Add changelog feature #42
📝 Walkthrough
Adds a schema-validated changelog system: JSON Schema and components config, a Node.js build script with tests to render README/SUMMARY/public index, CODEOWNERS and GitHub Actions for rebuilds and reviewer commands, npm wiring, and initial changelog entries dated 2026-05-19.
Changes
Changelog Management System
Sequence Diagram(s)
sequenceDiagram
participant Reviewer
participant GitHubAPI
participant GHScript
participant ComponentRepo
participant ChangelogAction
Reviewer->>GitHubAPI: Comment with /regenerate or /skip
GitHubAPI->>GHScript: Parse comment
GHScript->>GitHubAPI: Extract component/tag from PR body
alt /regenerate command
GHScript->>ComponentRepo: Checkout component repo
ComponentRepo->>ChangelogAction: Run changelog action
ChangelogAction->>GitHubAPI: Generate & submit changelog
else /skip command
GHScript->>GitHubAPI: Find changelog file in PR
GitHubAPI->>GHScript: Return file SHA
GHScript->>GitHubAPI: Create file with ai_generated marker
end
GitHubAPI->>Reviewer: React with eyes emoji
Estimated Code Review Effort
🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Actionable comments posted: 6
🧹 Nitpick comments (1)
changelog/2026/2026-05-19-web-v1-2-0.md (1)
15-29: ⚡ Quick win
Consider adding a cross-reference to the backend release.
The Web v1.2.0 release displays the `estimated_fees` field introduced in Backend v1.1.0. Adding an explicit reference (e.g., "See also: Backend v1.1.0") at the end of this entry would help readers understand the full feature story across both components.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@changelog/2026/2026-05-19-web-v1-2-0.md` around lines 15 - 29, Add an explicit cross-reference to the backend release that introduced the estimated_fees field by appending a "See also" link at the end of this Web v1.2.0 entry; mention Backend v1.1.0 and point to the backend changelog filename (2026-05-19-backend-v1-1-0.md) so readers can follow the full feature story for estimated_fees (referencing the Web entry's mention of estimated_fees and the file name for Backend v1.1.0).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/changelog-build.yml:
- Around line 34-35: The workflow step uses a signed commit flag (`git commit -S
-m "chore(changelog): regenerate index"`) which will fail in CI without a GPG
signing key; update the step to create unsigned commits instead by removing the
`-S` flag (i.e., use `git commit -m ...`) or alternatively configure CI to
provide a signing key (set `user.signingkey` and enable commit signing) before
running `git commit -S`; also ensure the same change touches the `git push` line
so the unsigned commit is pushed when using the `git push` command.
- Around line 18-25: Replace the floating action tags with pinned commit SHAs
for both actions/checkout@v4 and actions/setup-node@v4 and add
persist-credentials: false to the checkout step; specifically update the
workflow steps that reference actions/checkout@v4 and actions/setup-node@v4 to
use their corresponding full SHA pins and modify the checkout step to include
persist-credentials: false (so credentials from the provided token are not left
available to subsequent steps).
In @.github/workflows/changelog-commands.yml:
- Around line 89-90: The workflow step that generates changelog frontmatter for
the `/skip` command currently writes an invalid field `component: placeholder`;
update the step that sets frontmatter (the step using BRANCH: ${{
steps.meta.outputs.branch }} and the other occurrence) to either remove the
`component` key entirely or set it to a schema-valid value (e.g., `component:
none` or another allowed enum), so the generated frontmatter conforms to
changelog validation; apply the same change to the second occurrence of the
frontmatter generation in this workflow.
- Around line 93-99: The file-selection logic using github.rest.pulls.listFiles
is unsafe because it can match changelog/README.md and may miss files due to
pagination; update the code that builds files (the call to
github.rest.pulls.listFiles and the variables files/target) to (1) paginate
properly (use github.paginate or loop with per_page & page) so all PR files are
retrieved, and (2) tighten the target selector to a stricter regex that excludes
README and matches changelog entry names only (for example require
/^changelog\/\d{4}-\d{2}-\d{2}.*\.md$/ or explicitly reject 'README.md') before
throwing the 'No changelog file' error.
- Line 19: Pin all GitHub Action references instead of floating refs: replace
actions/github-script@v7, actions/checkout@v4, and
gokite-ai/gha-actions/changelog@main with fixed tags or commit SHAs (e.g., a
specific vX.Y.Z or full SHA) to ensure reproducible runs, and in the
actions/checkout step that uses secrets.CHANGELOG_BOT_TOKEN set
persist-credentials: false to avoid leaving bot credentials on the runner;
update the checkout step (actions/checkout) to include persist-credentials:
false and change the other uses entries to pinned versions/SHAs.
In `@changelog/index.schema.json`:
- Line 18: The schema currently validates changelog dates with a regex pattern
that allows invalid calendar dates; update the JSON Schema entries for the
"date" and "corrected_at" properties to use "type": "string" combined with
"format": "date" (Ajv + ajv-formats will enforce real YYYY-MM-DD dates) instead
of the current "pattern" key so invalid dates like 2026-99-99 are rejected;
locate the "date" and "corrected_at" property definitions in the schema (symbols
"date" and "corrected_at") and replace the pattern-based validation with
format-based validation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 75b8e40d-9e26-4974-bbaa-51e1cf6297c0
⛔ Files ignored due to path filters (1)
- `package-lock.json` is excluded by `!**/package-lock.json`
📒 Files selected for processing (17)
- .github/CODEOWNERS
- .github/workflows/changelog-build.yml
- .github/workflows/changelog-commands.yml
- SUMMARY.md
- changelog/2026/.gitkeep
- changelog/2026/2026-05-19-backend-v1-1-0.md
- changelog/2026/2026-05-19-cli-v1-3-4.md
- changelog/2026/2026-05-19-skills-v0-9-1.md
- changelog/2026/2026-05-19-web-v1-2-0.md
- changelog/2027/.gitkeep
- changelog/README.md
- changelog/components.yml
- changelog/index.schema.json
- package.json
- public/changelog/index.json
- scripts/build-changelog.mjs
- scripts/build-changelog.test.mjs
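The pinning and `persist-credentials` findings in the review above can be checked mechanically. The following is an added example, not code from this PR: `auditWorkflow` and the sample workflow are hypothetical, and the 40-character ref in the sample is a constructed placeholder.

```javascript
// Added example: line-based audit of workflow text, no YAML parser required.
const FULL_SHA = /^[0-9a-f]{40}$/;

function auditWorkflow(text) {
  const lines = text.split('\n');
  const findings = [];
  lines.forEach((line, i) => {
    const m = line.match(/^(\s*)(?:-\s+)?uses:\s*([^\s#]+)/);
    if (!m) return;
    const [action, ref = ''] = m[2].split('@');
    if (action.startsWith('./') || action.startsWith('docker://')) return;
    if (!FULL_SHA.test(ref)) {
      findings.push({ line: i + 1, action, issue: `floating ref "${ref}"` });
    }
    if (action !== 'actions/checkout') return;
    // Gather the remaining lines of this step: stop at the next list item
    // at the same indent, or at anything less indented.
    const indent = m[1].length;
    const step = [];
    for (const next of lines.slice(i + 1)) {
      if (next.trim() === '') continue;
      const depth = next.length - next.trimStart().length;
      if (depth < indent || (depth === indent && next.trimStart().startsWith('- '))) break;
      step.push(next);
    }
    if (!step.some((l) => /^\s*persist-credentials:\s*false\s*$/.test(l))) {
      findings.push({ line: i + 1, action, issue: 'persist-credentials is not false' });
    }
  });
  return findings;
}

// Constructed workflow text. The 40-hex ref is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          token: \${{ secrets.CHANGELOG_BOT_TOKEN }}
      - uses: actions/setup-node@v4
      - uses: gokite-ai/gha-actions/changelog@main
      - name: Pinned checkout
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          persist-credentials: false
`;

console.log(auditWorkflow(SAMPLE_WORKFLOW));
```

Run as a pre-merge check, this reports three floating refs and one checkout step that leaves the token in the runner's git configuration.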
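The file-selection finding for `/skip` (pagination plus a stricter matcher) is illustrated below as an added example that is not part of this PR. `getPage` is a hypothetical synchronous stand-in for the paged pull-request file listing, the loose selector is an assumed form of the current logic, and the strict pattern assumes the `changelog/<year>/` layout seen in this PR's file list.

```javascript
// Added example. Paths are constructed from the file names listed in this PR.
const PR_FILES = [
  { filename: 'changelog/README.md', status: 'modified' },
  { filename: 'SUMMARY.md', status: 'modified' },
  { filename: 'public/changelog/index.json', status: 'modified' },
  { filename: 'changelog/2026/2026-05-19-web-v1-2-0.md', status: 'added' },
];

// Hypothetical stand-in for one page of the PR file listing (1-based pages).
// The real API call is asynchronous; this is synchronous to stay offline.
const getPage = (page, perPage) =>
  PR_FILES.slice((page - 1) * perPage, page * perPage);

// Walk pages until a short page signals the end of the listing.
function listAllFiles(fetchPage, perPage) {
  const all = [];
  for (let page = 1; ; page++) {
    const batch = fetchPage(page, perPage);
    all.push(...batch);
    if (batch.length < perPage) return all;
  }
}

// Assumed loose selector: any Markdown file under changelog/.
const looseMatch = (f) =>
  f.filename.startsWith('changelog/') && f.filename.endsWith('.md');

// Strict selector: changelog/<year>/<YYYY-MM-DD>-<slug>.md, matching the year
// directories in this PR. A pattern without the year segment would not match.
const ENTRY = /^changelog\/\d{4}\/\d{4}-\d{2}-\d{2}-[a-z0-9-]+\.md$/;

function pickEntry(files) {
  const hits = files.filter((f) => f.status !== 'removed' && ENTRY.test(f.filename));
  if (hits.length !== 1) {
    throw new Error(`expected exactly one changelog entry, found ${hits.length}`);
  }
  return hits[0].filename;
}

const firstPageOnly = getPage(1, 3);
console.log('loose, first page:', firstPageOnly.find(looseMatch).filename);
console.log('strict, all pages:', pickEntry(listAllFiles(getPage, 3)));
```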
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/changelog-commands.yml (1)
8-12: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win
Add commenter authorization gating before executing reviewer commands.
Line 8 currently allows any commenter with a matching command string to trigger a job with write permissions and secret-backed steps. Restrict execution to trusted associations (for example: OWNER/MEMBER/COLLABORATOR) to prevent unauthorized `/regenerate` or `/skip` runs.
Suggested fix
if: | github.event.issue.pull_request != null && + contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) && startsWith(github.event.issue.title, 'Changelog:') && (startsWith(github.event.comment.body, '/regenerate') || startsWith(github.event.comment.body, '/skip'))🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/changelog-commands.yml around lines 8 - 12, The workflow currently triggers on comment body commands but lacks an authorization check; update the if condition that contains github.event.issue.pull_request and the startsWith(github.event.comment.body, ...) checks to also require github.event.comment.author_association to be one of the trusted values (e.g., OWNER, MEMBER, COLLABORATOR). In practice, add a predicate like contains('OWNER,MEMBER,COLLABORATOR', github.event.comment.author_association) (or equivalent OR comparisons) alongside the existing startsWith checks so only authorized commenter associations can run the secret-backed steps.
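Review bot: on the added `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` line, keep the `fromJSON` array form shown in the suggested fix rather than the comma-separated string variant `contains('OWNER,MEMBER,COLLABORATOR', ...)` mentioned in the prompt text. In workflow expressions `contains` on a string is a substring test, while on an array it compares whole elements, so only the array form is an exact allowlist. The unchanged `startsWith(github.event.comment.body, '/skip')` condition also accepts any comment that merely begins with those characters (for example `/skipped`); the command step should compare the first whitespace-delimited token exactly before acting on it.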
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 00a9cceb-7dff-49ba-a67b-e09eee0b4a3c
📒 Files selected for processing (1)
.github/workflows/changelog-commands.yml
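The authorization gate requested in the second review, written out as an added example that is not code from this PR. `authorizeCommand` and the event payloads are hypothetical and constructed; the exact-token command match goes one step beyond the `startsWith` test in the suggested fix.

```javascript
// Added example: the gate as a plain function over an issue_comment payload.
const TRUSTED = new Set(['OWNER', 'MEMBER', 'COLLABORATOR']);
const COMMANDS = new Set(['/regenerate', '/skip']);

function deny(reason) {
  return { allowed: false, reason };
}

function authorizeCommand({ issue, comment }) {
  if (!issue.pull_request) return deny('comment is not on a pull request');
  // Check who is speaking before looking at what they said.
  if (!TRUSTED.has(comment.author_association)) {
    return deny(`association ${comment.author_association} is not trusted`);
  }
  if (!issue.title.startsWith('Changelog:')) return deny('not a changelog PR');
  // Exact match on the first whitespace-delimited token, so "/skipped" is
  // not accepted the way a prefix test on the body would accept it.
  const token = comment.body.trimStart().split(/\s+/, 1)[0];
  if (!COMMANDS.has(token)) return deny('no recognised command');
  return { allowed: true, command: token };
}

// Constructed payloads covering the cases the review is concerned with.
const changelogPr = { title: 'Changelog: web v1.2.0', pull_request: {} };
const EVENTS = [
  { issue: changelogPr, comment: { author_association: 'MEMBER', body: '/regenerate' } },
  { issue: changelogPr, comment: { author_association: 'NONE', body: '/skip' } },
  { issue: changelogPr, comment: { author_association: 'CONTRIBUTOR', body: '/regenerate' } },
  { issue: changelogPr, comment: { author_association: 'OWNER', body: '/skipped for now' } },
  { issue: { title: 'Changelog: plain issue' }, comment: { author_association: 'OWNER', body: '/skip' } },
];

for (const event of EVENTS) {
  console.log(event.comment.author_association, JSON.stringify(authorizeCommand(event)));
}
```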