{"id":49338114,"url":"https://github.com/dangoslen/changelog-enforcer","last_synced_at":"2026-04-27T02:01:12.813Z","repository":{"id":40362615,"uuid":"258373641","full_name":"dangoslen/changelog-enforcer","owner":"dangoslen","description":"A simple GitHub action that enforces that a maintained changelog is kept up to date.","archived":false,"fork":false,"pushed_at":"2026-03-16T10:56:19.000Z","size":2127,"stargazers_count":62,"open_issues_count":7,"forks_count":24,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-04-20T23:37:08.268Z","etag":null,"topics":["actions","actionshackathon","changelog","javascript","project-management"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dangoslen.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-04-24T01:28:25.000Z","updated_at":"2026-04-19T15:08:30.000Z","dependencies_parsed_at":"2023-02-15T04:15:50.549Z","dependency_job_id":"573ef02d-916a-4678-9075-62caa9902323","html_url":"https://github.com/dangoslen/changelog-enforcer","commit_stats":{"total_commits":116,"total_committers":9,"mean_commits":12.88888888888889,"dds":0.4655172413793104,"last_synced_commit":"3f35559311160a87bb8826a499d47252dcee62da"},"previous_names":[],"tags_count":37,"template":false,"template_full_name":"actions/javascript-action","purl":"pkg:github/dangoslen/changelog-enforcer","repository_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/repositories/dangoslen%2Fchangelog-enforcer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dangoslen%2Fchangelog-enforcer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dangoslen%2Fchangelog-enforcer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dangoslen%2Fchangelog-enforcer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dangoslen","download_url":"https://codeload.github.com/dangoslen/changelog-enforcer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dangoslen%2Fchangelog-enforcer/sbom","scorecard":{"id":318961,"data":{"date":"2025-08-11","repo":{"name":"github.com/dangoslen/changelog-enforcer","commit":"ea6a56764870c323a4563f450c0a50c5f2d72cd6"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":1.8,"checks":[{"name":"Code-Review","score":3,"reason":"Found 3/9 approved changesets -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source 
repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":0,"reason":"dangerous workflow patterns detected","details":["Warn: untrusted code checkout '${{ github.event.pull_request.head.ref }}': .github/workflows/pull_request.yml:36","Warn: untrusted code checkout '${{ github.event.pull_request.head.ref }}': .github/workflows/pull_request.yml:24"],"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/pull_request.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/pull_request.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pull_request.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/pull_request.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pull_request.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/pull_request.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pull_request.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/pull_request.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pull_request.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/pull_request.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pull_request.yml:73: update your workflow using 
https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/pull_request.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pull_request.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/pull_request.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/dangoslen/changelog-enforcer/release.yml/main?enable=pin","Warn: npmCommand not pinned by hash: bin/cut-release.sh:9","Warn: npmCommand not pinned by hash: .github/workflows/pull_request.yml:30","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   8 third-party GitHubAction dependencies pinned","Info:   0 out of   2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has 
defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":1,"reason":"9 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: 
Project is vulnerable to: GHSA-c76h-2ccp-4975","Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T00:55:36.499Z","repository_id":40362615,"created_at":"2025-08-18T00:55:36.499Z","updated_at":"2025-08-18T00:55:36.499Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32319560,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","actionshackathon","changelog","javascript","project-management"],"created_at":"2026-04-27T02:01:09.455Z","updated_at":"2026-04-27T02:01:12.805Z","avatar_url":"https://github.com/dangoslen.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/dangoslen/changelog-enforcer/actions/workflows/pull_request.yml/badge.svg\" alt=\"unit tests badge\" /\u003e\n  \u003cimg src=\"https://img.shields.io/github/v/release/dangoslen/changelog-enforcer?color=orange\u0026label=Latest\" alt=\"latest version\" /\u003e\n  \u003cimg src=\"./coverage/badge.svg\" alt=\"coverage badge\" 
/\u003e\n \u003c/p\u003e\n\n## Changelog Enforcer\n\nThe purpose of this action is to enforce that every pull request in a repository includes a change to an ongoing changelog file. Inspired by [KeepAChangelog](https://keepachangelog.com/en/1.0.0/), this action helps development teams keep a change file up to date as new features or fixes are implemented.\n\n### Usage\n\nTo use this action, follow the typical GitHub Action `uses` syntax. An example workflow using the default parameters of this action is shown below:\n\n```yaml\nname: \"Pull Request Workflow\"\non:\n  pull_request:\n    # The specific activity types are listed here to include \"labeled\" and \"unlabeled\"\n    # (which are not included by default for the \"pull_request\" trigger).\n    # This is needed to allow skipping enforcement of the changelog in PRs with specific labels,\n    # as defined in the (optional) \"skipLabels\" property.\n    types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]\n\njobs:\n  # Enforces the update of a changelog file on every pull request \n  changelog:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: dangoslen/changelog-enforcer@v3\n```\n\nOther examples can be seen in the [example-workflows](./example-workflows) directory in this repository.\n\n_:warning: The Changelog Enforcer is designed to be used with the `pull_request` or `pull_request_target` event types. Using this action on any other event type will result in a warning being logged and the action succeeding (so as not to block the rest of a workflow)._\n\n### Inputs / Properties\n\nBelow are the properties allowed by the Changelog Enforcer. These properties are shipped with sane defaults for typical use, especially for changelogs in line with the [KeepAChangelog](Keepachangelog.org) format.\n\n#### `changeLogPath`\n* Default: `CHANGELOG.md`\n* The path to your changelog file. Should be from the perspective of the root directory to `git`. 
The file being checked for updates must have either an added (`A`) or modified (`M`) status in `git` to qualify as updated.\n\n#### `skipLabels`\n* Default: `'Skip-Changelog'`\n* List of labels used to skip enforcement of the changelog during a pull request. Label names are comma-separated, and only one label needs to be present for enforcement to be skipped.\n\n  For example, if `label-1,label-2` was supplied as the `skipLabels`, `label-1` _or_ `label-2` would skip the enforcer. Each label is trimmed for leading and trailing spaces since GitHub labels do not allow for leading or trailing spaces. Thus, the following lists are equivalent:\n  * `label-1,label-2`\n  * `label-1 , label-2`\n  * `label-1  ,label-2`\n\n#### `missingUpdateErrorMessage`\n* Default: `''`\n* Custom error message to use when no update to the changelog is found.\n\n#### `expectedLatestVersion`\n* Default: `''`\n* The latest version of the software expected in the changelog. Should be in the form of `v1.1.0`, `v3.5.6` etc. Allows for the first version in the changelog to be an unreleased version (either `unreleased|Unreleased|UNRELEASED`) before checking versions. If the only version in the changelog is an unreleased version, no validation occurs. This supports repositories that add a changelog after other versions have been released and do not want to backport previous versions (though doing so is recommended).\n\n#### `versionPattern`\n* Default: `'## \\\\[((v|V)?\\\\d*\\\\.\\\\d*\\\\.\\\\d*-?\\\\w*|unreleased|Unreleased|UNRELEASED)\\\\]'`\n* A regex pattern used to extract the version section headings from the changelog. The Changelog Enforcer assumes the use of the [KeepAChangelog.com](https://keepachangelog.com/en/1.0.0/) convention for section headings, and as such looks for a line starting with `## [version] - date`. 
Versions are only extracted from the changelog when enforcing the expected latest version (via the `expectedLatestVersion` property).\n\n  If you supply your own regex to match a different format, your regex must match the version string as a capture group (in the default format, that's the part inside square brackets). The first capture group will be used if your regex includes multiple groups. The regex pattern is used with global and multiline flags to find all of the versions in the changelog.\n\n  Because the regex is passed as a `String` object, you will need to escape backslash characters (`\\`) via `\\\\`.\n\n#### `token`\n* Default: `${{ github.token }}`\n* The token used to authenticate to the GitHub API. Uses the default token from the `github.token` context. Can be any access token you have configured for your repository.\n\n### Outputs\n\n#### `errorMessage`\n* The reason why the Changelog Enforcer failed. Uses the `missingUpdateErrorMessage` property value if set when no update to the changelog is found.\n\n### Creating Releases Automatically\n\nUsing this Action and the [Changelog Reader](https://github.com/mindsers/changelog-reader-action), plus a few standard GitHub-created Actions, we can keep the changelog of a project up to date and create a GitHub release automatically with contents from the changelog. See this project's [release.yml](./.github/workflows/release.yml) for how to set up a simple workflow to create a new release based on a `VERSION` file and a changelog.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdangoslen%2Fchangelog-enforcer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdangoslen%2Fchangelog-enforcer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdangoslen%2Fchangelog-enforcer/lists"}