feat: add changelog fragments workflow

.github/pull_request_template.md

@@ -18,8 +18,8 @@ Please add a detailed description of how to review this PR.
 
 <summary><b>Community Checklist</b></summary>
 
-- [ ] This feature/issue is listed in [here](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or roadmap.prowler.com
-- [ ] Is it assigned to me, if not, request it via the issue/feature in [here](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or [Prowler Community Slack](goto.prowler.com/slack)
+- [ ] This feature/issue is listed in the [open issues](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or roadmap.prowler.com
+- [ ] Is it assigned to me, if not, request it via the [open issues](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or [Prowler Community Slack](goto.prowler.com/slack)
 
 </details>
 
@@ -28,7 +28,7 @@ Please add a detailed description of how to review this PR.
 - [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
 - [ ] Review if backport is needed.
 - [ ] Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
-- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/prowler/CHANGELOG.md), if applicable.
+- [ ] Ensure a changelog fragment is added under [prowler/changelog.d/](https://github.com/prowler-cloud/prowler/tree/master/prowler/changelog.d), if applicable.
 
 #### SDK/CLI
 - Are there new checks included in this PR? Yes / No
@@ -40,7 +40,7 @@ Please add a detailed description of how to review this PR.
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
-- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/ui/CHANGELOG.md), if applicable.
+- [ ] Ensure a changelog fragment is added under [ui/changelog.d/](https://github.com/prowler-cloud/prowler/tree/master/ui/changelog.d), if applicable.
 
 #### API
 - [ ] All issue/task requirements work as expected on the API
@@ -50,7 +50,7 @@ Please add a detailed description of how to review this PR.
 - [ ] Any other relevant evidence of the implementation (if applicable)
 - [ ] Verify if API specs need to be regenerated.
 - [ ] Check if version updates are required (e.g., specs, uv, etc.).
-- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/api/CHANGELOG.md), if applicable.
+- [ ] Ensure a changelog fragment is added under [api/changelog.d/](https://github.com/prowler-cloud/prowler/tree/master/api/changelog.d), if applicable.
 
 ### License
 

.github/scripts/changelog_attribution.py

@@ -0,0 +1,150 @@
+#!/usr/bin/env python3
+"""Rename changelog fragments to their PR number before running towncrier.
+
+For every <slug>.<type>.md in <component_dir>/changelog.d/, find the commit that
+added it, resolve its PR via the GitHub API (falling back to the squash-commit
+subject), and `git mv` it to <PR>.<type>.md so towncrier renders the PR link.
+Unresolvable fragments become +<slug>.<type>.md orphans (rendered without link).
+"""
+
+import argparse
+import json
+import os
+import re
+import subprocess
+import sys
+import urllib.error
+import urllib.request
+
+FRAGMENT_RE = re.compile(
+    r"^(?P<slug>[A-Za-z0-9][A-Za-z0-9._-]*?)"
+    r"\.(?P<type>added|changed|deprecated|removed|fixed|security)"
+    r"(?:\.(?P<counter>[0-9]+))?\.md$"
+)
+SUBJECT_PR_RE = re.compile(r" \(#([0-9]+)\)$")
+IGNORED_FILES = {".gitkeep", "README.md"}
+API_TIMEOUT_SECONDS = 10
+
+
+def git(*args: str) -> str:
+    result = subprocess.run(["git", *args], check=True, capture_output=True, text=True)
+    return result.stdout.strip()
+
+
+def find_adding_commit(path: str) -> str | None:
+    """Find the commit that added a file, following renames.
+
+    Falls back to a plain (no --follow) lookup: rename detection can lose the
+    add event for degenerate content (e.g. files identical to many others).
+    """
+    sha = git("log", "--follow", "--diff-filter=A", "--format=%H", "-1", "--", path)
+    if not sha:
+        sha = git("log", "--diff-filter=A", "--format=%H", "-1", "--", path)
+    return sha or None
+
+
+def pr_from_api(repo: str, sha: str) -> int | None:
+    """Resolve the PR associated with a commit via the GitHub API.
+
+    Returns None on any network/API failure so the caller can fall back to
+    parsing the squash-commit subject.
+    """
+    url = f"https://api.github.com/repos/{repo}/commits/{sha}/pulls"
+    headers = {
+        "Accept": "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28",
+        "User-Agent": "prowler-changelog-attribution",
+    }
+    token = os.environ.get("GITHUB_TOKEN")
+    if token:
+        headers["Authorization"] = f"Bearer {token}"
+    request = urllib.request.Request(url, headers=headers)
+    try:
+        with urllib.request.urlopen(request, timeout=API_TIMEOUT_SECONDS) as response:
+            pulls = json.load(response)
+    except (urllib.error.URLError, TimeoutError, json.JSONDecodeError):
+        return None
+    if isinstance(pulls, list) and pulls:
+        return pulls[0].get("number")
+    return None
+
+
+def pr_from_subject(sha: str) -> int | None:
+    subject = git("log", "-1", "--format=%s", sha)
+    match = SUBJECT_PR_RE.search(subject)
+    return int(match.group(1)) if match else None
+
+
+def unique_destination(directory: str, base_name: str, fragment_type: str) -> str:
+    """Return a non-colliding fragment path, appending a numeric counter if needed."""
+    candidate = os.path.join(directory, f"{base_name}.{fragment_type}.md")
+    counter = 0
+    while os.path.exists(candidate):
+        counter += 1
+        candidate = os.path.join(directory, f"{base_name}.{fragment_type}.{counter}.md")
+    return candidate
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("component_dir", help="Component directory, e.g. prowler")
+    parser.add_argument("--repo", default="prowler-cloud/prowler")
+    parser.add_argument(
+        "--no-api",
+        action="store_true",
+        help="Skip the GitHub API and resolve PRs from commit subjects only",
+    )
+    args = parser.parse_args()
+
+    fragments_dir = os.path.join(args.component_dir, "changelog.d")
+    if not os.path.isdir(fragments_dir):
+        print(f"::error::Fragments directory not found: {fragments_dir}")
+        return 1
+
+    malformed = []
+    for name in sorted(os.listdir(fragments_dir)):
+        if name in IGNORED_FILES or name.startswith("+"):
+            continue
+        match = FRAGMENT_RE.match(name)
+        if not match:
+            malformed.append(name)
+            continue
+        slug, fragment_type = match.group("slug"), match.group("type")
+        if slug.isdigit():
+            continue
+
+        path = os.path.join(fragments_dir, name)
+        sha = find_adding_commit(path)
+        pr_number = None
+        if sha:
+            if not args.no_api:
+                pr_number = pr_from_api(args.repo, sha)
+            if pr_number is None:
+                pr_number = pr_from_subject(sha)
+
+        if pr_number is not None:
+            destination = unique_destination(
+                fragments_dir, str(pr_number), fragment_type
+            )
+        else:
+            destination = unique_destination(fragments_dir, f"+{slug}", fragment_type)
+            print(
+                f"::warning::Could not resolve a PR for {path}; renamed to "
+                f"{os.path.basename(destination)} (entry will render without a PR link)"
+            )
+        git("mv", path, destination)
+        print(f"{path} -> {destination}")
+
+    if malformed:
+        for name in malformed:
+            print(
+                f"::error::Malformed fragment filename in {fragments_dir}: {name} "
+                "(expected <slug>.<type>.md with type one of added|changed|"
+                "deprecated|removed|fixed|security)"
+            )
+        return 1
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

.github/towncrier/template.md.jinja

@@ -0,0 +1,13 @@
+{% for section, _ in sections.items() %}
+{% for category, val in definitions.items() if category in sections[section] %}
+### {{ definitions[category]['name'] }}
+
+{% for text, values in sections[section][category].items() %}
+- {{ text }}{% if values %} {{ values|join(', ') }}{% endif %}
+
+{% endfor %}
+
+{% endfor %}
+{% endfor %}
+---
+{{ "\n" }}

.github/workflows/api-code-quality.yml

@@ -62,6 +62,7 @@ jobs:
             api/docs/**
             api/README.md
             api/CHANGELOG.md
+            api/changelog.d/**
             api/AGENTS.md
 
       - name: Setup Python with uv

.github/workflows/api-container-checks.yml

@@ -111,6 +111,7 @@ jobs:
             api/docs/**
             api/README.md
             api/CHANGELOG.md
+            api/changelog.d/**
             api/AGENTS.md
 
       - name: Set up Docker Buildx

.github/workflows/api-security.yml

@@ -84,6 +84,7 @@ jobs:
             api/docs/**
             api/README.md
             api/CHANGELOG.md
+            api/changelog.d/**
             api/AGENTS.md
 
       - name: Setup Python with uv

.github/workflows/api-tests.yml

@@ -111,6 +111,7 @@ jobs:
             api/docs/**
             api/README.md
             api/CHANGELOG.md
+            api/changelog.d/**
             api/AGENTS.md
 
       - name: Setup Python with uv