
feat: add changelog fragments workflow #11572 (Draft)

AdriiiPRodri wants to merge 8 commits into master from fragment-changelogs

Conversation

@AdriiiPRodri

Contributor

Context

Prowler currently keeps unreleased entries in shared CHANGELOG.md blocks. That makes changelog edits the hottest conflict point in the repository: the migration research measured 400 of 673 recent master commits touching a changelog, with the SDK changelog alone touched 230 times. When two PRs append to the same section, GitHub cannot auto-merge the second one, so contributors rebase, resolve a mechanical conflict, and re-run CI. Backports hit the same problem on release branches.

This PR migrates Prowler to per-PR changelog fragments while preserving the existing per-component CHANGELOG.md files and the release notes format consumed by prepare-release.yml. The core idea is simple: contributors write one small fragment file per changelog entry, and release managers compile those fragments into stamped changelog sections at release time.

Description

This introduces the fragment workflow across SDK, API, UI and MCP Server:

  • Adds <component>/changelog.d/ directories, towncrier.toml configs and a shared Towncrier template that renders the same Keep a Changelog structure, emoji section names and PR links used today.
  • Migrates the current unreleased SDK, API and UI entries into fragment files, removes the hand-written (Prowler UNRELEASED) blocks, and adds a stable <!-- changelog: release notes start --> insertion marker to every component changelog.
  • Adds .github/scripts/changelog_attribution.py, which resolves each fragment's PR from git history and the GitHub API before compilation, so contributors do not need to know or write the PR number in the filename or entry text.
  • Adds the Tools: Compile Changelogs workflow. It is manually dispatched with prowler_version and target_branch, auto-derives component versions from the latest stamped changelog heading plus pending fragment types, runs Towncrier, and opens a no-changelog compile PR for review.
  • Handles patch releases by also opening an automatic forward-sync PR to master, inserting the same stamped patch block and deleting the consumed fragments there so the next minor release cannot publish those entries again.
  • Updates Tools: Check Changelog to require fragments for touched components, validate fragment filenames, reject hand-written PR links, keep the no-changelog opt-out, and temporarily accept direct CHANGELOG.md edits during the migration grace period.
  • Updates PR templates, developer docs and Prowler skills so contributors are pointed at fragments instead of direct CHANGELOG.md edits.
  • Extends CI path filters so fragment-only changes are treated like changelog-only changes and do not trigger heavy component checks unnecessarily.

Developer flow after this PR:

<component>/changelog.d/<slug>.<type>.md

<slug> is author-chosen, <type> is one of added, changed, deprecated, removed, fixed or security, and the file content is one changelog entry line without a PR link or trailing period. A PR that needs multiple entries adds multiple fragment files.

Release flow after this PR:

  • Minor release: dispatch Tools: Compile Changelogs against master, review and merge the compile PR, then cut the v5.X branch and run prepare-release.yml as usual.
  • Patch release: backported fixes carry their fragments to v5.X; dispatch the compile workflow against v5.X, review and merge the release-branch compile PR, then review and merge the automatically opened master forward-sync PR. prepare-release.yml remains unchanged.

The workflow fails loudly instead of producing incomplete release notes: it rejects invalid version inputs, empty compiles, missing insertion markers, leftover hand-written (Prowler UNRELEASED) blocks, and removed fragments without an explicit major version decision.

Steps to review

  1. Review the migration of existing unreleased entries:

    • SDK entries moved from prowler/CHANGELOG.md to prowler/changelog.d/.
    • API entries moved from api/CHANGELOG.md to api/changelog.d/.
    • UI entries moved from ui/CHANGELOG.md to ui/changelog.d/.
    • MCP Server has no migrated entries, only the insertion marker and empty fragment directory.
  2. Review the contributor-facing contract:

    • Fragment filenames follow <slug>.<type>.md.
    • Fragment text omits PR links because compile-time attribution adds them.
    • PR template, developer docs and skills describe the same rules.
  3. Review .github/workflows/pr-check-changelog.yml for parity with the current gate:

    • Same workflow name and job id.
    • Same no-changelog escape hatch.
    • Same monitored component behavior plus the existing root dependency rule.
    • New filename and content validation for fragments.
  4. Review .github/workflows/compile-changelogs.yml as the replacement for the manual chore(changelog): vX.Y.Z stamping PR:

    • Version derivation reads changelog headings, not package manifests.
    • Towncrier only runs after attribution renames fragments.
    • Compile PRs and forward-sync PRs are labeled no-changelog.
    • Patch forward-sync inserts by marker and deletes original fragment paths instead of cherry-picking.
  5. Review .github/scripts/changelog_attribution.py for the PR resolution path:

    • Find the commit that added a fragment.
    • Resolve the PR through the GitHub API, falling back to squash-commit subject parsing.
    • Rename unresolved fragments as orphan entries with a warning rather than blocking release.
  6. Validation performed for the migration work:

    • The real v5.30.0 release blocks were reproduced from fragments and compared against the post-release changelog output.
    • prepare-release.yml release-note extraction over the compiled files matched the existing release-note shape.
    • Local end-to-end coverage was prepared for gate logic, developer flow, compile steps and attribution against real history.

Checklist

Community Checklist

SDK/CLI

  • Are there new checks included in this PR? No
    • If so, do we need to update permissions for the provider? No

UI

  • All issue/task requirements work as expected on the UI
  • If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Tablet (640px < X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure a changelog fragment is added under ui/changelog.d/, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, uv, etc.).
  • Ensure a changelog fragment is added under api/changelog.d/, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
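As an added illustration of the contributor contract and the attribution fallback described in this PR (example code written for this page, not the PR's own pr-check-changelog.yml gate or changelog_attribution.py): a checker that applies the fragment filename and content rules, honours the migration grace period for direct CHANGELOG.md edits, and parses the PR number from a squash-commit subject. The regexes and the slug character set are assumptions; the PR only says the slug is author-chosen.

```python
import re
from typing import Optional

# Fragment types the PR description allows.
FRAGMENT_TYPES = {"added", "changed", "deprecated", "removed", "fixed", "security"}

# <component>/changelog.d/<slug>.<type>.md. The slug character set is an
# assumption made for this example.
FRAGMENT_RE = re.compile(
    r"^(?P<component>[^/]+)/changelog\.d/"
    r"(?P<slug>[A-Za-z0-9][A-Za-z0-9_-]*)\.(?P<type>[a-z]+)\.md$"
)

# Hand-written PR references that compile-time attribution would duplicate.
PR_LINK_RE = re.compile(r"\(#\d+\)|github\.com/[^\s)]+/pull/\d+")


def check_fragment(path: str, content: str, migration_grace_period: bool = True) -> list:
    """Return the list of gate violations for one changed changelog file."""
    if path.endswith("/CHANGELOG.md") and migration_grace_period:
        return []  # direct edits are still accepted while the migration runs
    m = FRAGMENT_RE.match(path)
    if not m:
        return [f"{path}: expected <component>/changelog.d/<slug>.<type>.md"]
    problems = []
    if m["type"] not in FRAGMENT_TYPES:
        problems.append(f"{path}: unknown fragment type '{m['type']}'")
    lines = [line.strip() for line in content.splitlines() if line.strip()]
    if len(lines) != 1:
        problems.append(f"{path}: fragment must contain exactly one entry line")
        return problems
    entry = lines[0]
    if PR_LINK_RE.search(entry):
        problems.append(f"{path}: drop the PR link; attribution adds it at compile time")
    if entry.endswith("."):
        problems.append(f"{path}: entry must not end with a trailing period")
    return problems


# Fallback used when the GitHub API lookup fails: GitHub squash merges end the
# commit subject with "(#<PR number>)".
SQUASH_SUBJECT_RE = re.compile(r"\(#(?P<pr>\d+)\)\s*$")


def pr_from_squash_subject(subject: str) -> Optional[int]:
    """Return the PR number from a squash-merge subject, or None if absent."""
    m = SQUASH_SUBJECT_RE.search(subject)
    return int(m["pr"]) if m else None
```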

@coderabbitai

coderabbitai Bot commented Jun 12, 2026


Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@github-actions

github-actions Bot commented Jun 12, 2026

Contributor

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions

github-actions Bot commented Jun 12, 2026

Contributor

✅ All required changelog fragments are present.

@github-actions

github-actions Bot commented Jun 12, 2026

Contributor

🔒 Container Security Scan

Image: prowler-mcp:d23da0b
Last scan: 2026-06-12 13:01:39 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 2
Total 2

2 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@github-actions

github-actions Bot commented Jun 12, 2026

Contributor

🔒 Container Security Scan

Image: prowler-ui:d23da0b
Last scan: 2026-06-12 13:04:47 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 2
Total 2

2 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@github-actions

github-actions Bot commented Jun 12, 2026

Contributor

🔒 Container Security Scan

Image: prowler-api:d23da0b
Last scan: 2026-06-12 13:05:24 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 22
Total 22

16 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@github-actions

github-actions Bot commented Jun 12, 2026

Contributor

🔒 Container Security Scan

Image: prowler:d23da0b
Last scan: 2026-06-12 13:03:41 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 14
Total 14

9 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


- Validate changelog compile target branches

- Use an explicit master checkout for forward sync

- Cover changelog attribution edge cases

@codecov

codecov Bot commented Jun 12, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.50%. Comparing base (a394c0f) to head (45cef5e).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11572      +/-   ##
==========================================
- Coverage   94.02%   93.50%   -0.53%     
==========================================
  Files         241      277      +36     
  Lines       35705    37164    +1459     
==========================================
+ Hits        33573    34750    +1177     
- Misses       2132     2414     +282     
Flag Coverage Δ
api 94.02% <ø> (ø)
prowler-py3.10-github 80.67% <ø> (?)
prowler-py3.11-github 80.67% <ø> (?)
prowler-py3.12-github 80.67% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 80.67% <ø> (∅)
api 94.02% <ø> (ø)
