From 7f51fd8ef7c79d81c3c42c1863606011cc9e3cbb Mon Sep 17 00:00:00 2001
From: Neil Horman
Date: Fri, 2 Jan 2026 12:29:34 -0500
Subject: [PATCH] Create a simple check for suggesting NEWS/CHANGES additions During a release cycle we always wind up going through our git history to try make sure we caught all the stuff that needed a CHANGES/NEWS entry. Lets try make that at least a little more automated here. PR's that reference CVEs, come from feature branches or impact public apis generally need a NEWS/CHANGES entry, so lets flag those during CI. It should serve as a reminder to add entries to NEWS/CHANGES to prs meeting the above criteria, and can be ignored via the application of the no_news_changes_needed label to the PR. Reviewed-by: Paul Dale Reviewed-by: Norbert Pocs MergeDate: Tue Jan 13 19:17:37 2026 (Merged from https://github.com/openssl/openssl/pull/29536)
---
 .github/workflows/check-news-changes.yml | 82 ++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 .github/workflows/check-news-changes.yml
diff --git a/.github/workflows/check-news-changes.yml b/.github/workflows/check-news-changes.yml
new file mode 100644
index 0000000000..a4bb905fa1
--- /dev/null
+++ b/.github/workflows/check-news-changes.yml 
@@ -0,0 +1,82 @@
+name: "Scan to check for NEWS/CHANGES suggestions"
+
+on: pull_request
+env:
+ NEED_NEWS_CHANGES: "no"
+permissions: {}
+
+jobs:
+ scan_for_news_changes:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
+ fetch-depth: 2
+ - name: "Check if we already have a NEWS/CHANGES entry"
+ run: |
+ git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} > ./names.txt
+ set +e
+ grep -q "NEWS\.md" names.txt
+ if [ $? -eq 0 ]; then
+ echo "FOUND_NEWS_CHANGES_ADDITION=yes" >> $GITHUB_ENV
+ else
+ grep -q "CHANGES\.md" names.txt
+ if [ $? -eq 0 ]; then
+ echo "FOUND_NEWS_CHANGES_ADDITION=yes" >> $GITHUB_ENV
+ else
+ echo "FOUND_NEWS_CHANGES_ADDITION=no" >> $GITHUB_ENV
+ fi
+ fi
+ - name: "Check if this PR affects a CVE"
+ if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' }}
+ run: |
+ git log ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} > ./log.txt
+ set +e
+ grep -q "CVE-" ./log.txt
+ if [ $? -eq 0 ]; then
+ echo "Changes in this PR reference a CVE"
+ echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+ fi
+ - name: "Check if this PR impacts a public API"
+ if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' }}
+ run: |
+ set +e
+ grep -q "include\/crypto" ./names.txt
+ if [ $? -eq 0 ]; then
+ echo "Changes in this PR may impact public APIS's"
+ echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+ fi
+ - name: "Check if this is a feature branch merge"
+ if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' }}
+ run: |
+ set +e
+ echo ${{ github.head_ref }} | grep -q "feature"
+ if [ $? 
-eq 0 ]; then
+ echo "Feature branch found"
+ echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+ fi
+ - name: "Check if configuration options have changed"
+ if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' }}
+ run: |
+ git checkout ${{ github.event.pull_request.base.sha }}
+ set +e
+ ./Configure --help > ./before.txt 2>&1
+ git checkout ${{ github.event.pull_request.head.sha }}
+ ./Configure --help > ./after.txt 2>&1
+ set -e
+ CONF_CHANGE=$(diff ./before.txt ./after.txt | wc -l)
+ if [ $CONF_CHANGE -ne 0 ]; then
+ echo "Configuration options changes"
+ echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+ fi
+ - name: "Report Results"
+ if: ${{ !(contains(github.event.pull_request.labels.*.name, 'no_news_changes_needed')) }}
+ run: |
+ if [ "${{ env.NEED_NEWS_CHANGES }}" == "yes" ]; then
+ echo "Suggest that you add a NEWS/CHANGES entry for this PR"
+ echo "Alternatively, quiet this suggestion by applying the no_news_changes_needed label"
+ exit 1
+ fi
+
+
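Review bot: `echo ${{ github.head_ref }} | grep -q "feature"` in the "Check if this is a feature branch merge" step interpolates the PR branch name directly into the shell script, and on `pull_request` that name is chosen by the PR author, so this is the expression-injection pattern GitHub's Actions hardening guidance tells workflows to avoid; `permissions: {}` and `persist-credentials: false` limit what an injected command could reach, but the runner still executes it. Pass the value through the environment instead: add `env:` with `HEAD_REF: ${{ github.head_ref }}` to that step and change the line to `echo "$HEAD_REF" | grep -q "feature"`. The `base.sha`/`head.sha` interpolations elsewhere in the file are hex object ids and do not carry this risk. Separately, with `fetch-depth: 2` the `git log base..head` in the CVE step presumably only sees the commits the shallow fetch brought in, so a "CVE-" mention in an earlier commit of a multi-commit PR may be missed — worth confirming before relying on that check.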