@Qbandev Qbandev commented Dec 4, 2025

Description

This PR updates the changelog workflows to use the new @metamask/auto-changelog@5.3.0 which always filters out direct commits without PR numbers. This ensures all changelog entries represent reviewed and approved changes.

Changes:

  • Update @metamask/auto-changelog from ^5.1.0 to ^5.3.0
  • Update update-release-changelog workflow to use github-tools@v1.1.2

The --requirePrNumbers flag is now always applied by default in github-tools, so no additional configuration is needed.

This aligns metamask-mobile with metamask-extension for consistent changelog generation across platforms.

Changelog

CHANGELOG entry: null

Related issues

Manual testing steps

Feature: Changelog generation with PR number filtering

  Scenario: Only PR commits appear in changelog
    Given a release branch exists

    When a commit with an associated PR is merged
    Then the changelog should include that commit

    When a direct commit without PR is pushed
    Then the changelog should NOT include that commit

Tested on consensys-test/metamask-extension-test with release/1100.0.0:

Screenshots/Recordings

Before

Direct commits without PR numbers would appear in the changelog.

After

Only commits with PR numbers (representing reviewed changes) appear in the changelog.

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.
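
The filtering rule described above, as an added example (not code from this PR or from @metamask/auto-changelog): it splits release-branch commit subjects into PR-linked and direct commits. It assumes GitHub's default subject conventions (a trailing `(#N)` on squash merges, `Merge pull request #N from ...` on merge commits); the function names and the sample log are constructed.

```javascript
// Assumption: a commit is "PR-linked" only if its subject follows one of
// GitHub's default conventions. A bare "#123" elsewhere in the subject is
// a mention, not evidence that the commit itself went through a PR.
const SQUASH_SUFFIX = /\(#(\d+)\)\s*$/;
const MERGE_PREFIX = /^Merge pull request #(\d+) from \S+/;

function extractPrNumber(subject) {
  const m = SQUASH_SUFFIX.exec(subject) || MERGE_PREFIX.exec(subject);
  return m ? Number(m[1]) : null;
}

// Input: output of `git log --format='%H%x09%s'` (hash, TAB, subject).
function partitionCommits(logText) {
  const withPr = [];
  const direct = [];
  for (const line of logText.split('\n')) {
    const tab = line.indexOf('\t');
    if (tab === -1) continue; // blank or malformed line
    const hash = line.slice(0, tab);
    const subject = line.slice(tab + 1);
    const pr = extractPrNumber(subject);
    if (pr === null) direct.push({ hash, subject });
    else withPr.push({ hash, subject, pr });
  }
  return { withPr, direct };
}

// Constructed sample log; hashes and PR numbers are made up.
const SAMPLE_LOG = [
  'a1b2c3d\tfix: correct token balance rounding (#4101)',
  'b2c3d4e\tMerge pull request #4102 from example/feature-x',
  'c3d4e5f\tchore: bump version directly on release branch',
  'd4e5f6a\tfix: follow-up to #4101 without a PR of its own',
  'e5f6a7b\tRevert "fix: correct token balance rounding (#4101)"',
  'f6a7b8c\tRevert "fix: correct token balance rounding (#4101)" (#4103)',
].join('\n');

const { withPr, direct } = partitionCommits(SAMPLE_LOG);
console.log('changelog candidates:', withPr.map((c) => `#${c.pr}`).join(', '));
console.log('direct commits to review:');
for (const c of direct) console.log(`  ${c.hash} ${c.subject}`);
```

The `direct` list is the set a release manager would want to inspect: those commits are dropped from the changelog under this rule but are still on the branch.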

- Update @metamask/auto-changelog from ^5.1.0 to ^5.3.0
- Update update-release-changelog workflow to use github-tools v1.1.2

This aligns metamask-mobile with metamask-extension for changelog
generation, ensuring only commits with PR numbers are included.
@metamaskbot metamaskbot added the team-dev-ops DevOps team label Dec 4, 2025
github-actions bot commented Dec 4, 2025

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

github-actions bot commented Dec 4, 2025

🔍 Smart E2E Test Selection

  • Selected E2E tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 95%

The changes in this PR are limited to:

  1. @metamask/auto-changelog bump (5.1.0 → 5.3.0): This is a dev dependency used exclusively for generating changelogs during the release process. It is not imported or used in any runtime application code (verified by searching the codebase).

  2. GitHub workflow update: The update-release-changelog.yml workflow was updated to use newer versions of MetaMask GitHub tools (v1.1.0 → v1.1.2). This workflow is only triggered during release processes and has no impact on the application code.

  3. yarn.lock: Simply reflects the auto-changelog version update.

None of these changes:

  • Affect runtime application code
  • Modify any features, UI components, or business logic
  • Impact any user-facing functionality
  • Touch any E2E test infrastructure

While package.json is flagged as CRITICAL, in this specific case the change is purely a dev tooling update with zero impact on application behavior. No E2E tests are necessary to validate these changes.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | npm/@metamask/auto-changelog@5.1.0 ⏵ 5.3.0 | 98 -2 | 100 | 100 | 93 -7 | 100 |

@socket-security

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION

| Action | Severity | Alert |
|---|---|---|
| Block | Medium | Network access: npm @metamask/auto-changelog in module globalThis["fetch"] |

Module: globalThis["fetch"]

Location: Package overview

From: package.json → npm/@metamask/auto-changelog@5.3.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/auto-changelog@5.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@Qbandev Qbandev requested review from XxdpavelxX and Copilot and removed request for Copilot December 4, 2025 09:42
@Qbandev Qbandev marked this pull request as ready for review December 4, 2025 09:45
@Qbandev Qbandev enabled auto-merge December 4, 2025 09:49
sonarqubecloud bot commented Dec 4, 2025

@Qbandev Qbandev added this pull request to the merge queue Dec 4, 2025
Merged via the queue into main with commit 905838f Dec 4, 2025
165 of 168 checks passed
@Qbandev Qbandev deleted the feat/require-pr-numbers-changelog branch December 4, 2025 11:11
@github-actions github-actions bot locked and limited conversation to collaborators Dec 4, 2025
@metamaskbot metamaskbot added the release-7.62.0 Issue or pull request that will be included in release 7.62.0 label Dec 4, 2025