Previously, GitHub releases only contained static installation instructions with no indication of what changed. Since each release corresponds to a single merged PR, we now include the PR title and body as a "What's Changed" section at the top of the release notes.

Changes:
- Add "Generate release body" step that builds release notes from the merged PR title and body
- Use env vars and printenv for safe handling of PR content that may contain shell-unsafe characters (backticks, $, quotes)
- Fall back to HEAD commit message for manual workflow_dispatch runs
- Keep installation instructions below a separator
- Use body_path instead of inline body for the release action

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Review: Approved ✓
This PR cleanly adds changelog information to GitHub release notes. The implementation is well-structured and handles the key security concerns properly.
No Blocking Issues
The PR correctly uses env: variables and printenv to safely handle PR content containing shell-unsafe characters (backticks, $(), quotes, etc.). Edge cases for empty content and manual workflow triggers are handled appropriately.
Suggestion (non-blocking)
Line 107 - Consistency with special character handling:
For the workflow_dispatch fallback path, `echo "$COMMIT_BODY"` could be made consistent with the safer `printenv` approach used for PR content by using a heredoc:

```sh
cat >> /tmp/release_body.md <<EOF
$COMMIT_BODY
EOF
```

This is very low risk since commit data comes from trusted repo maintainers, so it's not a blocking concern.
The implementation correctly:
- Extracts PR title/body via environment variables (safe from injection)
- Falls back to git commit message for manual triggers
- Preserves installation instructions below the changelog
- Uses `body_path` for cleaner release action configuration
LGTM 👍
Review: Approved ✓
This PR correctly adds PR title and body as a "What's Changed" section to GitHub release notes.
Security ✓
The PR properly handles shell-unsafe characters in PR content by:
- Using `env:` block to pass PR content as environment variables
- Using `printenv PR_BODY` for safe output without shell interpretation
- Properly quoting variable references
Code Quality ✓
- Logic correctly handles both `pull_request` and `workflow_dispatch` events
- Fallback to git commit message for manual triggers works well
Suggestion (non-blocking)
Line 107 uses `echo "$COMMIT_BODY"` while line 100 uses `printenv PR_BODY`. For consistency, could use `printf '%s\n' "$COMMIT_BODY"` - though this is low risk since commit bodies come from trusted git history.
LGTM! 🤖
Summary
Context
Each release is triggered by a single merged PR, but the release notes contained only download/install instructions. Users browsing releases had no way to see what actually changed without clicking through to the commit or PR.
This adds a "Generate release body" step that:
- Reads the PR title and body from the `github.event.pull_request` context
- Uses `env:` variables and `printenv` to safely handle PR content containing shell-unsafe characters (backticks, `$()`, quotes, etc.)
- Falls back to the HEAD commit message for `workflow_dispatch` runs
- Keeps installation instructions below a `---` separator

Test plan
🤖 Generated with Claude Code
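The pattern the PR and both reviews describe, as an added example rather than the project's own workflow step: PR content arrives only through environment variables (what a workflow `env:` block would set from `github.event.pull_request`), is written out with `printenv` or `printf '%s'` so the shell never re-parses it, and a commit-message fallback covers the `workflow_dispatch` case. The function name, the `COMMIT_MSG`/`INSTALL_NOTES` variables and the output layout are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the project's workflow. Inputs come from the environment:
# a GitHub Actions `env:` block would set PR_TITLE / PR_BODY from
# github.event.pull_request.{title,body}. They are never placed in the script
# text via ${{ }} interpolation, so the shell never parses their contents.
set -e

# Write "What's Changed" followed by the static install notes to $1.
# Hypothetical INSTALL_NOTES holds the installation text kept below the separator.
generate_release_body() {
  out="$1"
  : > "$out"
  if [ -n "${PR_TITLE:-}" ]; then
    # pull_request run: printenv emits the raw bytes of the variable; nothing in
    # the value (backticks, $(...), quotes) is ever expanded or executed.
    {
      printf "## What's Changed\n\n"
      printenv PR_TITLE
      printf '\n'
      # printenv exits non-zero for an unset variable, so guard the optional body.
      if [ -n "${PR_BODY:-}" ]; then
        printenv PR_BODY
        printf '\n'
      fi
    } >> "$out"
  else
    # workflow_dispatch run: fall back to the HEAD commit message. The real step
    # would fill COMMIT_MSG with `git log -1 --pretty=%B` (hypothetical name).
    COMMIT_MSG="${COMMIT_MSG:-$(git log -1 --pretty=%B 2>/dev/null || true)}"
    {
      printf "## What's Changed\n\n"
      # printf '%s' is the POSIX equivalent of the printenv trick: the value is
      # passed as an argument, not as script text, so it is written verbatim.
      printf '%s\n\n' "$COMMIT_MSG"
    } >> "$out"
  fi
  # Installation instructions stay below a --- separator, as in the PR.
  printf '%s\n\n%s\n' '---' "${INSTALL_NOTES:-Installation: see README.}" >> "$out"
}

# Check helper: true if the release body still contains $2 as literal text.
contains_literal() { grep -qF -- "$2" "$1"; }
```

Run it with `PR_TITLE`/`PR_BODY` exported (as `env:` does) and inspect the file: metacharacters in the inputs appear unchanged, which is the property the reviews call "safe from injection".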