{"id":45652140,"url":"https://github.com/step-security/changeset-action","last_synced_at":"2026-04-21T02:01:45.335Z","repository":{"id":296338204,"uuid":"991943056","full_name":"step-security/changeset-action","owner":"step-security","description":"Secure drop-in replacement for changesets/action.","archived":false,"fork":false,"pushed_at":"2026-04-20T00:41:08.000Z","size":3547,"stargazers_count":0,"open_issues_count":15,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-20T02:39:35.531Z","etag":null,"topics":["step-security-maintained-actions"],"latest_commit_sha":null,"homepage":"https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/step-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-05-28T11:35:08.000Z","updated_at":"2026-04-16T10:30:20.000Z","dependencies_parsed_at":"2025-05-30T06:32:21.069Z","dependency_job_id":null,"html_url":"https://github.com/step-security/changeset-action","commit_stats":null,"previous_names":["step-security/changeset-action"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/step-security/changeset-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fchangeset-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fchangeset-action/tags","releases_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fchangeset-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fchangeset-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/step-security","download_url":"https://codeload.github.com/step-security/changeset-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fchangeset-action/sbom","scorecard":{"id":1236628,"data":{"date":"2025-08-26T07:27:30Z","repo":{"name":"github.com/step-security/changeset-action","commit":"d99e03f7f189e43abf00fc2c76ec490bff91f248"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":6.9,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is required - but no codeowners file found in repo","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":8,"reason":"7 out of 8 merged PRs checked by a CI test -- score normalized to 
8","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":8,"reason":"Found 5/6 approved changesets -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: stepsecurity contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update 
tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  10 out of  10 GitHub-owned GitHubAction dependencies pinned","Info:   5 out of   5 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 8 commits out of 24 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":10,"reason":"1 out of the last 1 releases have a total of 1 signed artifacts.","details":["Info: provenance for release artifact: multiple.intoto.jsonl: https://api.github.com/repos/step-security/changeset-action/releases/assets/260122685"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/actions_release.yml:21","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/actions_release.yml:23","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31","Info: jobLevel 'contents' permission set to 'read': 
.github/workflows/codeql.yml:32","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:29","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:30","Info: jobLevel 'issues' permission set to 'read': .github/workflows/scorecards.yml:32","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/scorecards.yml:33","Info: jobLevel 'checks' permission set to 'read': .github/workflows/scorecards.yml:35","Info: topLevel 'contents' permission set to 'read': .github/workflows/actions_release.yml:16","Warn: topLevel 'contents' permission set to 'write': .github/workflows/audit_package.yml:31","Info: topLevel 'packages' permission set to 'read': .github/workflows/audit_package.yml:33","Info: topLevel 'packages' permission set to 'read': .github/workflows/auto_cherry_pick.yml:23","Warn: topLevel 'contents' permission set to 'write': .github/workflows/auto_cherry_pick.yml:21","Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/guarddog.yml:10","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-95m3-7q98-8xr5","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-09-01T02:36:30.905Z","repository_id":296338204,"created_at":"2025-09-01T02:36:30.905Z","updated_at":"2025-09-01T02:36:30.905Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32073496,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-21T01:35:38.224Z","status":"online","status_checked_at":"2026-04-21T02:00:06.111Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["step-security-maintained-actions"],"created_at":"2026-02-24T06:27:31.983Z","updated_at":"2026-04-21T02:01:45.313Z","avatar_url":"https://github.com/step-security.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![StepSecurity Maintained Action](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions)\n\n# Changesets Release Action\n\nThis action for [Changesets](https://github.com/changesets/changesets) creates a pull request with all of the package versions and changelogs updated; when there are new changesets on [your configured `baseBranch`](https://github.com/changesets/changesets/blob/main/docs/config-file-options.md#basebranch-git-branch-name), the PR will be updated. 
When you're ready, you can merge the pull request and you can either publish the packages to npm manually or set up the action to do it for you.\n\n## Usage\n\n### Inputs\n\n- publish - The command to use to build and publish packages\n- version - The command to update version, edit CHANGELOG, read and delete changesets. Defaults to `changeset version` if not provided\n- commit - The commit message to use. Defaults to `Version Packages`\n- title - The pull request title. Defaults to `Version Packages`\n- setupGitUser - Sets up the git user for commits as `\"github-actions[bot]\"`. Defaults to `true`\n- createGithubReleases - A boolean value to indicate whether to create GitHub releases after `publish` or not. Defaults to `true`\n- commitMode - Specifies the commit mode. Use `\"git-cli\"` to push changes using the Git CLI, or `\"github-api\"` to push changes via the GitHub API. When using `\"github-api\"`, all commits and tags are GPG-signed and attributed to the user or app who owns the `GITHUB_TOKEN`. Defaults to `git-cli`.\n- cwd - Changes node's `process.cwd()` if the project is not located on the root. Defaults to `process.cwd()`\n\n### Outputs\n\n- published - A boolean value to indicate whether a publish has happened or not\n- publishedPackages - A JSON array listing the published packages. 
The format is `[{\"name\": \"@xx/xx\", \"version\": \"1.2.0\"}, {\"name\": \"@xx/xy\", \"version\": \"0.8.9\"}]`\n\n### Example workflow:\n\n#### Without Publishing\n\nCreate a file at `.github/workflows/release.yml` with the following content.\n\n```yml\nname: Release\n\non:\n  push:\n    branches:\n      - main\n\nconcurrency: ${{ github.workflow }}-${{ github.ref }}\n\njobs:\n  release:\n    name: Release\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout Repo\n        uses: actions/checkout@v3\n\n      - name: Setup Node.js 20\n        uses: actions/setup-node@v3\n        with:\n          node-version: 20\n\n      - name: Install Dependencies\n        run: yarn\n\n      - name: Create Release Pull Request\n        uses: step-security/action@v1\n```\n\n#### With Publishing\n\nBefore you can set up this action with publishing, you'll need to have an [npm token](https://docs.npmjs.com/creating-and-viewing-authentication-tokens) that can publish the packages in the repo you're setting up the action for and doesn't have 2FA on publish enabled ([2FA on auth can be enabled](https://docs.npmjs.com/about-two-factor-authentication)). You'll also need to [add it as a secret on your GitHub repo](https://help.github.com/en/articles/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables) with the name `NPM_TOKEN`. 
Once you've done that, you can create a file at `.github/workflows/release.yml` with the following content.\n\n```yml\nname: Release\n\non:\n  push:\n    branches:\n      - main\n\nconcurrency: ${{ github.workflow }}-${{ github.ref }}\n\njobs:\n  release:\n    name: Release\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout Repo\n        uses: actions/checkout@v3\n\n      - name: Setup Node.js 20.x\n        uses: actions/setup-node@v3\n        with:\n          node-version: 20.x\n\n      - name: Install Dependencies\n        run: yarn\n\n      - name: Create Release Pull Request or Publish to npm\n        id: changesets\n        uses: step-security/action@v1\n        with:\n          # This expects you to have a script called release which does a build for your packages and calls changeset publish\n          publish: yarn release\n        env:\n          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}\n\n      - name: Send a Slack notification if a publish happens\n        if: steps.changesets.outputs.published == 'true'\n        # You can do something when a publish happens.\n        run: my-slack-bot send-notification --message \"A new version of ${GITHUB_REPOSITORY} was published!\"\n```\n\nBy default the GitHub Action creates a `.npmrc` file with the following content:\n\n```\n//registry.npmjs.org/:_authToken=${process.env.NPM_TOKEN}\n```\n\nHowever, if a `.npmrc` file is found, the GitHub Action does not recreate the file. 
This is useful if you need to configure the `.npmrc` file on your own.\nFor example, you can add a step before running the Changesets GitHub Action:\n\n```yml\n- name: Creating .npmrc\n  run: |\n    cat \u003c\u003c EOF \u003e \"$HOME/.npmrc\"\n      //registry.npmjs.org/:_authToken=$NPM_TOKEN\n    EOF\n  env:\n    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}\n```\n\n#### Custom Publishing\n\nIf you want to hook into when publishing should occur but have your own publishing functionality, you can utilize the `hasChangesets` output.\n\nNote that your script might need to account for packages already being published, because a commit without any new changesets can always land on your base branch after a successful publish. In such a case you need to figure out on your own how to skip over the actual publishing logic or handle errors gracefully, as most package registries won't allow you to publish over an already published version.\n\n```yml\nname: Release\n\non:\n  push:\n    branches:\n      - main\n\njobs:\n  release:\n    name: Release\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout Repo\n        uses: actions/checkout@v3\n\n      - name: Setup Node.js 20.x\n        uses: actions/setup-node@v3\n        with:\n          node-version: 20.x\n\n      - name: Install Dependencies\n        run: yarn\n\n      - name: Create Release Pull Request or Publish to npm\n        id: changesets\n        uses: step-security/action@v1\n\n      - name: Publish\n        if: steps.changesets.outputs.hasChangesets == 'false'\n        # You can do something when a publish should happen.\n        run: yarn publish\n```\n\n#### With version script\n\nIf you need to add additional logic to the version command, you can do so by using a version script.\n\nIf the version script is present, this action will run that script instead of `changeset version`, so please make sure that your script calls `changeset version` at some point. 
All the changes made by the script will be included in the PR.\n\n```yml\nname: Release\n\non:\n  push:\n    branches:\n      - main\n\nconcurrency: ${{ github.workflow }}-${{ github.ref }}\n\njobs:\n  release:\n    name: Release\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout Repo\n        uses: actions/checkout@v3\n\n      - name: Setup Node.js 20.x\n        uses: actions/setup-node@v3\n        with:\n          node-version: 20.x\n\n      - name: Install Dependencies\n        run: yarn\n\n      - name: Create Release Pull Request\n        uses: step-security/action@v1\n        with:\n          # this expects you to have an npm script called version that runs some logic and then calls `changeset version`.\n          version: yarn version\n```\n\n#### With Yarn 2 / Plug'n'Play\n\nIf you are using [Yarn Plug'n'Play](https://yarnpkg.com/features/pnp), you should use a custom `version` command so that the action can resolve the `changeset` CLI:\n\n```yaml\n- uses: step-security/action@v1\n  with:\n    version: yarn changeset version\n    ...\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstep-security%2Fchangeset-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstep-security%2Fchangeset-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstep-security%2Fchangeset-action/lists"}