mansona · mansona · Jul 13, 2024 · Jul 12, 2024
diff --git a/.github/workflows/plan-release.yml b/.github/workflows/plan-release.yml
@@ -4,9 +4,10 @@ on:
     branches:
       - main
       - master
-  pull_request:
+  pull_request_target: # This workflow has permissions on the repo, do NOT run code from PRs in this workflow. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
     types:
       - labeled
+      - unlabeled
 
 concurrency:
   group: plan-release # only the latest one of these should ever be running
@@ -41,40 +42,48 @@ jobs:
       explanation: ${{ steps.explanation.outputs.text }}
     # only run on push event if plan wasn't updated (don't create a release plan when we're releasing)
     # only run on labeled event if the PR has already been merged
-    if: (github.event_name == 'push' && needs.check-plan.outputs.command != 'release') || (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
+    if: (github.event_name == 'push' && needs.check-plan.outputs.command != 'release') || (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true)
 
     steps:
       - uses: actions/checkout@v4
         # We need to download lots of history so that
-        # lerna-changelog can discover what's changed since the last release
+        # github-changelog can discover what's changed since the last release
         with:
           fetch-depth: 0
+          ref: 'main'
       - uses: actions/setup-node@v4
         with:
           node-version: 18
-
-      - uses: pnpm/action-setup@v2
+      
+      - uses: pnpm/action-setup@v3
         with:
           version: 8
       - run: pnpm install --frozen-lockfile
-
+      
       - name: "Generate Explanation and Prep Changelogs"
         id: explanation
         run: |
-          set -x
-
-          pnpm release-plan prepare
+          set +e
+
+          pnpm release-plan prepare 2> >(tee -a release-plan-stderr.txt >&2)
+
 
-          echo 'text<<EOF' >> $GITHUB_OUTPUT
-          jq .description .release-plan.json -r >> $GITHUB_OUTPUT
-          echo 'EOF' >> $GITHUB_OUTPUT
+          if [ $? -ne 0 ]; then
+            echo 'text<<EOF' >> $GITHUB_OUTPUT
+            cat release-plan-stderr.txt >> $GITHUB_OUTPUT
+            echo 'EOF' >> $GITHUB_OUTPUT
+          else
+            echo 'text<<EOF' >> $GITHUB_OUTPUT
+            jq .description .release-plan.json -r >> $GITHUB_OUTPUT
+            echo 'EOF' >> $GITHUB_OUTPUT
+            rm release-plan-stderr.txt
+          fi
         env:
           GITHUB_AUTH: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: peter-evans/create-pull-request@v5
+      - uses: peter-evans/create-pull-request@v6
         with:
           commit-message: "Prepare Release using 'release-plan'"
-          author: "github-actions[bot] <github-actions-bot@users.noreply.github.com>"
           labels: "internal"
           branch: release-preview
           title: Prepare Release

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,6 +1,6 @@
 # For every push to the master branch, this checks if the release-plan was
 # updated and if it was it will publish stable npm packages based on the
-# release plan
+# release plan
 
 name: Publish Stable
 
@@ -49,14 +49,14 @@ jobs:
           node-version: 18
           # This creates an .npmrc that reads the NODE_AUTH_TOKEN environment variable
           registry-url: 'https://registry.npmjs.org'
-
-      - uses: pnpm/action-setup@v2
+      
+      - uses: pnpm/action-setup@v3
         with:
           version: 8
       - run: pnpm install --frozen-lockfile
       - name: npm publish
         run: pnpm release-plan publish
-
+      
         env:
           GITHUB_AUTH: ${{ secrets.GITHUB_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/RELEASE.md b/RELEASE.md
@@ -1,6 +1,6 @@
 # Release Process
 
-Releases in this repo are mostly automated using [release-plan](https://github.com/embroider-build/release-plan/). Once you label all your PRs correctly (see below) you will have an automatically generated PR that updates your CHANGELOG.md file and a `.release-plan.json` that is used prepare the release once the PR is merged.
+Releases in this repo are mostly automated using [release-plan](https://github.com/embroider-build/release-plan/). Once you label all your PRs correctly (see below) you will have an automatically generated PR that updates your CHANGELOG.md file and a `.release-plan.json` that is used to prepare the release once the PR is merged.
 
 ## Preparation
 

diff --git a/package.json b/package.json
@@ -22,7 +22,7 @@
     "concurrently": "^8.2.0",
     "prettier": "^3.0.3",
     "prettier-plugin-ember-template-tag": "^1.1.0",
-    "release-plan": "^0.7.0"
+    "release-plan": "^0.9.0"
   },
   "pnpm": {
     "overrides": {

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml