
Normalize changelog PR metadata from repo sync #10971

Open

vikvang wants to merge 3 commits into master from oz/changelog-normalize-repo-sync

Conversation

@vikvang
Contributor

@vikvang vikvang commented May 15, 2026

Description

Normalize changelog PR metadata when stable release workflows run from warpdotdev/warp-internal:

  • resolve repo-sync bot PRs back to the original public warpdotdev/warp PR number, URL, author, and body before changelog classification
  • omit non-repo-sync warp-internal PRs so private/internal work is not exposed in changelog artifacts
  • use explicit resolved PR URLs when converting drafts to release JSON instead of synthesizing public links from internal PR numbers
  • update the changelog skill and workflows to rely on normalized metadata

Linked Issue

  • The linked issue is labeled ready-to-spec or ready-to-implement.
  • Where appropriate, screenshots or a short video of the implementation are included below (especially for user-visible or UI changes).

Testing

  • python3 -m py_compile .agents/skills/changelog-draft/scripts/fetch_prs.py .agents/skills/changelog-draft/scripts/convert_to_release_json.py

  • Live validation: warp-internal#25712 resolves to public warp#9444 with author Faizanq

  • Live validation: non-sync warp-internal#25339 is excluded before changelog output

  • Live validation: public warp#9444 remains unchanged

  • Converter fixture validates resolved public links and no synthesized link for records without URLs

  • git diff --check

  • cargo fmt

  • Attempted cargo clippy --workspace --all-targets --all-features --tests -- -D warnings, but it was blocked by the local macOS Metal Toolchain missing before code diagnostics ran (xcodebuild -downloadComponent MetalToolchain)

  • I have manually tested my changes locally with ./script/run

Agent Mode

  • Warp Agent Mode - This PR was created via Warp's AI Agent Mode

CHANGELOG-NONE

Co-Authored-By: Oz <oz-agent@warp.dev>

Resolve repo-sync PRs from warp-internal back to public warp PR metadata before changelog generation, and omit private internal PRs that were not created by the sync bot.

Co-Authored-By: Oz <oz-agent@warp.dev>
@cla-bot cla-bot Bot added the cla-signed label May 15, 2026
@oz-for-oss
Contributor

oz-for-oss Bot commented May 15, 2026

@vikvang

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

@vikvang vikvang marked this pull request as draft May 15, 2026 00:46
@vikvang vikvang requested a review from danielpeng2 May 15, 2026 00:46
Contributor

@oz-for-oss oz-for-oss Bot left a comment


Overview

This PR normalizes changelog metadata for release workflows running from warp-internal by resolving repo-sync PRs to public warp PR metadata, omitting non-sync internal PRs, and using explicit PR URLs during release JSON conversion.

Concerns

  • Unresolved repo-sync PRs still fall back to internal PR metadata, which can lead to incorrect changelog attribution/links and leak internal-repo details into generated artifacts.
  • The internal-repo filtering gate compares the repository name literally, so equivalent casing of warpdotdev/warp-internal would bypass the privacy filter.

Security

  • The changed filtering logic is the privacy boundary for keeping non-sync internal PRs out of changelog artifacts; normalize the repository name before applying that boundary.

Verdict

Found: 0 critical, 2 important, 0 suggestions

Request changes

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

    private/internal changes. Do not expose them to the Oz changelog agent or to
    generated artifacts.
    """
    return repo != INTERNAL_REPO or is_repo_sync_pr(data)
Contributor


⚠️ [IMPORTANT] [SECURITY] This is the privacy gate for internal PRs, but it only matches the exact lowercase repo string. Normalize the CLI repo value before comparing so equivalent casing of warpdotdev/warp-internal cannot leak non-sync internal PRs into changelog artifacts.

Comment on lines +237 to +242

    if public_pr_number is None:
        return repo, data, internal_pr

    public_data = fetch_pr_data(PUBLIC_REPO, public_pr_number)
    if public_data is None:
        return repo, data, internal_pr
Contributor


⚠️ [IMPORTANT] [SECURITY] These unresolved paths still emit the internal PR's number, title, body, labels, and changed files into the changelog pipeline. Fail closed by skipping or surfacing the PR for manual review instead of classifying internal metadata as a public release PR.

Comment thread .agents/skills/changelog-draft/scripts/convert_to_release_json.py Outdated
@vikvang vikvang marked this pull request as ready for review May 20, 2026 19:46
@oz-for-oss
Contributor

oz-for-oss Bot commented May 20, 2026

@vikvang

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

Contributor

@oz-for-oss oz-for-oss Bot left a comment


Overview

This PR updates the changelog draft workflow so release runs from warpdotdev/warp-internal normalize repo-sync PRs back to public warpdotdev/warp metadata and avoid synthesized public links.

Concerns

  • Unresolved repo-sync PRs currently fall back to internal PR metadata instead of being omitted or failed, which can leak warp-internal details into changelog generation artifacts and violates the normalization guarantee.

Security

  • The fallback path can expose internal PR metadata when public PR resolution fails.

Verdict

Found: 0 critical, 1 important, 0 suggestions

Request changes

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

    public_pr_number = resolve_public_pr_number(repo, pr_number, data)
    if public_pr_number is None:
        return repo, data, internal_pr
Contributor


⚠️ [IMPORTANT] [SECURITY] If public PR resolution fails, this emits the internal PR's title/body/author and internal_pr metadata into changelog generation instead of suppressing it. Return None/skip the PR or fail closed here so unresolved repo-sync PRs cannot leak warp-internal details into generated artifacts.
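An added example (not the PR's own code) showing the two fixes the review asks for in one place: the privacy gate compares a case-normalized repository name, and the repo-sync resolution step fails closed, returning nothing rather than internal PR metadata when the public PR cannot be resolved. It assumes a constructed sync-bot login (`repo-sync-bot[bot]`), a constructed body line of the form `Syncs warpdotdev/warp#<n>`, and an in-memory table standing in for the public repository; none of these come from the page.

```python
"""Hardened privacy gate and fail-closed repo-sync resolution (added example).

Assumptions not taken from the PR: the sync bot's login, the body line that
links a sync PR to its public PR, and the in-memory PUBLIC_PRS table that
stands in for GitHub API calls.
"""
import re
from typing import Optional

INTERNAL_REPO = "warpdotdev/warp-internal"
PUBLIC_REPO = "warpdotdev/warp"
SYNC_BOT_LOGIN = "repo-sync-bot[bot]"                      # assumed marker
SYNC_LINE = re.compile(r"Syncs\s+warpdotdev/warp#(\d+)")  # assumed body format

# Constructed stand-in for the public repository (author taken from the PR's
# live-validation note; the title is made up for the example).
PUBLIC_PRS = {
    9444: {"number": 9444, "title": "Public change", "author": "Faizanq",
           "url": "https://github.com/warpdotdev/warp/pull/9444"},
}


def normalize_repo(repo: str) -> str:
    # GitHub owner/repo names are case-insensitive, so compare canonically.
    return repo.strip().lower()


def is_repo_sync_pr(data: dict) -> bool:
    return data.get("author") == SYNC_BOT_LOGIN


def should_include_pr(repo: str, data: dict) -> bool:
    # Privacy gate: an internal PR passes only if the sync bot created it.
    return normalize_repo(repo) != INTERNAL_REPO or is_repo_sync_pr(data)


def resolve_public_pr_number(data: dict) -> Optional[int]:
    m = SYNC_LINE.search(data.get("body", ""))
    return int(m.group(1)) if m else None


def resolve_changelog_pr(repo: str, data: dict) -> Optional[dict]:
    """Return the metadata to classify, or None (fail closed) when internal
    metadata would otherwise leak into changelog artifacts."""
    if not should_include_pr(repo, data):
        return None
    if normalize_repo(repo) != INTERNAL_REPO:
        return data                      # public PR: use as-is
    number = resolve_public_pr_number(data)
    public = PUBLIC_PRS.get(number) if number is not None else None
    return public                        # None when unresolved, never `data`
```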

@vikvang vikvang requested a review from danielpeng2 May 20, 2026 20:56
Member

@danielpeng2 danielpeng2 left a comment


Couple questions about the Slack changes:

  • Have you tested that this works in the GitHub workflow? We should make sure that the process for posting to #release doesn't break if we merge this in.
  • What does the new format for the Slack message look like? It would make it easier to review if there was an example of the updated format.

Can we align on the formatting before we make changes here? I'm worried that the formatting will change in a way that makes it harder for engineers to construct the changelog. Happy to get on a call to hash this out.
