Add krel release notes validation workflow

[npolshakova]

What type of PR is this:

/kind feature

What this PR does / why we need it:

Adds a GitHub Action to setup krel.

This is required to setup a presubmit job for PRs like: #2659. The current requirement is to add validation using:

$ krel release-notes validate --help
krel release-notes validate

The 'validate' subcommand of krel has been developed to:

1. Check release notes maps for valid yaml.

2. Check release notes maps for valid punctuation.

Usage:
  krel release-notes validate [flags]

Flags:
  -h, --help                           help for validate
      --path-to-release-notes string   The path to the release notes to validate. Can be a top level directory or a specific file.

The release notes team is blocked whenever invalid yaml is merged into sig-release:

#2589
#2541

Invalid yaml can be introduced during the review process when people apply changes or manually edit the maps (not through krel, but in an editor). This workflow automates preventing invalid yaml from merging into sig-release.

Which issue(s) this PR fixes:

Fixes kubernetes/release#2753

Special notes for your reviewer:

Based on @Vyom-Yadav's GitHub workflow: kubernetes-sigs/release-actions#101

[Vyom-Yadav]

/assign

[Vyom-Yadav]

I've pinned this to v0.17.12, if and when we do a new release of krel, we'd need to update this. (I think there may be some automated job to do that, or we can add this to the handbook (for the lead to update it).

Alternatively, do we want to fetch the latest release?

[npolshakova]

Hm, currently the handbook suggests the docs team uses the lastest krel, so maybe it's fine just fetching the latest release? https://github.com/kubernetes/sig-release/blob/ff03da9043cdd4cfd63f4c06c901909a744f2daa/release-team/role-handbooks/docs/README.md#tools

[Vyom-Yadav]

Done, I changed to latest.

[Vyom-Yadav]

Test run: https://github.com/npolshakova/sig-release/actions/runs/12723351941/job/35468384786?pr=4
Test comment: npolshakova#4 (comment)

[Vyom-Yadav]

/remove hold

[Vyom-Yadav]

/assign @npolshakova

[npolshakova]

Changes look good @Vyom-Yadav!

Is there a way to make this workflow required when merging release notes changes in? @kubernetes/sig-release-leads

It should only trigger on release notes changed conditions, but I think we might need admin permissions in GitHub to make it required?

[Vyom-Yadav]

I think required workflows might not be supported anymore (for new workflows - https://docs.github.com/en/enterprise-server@3.11/actions/sharing-automations/required-workflows), but a github admin can check that for us. Anyways, that can only be enabled after merging this action.

[stmcginnis]

/lgtm

[cpanato]

some comments

thanks for doing this

[cpanato]

add

permissions: {}

this will drop all permissions for the workflow, as we dont need

[Vyom-Yadav]

Added.

[cpanato]

add

permissions:
   contents: read

we might just need the contents read to be able to clone

[Vyom-Yadav]

Since, it is a public repo, I don't think this is required. actions/checkout directly uses git, so I don't think we need to add any permission to the github_token

[cpanato]

i think this is fine for now, we can add install krel action in the release-actions repo.

[Vyom-Yadav]

It was discussed that krel install should not be exportable. Ref: kubernetes-sigs/release-actions#101 (comment)

[cpanato]

nit: new line

[Vyom-Yadav]

Added a new line at the end.

[cpanato]

i think this will not work as expected because in fork PRs we dont have the write permission for the github token

i would add this as job summary and then we can see this in the checks tab

https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#adding-a-job-summary

[puerco]

I agree. It only needs pull-requests but I'd prefer to keep the token with less permissions. Just fail it and we can check the results on the workflow run.

[Vyom-Yadav]

Migrated to github job summary. Test run: https://github.com/npolshakova/sig-release/actions/runs/12806142763?pr=4

[puerco]

I think this comment is from another workflow :)

Suggested change

# we need to fetch the full history in order to check changes across all commits on the branch

[Vyom-Yadav]

We do CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} -- releases/ | grep -E '\.ya?ml$' || true), so need fetch-depth 0. I removed the comment though (I think that is just extra)

[puerco]

Since we're gating on the PR I think we can drop the run on push as we know the YAMLs are already valid.

Suggested change

	push:
	branches:
	- master
	paths:
	- releases/**/release-notes/**.yaml
	- releases/**/release-notes/**.yml

[Vyom-Yadav]

Removed.

[puerco]

I agree. It only needs pull-requests but I'd prefer to keep the token with less permissions. Just fail it and we can check the results on the workflow run.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: npolshakova
Once this PR has been reviewed and has the lgtm label, please ask for approval from cpanato. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Vyom-Yadav]

New test run: https://github.com/npolshakova/sig-release/actions/runs/12806142763?pr=4