Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions .github/workflows/Publish-Package.yml

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: Have you looked at Towncrier? I don't think any of our public packages have high enough velocity to require something like that, but it's worth knowing about.

Original file line number Diff line number Diff line change
Expand Up @@ -104,3 +104,43 @@ jobs:
token: ${{ secrets.ADMIN_PAT }}
version-rule: "prepatch"
use-dev-suffix: false
update_changelog:
name: Update changelog
runs-on: ubuntu-latest
needs: [build_package]
if: github.event_name == 'release' || inputs.environment != 'none'

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I typically rerun publish workflows manually when something goes wrong and I would expect it to do all the work that it should have done the first time.

permissions:
contents: write
pull-requests: write
steps:
- name: Check out repo
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Comment on lines +116 to +117

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will not work when releasing out of "releases/X.Y". The default branch will be "main" or "master" and the PR targeting "releases/X.Y" will have merge conflicts and include inappropriate commits.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmmm, this is going to be fun to fix both...

@bkeryan bkeryan Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's how ni/python-actions/update-project-version determines the base branch: ${{ github.event_name == 'release' && github.event.release.target_commitish || github.ref_name }}

You could check out the base branch when updating the changelog.

However, ni/python-actions/update-project-version doesn't include the checkout step, so if we want that action to support releasing from an older commit tag, I think we need to break compatibility or make a 2nd checkout somewhere else.

Is releasing from an older commit tag really that important?

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW update-project-version has a workflow that relies on the client calling checkout: you can checkout, update-project-version on multiple projects, and set create-pull-request: false for all but the last one. Only the last call will create a PR.

- name: Set up Python
uses: ni/python-actions/setup-python@a2554c7e5680982d3355677b2290e48b60678744 # v0.8.0
- name: Set up Poetry
uses: ni/python-actions/setup-poetry@a2554c7e5680982d3355677b2290e48b60678744 # v0.8.0
- name: Promote package version to release
run: poetry version patch
- name: Get package version
id: get-version
run: echo "version=$(poetry version -s)" >> "$GITHUB_OUTPUT"
Comment on lines +122 to +126

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This makes me think this should be in the same job...

- name: Update changelog
run: |
CHANGELOG_FILE="CHANGELOG.md"
VERSION="${{ steps.get-version.outputs.version }}"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does zizmor flag this as https://docs.zizmor.sh/audits/#template-injection ?

It came from the previous step, so obviously it's not untrusted input.

You could potentially merge the steps, though.

TODAY=$(date +"%Y-%m-%d")

# Create the new changelog entry
sed \
-e "s/^## \[Unreleased\]/## [Unreleased]\n\n## [$VERSION] - $TODAY/" \

@bkeryan bkeryan Jun 30, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This runs after the build, so it's updating the main/release branch for the next version.

Does that mean the tagged CHANGELOG.md for version X says [Unreleased] rather than version X? For nidaqmx-python, we have been updating CHANGELOG.md before each release so the tagged CHANGELOG.md lists the correct version.

-e "s;\[Unreleased\]: \(\(.*/compare/\).*\)\.\.\.main;[Unreleased]: \2v${VERSION}...main\n[${VERSION}]: \1...v${VERSION};" \
-i "${CHANGELOG_FILE}"
- name: Create Pull Request
uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI, we should consider using gh pr create for stuff like this: https://docs.zizmor.sh/audits/#superfluous-actions

That said, I realize this is easier said than done.

with:
token: ${{ secrets.ADMIN_PAT }}
commit-message: 'docs: update changelog for ${{ steps.get-version.outputs.version }}'
title: 'docs: update changelog for ${{ steps.get-version.outputs.version }}'
body: 'Automatically generated changelog update for release ${{ steps.get-version.outputs.version }}'
branch: changelog-update-${{ steps.get-version.outputs.version }}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has the wrong base branch when releasing out of "releases/X.Y"

See https://github.com/ni/python-actions/blob/main/update-project-version/action.yml#L101

delete-branch: true