From 997c6a2360953fc7a4ba632d55b4c996839a5fe7 Mon Sep 17 00:00:00 2001
From: Dan Draper
Date: Thu, 21 May 2026 14:05:46 +1000
Subject: [PATCH] ci(release): verify CHANGELOG entry + fix Release EQL badge
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a verify-changelog job to the Release EQL workflow that fails the release run when CHANGELOG.md (at the tagged commit) has no `## []` section — i.e. the release was cut without first promoting [Unreleased]. This is what happened with eql-2.3.1. Skips pre-releases, which keep entries under [Unreleased] until the final cut. It's an independent job: artifact build/publish still proceed (the release is already published by then), but the workflow goes red so the omission is visible. Also fix the README Release EQL badge: it tracked `?branch=main`, but the workflow effectively never runs on main (it runs on `release` tag events). The last main run was a cancelled workflow_dispatch from 2025-11-26, so the badge showed "failing" despite every release succeeding. Switch to `?event=release`.
---
 .github/workflows/release-eql.yml | 23 +++++++++++++++++++++++
 README.md | 2 +-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-eql.yml b/.github/workflows/release-eql.yml
index bbb825b4..515fa0fe 100644
--- a/.github/workflows/release-eql.yml
+++ b/.github/workflows/release-eql.yml
@@ -24,6 +24,29 @@ permissions:
 contents: write
 jobs:
+ verify-changelog:
+ runs-on: ubuntu-latest
+ name: Verify CHANGELOG entry
+ # Only real (non-prerelease) eql-* releases. Pre-releases keep their
+ # entries under [Unreleased] until the final release is cut.
+ if: ${{ github.event_name == 'release' && contains(github.event.release.tag_name, 'eql') && github.event.release.prerelease == false }}
+ timeout-minutes: 5
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: CHANGELOG.md has a section for this release
+ env:
+ TAG: ${{ github.event.release.tag_name }}
+ run: |
+ version="${TAG#eql-}"
+ escaped="${version//./\\.}"
+ if ! grep -qE "^## \[${escaped}\]" CHANGELOG.md; then
+ echo "::error file=CHANGELOG.md::No '## [${version}]' section in CHANGELOG.md at tag ${TAG}. The release was cut without promoting [Unreleased] -> [${version}] first. See the 'Cutting a release' section of CLAUDE.md."
+ exit 1
+ fi
+ echo "Found '## [${version}]' section in CHANGELOG.md."
+
 build-and-publish:
 runs-on: ubuntu-latest
 name: Build EQL
diff --git a/README.md b/README.md
index 17969b8f..7722cfa7 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # Encrypt Query Language (EQL)
 [![Test EQL](https://github.com/cipherstash/encrypt-query-language/actions/workflows/test-eql.yml/badge.svg?branch=main)](https://github.com/cipherstash/encrypt-query-language/actions/workflows/test-eql.yml)
-[![Release EQL](https://github.com/cipherstash/encrypt-query-language/actions/workflows/release-eql.yml/badge.svg?branch=main)](https://github.com/cipherstash/encrypt-query-language/actions/workflows/release-eql.yml)
+[![Release EQL](https://github.com/cipherstash/encrypt-query-language/actions/workflows/release-eql.yml/badge.svg?event=release)](https://github.com/cipherstash/encrypt-query-language/actions/workflows/release-eql.yml)
 Encrypt Query Language (EQL) is a set of abstractions for transmitting, storing, and interacting with encrypted data and indexes in PostgreSQL.
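Review bot: The `verify-changelog` job added in `.github/workflows/release-eql.yml` sets no `permissions:` of its own, so it appears to inherit the `contents: write` shown in the hunk's leading context, even though its two steps only check out the tag and grep `CHANGELOG.md`. Give the job a read-only token with `permissions:` / `contents: read`, and add `with:` / `persist-credentials: false` under the checkout step so the token is not left in the workspace's git config. `actions/checkout@v4` is a mutable ref; in a release workflow, pinning it to a full commit SHA (`uses: actions/checkout@<full-commit-sha> # v4`) removes the dependence on that tag never being moved. Passing the tag through `env: TAG` instead of expanding `${{ … }}` inside `run:` is the right pattern and should stay, but `escaped` only neutralises dots, so a tag carrying other ERE metacharacters (`+` build metadata, for instance) would not be matched literally by `grep -qE`. The job condition would also agree better with the `${TAG#eql-}` strip if it used `startsWith(github.event.release.tag_name, 'eql-')` rather than `contains(…, 'eql')`.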