Comment changeset status in PRs

[bluwy]

You can test the action with uses: changesets/action/comment-pr-changeset@comment-pr-changeset-dist.

Example workflow setup

# .github/workflows/comment-changeset-pr-status.yml
name: Comment changeset status in PRs

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  pr-status:
    runs-on: ubuntu-slim
    permissions:
      contents: read # to check out files in the repo
    outputs:
      commentBody: ${{ steps.pr-status.outputs.commentBody }}
    steps:
      - name: Check out repo
        uses: actions/checkout@v6

      - name: Generate status
        id: pr-status
        uses: changesets/action/pr-status@v1

  comment:
    needs: pr-status
    runs-on: ubuntu-slim
    permissions:
      pull-requests: write # to create and update comments on PRs
    steps:
      - name: Comment on PR
        uses: mshick/add-pr-comment@v3
        with:
          message-id: changeset-pr-status
          message: ${{ needs.pr-status.outputs.commentBody }}

See this action ... in action: bluwy/changesets-playground#1 (feel free to send PRs from forks for testing)

This actions focuses only on generating the comment, and defer the commenting to other actions. This is because we want to use reduced permissions for generating the comment to prevent risks of executing untrusted code and accessing the elevated github token. When changesets generate a release plan, we cannot guarantee in the future it will not execute code because of hooks/plugins or such.

---

When you have this workflow in your repo, you should disable the changeset bot for the repo so messages don't get reported twice. For this action, you should get the exact behaviour and messages from a bot. I didn't change the message for now.

[changeset-bot]

⚠️ No Changeset found

Latest commit: d288cad

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	markdown-table@​3.0.4

View full report

[bluwy]

This is now ready again. The action now works slightly differently to prevent token leaks when generating the release plan. See the PR description and the added README for more info.

I was also considering adding a simple comment action so we don't have to recommend a third-party action, but I don't want to widen the scope for now.