Commit 7f51fd8ef7 for openssl.org
commit 7f51fd8ef7c79d81c3c42c1863606011cc9e3cbb
Author: Neil Horman <nhorman@openssl.org>
Date: Fri Jan 2 12:29:34 2026 -0500
Create a simple check for suggesting NEWS/CHANGES additions
During a release cycle we always wind up going through our git history
to try make sure we caught all the stuff that needed a CHANGES/NEWS
entry. Let's try to make that at least a little more automated here. PRs
that reference CVEs, come from feature branches, or impact public APIs
generally need a NEWS/CHANGES entry, so let's flag those during CI. It
should serve as a reminder to add entries to NEWS/CHANGES to prs meeting
the above criteria, and can be ignored via the application of the
no_news_changes_needed label to the PR.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Tue Jan 13 19:17:37 2026
(Merged from https://github.com/openssl/openssl/pull/29536)
diff --git a/.github/workflows/check-news-changes.yml b/.github/workflows/check-news-changes.yml
new file mode 100644
index 0000000000..a4bb905fa1
--- /dev/null
+++ b/.github/workflows/check-news-changes.yml
@@ -0,0 +1,82 @@
+name: "Scan to check for NEWS/CHANGES suggestions"
+
+on: pull_request
+env:
+ NEED_NEWS_CHANGES: "no"
+permissions: {}
+
+jobs:
+ scan_for_news_changes:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
+ fetch-depth: 2
+ - name: "Check if we already have a NEWS/CHANGES entry"
+ run: |
+ git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} > ./names.txt
+ set +e
+ grep -q "NEWS\.md" names.txt
+ if [ $? -eq 0 ]; then
+ echo "FOUND_NEWS_CHANGES_ADDITION=yes" >> $GITHUB_ENV
+ else
+ grep -q "CHANGES\.md" names.txt
+ if [ $? -eq 0 ]; then
+ echo "FOUND_NEWS_CHANGES_ADDITION=yes" >> $GITHUB_ENV
+ else
+ echo "FOUND_NEWS_CHANGES_ADDITION=no" >> $GITHUB_ENV
+ fi
+ fi
+ - name: "Check if this PR affects a CVE"
+ if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' }}
+ run: |
+ git log ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} > ./log.txt
+ set +e
+ grep -q "CVE-" ./log.txt
+ if [ $? -eq 0 ]; then
+ echo "Changes in this PR reference a CVE"
+ echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+ fi
+ - name: "Check if this PR impacts a public API"
+ if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' }}
+ run: |
+ set +e
+ grep -q "include\/crypto" ./names.txt
+ if [ $? -eq 0 ]; then
+ echo "Changes in this PR may impact public APIS's"
+ echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+ fi
+ - name: "Check if this is a feature branch merge"
+ if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' }}
+ run: |
+ set +e
+ echo ${{ github.head_ref }} | grep -q "feature"
+ if [ $? -eq 0 ]; then
+ echo "Feature branch found"
+ echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+ fi
+ - name: "Check if configuration options have changed"
+ if: ${{ env.FOUND_NEWS_CHANGES_ADDITION == 'no' }}
+ run: |
+ git checkout ${{ github.event.pull_request.base.sha }}
+ set +e
+ ./Configure --help > ./before.txt 2>&1
+ git checkout ${{ github.event.pull_request.head.sha }}
+ ./Configure --help > ./after.txt 2>&1
+ set -e
+ CONF_CHANGE=$(diff ./before.txt ./after.txt | wc -l)
+ if [ $CONF_CHANGE -ne 0 ]; then
+ echo "Configuration options changes"
+ echo "NEED_NEWS_CHANGES=yes" >> $GITHUB_ENV
+ fi
+ - name: "Report Results"
+ if: ${{ !(contains(github.event.pull_request.labels.*.name, 'no_news_changes_needed')) }}
+ run: |
+ if [ "${{ env.NEED_NEWS_CHANGES }}" == "yes" ]; then
+ echo "Suggest that you add a NEWS/CHANGES entry for this PR"
+ echo "Alternatively, quiet this suggestion by applying the no_news_changes_needed label"
+ exit 1
+ fi
+
+
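Review bot: `echo ${{ github.head_ref }}` in the "feature branch" step interpolates the PR's head branch name directly into the shell script; on `pull_request` that name is chosen by the PR author, so this is the expression-injection pattern GitHub's Actions hardening guidance warns about. The blast radius is small here since the job runs with `permissions: {}` and `persist-credentials: false` and already executes the PR's own `./Configure`, but the fix costs nothing: give the step `env:` with `HEAD_REF: ${{ github.head_ref }}` and change the line to `echo "$HEAD_REF" | grep -q "feature"`, which also stops branch names containing spaces or glob characters from breaking the step. Separately, as far as I recall OpenSSL's public headers live under `include/openssl/` while `include/crypto/` holds internal-only headers, so the public-API step (`grep -q "include\/crypto"`) may be watching the wrong directory — worth confirming. Finally, with `fetch-depth: 2` the head commit is a shallow boundary, so `git log base..head` in the CVE step likely sees only the tip commit's message on multi-commit PRs, and `git diff base.sha..head.sha` also lists files changed on the base branch since the PR forked; diffing the checked-out merge commit against its first parent (`git diff --name-only HEAD^1 HEAD`) would describe only what the PR adds.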