Adds nightly-changelog.yml on main so the cron registers #5482
GitHub only registers ``schedule:`` triggers from the repository's default branch (``main``). The fragment-based changelog system landed in isaac-sim#5434 with ``nightly-changelog.yml`` only on ``develop``, so the nightly cron has not been firing — fragments accumulate without ever being compiled. This adds the same workflow file to ``main`` so the cron registers and runs daily. The workflow's checkout step pulls ``develop`` at run time, so the runtime (``tools/changelog/cli.py``, fragments) stays on develop — only the trigger file needs to live on main, mirroring the convention already used by ``check-links.yml`` and ``daily-compatibility.yml``. A header comment in the YAML notes the dual-location requirement so future editors are aware. The PR-time gate (``changelog-check.yml``) is unaffected — its ``pull_request`` trigger fires from PR-branch files and already works correctly without being on main.
🤖 Isaac Lab Review Bot
Summary
This PR adds the nightly-changelog.yml workflow file to the main branch so GitHub's cron scheduler will register the scheduled trigger. This is a well-documented infrastructure fix addressing the fact that GitHub only registers schedule: triggers from the default branch. The workflow itself checks out and operates on develop, so the runtime behavior is correct.
Architecture Impact
Self-contained CI infrastructure change. The workflow:
- Triggers on cron (5 AM UTC) or manual dispatch
- Checks out `develop` branch explicitly
- Runs `tools/changelog/cli.py compile --all` (which lives on `develop`)
- Commits and pushes back to `develop`
No impact on Isaac Lab source code, simulation runtime, or RL training paths. The only downstream effect is that changelog fragments on develop will now be automatically compiled nightly as originally intended by PR #5434.
Implementation Verdict
Ship it — Minor improvements possible but not blocking.
Test Coverage
This is a CI workflow file; traditional unit tests don't apply. The author notes:
- Live tested on a fork during #5434 development
- Post-merge verification plan includes watching the 5 AM UTC cron run
- Manual `workflow_dispatch` test planned
This is appropriate coverage for a CI workflow change.
CI Status
No CI checks available yet. For a workflow-only change targeting main, this is expected — the workflow syntax is valid YAML and uses pinned action SHAs.
Findings
🔵 Improvement: .github/workflows/nightly-changelog.yml:91-93 — git add may fail silently if paths don't exist
```
git add source/*/changelog.d/ \
    source/*/docs/CHANGELOG.rst \
    source/*/config/extension.toml
```

If no packages have changelog fragments or the directory structure changes, the glob may match nothing. Consider using git add --ignore-missing or checking glob expansion. However, since git diff --staged --quiet follows immediately and handles the "nothing staged" case gracefully, this is non-blocking.
🔵 Improvement: .github/workflows/nightly-changelog.yml:113-115 — awk pattern may miss version lines with leading whitespace
```
old=$(git diff --staged "$tom" | awk -F'"' '/^-version/{print $2; exit}')
new=$(git diff --staged "$tom" | awk -F'"' '/^\+version/{print $2; exit}')
```

The regex /^-version/ and /^\+version/ assume version appears at column 0 in the TOML. If extension.toml uses version = "..." with leading spaces (inside a [package] section, for example), these won't match. A safer pattern would be /^[-+][ \t]*version/. That said, if the existing extension.toml files consistently have version at the start of a line, this works. Non-blocking but worth verifying against actual file format.
🔵 Improvement: .github/workflows/nightly-changelog.yml:119 — Commit message uses UTF-8 arrow character
```
echo "- $pkg: $old → $new"
```

The → character (U+2192) should render fine in GitHub's UI and most terminals, but if there are encoding issues in some log viewers, consider using -> instead. Cosmetic only.
🟡 Warning: .github/workflows/nightly-changelog.yml:122-124 — No error handling on push failure
```
git commit -F "$MSG_FILE"
git push origin HEAD:develop
```

If the push fails (network issue, branch protection rule, concurrent push from another workflow), the job fails but there's no retry or notification mechanism. The next nightly run should pick up where this left off since fragments aren't deleted until the commit succeeds, so data loss is unlikely. However, consider adding || exit 1 explicitly after push or using workflow failure notifications. Non-blocking since GitHub Actions will mark the job as failed anyway.
🔵 Improvement: .github/workflows/nightly-changelog.yml:69-70 — Token fallback documented but CHANGELOG_PAT secret may not exist
The workflow gracefully falls back to GITHUB_TOKEN if CHANGELOG_PAT isn't configured, which is correct. The header comment (lines 20-27) explains the tradeoff well. No action needed, just confirming this is intentional and documented.
Greptile Summary
This PR adds
Confidence Score: 4/5
Safe to merge — single workflow file addition with well-documented intent and no logic bugs; one minor P2 style note on missing timeout. Only P2 findings (missing job timeout); no P0/P1 issues. The fallback token expression, dry-run gating, concurrency settings, and hardcoded ref: develop checkout are all intentional and correctly implemented. No files require special attention beyond the single P2 note on nightly-changelog.yml.
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A["schedule: cron 0 5 UTC\nregistered from main branch"] --> C
B["workflow_dispatch\ndry_run input"] --> C
C["checkout develop\nfull history fetch-depth 0"] --> D
D["setup-python 3.12"] --> E
E["cli.py compile --all\noptional --dry-run flag"]
E -->|dry_run true| F["Preview only — no commit"]
E -->|dry_run false or schedule| G["git add changelog fragments\nCHANGELOG.rst + extension.toml"]
G --> H{Staged changes?}
H -->|No| I["Nothing to commit"]
H -->|Yes| J["git commit with auto-version bump message"]
J --> K["git push origin HEAD:develop"]
```
| # Operate on develop, not the repo's default branch. Scheduled | ||
| # workflows fire from the default branch's workflow file by |
The compile-changelog job has no timeout-minutes setting. If cli.py compile hangs (e.g., waiting on a lock, infinite loop in a malformed fragment) or the push stalls, the job will run for GitHub's default 6-hour maximum before being cancelled, blocking the nightly-changelog concurrency group for the entire window and preventing any follow-up manual dispatches from starting.
| # Operate on develop, not the repo's default branch. Scheduled | |
| # workflows fire from the default branch's workflow file by | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 |
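Review bot: `timeout-minutes: 30` resolves the missing-timeout finding above: a compile that hangs on a lock or a stalled push is now cancelled after 30 minutes instead of GitHub's 6-hour default, which also frees the `nightly-changelog` concurrency group for a manual dispatch. Worth confirming on the first scheduled run that 30 minutes leaves headroom for the full-history checkout (`fetch-depth: 0`) plus the compile on a cold runner; if it is close, raise the value rather than trim the checkout.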
🤖 Isaac Lab Review Bot
Summary
This is a follow-up review. The new commits add a .github/workflows/README.md documentation file explaining the dual-branch requirement for scheduled workflows. The core workflow file (nightly-changelog.yml) is unchanged from the previous review.
Implementation Verdict
Ship it
Findings
No new issues. The added README.md is a helpful documentation addition that explains the main/develop dual-location requirement for scheduled workflows — this directly addresses the "why is this file on main?" question future maintainers will have.
Previous findings remain valid but were all marked as non-blocking improvements (🔵) or low-severity warnings (🟡). None require changes before merge.
The failing "Check for Broken Links" CI job is unrelated to this PR's changes (workflow files don't contain documentation links that would be checked).
🤖 Isaac Lab Review Bot
Summary
This is a follow-up review. No new commits have been added since the previous review — the HEAD is still ef70601f. The workflow file and README remain unchanged.
Implementation Verdict
Ship it
Findings
No new issues. The previous review already approved this PR with no blocking concerns. The failing "Check for Broken Links" CI job is unrelated to this PR (it checks documentation links, not workflow files). Ready to merge once CI stabilizes.
🤖 Isaac Lab Review Bot
Summary
Follow-up review after commit 6af12896. The changes are identical to the previous review — the workflow file and README content are unchanged. This PR correctly adds the nightly changelog workflow to main to enable GitHub's cron registration.
Implementation Verdict
Ship it
Findings
No new issues. The previous approval stands. The "Check for Broken Links" CI failure is unrelated to this PR's changes (it's a documentation link checker, not a workflow validator). Ready to merge.
…sh (#5527)

## Why

Develop's branch ruleset requires 18 status checks **and** 1 approval before any push. The nightly compile workflow (#5482) was authenticated with `GITHUB_TOKEN` (identity `github-actions[bot]`), which has neither the bypass entitlement nor a way to satisfy approvals. Result: the cron pushed cleanly until it hit develop, then failed with `protected branch hook declined` — fragments accumulate, no auto-bump happens.

Confirmed failure: https://github.com/isaac-sim/IsaacLab/actions/runs/25419200769

## What this PR does

Switches the workflow's checkout/push token to a short-lived installation access token minted from the `isaaclab-bot` GitHub App (created by @kellyguo11 and added to develop's ruleset bypass list).

| Change | Effect |
|---|---|
| Add `actions/create-github-app-token@v3.1.1` step (SHA-pinned) | Mints a 1-hour installation token from `CHANGELOG_APP_ID` + `CHANGELOG_APP_PRIVATE_KEY` repo secrets. |
| `actions/checkout` token: `app-token` instead of `GITHUB_TOKEN` | Push is signed by `isaaclab-bot[bot]` — the bypass identity. Lands without satisfying required-checks / required-approval. |
| `git config user.{name,email}` updated to `isaaclab-bot[bot]` | Auto-commits attribute to the bot user in the GitHub UI. |
| Workflow `permissions: contents: write` → `contents: read` | The App token carries write access; `GITHUB_TOKEN` only needs read. Tightens least-privilege. |
| Header comment rewritten | Documents the App-token model + bypass requirement. |

## Side benefit: triggers downstream workflows

`GITHUB_TOKEN`-signed pushes don't trigger downstream workflows by design (loop guard). App-token-signed pushes are treated as external pushes and DO trigger downstream CI — so docs / Docker rebuild jobs fire on the auto-commit naturally, no separate PAT required.

## Setup status

Already done by maintainers:

- [x] `isaaclab-bot` GitHub App created with `contents: write` permission
- [x] App installed on `isaac-sim/IsaacLab`
- [x] App added to develop's ruleset bypass actor list
- [x] Repo secrets `CHANGELOG_APP_ID` and `CHANGELOG_APP_PRIVATE_KEY` set

## Test plan

- [x] PR diff is YAML-only, no code changes.
- [ ] After merge: manually trigger via `gh workflow run "Nightly Changelog Compilation" --repo isaac-sim/IsaacLab` and verify the push lands and the bot user shows as the commit author on https://github.com/isaac-sim/IsaacLab/commits/develop.
- [ ] Confirm the next 5 AM UTC cron sweeps the accumulated fragment backlog (~22 fragments at last count).

cc @kellyguo11
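As an added illustration (not the project's own `nightly-changelog.yml`), the workflow shape that the #5527 change table and the main/develop trigger convention above describe: a `schedule:` trigger that only registers from `main`, a short-lived App token minted from the two repo secrets, a checkout of `develop` pushed with that token, and `GITHUB_TOKEN` reduced to `contents: read`. The `<PINNED_SHA>` values, the bot e-mail, the commit message and the boolean `dry_run` input type are assumptions.

```yaml
# Added example, not the project's workflow file. <PINNED_SHA> = placeholder for
# the real SHA pin; the bot e-mail and commit message are assumed.
name: Nightly Changelog Compilation

on:
  schedule:
    - cron: "0 5 * * *"   # only registered from the default branch (main)
  workflow_dispatch:
    inputs:
      dry_run:
        type: boolean
        default: false

# GITHUB_TOKEN needs no write access: the App token carries the push right.
permissions:
  contents: read

concurrency:
  group: nightly-changelog
jobs:
  compile-changelog:
    runs-on: ubuntu-latest
    timeout-minutes: 30   # bounds a hung compile or push (GitHub default is 6 h)
    steps:
      - id: app-token
        uses: actions/create-github-app-token@<PINNED_SHA>   # v3.1.1
        with:
          app-id: ${{ secrets.CHANGELOG_APP_ID }}
          private-key: ${{ secrets.CHANGELOG_APP_PRIVATE_KEY }}
      # The trigger file lives on main; the runtime (cli.py, fragments) is on develop.
      - uses: actions/checkout@<PINNED_SHA>
        with:
          ref: develop
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}   # push as isaaclab-bot[bot]
      - uses: actions/setup-python@<PINNED_SHA>
        with:
          python-version: "3.12"
      - name: Compile fragments
        run: python tools/changelog/cli.py compile --all ${{ inputs.dry_run && '--dry-run' || '' }}
      - name: Commit and push to develop
        if: ${{ !inputs.dry_run }}   # empty (false) on the schedule event
        run: |
          git config user.name "isaaclab-bot[bot]"
          git config user.email "isaaclab-bot[bot]@users.noreply.github.com"  # assumed
          git add source/*/changelog.d/ source/*/docs/CHANGELOG.rst source/*/config/extension.toml
          if git diff --staged --quiet; then echo "Nothing to commit"; exit 0; fi
          git commit -m "Compile changelog fragments"   # assumed message
          git push origin HEAD:develop
```

The push succeeds on the protected branch only because the App identity is on the ruleset bypass list; the checkout action persists the App token as the push credential, so no separate PAT is involved.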
Why
PR #5434 landed the fragment-based changelog system on `develop`. The accompanying nightly workflow file only lives on `develop`. GitHub registers `schedule:` triggers from the default branch only (`main` for this repo) — so the cron has not fired since #5434 merged, and fragments have been accumulating on develop without ever being compiled into `CHANGELOG.rst` / `extension.toml` bumps.

As of this writing, 7 fragments are stranded across 6 packages on develop.
What this PR does
Adds `nightly-changelog.yml` to `main`, mirroring the convention already used by other scheduled workflows in this repo (`check-links.yml`, `daily-compatibility.yml` both live on both branches for the same reason).

The workflow's checkout step explicitly pulls `develop` at run time (`actions/checkout@... ref: develop`), so the runtime — `tools/changelog/cli.py` and the per-package fragments — stays on develop. Only the trigger file needs to be on main, just to satisfy GitHub's default-branch registration rule for cron.

A header comment was added to the YAML noting the dual-location requirement so future editors know to land changes on both branches.
What this PR does not touch
- `changelog-check.yml` — its `pull_request` trigger fires from PR-branch files and works correctly today. No need to put it on main.
- `tools/changelog/cli.py` and other runtime code — unchanged on develop.

After merge
The next 5 AM UTC cron will sweep up the accumulated develop-fragments backlog. From then on, daily compile + auto-commit to develop should work as designed in #5434.
Test plan
- `nightly-changelog.yml` content on this PR is byte-equal to develop's, plus the dual-location header comment.
- `gh workflow run "Nightly Changelog Compilation" --repo isaac-sim/IsaacLab --ref develop` succeeds (manual workflow_dispatch should work once registered).
- Live tested on a fork during #5434 development — the workflow body itself is verified end-to-end (single fragment, 7-fragment multi-package, cross-section merge). This PR is purely about getting the cron registered upstream.
cc @kellyguo11