fix(release): limit changelog generation to last aio tag

JSONbored · JSONbored · commit 8bc4ed63f767 · 2026-04-01T17:20:26.000-06:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -54,7 +54,12 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RELEASE_VERSION: ${{ steps.version.outputs.release_version }}
         run: |
-          git-cliff --config cliff.toml --tag "${RELEASE_VERSION}" --output CHANGELOG.md
+          previous_tag="$(python3 scripts/release.py latest-aio-tag)"
+          if [[ -n "${previous_tag}" ]]; then
+            git-cliff --config cliff.toml --tag "${RELEASE_VERSION}" "${previous_tag}..HEAD" --output CHANGELOG.md
+          else
+            git-cliff --config cliff.toml --tag "${RELEASE_VERSION}" --output CHANGELOG.md
+          fi
           parsed_version="$(python3 scripts/release.py latest-changelog-version)"
           if [[ "${parsed_version}" != "${RELEASE_VERSION}" ]]; then
             echo "Generated changelog top section ${parsed_version} does not match ${RELEASE_VERSION}" >&2
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,72 +3,14 @@
 All notable changes to this project will be documented in this file.
 ## v0.6.9-aio.1 - 2026-04-01
 ### Dependency Updates
-- Update docker/setup-qemu-action action to v4 (#13)
-- Update docker/setup-buildx-action action to v4 (#12)
-- Update docker/login-action action to v4 (#11)
-- Update docker/build-push-action action to v7 (#10)
-- Update non-major infrastructure updates (#9)
-- Update ghcr.io/we-promise/sure docker digest to 12f32c0 (#7)
-- Pin docker/dockerfile docker tag to 4a43a54 (#6)
 - Update ghcr.io/we-promise/sure docker digest to 3d899b3 (#21)
 
 
-### Documentation
-- Write comprehensive binhex-style README and power user configuration reference guide
-- Exhaustively map power-user markdown guide to encompass all AI, telemetry, storage, SSO, and encryption advanced features
-- Improve README formatting, add deep links to Power User guide sections, and append Star History chart
-
-
 ### Features
-- Complete XML redesign based on upstream Sure feature parity (AI, Vectors, SMTP)
-- Complete XML redesign based on upstream Sure feature parity (AI, Vectors, SMTP, OIDC, Langfuse)
-- Exhaustive XML mapping of all upstream env variables including Active Storage, PostHog, encryption salts, and raw external AI configs
-- Finalize enterprise standards for sure-aio (healthchecks, nightly scans, and branding)
-- Standardize package tags and add release automation (#19)
 - Align sure-aio with upstream v0.6.9 self-hosting surface (#23)
 
 
 ### Fixes
-- Change default db hosts from local context to generic IP strings
-- Restructure s6-overlay v3 dependencies so db migrations safely wait for postgres to be healthy before booting the web/worker process
-- Remove duplicate uppercase Sure-AIO.xml file that was orphaned during early generation
-- Update build workflow to point to root context and master branch, remove pre-refactor legacy service scripts
-- Add missing type and contents.d files for background worker services
-- Pin scout and upload actions to full-length SHAs
-- Update build-push-action sha pin to valid v6 hash
-- Enforce lowercase image tags and optimize scout execution
-- Disable load to support multi-platform exports and target scout via registry
-- Dynamically resolve postgres version path to fix fatal binary exec errors
-- Fix missing token resolution and globalize node24 fallback in sync action
-- Enforce strict SYNC_TOKEN and remove unsecured GitHub token fallback
-- Fix default startup and add smoke coverage
 - Make releases manual and gate heavy workflows
 
-
-### Maintenance
-- Standardize README, add FUNDING.yml, and clean up legacy files
-- Add security policy and unraid template sync workflow
-- Implement explicit least privilege on GitHub Actions runner
-- Enforce author identity in automation
-- Revert to verifiable bot identity for non-repudiation
-- Pin GitHub actions to strictly verified full-length SHAs
-- Replace docker-scout with anchore-grype to avoid authentication issues
-- Temporarily remove anchor scan to allow build pipeline completion under strict allowlist
-
-
-### Other Changes
-- Initial commit: Sure-AIO build files and Unraid XML template
-- Generalize postgresql package name for base image compatibility
-- Security & CI: Fix node24 deprecation and package write permissions
-- Feat/security scout renovate (#1)
-- Codex/fix default startup (#5)
-- Codex/consolidate ci workflows (#14)
-- Codex/fix template icons (#15)
-- Fix awesome-unraid sync for protected main
-- Standardize tags and add release automation
-
-
-### Refactors
-- Fully realize simplelogin-aio methodology by injecting and orchestrating PostgreSQL and Redis natively inside the container via s6-overlay, dropping external DB requirements
-
 <!-- generated by git-cliff -->
diff --git a/scripts/release.py b/scripts/release.py
@@ -11,6 +11,7 @@
 ROOT = pathlib.Path(__file__).resolve().parents[1]
 DEFAULT_CHANGELOG = ROOT / "CHANGELOG.md"
 DEFAULT_DOCKERFILE = ROOT / "Dockerfile"
+AIO_TAG_PATTERN = "v*-aio.*"
 
 
 def read_upstream_version(dockerfile: pathlib.Path) -> str:
@@ -27,6 +28,19 @@ def git_tags() -> list[str]:
     return [line.strip() for line in output.splitlines() if line.strip()]
 
 
+def latest_aio_release_tag() -> str | None:
+    completed = subprocess.run(
+        ["git", "describe", "--tags", "--abbrev=0", "--match", AIO_TAG_PATTERN, "HEAD"],
+        cwd=ROOT,
+        text=True,
+        capture_output=True,
+    )
+    if completed.returncode != 0:
+        return None
+    tag = completed.stdout.strip()
+    return tag or None
+
+
 def latest_release_tag(dockerfile: pathlib.Path) -> str | None:
     upstream_version = read_upstream_version(dockerfile)
     pattern = re.compile(rf"^{re.escape(upstream_version)}-aio\.(\d+)$")
@@ -42,7 +56,7 @@ def latest_release_tag(dockerfile: pathlib.Path) -> str | None:
 
 
 def has_unreleased_changes(dockerfile: pathlib.Path) -> bool:
-    latest_tag = latest_release_tag(dockerfile)
+    latest_tag = latest_aio_release_tag()
     if latest_tag is None:
         return True
     output = subprocess.check_output(["git", "log", "--format=%s", f"{latest_tag}..HEAD"], cwd=ROOT, text=True)
@@ -125,6 +139,7 @@ def main() -> None:
     next_parser.add_argument("--dockerfile", type=pathlib.Path, default=DEFAULT_DOCKERFILE)
     changes_parser = subparsers.add_parser("has-unreleased-changes")
     changes_parser.add_argument("--dockerfile", type=pathlib.Path, default=DEFAULT_DOCKERFILE)
+    previous_parser = subparsers.add_parser("latest-aio-tag")
 
     latest_parser = subparsers.add_parser("latest-changelog-version")
     latest_parser.add_argument("--changelog", type=pathlib.Path, default=DEFAULT_CHANGELOG)
@@ -147,6 +162,11 @@ def main() -> None:
     if args.command == "has-unreleased-changes":
         print("true" if has_unreleased_changes(args.dockerfile) else "false")
         return
+    if args.command == "latest-aio-tag":
+        latest_tag = latest_aio_release_tag()
+        if latest_tag:
+            print(latest_tag)
+        return
     if args.command == "latest-changelog-version":
         print(latest_changelog_version(args.changelog))
         return
