ci: add script to check for .changelog file in PRs

[alvin-huang]

#8387 added go-changelog which generates changelog entries from the .changelog directory. This PR adds a small CI check to add a comment to any PR that does not have the pr/no-changelog label to remind the author to double check that the PR does not require a changelog entry.

[dnephin]

Nice! Thank you for working on this!

One suggestion for allowing this to work with fork PRs from external contributors.

[dnephin]

I guess this means that the check will only work for internal contributions, is that right?

I think it is equally important to have this check run on PRs from external contributors so that we don't have to ask them every time to add a changelog entry.

We should be able to accomplish that by using github actions to do this work instead of circleCI. If we use pull_request_target (https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target), which will run using the code from the master branch.

This should allow us to run the check for external contributions as well.

[dnephin]

I think by using github actions we can get this information without an API call by using the github context github.event.pull_request.base.ref and github.event.pull_request.labels.

[dnephin]

I guess using github actions with pull_request_target would require a git checkout to get this list of changed files, since the available code will be of the target branch (master).

[alvin-huang]

@dnephin Thanks for the review! Yes after looking over this, doing all the GitHub API calls to get the various pieces I need seems cumbersome. I also realized CIRCLE_PULL_REQUEST populates weirdly in that you push up a dev branch and then open a PR in the GitHub UI but by virtue of pushing up that dev branch, Circle will run that and not see that as part of a PR. When the PR is created, it doesn't rerun the tests since that commit already ran and therefore never sets CIRCLE_PULL_REQUEST unless you update the PR with another commit after the PR is created.

Will pivot to using GitHub actions to implement this logic instead. That should make the conditionals cleaner.

[dnephin]

LGTM, couple small suggestions on wording

[dnephin]

In the future I guess we should try and document this under contributing/ and link to that instead. But since we don't have those docs yet, this seems good.

[alvin-huang]

Agreed, I'll keep this as unresolved so it's easier to find if we ever look at this PR again.

[dnephin]

I think the most likely risk here would be someone moving this logic into a script, and calling the script from this workflow.

I think it might help to clarify this point with something like this:

All the code checked out in this workflow should be considered untrusted. This workflow must never call any makefiles or scripts. It must never be changed to run any code from the checkout.

[alvin-huang]

That's true. The only thing that gets 'written' back is a PR comment but the copied script on a PR wouldn't have access to the github token to do that.

That blurb is nice to have though, I'll add it!

[hashicorp-ci]

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/321216.