ci: add JSON syntax validation for release-notes files

[rduffyuk]

Summary

Adds a GitHub Actions workflow that runs jq empty against changed
releases/release-*/release-notes/**/*.json files on PRs, failing the
check with inline annotations if any file has invalid JSON syntax.

Closes #2985.

Why

Release notes JSON gets manually edited during alpha → beta → RC. A trailing
comma or an unmatched brace in a manual edit silently breaks downstream
rendering on https://relnotes.k8s.io/ after the release ships. Catching it at
PR time is cheaper than catching it post-release.

There are 17 release-notes-draft.json files in the tree today (release-1.21
through release-1.36) — any of them being touched mid-cycle should pay this
~5-second validation cost.

This is complementary to the existing krel-release-notes-validate.yaml
workflow, which validates YAML release-notes files via krel. JSON syntax
validation isn't covered there because the path filter is YAML-only.

What it does

• Triggers on PRs touching releases/release-*/release-notes/**/*.json
• Identifies Added or Modified files via git diff --diff-filter=AM against the PR base
• Runs jq empty <file> against each (preinstalled on ubuntu-latest, no setup needed)
• Emits GitHub ::error file=... annotations so failures appear inline in the PR's "Files changed" tab; messages are URL-encoded per GitHub's workflow command spec
• No-ops cleanly when no JSON files are touched

What it doesn't do (intentional scope)

• Schema validation — only catches syntax errors. Schema enforcement is a separate concern and out of scope.
• Markdown frontmatter validation — issue Add automated JSON syntax validation for release notes files to prevent downstream failures #2985 is JSON only.
• Validate already-merged JSON in master — runs only on PRs.
• Run on deletion-only PRs — --diff-filter=AM excludes deletions, so the workflow simply doesn't trigger when only deletions occur.

Testing — local validation against real data

Verified the core behaviour locally against the actual release-1.36
release-notes JSON in this repo:

Valid JSON → silent success, exit 0:

$ jq empty releases/release-1.36/release-notes/release-notes-draft.json
$ echo "Exit code: $?"
Exit code: 0

Deliberately corrupted JSON → parse error with file:line, exit 5:

$ cp releases/release-1.36/release-notes/release-notes-draft.json /tmp/test-bad.json
$ echo "}" >> /tmp/test-bad.json
$ jq empty /tmp/test-bad.json
jq: parse error: Unmatched '}' at line 8586, column 1
$ echo "Exit code: $?"
Exit code: 5

This proves both halves: the workflow correctly accepts well-formed
release-notes JSON, and correctly rejects malformed JSON with a parse error
that identifies the offending line. The ::error file=...:: annotation in
the workflow surfaces the same line:column information inline on the PR's
"Files changed" tab so reviewers can click straight to the broken file.

No-op behaviour: the path filter on pull_request ensures the workflow
does not run at all on PRs that don't touch matching JSON files, so there is
no false-positive risk on unrelated PRs.

Disclosure

AI-assisted: workflow YAML drafted with Claude, reviewed and adapted by me
against the actual release-notes-draft.json schema and file layout in this
repo. I addressed the initial Copilot review feedback (license header, action
SHA pinning, removal of dead deleted-file branch, GitHub Actions message
escaping, dropping unused pull-requests: read permission) in the same
amend. I understand every line of the workflow, ran the local validation
above myself, and own the implementation. Happy to walk through any part in
review.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: rduffyuk / name: Ryan Duffy (f173175)

[k8s-ci-robot]

Welcome @rduffyuk!

It looks like this is your first PR to kubernetes/sig-release 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/sig-release has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rduffyuk
Once this PR has been reviewed and has the lgtm label, please assign jeremyrickard for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

Adds a new GitHub Actions workflow to validate JSON syntax for release-notes artifacts in PRs, aiming to prevent malformed release-notes JSON from being merged and breaking downstream rendering (relnotes.k8s.io).

Changes:

• Introduces .github/workflows/validate-release-notes-json.yaml to run jq empty on changed releases/release-*/release-notes/**/*.json files in pull requests.
• Detects added/modified JSON files via git diff and surfaces failures as GitHub Actions annotations.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[rduffyuk]

/kind feature
/priority important-longterm

[rduffyuk]

comments replied to see inline thxs

[rduffyuk]

Quick housekeeping note on the Copilot review — when I was replying inline some of my replies landed on the wrong threads (the SHA-pin reply ended up on the deleted-file thread), and the SHA-pin and pull-requests: read threads are showing as "Outdated" and won't let me reply on them via the UI. Sorry for the mess.

For the avoidance of doubt, all 5 fixes from Copilot's review are in bb7990f5:

• License header — Apache 2.0 block added at top, matches the wording used in krel-release-notes-validate.yaml
• Pin actions/checkout — pinned to 692973e3d937129bcbf40652eb9f2f61becf3332 (v4.1.7), same SHA as the existing krel-release-notes-validate.yaml already uses
• Deleted-file dead code — removed the unreachable warning branch (--diff-filter=AM already excludes deletions); also updated PR description's "What it doesn't do" section to reflect the actual scope
• ::error annotation escaping — added escape_msg() function that URL-encodes %, \r, \n per GitHub's workflow command spec; applied to the error message before emission. % is encoded first so the subsequent \r and \n encodings don't get double-encoded
• pull-requests: read permission — dropped, since the workflow only does actions/checkout + git diff + jq. Now permissions: contents: read only

Local testing details are in the PR description's Testing section. Happy to walk through any part in further review.