santosomar/change-log-generator
skills/devops/change-log-generator/SKILL.md
Generates a structured CHANGELOG.md from VCS history and PR/issue references, categorized by change type. Use when cutting a release, when the user asks to update CHANGELOG.md, or when backfilling a changelog from git history.
development
Updated Apr 13, 2026
$ install --global
skillsauthnpx skillsauth add santosomar/general-secure-coding-agent-skills change-log-generatorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 14, 2026, 11:55 PM1.4s1 file scanned
SKILL.md
- name:
- change-log-generator
- description:
- Generates a structured CHANGELOG.md from VCS history and PR/issue references, categorized by change type. Use when cutting a release, when the user asks to update CHANGELOG.md, or when backfilling a changelog from git history.
- license:
- Apache-2.0
- category:
- devops
- suite:
- general-secure-coding-agent-skills
- version:
- 0.3.0
- related:
- release-notes-writer
Change Log Generator
A changelog is for developers who use your project. It answers one question: what do I need to know before I upgrade?
Audience split — this skill vs. release notes
| This skill (CHANGELOG.md) | → release-notes-writer |
| ------------------------------------ | ------------------------------------------- |
| Developers, maintainers | End users, stakeholders |
| Terse, categorized, complete | Narrative, highlights only |
| Every user-visible change | The 3 things anyone actually cares about |
| Lives in the repo | Goes in the release announcement |
Step 1 — Delimit the range
git log <prev-tag>..HEAD --oneline --no-merges
If there's no previous tag, the range is "since the last ## [x.y.z] heading in CHANGELOG.md" — grep it out.
Step 2 — Classify each commit
Bucket every commit. One bucket per commit — if a commit is both a feature and a fix, it should have been two commits, but pick the more user-impacting bucket.
| Bucket | Commit message signals | What qualifies |
| ------------ | ---------------------------------------------------- | ---------------------------------------------------- |
| Breaking | BREAKING CHANGE:, ! after type, removed API | Anything that breaks existing user code — always first, always loud |
| Added | feat:, add, new, implement | New capabilities the user can now use |
| Changed | refactor: (if user-visible), behavior changes | Existing features that work differently now |
| Fixed | fix:, bug, patch, Fixes #N | Things that were broken and now aren't |
| Security | security:, CVE refs, vuln | Separate section — people grep for this |
| Removed | remove, drop, delete (of user-facing things) | Deprecation follow-throughs |
| (drop) | chore:, ci:, docs:, test:, style: | Internal. Changelog readers don't care. |
Step 3 — Rewrite each entry
The commit message is input, not output. Transform:
| Commit says | Changelog says |
| ------------------------------------ | -------------------------------------------------------- |
| fix: handle null in getUserEmail | getUserEmail() no longer throws when user has no email |
| feat: add retry param | Client() now accepts retries=N to retry failed calls |
| remove v1 endpoints | Breaking: /api/v1/* endpoints removed; use /api/v2/* |
Rules for rewriting:
- Past tense or present — be consistent with the existing changelog.
- User-facing names, not internal names.
the billing modulenotBillingServiceImpl. - State the effect, not the mechanism. "No longer throws" not "added null check."
- Link the PR/issue:
(#123)at the end.
Worked example
Input commits:
a1b2c3d feat(client): add timeout parameter
b2c3d4e fix: race in connection pool cleanup (fixes #891)
c3d4e5f chore: bump pytest to 8.0
d4e5f6a feat!: drop Python 3.8 support
e5f6a7b docs: fix typo in README
Output:
## [2.4.0] — 2026-03-09
### Breaking
- Dropped Python 3.8 support; minimum is now 3.9 (#94)
### Added
- `Client()` now accepts a `timeout` parameter (seconds, default 30) (#92)
### Fixed
- Connection pool no longer leaks connections under concurrent close (#891)
Two commits dropped (chore:, docs:). Three kept, rewritten, linked.
Edge cases
- No conventional commits — messages are freeform: Read the diffs. A commit touching
docs/is probablydocs:. A commit that adds a test and changes one line is probablyfix:. Classify by content. - Merge commits with 50 sub-commits: If merges are the unit (squash workflow), one entry per merge. If not, skip merge commits and use the underlying commits.
- A revert of something from the same range: Both the original and the revert should be dropped — net zero change.
- Backfilling a changelog that was never kept: Work tag-by-tag, oldest first. The git log between
v1.0andv1.1is the## [1.1.0]section.
Do not
- Do not include internal changes (CI, tests, refactors with no user-visible effect). The changelog is not a git log.
- Do not use commit messages verbatim.
fix: thingis not an entry. - Do not combine Breaking with anything else in a section. It gets its own heading even if there's one item.
- Do not generate an
## [Unreleased]section and call it done. Either pin a version or be explicit that it's unreleased. - Do not reorder existing changelog entries. Append only.
Output format
## [<version>] — <YYYY-MM-DD>
### Breaking
- <entry> (#<pr>)
### Added
- ...
### Changed
- ...
### Fixed
- ...
### Security
- ...
Omit empty sections. Breaking first, always.
Related Skills
santosomar/verified-pseudocode-extractor
development
VerifiedTrustedCommunity
Extracts human-readable pseudocode from a verified formal artifact (Dafny, Lean, TLA+) while preserving the verified properties as annotations, so the proof-carrying logic can be reimplemented in a production language. Use when porting verified code to an unverified target, when documenting what a formal spec actually does, or when handing a verified algorithm to an implementer.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-spec-generator
development
VerifiedTrustedCommunity
Translates natural-language or pseudocode descriptions of concurrent and distributed systems into TLA+ specifications ready for the TLC model checker. Identifies state variables, actions, type invariants, safety properties, and liveness properties from the description. Use when formalizing a protocol, when the user describes a distributed algorithm to verify, when designing a consensus or locking scheme, or when starting formal verification of a concurrent system.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-model-reduction
testing
VerifiedTrustedCommunity
Reduces a TLA+ model so TLC can actually check it — shrinks constants, adds state constraints, abstracts data, or applies symmetry — when the state space is too large to enumerate. Use when TLC runs out of memory, when checking takes hours, or when a spec works at N=2 and you need confidence at larger scale.
SKILL.mdUpdated Apr 13, 2026
santosomar/tlaplus-guided-code-repair
development
VerifiedTrustedCommunity
TLA+-specific instance of model-guided repair — reads a TLC error trace, identifies the enabling condition that should have been false, strengthens the corresponding action, and maps the fix to source code. Use when TLC reports an invariant violation or deadlock and you have the code-to-TLA+ mapping from extraction.
SKILL.mdUpdated Apr 13, 2026