contentstack · harshitha-cstk · Apr 22, 2026 · Apr 22, 2026 · Apr 28, 2026 · Apr 29, 2026
@@ -0,0 +1,54 @@
+name: Back-merge master to development
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  open-back-merge-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Open back-merge PR if needed
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          BASE_BRANCH="development"
+          SOURCE_BRANCH="master"
+
+          git fetch origin "$BASE_BRANCH" "$SOURCE_BRANCH"
+
+          if ! git show-ref --verify --quiet "refs/remotes/origin/$BASE_BRANCH"; then
+            echo "Base branch '$BASE_BRANCH' does not exist on origin; skipping."
+            exit 0
+          fi
+
+          SOURCE_SHA=$(git rev-parse "origin/$SOURCE_BRANCH")
+          BASE_SHA=$(git rev-parse "origin/$BASE_BRANCH")
+
+          if [ "$SOURCE_SHA" = "$BASE_SHA" ]; then
+            echo "$SOURCE_BRANCH and $BASE_BRANCH are at the same commit; nothing to back-merge."
+            exit 0
+          fi
+
+          EXISTING=$(gh pr list --repo "${{ github.repository }}"             --base "$BASE_BRANCH"             --head "$SOURCE_BRANCH"             --state open             --json number             --jq 'length')
+
+          if [ "$EXISTING" -gt 0 ]; then
+            echo "An open PR from $SOURCE_BRANCH to $BASE_BRANCH already exists; skipping."
+            exit 0
+          fi
+
+          gh pr create --repo "${{ github.repository }}"             --base "$BASE_BRANCH"             --head "$SOURCE_BRANCH"             --title "chore: back-merge $SOURCE_BRANCH into $BASE_BRANCH"             --body "Automated back-merge after changes landed on \\`$SOURCE_BRANCH\\`. Review and merge to keep \\`$BASE_BRANCH\\` in sync."
+
+          echo "Created back-merge PR $SOURCE_BRANCH -> $BASE_BRANCH."
@@ -0,0 +1,86 @@
+name: Check Version Bump
+
+on:
+  pull_request:
+
+jobs:
+  version-bump:
+    name: Version & Changelog bump
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Detect changed files and version bump
+        id: detect
+        run: |
+          if git rev-parse HEAD^2 >/dev/null 2>&1; then
+            FILES=$(git diff --name-only HEAD^1 HEAD^2)
+          else
+            FILES=$(git diff --name-only HEAD~1 HEAD)
+          fi
+          VERSION_FILES_CHANGED=false
+          echo "$FILES" | grep -qx 'package.json' && VERSION_FILES_CHANGED=true
+          echo "$FILES" | grep -qx 'CHANGELOG.md' && VERSION_FILES_CHANGED=true
+          echo "version_files_changed=$VERSION_FILES_CHANGED" >> $GITHUB_OUTPUT
+          # Only lib/, webpack/, dist/, package.json count as release-affecting; .github/ and test/ do not
+          CODE_CHANGED=false
+          echo "$FILES" | grep -qE '^lib/|^webpack/|^dist/' && CODE_CHANGED=true
+          echo "$FILES" | grep -qx 'package.json' && CODE_CHANGED=true
+          echo "code_changed=$CODE_CHANGED" >> $GITHUB_OUTPUT
+
+      - name: Skip when only test/docs/.github changed
+        if: steps.detect.outputs.code_changed != 'true'
+        run: |
+          echo "No release-affecting files changed (e.g. only test/docs/.github). Skipping version-bump check."
+          exit 0
+
+      - name: Fail when version bump was missed
+        if: steps.detect.outputs.code_changed == 'true' && steps.detect.outputs.version_files_changed != 'true'
+        run: |
+          echo "::error::This PR has code changes but no version bump. Please bump the version in package.json and add an entry in CHANGELOG.md."
+          exit 1
+
+      - name: Setup Node
+        if: steps.detect.outputs.code_changed == 'true' && steps.detect.outputs.version_files_changed == 'true'
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.x'
+
+      - name: Check version bump
+        if: steps.detect.outputs.code_changed == 'true' && steps.detect.outputs.version_files_changed == 'true'
+        run: |
+          set -e
+          PKG_VERSION=$(node -p "require('./package.json').version.replace(/^v/, '')")
+          if [ -z "$PKG_VERSION" ]; then
+            echo "::error::Could not read version from package.json"
+            exit 1
+          fi
+          git fetch --tags --force 2>/dev/null || true
+          LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || true)
+          if [ -z "$LATEST_TAG" ]; then
+            echo "No existing tags found. Skipping version-bump check (first release)."
+            exit 0
+          fi
+          LATEST_VERSION="${LATEST_TAG#v}"
+          LATEST_VERSION="${LATEST_VERSION%%-*}"
+          if [ "$(printf '%s\n' "$LATEST_VERSION" "$PKG_VERSION" | sort -V | tail -1)" != "$PKG_VERSION" ]; then
+            echo "::error::Version bump required: package.json version ($PKG_VERSION) is not greater than latest tag ($LATEST_TAG). Please bump the version in package.json."
+            exit 1
+          fi
+          if [ "$PKG_VERSION" = "$LATEST_VERSION" ]; then
+            echo "::error::Version bump required: package.json version ($PKG_VERSION) equals latest tag ($LATEST_TAG). Please bump the version in package.json."
+            exit 1
+          fi
+          CHANGELOG_VERSION=$(sed -nE 's/^## \[v?([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' CHANGELOG.md | head -1)
+          if [ -z "$CHANGELOG_VERSION" ]; then
+            echo "::error::Could not find a version entry in CHANGELOG.md (expected line like '## [v1.0.0](...)')."
+            exit 1
+          fi
+          if [ "$CHANGELOG_VERSION" != "$PKG_VERSION" ]; then
+            echo "::error::CHANGELOG version mismatch: CHANGELOG.md top version ($CHANGELOG_VERSION) does not match package.json version ($PKG_VERSION). Please add or update the CHANGELOG entry for $PKG_VERSION."
+            exit 1
+          fi
+          echo "Version bump check passed: package.json and CHANGELOG.md are at $PKG_VERSION (latest tag: $LATEST_TAG)."
@@ -38,7 +38,7 @@
 | Workflow | Trigger | Role |
 |----------|---------|------|
 | [`unit-test.yml`](.github/workflows/unit-test.yml) | `pull_request`, `push` | Windows: unit tests via `Scripts/run-unit-test-case.sh`. |
-| [`check-branch.yml`](.github/workflows/check-branch.yml) | `pull_request` | Merges into **`master`** are only allowed from **`staging`** (otherwise fails with a PR comment). |
+| [`back-merge-pr.yml`](.github/workflows/back-merge-pr.yml) | `push` on `master`, manual dispatch | Opens automated back-merge PRs from `master` to `development` to keep branches aligned. |
 | [`nuget-publish.yml`](.github/workflows/nuget-publish.yml) | `release` (created) | `dotnet pack -c Release -o out`; push package to NuGet.org and GitHub Packages. |
 | [`sca-scan.yml`](.github/workflows/sca-scan.yml) | PR (opened, synchronize, reopened) | Ubuntu: `dotnet restore`, **Snyk** `snyk test` under `Contentstack.Utils`. |
 | [`policy-scan.yml`](.github/workflows/policy-scan.yml) | PR (public repos) | Requires `SECURITY.md` and a license file containing the current year. |

@@ -35,13 +35,9 @@ def __init__(self, trx_path, coverage_path=None):
         self.file_coverage = []
 
     def parse_trx(self):
-        # Create a secure XML parser that disables external entity processing
-        parser = ET.XMLParser()
-        parser.parser.DefaultHandler = lambda data: None
-        parser.parser.ExternalEntityRefHandler = lambda context, base, uri, notationName: False
-        parser.parser.EntityDeclHandler = lambda entityName, is_parameter_entity, value, base, systemId, notationName, publicId: False
-
-        tree = ET.parse(self.trx_path, parser)
+        # Use defusedxml for secure XML parsing
+        from defusedxml.ElementTree import parse
+        tree = parse(self.trx_path)
         root = tree.getroot()
         ns = {'t': 'http://microsoft.com/schemas/VisualStudio/TeamTest/2010'}
 
@@ -121,13 +117,9 @@ def parse_coverage(self):
         if not self.coverage_path or not os.path.exists(self.coverage_path):
             return
         try:
-            # Create a secure XML parser that disables external entity processing
-            parser = ET.XMLParser()
-            parser.parser.DefaultHandler = lambda data: None
-            parser.parser.ExternalEntityRefHandler = lambda context, base, uri, notationName: False
-            parser.parser.EntityDeclHandler = lambda entityName, is_parameter_entity, value, base, systemId, notationName, publicId: False
-
-            tree = ET.parse(self.coverage_path, parser)
+            # Use defusedxml for secure XML parsing
+            from defusedxml.ElementTree import parse
+            tree = parse(self.coverage_path)
             root = tree.getroot()
             self.coverage['lines_pct'] = float(root.get('line-rate', 0)) * 100
             self.coverage['branches_pct'] = float(root.get('branch-rate', 0)) * 100
@@ -221,6 +213,18 @@ def _parse_condition_coverage(cond_str):
             return int(m.group(2)), int(m.group(3))
         return 0, 0
 
+    @staticmethod
+    def _esc(text):
+        if text is None:
+            return ""
+        text = str(text)
+        return (text
+                .replace('&', '&amp;')
+                .replace('<', '&lt;')
+                .replace('>', '&gt;')
+                .replace('"', '&quot;')
+                .replace("'", '&#39;'))
+
     @staticmethod
     def _sanitize_xml_attribute_value(value):
         """Sanitize XML attribute value to prevent XPath injection."""
@@ -259,18 +263,6 @@ def _validate_output_path(output_path):
 
         return normalized_path
 
-    @staticmethod
-    def _esc(text):
-        if text is None:
-            return ""
-        text = str(text)
-        return (text
-                .replace('&', '&amp;')
-                .replace('<', '&lt;')
-                .replace('>', '&gt;')
-                .replace('"', '&quot;')
-                .replace("'", '&#39;'))
-
     def _format_duration_display(self, seconds):
         if seconds < 60:
             return f"{seconds:.1f}s"

@@ -15,7 +15,7 @@ description: Use for PR expectations, review checklist, docs/changelog, and secu
 
 ### Branch and ownership
 
-- Merges into **`master`** are expected from **`staging`** only (see [`check-branch.yml`](../../.github/workflows/check-branch.yml)). Align your PR base/head with team process.
+- Align PRs with the direct release flow **`development` -> `master`** (no `staging` gate in the release path).
 - [`CODEOWNERS`](../../CODEOWNERS) may request reviews from **`@contentstack/devex-pr-reviewers`** and security admins for workflow or `.snyk` changes.
 
 ### Checklist

@@ -15,7 +15,8 @@ description: Use for branches, build/pack, test scripts, CI workflows, versionin
 
 ### Branching and merges
 
-- [`.github/workflows/check-branch.yml`](../../.github/workflows/check-branch.yml) runs on **pull requests**. If the base branch is **`master`** and the head branch is **not** **`staging`**, the job fails and [thollander/actions-comment-pull-request](https://github.com/thollander/actions-comment-pull-request) posts an explanatory comment. To merge into `master`, open a PR **from `staging`** (per current org policy).
+- Release flow is direct **`development` -> `master`** (no `staging` promotion step).
+- [`.github/workflows/back-merge-pr.yml`](../../.github/workflows/back-merge-pr.yml) opens an automated PR from `master` back to `development` after changes land on `master`.
 
 ### Versioning
 
@@ -40,7 +41,7 @@ description: Use for branches, build/pack, test scripts, CI workflows, versionin
 | Workflow | Purpose |
 |----------|---------|
 | `unit-test.yml` | Windows unit tests via `run-unit-test-case.sh`. |
-| `check-branch.yml` | Enforce `staging` → `master` for PRs. |
+| `back-merge-pr.yml` | Auto-open `master` → `development` back-merge PRs. |
 | `nuget-publish.yml` | Pack and push on release. |
 | `sca-scan.yml` | `dotnet restore` + **Snyk** `snyk test` in `Contentstack.Utils` (needs `SNYK_TOKEN`). |
 | `policy-scan.yml` | For **public** repos: `SECURITY.md` and license file with current calendar year. |