From c0bf854e8efbb747ac462add447cb4467727101b Mon Sep 17 00:00:00 2001
From: Denis Chilik <denis.chilik@rokt.com>
Date: Mon, 13 Apr 2026 10:18:41 -0400
Subject: [PATCH 1/2] ci: generate CHANGELOG on release draft

Run ROKT/rokt-workflows generate-changelog after mavenLocal smoke; use
default tag-prefix so semver matches VERSION and GitHub release tags.

Made-with: Cursor
---
 .github/workflows/release-draft.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/release-draft.yml b/.github/workflows/release-draft.yml
index 40dcaf84a..637a54953 100644
--- a/.github/workflows/release-draft.yml
+++ b/.github/workflows/release-draft.yml
@@ -63,6 +63,16 @@ jobs:
       - name: Publish to Maven local (smoke test)
         run: ./gradlew publishMavenPublicationToMavenLocal -PVERSION=${{ steps.bump-version.outputs.new_version }}
 
+      - name: Generate changelog entry
+        id: changelog
+        uses: ROKT/rokt-workflows/actions/generate-changelog@main
+        with:
+          version: ${{ steps.bump-version.outputs.new_version }}
+          repo-url: https://github.com/${{ github.repository }}
+          changelog-path: CHANGELOG.md
+          exclude-types: chore,ci,test,build
+          kits-path: kits
+
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:

From e4e42c57be60beb1ca702071e9a9ab327d5326ef Mon Sep 17 00:00:00 2001
From: Denis Chilik <denis.chilik@rokt.com>
Date: Mon, 13 Apr 2026 11:02:42 -0400
Subject: [PATCH 2/2] ci: pin generate-changelog action to commit SHA

Semgrep blocks mutable @main and unpinned third-party actions; use
ROKT/rokt-workflows@c5c93e92107c520fb8b8cf71070995abdf4c403f.

Made-with: Cursor
---
 .github/workflows/release-draft.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release-draft.yml b/.github/workflows/release-draft.yml
index 637a54953..bbfa8b258 100644
--- a/.github/workflows/release-draft.yml
+++ b/.github/workflows/release-draft.yml
@@ -65,7 +65,8 @@ jobs:
 
       - name: Generate changelog entry
         id: changelog
-        uses: ROKT/rokt-workflows/actions/generate-changelog@main
+        # Pinned SHA for Semgrep (no mutable @main); bump when upgrading the action.
+        uses: ROKT/rokt-workflows/actions/generate-changelog@c5c93e92107c520fb8b8cf71070995abdf4c403f
         with:
           version: ${{ steps.bump-version.outputs.new_version }}
           repo-url: https://github.com/${{ github.repository }}