feat: rework PR bump preview workflow #102

Open

bearomorphism wants to merge 3 commits into commitizen-tools:master from bearomorphism:bump-dry-run

bearomorphism commented Jun 8, 2025

Description

Reworks the PR bump preview workflow that addresses commitizen-tools/commitizen#1510. Whenever a PR is opened, reopened, synchronised, or marked ready for review, the workflow runs cz bump --dry-run and posts (or updates) a sticky comment showing the would-be version bump and changelog entries.

What changed since the draft

  • Use commitizen-tools/setup-cz instead of bootstrapping Poetry to install commitizen — fewer moving parts, no need for the action repo to ship a working Python project to run cz.
  • Trigger on pull_request_target so the workflow has pull-requests: write permission for PRs from forks too. The job only runs cz bump --dry-run, a read-only command, so PR-controlled scripts are not executed.
  • Handle exit code 21 (NoneIncrementExit) as "no eligible bump" rather than a workflow failure. Other non-zero codes are surfaced inside the comment body so they're visible without digging into the run logs.
  • Sticky comment via marker (<!-- commitizen-bump-preview -->) — peter-evans/create-or-update-comment replaces the previous preview on each push instead of stacking comments.
  • Skip draft PRs but pick them up on ready_for_review.

A matching workflow has been opened in commitizen-tools/commitizen (PR #1957) and an example will be added to commitizen-tools/setup-cz.

Closes commitizen-tools/commitizen#1510

Expected output

The workflow posts (and replaces on every push) a single sticky comment whose body depends on the dry-run exit code.

cz bump --dry-run --yes succeeds (status 0) — eligible bump:

Rendered comment

🔍 Commitizen bump preview

Merging this PR will produce the following bump:

bump: version 4.15.1 → 4.16.0
tag to create: v4.16.0
increment detected: MINOR
<!-- commitizen-bump-preview -->
## 🔍 Commitizen bump preview

Merging this PR will produce the following bump:

```
bump: version 4.15.1 → 4.16.0
tag to create: v4.16.0
increment detected: MINOR
```

NoneIncrementExit (status 21) — no eligible commits:

🔍 Commitizen bump preview

No commits in this PR are eligible for a version bump.

Any other non-zero status — error surfaced inside the comment:

🔍 Commitizen bump preview

⚠️ cz bump --dry-run exited with status 3:

NoCommitsFoundError

Steps to test

Once merged, open a follow-up PR against this repository and confirm a 🔍 Commitizen bump preview comment appears and updates as you push commits.

Replace the previous draft (poetry-based) attempt with a simpler,
robust implementation:

* Use commitizen-tools/setup-cz instead of installing Poetry/cz from
  the project lockfile. The action repo doesn't need its own Python
  toolchain to run cz.
* Trigger on pull_request_target so the workflow has pull-requests:
  write even for fork PRs. Only `cz bump --dry-run` is executed, so
  PR-controlled scripts are not run.
* Capture the dry-run exit status. Treat exit code 21
  (NoneIncrementExit) as 'no eligible commits' instead of a hard
  failure, and surface other non-zero codes in the comment.
* Use a hidden HTML marker so the comment is replaced (rather than
  duplicated) on every push.

Closes commitizen-tools/commitizen#1510

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

bearomorphism changed the title from "feat: bump dry run github action" to "feat: rework PR bump preview workflow" on May 9, 2026
bearomorphism marked this pull request as ready for review May 9, 2026 07:15
bearomorphism marked this pull request as draft May 9, 2026 08:33
bearomorphism marked this pull request as ready for review May 9, 2026 08:36

Mirrors the security fix on commitizen-tools/commitizen#1957:

* `cz bump` can render Jinja templates from the working directory when
  `update_changelog_on_bump` is set in config, using a non-sandboxed
  loader. Under `pull_request_target` this would let a fork PR execute
  arbitrary code with a write token, so gate the job to same-repo PRs
  only (`head.repo == base.repo`).
* Add `persist-credentials: false` on `actions/checkout` as defense
  in depth.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
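
The risk this commit closes can also be checked for mechanically. The script below is an added example, not part of the PR or the project's workflow: it flags a `pull_request_target` workflow that lacks a same-repo gate or has an `actions/checkout` step without `persist-credentials: false`. The sample workflow, its `if:` expression and the file names are assumptions, and the check is a line-based heuristic, not a YAML parser.

```sh
# Added example, not the project's workflow: heuristic, line-based audit of a
# GitHub Actions workflow for the pull_request_target risk described above.
audit_workflow() {
    wf=$1; findings=""
    # Only pull_request_target runs fork PRs with the base repo's write token.
    if ! grep -Eq '^[^#]*pull_request_target' "$wf"; then
        echo "ok: not pull_request_target"; return 0
    fi
    # Same-repo gate: an if: line comparing the PR head repo with '=='.
    # A gate split over several lines is missed and reported (fails closed).
    if ! grep -E '^[^#]*if:' "$wf" | grep -E 'head\.repo' | grep -q '=='; then
        findings="$findings no-fork-gate"
    fi
    # Each actions/checkout should carry persist-credentials: false.
    checkouts=$(grep -Ec '^[^#]*uses:[[:space:]]*actions/checkout' "$wf" || true)
    hardened=$(grep -Ec '^[^#]*persist-credentials:[[:space:]]*false' "$wf" || true)
    if [ "$checkouts" -gt "$hardened" ]; then
        findings="$findings checkout-persists-credentials"
    fi
    if [ -n "$findings" ]; then echo "risk:$findings"; return 1; fi
    echo "ok: gated"
}

# Constructed sample workflows (assumed layout, for illustration only).
write_samples() {
    cat > "$1/gated.yml" <<'EOF'
on:
  pull_request_target:
jobs:
  preview:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: cz bump --dry-run --yes
EOF
    # The ungated variant is the same workflow with both mitigations removed.
    grep -Ev 'head\.repo|persist-credentials|with:' "$1/gated.yml" > "$1/ungated.yml"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in ungated gated; do audit_workflow "$demo_dir/$f.yml" || true; done
rm -rf "$demo_dir"
```
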

bearomorphism commented May 9, 2026

Note for reviewers: the duplication across this repo, commitizen-action, and setup-cz is intentional for now. Tracked as a follow-up in commitizen-tools/commitizen#1959 (mirrored at commitizen-tools/setup-cz#20) — once these PRs are merged and we have one or two real bump-preview comments in production, we plan to promote the example into a reusable workflow in setup-cz and shrink the workflows in commitizen + commitizen-action to ~8-line wrappers pinned to a tagged setup-cz release.


Development

Successfully merging this pull request may close these issues.

Generate expected bump version comment when receiving a new pull request
