock.yamlaccounts for -519 of those deletions).Testing
Locally on the branch :
pnpm install --frozen-lockfile→ EXIT 0pnpm type-check→ EXIT 0pnpm lint→ EXIT 0pnpm test→ EXIT 0 (489 root + 158 tar-xz + 27 nxz = 674 tests, 3 pre-existing skips in tar-xz)populate-unreleased-changelog.jswithGIT_CHANGELOG_PATH=.frompackages/tar-xz/cwd : EXIT 0, zero diff produced (consistent with the fact that no commit sincetar-xz@6.1.0touchespackages/tar-xz/). The env var is honored by the published preset ; the scoping logic itself is verified by the preset's own 9 vitest cases (incl. security validation).Out-of-scope
### Changedentries) — tracked upstream inrelease-it-presetTODO as a v0.11+ "Out-of-scope follow-up" ; not addressed by path scoping.packages/tar-xz/CHANGELOG.mdv6.1.0 entry still contains the legacy leakage. We do not rewrite shipped release notes ; the fix only affects future releases.Test plan
tar-xzproduces a CHANGELOG entry scoped topackages/tar-xz/commits onlynode-liblzmarelease path (workspace-bump step is the only step touched)