fix: address Copilot review comments

Qbandev · Qbandev · commit f024b630c401 · 2025-12-03T14:47:47.000+01:00
- Replace eval with direct command execution for security
- Add platform-specific logic to create-platform-release-pr.sh
  (extension uses yarn, mobile uses npx with pinned version)
- Clarify documentation that require_pr_numbers is ignored for mobile
- Add detailed comment explaining merge logic rationale in
  update-release-changelog.sh (intentionally different from
  create-platform-release-pr.sh)
diff --git a/.github/scripts/create-platform-release-pr.sh b/.github/scripts/create-platform-release-pr.sh
@@ -351,16 +351,33 @@ create_changelog_pr() {
     # Generate Changelog and Test Plan
     echo "Generating changelog for ${platform}.."
 
-    # Build the auto-changelog command based on platform and options
-    CHANGELOG_CMD="yarn auto-changelog update --rc --repo \"${GITHUB_REPOSITORY_URL}\" --currentVersion \"${new_version}\" --autoCategorize --useChangelogEntry --useShortPrLink"
-
-    # Add --requirePrNumbers flag if enabled
-    if [[ "${REQUIRE_PR_NUMBERS}" == "true" ]]; then
-        CHANGELOG_CMD="${CHANGELOG_CMD} --requirePrNumbers"
+    # Platform-specific logic: extension uses yarn auto-changelog (project dependency),
+    # mobile uses npx with pinned version
+    if [[ "${platform}" == "extension" ]]; then
+        if [[ "${REQUIRE_PR_NUMBERS}" == "true" ]]; then
+            yarn auto-changelog update --rc \
+                --repo "${GITHUB_REPOSITORY_URL}" \
+                --currentVersion "${new_version}" \
+                --autoCategorize \
+                --useChangelogEntry \
+                --useShortPrLink \
+                --requirePrNumbers
+        else
+            yarn auto-changelog update --rc \
+                --repo "${GITHUB_REPOSITORY_URL}" \
+                --currentVersion "${new_version}" \
+                --autoCategorize \
+                --useChangelogEntry \
+                --useShortPrLink
+        fi
+    else
+        # Mobile platform: use npx with pinned version, --requirePrNumbers not applicable
+        npx @metamask/auto-changelog@4.1.0 update --rc \
+            --repo "${GITHUB_REPOSITORY_URL}" \
+            --currentVersion "${new_version}" \
+            --autoCategorize
     fi
 
-    eval "${CHANGELOG_CMD}"
-
     # Skip commits.csv for hotfix releases (previous_version_ref is literal "null")
     # - When we create a new major/minor release, we fetch all commits included in the release, by fetching the diff between HEAD and previous version reference.
     # - When we create a new hotfix release, there are no commits included in the release by default (they will be cherry-picked one by one). So we don't have previous version reference, which is why the value is set to 'null'.
diff --git a/.github/scripts/update-release-changelog.sh b/.github/scripts/update-release-changelog.sh
@@ -13,7 +13,7 @@
 #   4. previous_version_ref - Previous version reference (branch/tag/SHA). Defaults to literal "null"
 #                             so that commits.csv generation is skipped, matching hotfix behaviour.
 #   5. require_pr_numbers   - When "true", only include commits with PR numbers (filters out direct commits).
-#                             Defaults to "false". Only applicable to extension platform.
+#                             Defaults to "false". Only applicable to extension platform; ignored for mobile.
 #
 # Environment (optional):
 #   GITHUB_TOKEN         - Token for GitHub CLI operations (falls back to gh auth config)
@@ -63,7 +63,10 @@ checkout_or_create_branch() {
         else
             git checkout "${branch_name}"
         fi
-        # Merge the base branch to include any new commits from the release branch
+        # Merge the base branch to include any new commits from the release branch.
+        # This merge logic is intentionally different from heckout_or_create_branch()
+        # This script runs on every push to the release branch, so the changelog branch may already exist with older content.
+        # We need to merge the latest release branch commits to ensure auto-changelog sees all new commits.
         if [[ -n "${base_branch}" ]]; then
             echo "Merging ${base_branch} into ${branch_name} to include new commits..."
             git fetch origin "${base_branch}"
@@ -216,14 +219,22 @@ echo "Generating changelog for ${PLATFORM} ${VERSION}.."
 
 # Build the auto-changelog command based on platform and options
 if [[ "${PLATFORM}" == "extension" ]]; then
-    CHANGELOG_CMD="yarn auto-changelog update --rc --repo \"${GITHUB_REPOSITORY_URL}\" --currentVersion \"${VERSION}\" --autoCategorize --useChangelogEntry --useShortPrLink"
-
-    # Add --requirePrNumbers flag if enabled
     if [[ "${REQUIRE_PR_NUMBERS}" == "true" ]]; then
-        CHANGELOG_CMD="${CHANGELOG_CMD} --requirePrNumbers"
+        yarn auto-changelog update --rc \
+            --repo "${GITHUB_REPOSITORY_URL}" \
+            --currentVersion "${VERSION}" \
+            --autoCategorize \
+            --useChangelogEntry \
+            --useShortPrLink \
+            --requirePrNumbers
+    else
+        yarn auto-changelog update --rc \
+            --repo "${GITHUB_REPOSITORY_URL}" \
+            --currentVersion "${VERSION}" \
+            --autoCategorize \
+            --useChangelogEntry \
+            --useShortPrLink
     fi
-
-    eval "${CHANGELOG_CMD}"
 else
     npx @metamask/auto-changelog@4.1.0 update --rc --repo "${GITHUB_REPOSITORY_URL}" --currentVersion "${VERSION}" --autoCategorize
 fi
