Skip to content

Add CI guard to prevent direct CHANGELOG.md modifications#4713

Merged
shreyas-goenka merged 1 commit intomainfrom
changelog-guard
Mar 12, 2026
Merged

Add CI guard to prevent direct CHANGELOG.md modifications#4713
shreyas-goenka merged 1 commit intomainfrom
changelog-guard

Conversation

@shreyas-goenka
Copy link
Contributor

@shreyas-goenka shreyas-goenka commented Mar 11, 2026

Summary

  • Add a GitHub Actions workflow that fails PRs which modify CHANGELOG.md directly
  • Provides a break-glass override via the override-changelog-guard label

Problem

PR #4675 directly modified CHANGELOG.md, which caused the release tagging workflow (tagging.py) to incorrectly detect a pending release. This resulted in a broken v0.293.0 release where recovery mode tagged the wrong commit.

The root cause is that tagging.py uses CHANGELOG.md entries to detect pending releases. When a PR adds a release entry directly to CHANGELOG.md (rather than going through the standard release flow via NEXT_CHANGELOG.md), the tagging logic gets confused.

Solution

A lightweight CI guard that:

  1. Triggers only on PRs that touch CHANGELOG.md
  2. Fails with a clear error message explaining that CHANGELOG.md is managed by the release workflow
  3. Can be overridden by adding the override-changelog-guard label to the PR

Test plan

  • Verify the workflow triggers on a PR that modifies CHANGELOG.md
  • Verify the workflow does not trigger on PRs that don't touch CHANGELOG.md
  • Verify adding the override-changelog-guard label allows the PR to pass

🤖 Generated with Claude Code

@eng-dev-ecosystem-bot
Copy link
Collaborator

eng-dev-ecosystem-bot commented Mar 12, 2026
edited
Loading

Commit: ca6cdde

Run: 22980737767

Env 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
💚​ aws linux 8 7 268 781 7:04
💚​ aws windows 8 7 270 779 5:27
🔄​ aws-ucws linux 2 7 7 364 696 8:03
🔄​ aws-ucws windows 2 7 7 366 694 7:12
💚​ azure linux 2 9 271 779 6:24
💚​ azure windows 2 9 273 777 5:11
🔄​ azure-ucws linux 2 1 9 369 692 7:06
🔄​ azure-ucws windows 2 1 9 371 690 5:39
💚​ gcp linux 2 9 267 782 5:59
💚​ gcp windows 2 9 269 780 4:31
16 interesting tests: 7 SKIP, 6 RECOVERED, 3 flaky
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🔄​ TestAccept 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 🔄​f 🔄​f 💚​R 💚​R
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 💚​R 💚​R 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 💚​R 💚​R 💚​R 💚​R
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 💚​R 💚​R 💚​R 💚​R
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 💚​R 💚​R 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 💚​R 💚​R 💚​R 💚​R
💚​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🔄​ TestAccept/ssh/connect-serverless-gpu 🙈​s 🙈​s 🔄​f 🔄​f 🙈​s 🙈​s 🔄​f 🔄​f 🙈​s 🙈​s
🔄​ TestAccept/ssh/connection 💚​R 💚​R 🔄​f 🔄​f 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
Top 20 slowest tests (at least 2 minutes):
duration env testname
4:12 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
4:01 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:48 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:45 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:43 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:19 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:18 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:15 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:15 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:15 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:08 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:06 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:05 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:04 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:02 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:46 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:38 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:17 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:12 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:12 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct

@shreyas-goenka @claude
Add CI guard to prevent direct CHANGELOG.md modifications
ca6cdde 
The release tagging workflow (tagging.py) uses CHANGELOG.md entries to
detect pending releases. If a PR adds a release entry directly to
CHANGELOG.md, recovery mode incorrectly tags the wrong commit.

This guard fails PRs that modify CHANGELOG.md, with a break-glass
override via the 'override-changelog-guard' label.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@shreyas-goenka shreyas-goenka marked this pull request as ready for review March 12, 2026 00:27
pietern
pietern approved these changes Mar 12, 2026
View reviewed changes
Copy link
Contributor

@pietern pietern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you confirm the tests in the PR summary?

@shreyas-goenka shreyas-goenka added this pull request to the merge queue Mar 12, 2026
Merged via the queue into main with commit 5687f25 Mar 12, 2026
18 checks passed
@shreyas-goenka shreyas-goenka deleted the changelog-guard branch March 12, 2026 08:30
@shreyas-goenka
Copy link
Contributor Author

shreyas-goenka commented Mar 12, 2026

The workflow worked as expected on this PR: #4717.

We don't need to test that this workflow does NOT trigger on releases, since it's trigger is defined to be PR only.

pietern
pietern reviewed Mar 12, 2026
View reviewed changes
Copy link
Contributor

@pietern pietern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shreyas-goenka I was thinking about the label override.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pietern pietern pietern approved these changes

@andrewnester andrewnester Awaiting requested review from andrewnester andrewnester is a code owner

@anton-107 anton-107 Awaiting requested review from anton-107 anton-107 is a code owner

@denik denik Awaiting requested review from denik denik is a code owner

@simonfaltum simonfaltum Awaiting requested review from simonfaltum simonfaltum is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@shreyas-goenka @eng-dev-ecosystem-bot @pietern