fix: replace OpenAI with git-cliff for changelog generation #6
Previously, when the Release workflow was triggered by workflow_run (after CI completes on main), it would skip the release if the current version tag already existed. This required manual version bumps before each release.
Now, when triggered by workflow_run:
- If current version tag doesn't exist → release with current version
- If current version tag exists → auto-bump patch version, update Cargo.toml, then release
This makes releases fully automatic after merging PRs to main.
Uses RELEASE_TOKEN (a PAT with Contents write permission) to bypass branch protection when auto-bumping the version.
Setup required:
1. Create a Fine-Grained PAT at GitHub Settings → Developer Settings → Personal Access Tokens
2. Grant it 'Contents: Read and write' permission for this repo
3. Add it as a repository secret named RELEASE_TOKEN
The workflow falls back to GITHUB_TOKEN if RELEASE_TOKEN is not set, which will fail on protected branches but work on unprotected ones.
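The tag-exists-then-bump decision described above, written out as an added shell example (not the PR's workflow code). It assumes release tags are named v<version>, that Cargo.toml carries a single `version = "x.y.z"` line in its [package] table ahead of any dependency tables, and that the tag list is whatever `git tag -l` prints.

```shell
#!/bin/sh
# Added example, not the PR's workflow: pick the version to release when the
# Release job runs after CI on main, and rewrite Cargo.toml when a bump is needed.
set -eu

# bump_patch X.Y.Z -> X.Y.(Z+1). Anything that is not three integers is rejected
# so a malformed Cargo.toml cannot produce a nonsense tag.
bump_patch() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' \
    || { echo "not a MAJOR.MINOR.PATCH version: $1" >&2; return 1; }
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
  echo "$major.$minor.$((patch + 1))"
}

# release_version CURRENT TAGLIST: CURRENT when no tag v<CURRENT> exists,
# otherwise the next patch version. TAGLIST is newline-separated, and the
# match is on the whole line (-x), so v1.2.3 does not match v1.2.30.
release_version() {
  current=$1; tags=$2
  if printf '%s\n' "$tags" | grep -qx -- "v$current"; then
    bump_patch "$current"
  else
    echo "$current"
  fi
}

# set_cargo_version FILE NEWVER: rewrite only the first `version = "..."`
# line, which is the [package] one; dependency versions further down stay.
set_cargo_version() {
  awk -v v="$2" '!hit && /^version = "/ { $0 = "version = \"" v "\""; hit = 1 } { print }' "$1" > "$1.tmp"
  mv "$1.tmp" "$1"
}
```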
…to fix/release-workflow-v2
- Remove OpenAI API dependency for changelog generation
- Use git-cliff (Rust-based, free, no API keys needed)
- Parses conventional commits automatically
- Categorizes commits with emoji prefixes
- Falls back to simple format if git-cliff fails
Walkthrough
Replaces AI-driven changelog generation in the release workflow with a deterministic git-cliff invocation using an inline
Changes
Sequence Diagram(s)
sequenceDiagram
autonumber
participant GH as GitHub Actions
participant Repo as Repository (git)
participant Tool as git-cliff
participant Storage as Actions Artifact / Output
rect rgb(240,248,255)
GH->>Repo: checkout code
GH->>Tool: download & verify git-cliff tarball
GH->>Tool: install git-cliff
end
rect rgb(245,255,240)
GH->>Repo: determine PREV_TAG..HEAD
GH->>Tool: run git-cliff with inline cliff.toml (PREV_TAG..HEAD)
Tool-->>GH: changelog.md (may be empty)
end
alt changelog non-empty
GH->>Storage: upload changelog artifact & set output
else empty output
GH->>Repo: run fallback `git log` to create basic changelog
GH->>Storage: upload fallback artifact & set output
end
Actionable comments posted: 1
Fix all issues with AI Agents 🤖
In @.github/workflows/release.yml:
- Around line 227-232: The workflow installs git-cliff v2.7.0 and moves a downloaded binary to /usr/local/bin without checksum verification; update the download to a secure, supported release (v2.11.0 or later) and add checksum validation before installing: change the version string used in the "Install git-cliff" step, fetch the corresponding release checksum (or .sha512 file) from the git-cliff releases, validate the downloaded tar.gz against that checksum, and only then extract and move the binary (still using sudo for /usr/local/bin if needed); ensure the step fails on checksum mismatch to prevent installing tampered binaries.
🧹 Nitpick comments (1)
.github/workflows/release.yml (1)
287-301: Consider more explicit error handling for git-cliff. The current implementation only checks if changelog.md is empty, which doesn't distinguish between:
- git-cliff failing with an error (which might write error messages to the file)
- git-cliff succeeding but producing no output (e.g., no commits in range)
- git-cliff succeeding with valid output
Consider capturing the exit code to make the fallback logic more deterministic.
🔎 Proposed improvement
# Generate changelog for this release - git-cliff --config cliff.toml --tag "v${VERSION}" "${PREV_TAG}..HEAD" > changelog.md + if ! git-cliff --config cliff.toml --tag "v${VERSION}" "${PREV_TAG}..HEAD" > changelog.md 2>&1; then + echo "git-cliff failed, using fallback" + { + echo "# Release v${VERSION}" + echo "" + echo "Released on $(date '+%Y-%m-%d')" + echo "" + echo "### 📦 Changes" + echo "" + git log "${PREV_TAG}..HEAD" --pretty=format:"- %s (\`%h\`) - @%an" + } > changelog.md + fi # If git-cliff fails or produces empty output, fall back to simple format - if [ ! -s changelog.md ]; then + if [ ! -s changelog.md ]; then echo "git-cliff produced empty output, using fallback" { echo "# Release v${VERSION}" echo "" echo "Released on $(date '+%Y-%m-%d')" echo "" echo "### 📦 Changes" echo "" git log "${PREV_TAG}..HEAD" --pretty=format:"- %s (\`%h\`) - @%an" } > changelog.md fi
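Review bot: the added 2>&1 on the git-cliff invocation sends stderr into changelog.md, so a run that exits 0 but prints warnings ships those warnings as changelog content, and a run that fails has its diagnostics overwritten by the fallback before anyone can read them in the job log; leave stderr on the job log (drop the 2>&1) or capture it in a separate file and echo that file in the failure branch. The last hunk also replaces "if [ ! -s changelog.md ]; then" with an identical line, and the fallback block now appears twice verbatim; move it into a shell function called from both the failure branch and the empty-output branch.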
🔇 Additional comments (2)
.github/workflows/release.yml (2)
209-209: LGTM! Clear description of the new approach. The comment accurately reflects the benefits of replacing OpenAI with git-cliff.
246-284: Well-structured git-cliff configuration. The inline cliff.toml configuration correctly implements conventional commit parsing with comprehensive type mapping and emoji-prefixed sections. The catch-all pattern at line 280 ensures all commits are captured, and filter_unconventional = false prevents commit exclusion.
- Upgrade git-cliff from v2.7.0 to v2.11.0 to address CVE-2024-32650
- Add SHA512 checksum verification before installing git-cliff binary
- Improve error handling to capture git-cliff exit code
- Distinguish between git-cliff failure vs empty output scenarios
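The checksum verification the reviewer asked for and the commit above says was added, as an added shell example; this is not the PR's workflow code. It assumes the sidecar .sha512 file holds one coreutils-style line, "<hex>  <filename>", which is what sha512sum --check consumes; the demo artifacts at the bottom are constructed locally in place of the release download.

```shell
#!/bin/sh
# Added example, not the PR's workflow: verify a release tarball against its
# published .sha512 sidecar and extract only after the digest matches.
set -eu

sha512_sum()   { if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1"; else shasum -a 512 "$1"; fi; }
sha512_check() { if command -v sha512sum >/dev/null 2>&1; then sha512sum --check --status "$1"; else shasum -a 512 --check --status "$1"; fi; }

# verify_tarball TARBALL SUMFILE: 0 only when SUMFILE names TARBALL itself and
# the digest matches. A digest for some other file proves nothing about the one
# about to be installed, so the listed filename is checked before the hash.
verify_tarball() {
  tarball=$1; sumfile=$2
  listed=$(awk 'NR == 1 { print $2 }' "$sumfile" | sed 's/^\*//')
  if [ "$listed" != "$(basename "$tarball")" ]; then
    echo "checksum file names '$listed', expected '$(basename "$tarball")'" >&2
    return 1
  fi
  sumfile_abs=$(cd "$(dirname "$sumfile")" && pwd)/$(basename "$sumfile")
  ( cd "$(dirname "$tarball")" && sha512_check "$sumfile_abs" ) \
    || { echo "SHA512 mismatch for $tarball, refusing to install" >&2; return 1; }
}

# install_verified TARBALL SUMFILE DESTDIR: nothing is extracted before
# verification passes, so a tampered download never reaches DESTDIR.
install_verified() {
  verify_tarball "$1" "$2" || return 1
  mkdir -p "$3"
  tar -xzf "$1" -C "$3"
}

# Constructed demo artifacts standing in for the git-cliff release download.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/src"; printf 'demo binary\n' > "$demo/src/git-cliff"
tar -czf "$demo/good.tar.gz" -C "$demo/src" git-cliff
( cd "$demo" && sha512_sum good.tar.gz > good.tar.gz.sha512 )
# Tampered copy: one byte appended, checksum file left as "published".
cp "$demo/good.tar.gz" "$demo/bad.tar.gz"; printf 'x' >> "$demo/bad.tar.gz"
sed 's/good\.tar\.gz/bad.tar.gz/' "$demo/good.tar.gz.sha512" > "$demo/bad.tar.gz.sha512"
```

Note that the sidecar is fetched from the same origin as the tarball, so this catches corruption and a swapped asset but not a host that can replace both files; pinning the expected digest in the workflow closes that gap.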
Actionable comments posted: 0
🧹 Nitpick comments (2)
.github/workflows/release.yml (2)
236-241: Consider adding explicit error handling for download failures. Whilst the -f flag in curl will cause the step to fail on HTTP errors, adding explicit error messages would improve debuggability when downloads fail.
♻️ Optional improvement for clearer error handling
- # Download the tarball and checksum - curl -sSfL "${DOWNLOAD_URL}/${TARBALL}" -o "${TARBALL}" - curl -sSfL "${DOWNLOAD_URL}/${TARBALL}.sha512" -o "${TARBALL}.sha512" + # Download the tarball and checksum + echo "Downloading git-cliff ${VERSION}..." + if ! curl -sSfL "${DOWNLOAD_URL}/${TARBALL}" -o "${TARBALL}"; then + echo "Error: Failed to download git-cliff tarball" + exit 1 + fi + if ! curl -sSfL "${DOWNLOAD_URL}/${TARBALL}.sha512" -o "${TARBALL}.sha512"; then + echo "Error: Failed to download checksum file" + exit 1 + fi
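Review bot: both new branches only echo a message and exit 1, which is what curl -f under the runner's errexit already does, so this hunk changes the log output but not the failure behaviour. If transient release-asset download failures are the concern, adding --retry 3 to both curl calls addresses that directly. Since the .sha512 sidecar is fetched from the same DOWNLOAD_URL as the tarball, a host that can replace one can replace both; the check guards against corruption or a swapped asset, not a hostile origin, unless the expected digest is pinned in the workflow itself.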
257-262: Previous tag logic is correct but could be more explicit. The logic properly handles cases where there are multiple tags, one tag, or no tags. However, the fallback to the initial commit might produce a very large changelog for first releases.
💡 Optional: Add explicit handling for first release
# Get previous tag for range PREV_TAG=$(git tag -l 'v*' --sort=-v:refname | head -2 | tail -1) if [ -z "$PREV_TAG" ]; then - PREV_TAG=$(git rev-list --max-parents=0 HEAD) + # For first release, use initial commit + PREV_TAG=$(git rev-list --max-parents=0 HEAD) + echo "No previous tag found, generating changelog from initial commit" + else + echo "Found previous tag: $PREV_TAG" fi echo "Generating changelog from $PREV_TAG to HEAD"
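Review bot: with exactly one v* tag present, "head -2 | tail -1" prints that single tag, so PREV_TAG is never empty and the initial-commit branch only runs in a repository with no v* tags at all; if the tag for the current release has already been pushed when this step runs, the range becomes v<current>..HEAD and the changelog comes out empty, which then trips the fallback path. Exclude the tag being released explicitly (filter it out of the list before the head/tail) rather than relying on its position in the sorted output.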
🔇 Additional comments (5)
.github/workflows/release.yml (5)
209-209: LGTM! The comment accurately reflects the benefits of using git-cliff over the previous OpenAI-based approach.
264-302: LGTM! The git-cliff configuration properly parses conventional commits with appropriate categorisation and emoji prefixes. The catch-all pattern ensures no commits are omitted from the changelog.
304-335: Excellent error handling with comprehensive fallback strategy! The implementation properly handles both git-cliff failures and empty output scenarios, with clear logging and a robust fallback to git log. The captured exit code (line 306) allows distinguishing between command failure and legitimate empty output.
337-345: LGTM! The changelog is properly output to GitHub Actions using heredoc syntax and displayed in logs for transparency. The output is correctly consumed by the release job at line 394.
227-250: Excellent security improvements addressing CVE-2024-32650; v2.11.0 is confirmed as the latest stable release. The upgrade to v2.11.0 (released 14 December 2025) correctly addresses the DoS vulnerability in the rustls dependency, and the addition of SHA512 checksum verification strengthens supply chain security. All claims verified and appropriate.
Summary
Replaces OpenAI API with git-cliff for changelog generation.
Changes
OPENAI_API_KEY secret needed)
How it works
Benefits
Pull Request opened by Augment Code with guidance from the PR author
Summary by CodeRabbit