OCM-24478 | chore: add historical changelog automation

[olucasfreitas]

PR Summary

Add git-cliff configuration, repository helpers, and a seeded CHANGELOG.md so ROSA can generate a historical changelog after stable tags. Document the post-tag Prow flow and manual fallback commands for changelog regeneration and backfills.

Detailed Description of the Issue

ROSA does not currently keep a historical CHANGELOG.md in the repository, and the release-time changelog work needs to stay on Prow rather than being introduced as a GitHub Actions workflow. This change adds the repo-side git-cliff configuration, bootstrap changelog content, and helper scripts that a stable-tag Prow job can call to generate a changelog branch and open a reviewable PR back to master.

Related Issues and PRs

• Jira: OCM-24478
• Fixes: N/A
• Related PR(s):
• Related design/docs: N/A

Type of Change

• feat - adds a new user-facing capability.
• fix - resolves an incorrect behavior or bug.
• docs - updates documentation only.
• style - formatting or naming changes with no logic impact.
• refactor - code restructuring with no behavior change.
• test - adds or updates tests only.
• chore - maintenance work (tooling, housekeeping, non-product code).
• build - changes build system, packaging, or dependencies for build output.
• ci - changes CI pipelines, jobs, or automation workflows.
• perf - improves performance without changing intended behavior.

Previous Behavior

ROSA did not have a committed historical changelog, git-cliff configuration, or repo-side scripts that could generate a changelog PR after a stable tag. Release-note grouping only existed in GoReleaser, and no Prow job was wired to maintain a repository changelog.

Behavior After This Change

ROSA now has a historical CHANGELOG.md generated by git-cliff, a repo-side changelog generation helper, and a PR helper script designed for stable-tag Prow automation. Contributors do not add changelog fragments to feature PRs; instead, stable tags trigger a reviewable historical changelog update flow.

How to Test (Step-by-Step)

Preconditions

• Stable tags exist in the repository history.
• The companion openshift/release PR is applied when validating the full Prow flow.

Test Steps

1. Run ./hack/changelog-generate.sh --tag v1.2.63 --previous-tag v1.2.62 --output "$(mktemp)".
2. Run ./hack/changelog-generate.sh --bootstrap.
3. Review cliff.toml, CHANGELOG.md, hack/changelog-generate.sh, and hack/changelog-pr.sh.
4. Run make test, make lint, and make rosa.

Expected Results

• The helper can generate a single stable-tag changelog entry.
• The bootstrap command rebuilds the historical CHANGELOG.md from stable tags only.
• The generated changelog format stays consistent with the committed file.
• ROSA test, lint, and build checks pass.

Proof of the Fix

• Screenshots: N/A
• Videos: N/A
• Logs/CLI output: ./hack/changelog-generate.sh --tag v1.2.63 --previous-tag v1.2.62, make test, make lint, make rosa
• Other artifacts: N/A

Breaking Changes

• No breaking changes
• Yes, this PR introduces a breaking change (describe impact and migration plan below)

Breaking Change Details / Migration Plan

N/A

Developer Verification Checklist

• Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
• PR description clearly explains both what changed and why.
• Relevant Jira/GitHub issues and related PRs are linked.
• make install-hooks has been run in this clone.
• Tests were added/updated where appropriate.
• I manually tested the change.
• make test passes.
• make lint passes.
• make rosa passes.
• Documentation or repo-local agent guidance was added/updated where appropriate.
• Any risk, limitation, or follow-up work is documented.

Summary by CodeRabbit

• Documentation

  • Added "Release Process and Changelog Automation" docs explaining automated changelog generation, canonical history, PR-based review flow, and manual bootstrap/backfill commands.
  • Expanded release-helper docs with usage and fallback guidance for changelog generation and PR creation.

• Chores

  • Added changelog tooling, configuration, helper scripts, Makefile targets, and a CI workflow to generate/update CHANGELOG.md, open reviewable changelog PRs, and auto-install the pinned changelog tool.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR adds a git-cliff configuration (cliff.toml), scripts to generate CHANGELOG.md (hack/changelog-generate.sh) and to create/update a changelog PR (hack/changelog-pr.sh), Makefile targets to run those scripts, and documentation updates (CONTRIBUTING.md, hack/README.md). The generator auto-resolves or downloads a pinned git-cliff binary, supports bootstrap and single-tag modes, and the PR script commits/pushes a tag-named branch and uses the GitHub API to create or update the release changelog PR.

Suggested reviewers

• jerichokeyne
• amandahla

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'OCM-24478 | chore: add historical changelog automation' is directly related to the main change: adding changelog automation infrastructure including git-cliff configuration, helper scripts, and documentation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR does not introduce any Ginkgo tests; it only adds changelog automation infrastructure (scripts, configuration, and workflows).
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code—only changelog automation infrastructure (bash scripts, configuration, and GitHub Actions workflow). Custom check for test quality is not applicable.
Microshift Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests. Check for MicroShift test compatibility only applies when new e2e tests are added; not applicable here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes are limited to changelog automation: markdown docs, bash scripts, and config files. Check not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds changelog automation (scripts, documentation, CI/CD workflow) with no deployment manifests, operator code, controllers, or pod scheduling constraints. Check is not applicable.
Ote Binary Stdout Contract	✅ Passed	PR adds only documentation, shell scripts, configuration, and GitHub Actions workflow - no Go source code that could violate OTE binary stdout contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are present in this PR. The PR adds changelog automation infrastructure (scripts, configs, workflows, docs) without introducing any test code.
Description check	✅ Passed	PR description comprehensively covers all required template sections with clear context, detailed problem statement, scope, validation steps, and evidence.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olucasfreitas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [olucasfreitas]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/changelog-generate.sh`:
- Around line 150-153: The commit range logic drops the repository's first
commit because using root_commit..${current_tag} excludes root_commit; update
the branch that handles i==0 so that when computing commit_range you use just
"${current_tag}" (or otherwise include root_commit by using
"${root_commit}"..="${current_tag}" if your Git supports the inclusive range)
instead of root_commit..${current_tag}; modify the code that sets root_commit
and commit_range (variables root_commit, commit_range, current_tag, and the i==0
conditional) so the first-tag path includes the initial commit in the changelog.

In `@hack/changelog-pr.sh`:
- Line 84: The diff check currently hardcodes "CHANGELOG.md" which ignores the
configurable variable CHANGELOG_FILE; update the git diff invocation in
hack/changelog-pr.sh (the if condition using git -C "${REPO_ROOT}" diff --quiet
-- "CHANGELOG.md") to reference the CHANGELOG_FILE variable instead (e.g., use
"${CHANGELOG_FILE}") so the script respects the configured changelog path and
correctly detects changes for non-default files.

In `@hack/README.md`:
- Around line 33-35: Replace the fenced triple-backtick code blocks used for the
shell examples (the snippet showing ./hack/changelog-generate.sh --bootstrap and
the two other similar examples) with the repository’s configured indented
code-block style so markdownlint MD046 is satisfied; locate the three
occurrences (the example blocks currently fenced at the shown snippets) and
convert them to indented blocks preserving the exact shell commands and spacing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6fd2d8a0-633d-402e-9ef8-4df5cb3c5011

📥 Commits

Reviewing files that changed from the base of the PR and between c332d23 and fd2396d.

📒 Files selected for processing (7)

• CHANGELOG.md
• CONTRIBUTING.md
• Makefile
• cliff.toml
• hack/README.md
• hack/changelog-generate.sh
• hack/changelog-pr.sh

[olucasfreitas]

@coderabbitai resolve

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/changelog-pr.sh`:
- Line 122: Update the PR body template so the ticket keyword uses the required
uppercase form: replace the "Jira:
[${JIRA_KEY}](https://issues.redhat.com/browse/${JIRA_KEY})" string in
hack/changelog-pr.sh with "JIRA:
[${JIRA_KEY}](https://issues.redhat.com/browse/${JIRA_KEY})" (referencing the
JIRA_KEY variable in that template) so the automation recognizes the link.
- Around line 75-77: The script currently persists GITHUB_TOKEN into the
repository git config by setting credential.helper via git -C "${REPO_ROOT}"
config credential.helper, which leaves credentials behind; instead avoid
persistence by either using a non-persistent git -c credential.helper=...
invocation for the specific git commands that need the token or, if you must set
it, immediately remove it after use with git -C "${REPO_ROOT}" config --unset
credential.helper; update the lines around the credential.helper setup (the git
config call referencing REPO_ROOT and GITHUB_TOKEN) to use one of these
approaches so the token is never written permanently to the repo config.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9e73bf76-51d3-46cb-af25-cd24296d7c03

📥 Commits

Reviewing files that changed from the base of the PR and between fd2396d and 678fd30.

📒 Files selected for processing (7)

• CHANGELOG.md
• CONTRIBUTING.md
• Makefile
• cliff.toml
• hack/README.md
• hack/changelog-generate.sh
• hack/changelog-pr.sh

✅ Files skipped from review due to trivial changes (1)

• CONTRIBUTING.md

[coderabbitai]

✅ Actions performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.

[olucasfreitas]

@amandahla please review this when you can, low priority

[olucasfreitas]

@amandahla please review this when you can, low priority

[amandahla]

I think keeping the changelog updates in a GitHub workflow is easier to maintain than using a Prow job, especially given the complexity of shell scripting and the GitHub token setup/rotation. wdyt

[amandahla]

Can we use the same nomenclature from this guide? 'Historical Changelog' sounds a bit off (IMHO)

[olucasfreitas]

Done. Renamed the section to "Release Process and Changelog Automation" to match the provider's CONTRIBUTING.md.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/changelog-pr.sh`:
- Around line 73-82: The script currently sets a repo-local credential.helper
(via the git -C "${REPO_ROOT}" config credential.helper ... block) and unsets
all credential.helper entries in cleanup(), which can leak and clobber
configurations; remove the repo-local credential.helper writes and the cleanup()
unset logic, and instead pass the token-only helper inline for the push command
using git -c credential.helper="!f() { echo username=x-access-token; echo
password=${GITHUB_TOKEN}; }; f" git push ... (i.e., use git -c on the push
invocation rather than modifying config), leaving functions and trap (cleanup)
that are unrelated unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8511f9bf-2d4c-462f-aa8b-c6e356cde33a

📥 Commits

Reviewing files that changed from the base of the PR and between 678fd30 and b5bb678.

📒 Files selected for processing (7)

• CHANGELOG.md
• CONTRIBUTING.md
• Makefile
• cliff.toml
• hack/README.md
• hack/changelog-generate.sh
• hack/changelog-pr.sh

✅ Files skipped from review due to trivial changes (1)

• CONTRIBUTING.md

[coderabbitai]

🧹 Nitpick comments (2)

Makefile (1)

184-187: 💤 Low value

Consider adding a more helpful error message when TAG is missing.

The @test -n "$(TAG)" check exits with a generic "Error 1" message. A clearer message would improve the developer experience.

💬 Proposed improvement

 .PHONY: changelog-generate
 changelog-generate:
-	`@test` -n "$(TAG)"
+	`@test` -n "$(TAG)" || { echo "Error: TAG is required. Usage: make changelog-generate TAG=v1.2.63"; exit 1; }
 	./hack/changelog-generate.sh --tag "$(TAG)" $(if $(PREVIOUS_TAG),--previous-tag "$(PREVIOUS_TAG)",)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 184 - 187, The changelog-generate target currently
uses "`@test` -n \"$(TAG)\"" which yields an opaque "Error 1" when TAG is unset;
change the check in the Makefile's changelog-generate recipe to explicitly test
TAG and print a clear error (e.g., echo "TAG is required for changelog-generate"
to stderr) and exit non-zero if missing so maintainers see a helpful message;
update the line that contains the test -n "$(TAG)" to an explicit conditional
that echoes the message and exits when TAG is empty.

hack/changelog-generate.sh (1)

114-116: ⚡ Quick win

Add timeout to curl to prevent indefinite hangs.

The curl call lacks a timeout, which could cause the script to hang indefinitely on network issues during Prow automation or local execution.

Suggested fix

   echo "Downloading git-cliff v${GIT_CLIFF_VERSION}..." >&2
-  curl -fsSL -o "${archive_path}" "${download_url}"
+  curl -fsSL --max-time 120 --retry 2 -o "${archive_path}" "${download_url}"
   tar -xzf "${archive_path}" -C "${extract_dir}" --strip-components=1 "git-cliff-${GIT_CLIFF_VERSION}/git-cliff"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/changelog-generate.sh` around lines 114 - 116, The curl call that
downloads git-cliff (using variables download_url, archive_path and
GIT_CLIFF_VERSION) has no timeout and can hang; update the curl invocation to
include connection and overall timeouts (for example --connect-timeout 10 and
--max-time 60 or -m 60) so the script fails fast on network issues and does not
block Prow or local runs.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@hack/changelog-generate.sh`:
- Around line 114-116: The curl call that downloads git-cliff (using variables
download_url, archive_path and GIT_CLIFF_VERSION) has no timeout and can hang;
update the curl invocation to include connection and overall timeouts (for
example --connect-timeout 10 and --max-time 60 or -m 60) so the script fails
fast on network issues and does not block Prow or local runs.

In `@Makefile`:
- Around line 184-187: The changelog-generate target currently uses "`@test` -n
\"$(TAG)\"" which yields an opaque "Error 1" when TAG is unset; change the check
in the Makefile's changelog-generate recipe to explicitly test TAG and print a
clear error (e.g., echo "TAG is required for changelog-generate" to stderr) and
exit non-zero if missing so maintainers see a helpful message; update the line
that contains the test -n "$(TAG)" to an explicit conditional that echoes the
message and exits when TAG is empty.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f94a32bf-b451-4b9b-b5b6-f73858f78136

📥 Commits

Reviewing files that changed from the base of the PR and between b5bb678 and 5523db9.

📒 Files selected for processing (7)

• CHANGELOG.md
• CONTRIBUTING.md
• Makefile
• cliff.toml
• hack/README.md
• hack/changelog-generate.sh
• hack/changelog-pr.sh

✅ Files skipped from review due to trivial changes (1)

• CONTRIBUTING.md

[olucasfreitas]

Agreed @amandahla, moved the automation to a GitHub Actions workflow (.github/workflows/update-changelog.yml) and closed the companion openshift/release PR. The workflow follows the same pattern as the provider repo: stable tag triggers changelog generation via git-cliff and opens a reviewable PR. The hack/changelog-pr.sh script stays as a manual fallback.

[olucasfreitas]

@coderabbitai resolve

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/update-changelog.yml:
- Around line 27-31: The checkout step currently leaves credentials persisted
(actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd); update that step to
explicitly disable credential persistence by adding persist-credentials: false
in the step's with: block so the job token isn't written to the repo git config
while keeping ref: master and fetch-depth: 0 unchanged.

In `@hack/changelog-generate.sh`:
- Around line 35-66: The parsing for options --tag, --previous-tag and --output
currently assigns "${2:-}" and then unconditionally does shift which can cause
the script to exit if the value is missing; update the case branches that set
TARGET_TAG, PREVIOUS_TAG and CHANGELOG_FILE to validate that a next token exists
and is not another flag before shifting. Specifically, inside the while/case
handling, check the second positional parameter is non-empty and does not begin
with '-' (for example using a guard like testing "${2:-}" and its first char)
and if invalid print a descriptive error and exit; only then assign
TARGET_TAG/PREVIOUS_TAG/CHANGELOG_FILE and perform the extra shift. This change
applies to the --tag, --previous-tag and --output branches and leaves MODE and
FETCH_TAGS handling unchanged.

In `@hack/changelog-pr.sh`:
- Around line 202-219: The script never applies the required "changelog" label
when updating or creating PRs; after either the existing_PR branch
(existing_pr_number) or the new PR creation (pr_url / response), call the Issues
labels API to set the label. Concretely: when existing_pr_number is set, POST to
"${api_base}/issues/${existing_pr_number}/labels" with
'{"labels":["changelog"]}'; when creating a PR, capture the returned PR number
(jq -r '.number') instead of only .html_url and then POST to
"${api_base}/issues/${new_pr_number}/labels" with '{"labels":["changelog"]}'.
Ensure both paths use the same Authorization/Accept headers and handle failures
similarly to the existing curl calls.
- Around line 76-96: The branch creation currently makes branch_name from the
caller’s HEAD which can include unrelated commits; change the flow to create the
new branch from BASE_BRANCH instead: after generating the changelog and before
adding/committing CHANGELOG_FILE, fetch/update refs in REPO_ROOT and replace the
git checkout -B "${branch_name}" call so it creates the branch starting at
"${BASE_BRANCH}" (not HEAD) ensuring the new branch_name (built from
PR_BRANCH_PREFIX and TARGET_TAG) contains only the changelog change before git
add/commit/push.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d6991aec-6b26-49c1-8036-7dc91a25ffc2

📥 Commits

Reviewing files that changed from the base of the PR and between 5523db9 and ba7a1c9.

📒 Files selected for processing (8)

• .github/workflows/update-changelog.yml
• CHANGELOG.md
• CONTRIBUTING.md
• Makefile
• cliff.toml
• hack/README.md
• hack/changelog-generate.sh
• hack/changelog-pr.sh

✅ Files skipped from review due to trivial changes (1)

• CONTRIBUTING.md

[coderabbitai]

✅ Actions performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.