chore: add release note generation script

[dougch]

Release Summary:

Resolved issues:

none

Description of changes:

Based on minor changes to #5327

Example release run:

./generate_release_notes.py  --release-commit 6aefe741f17489211f6c28e837c1a65ee66a1ef2
cat release_notes.md

Weekly release for Oct 27, 2025

Release Summary:

• Multiple changes to the s2n-tls default policy:

1. Added TLS13 support
2. Added Post-Quantum key exchange
3. Removed CBC ciphersuites

• Adds support for PQ only policies, which should not include classical ECC curves. This feature only works on libcryptos that support TLS 1.3 and PQ kem groups.
• • Removes RSA key exchange and DHE cipher suites from the rfc9151 named security policy. Use the numbered version of this policy instead (20250429) to maintain the current preferences.
• Fixed a validation issue in s2n_connection_deserialize() where malformed protocol version bytes could result in invalid connection state and inconsistent TLS behavior.
• Add a synchronous rust binding API for s2n_cert_validation_callback
• Upgrades MSRV for extended crates (s2n-tls-sys, s2n-tls, s2n-tls-tokio) from 1.63 to 1.72

What's Changed:

• ci: scope down GitHub Token permissions by @AdnaneKhan in ci: scope down GitHub Token permissions #5570
• build(deps): bump the all-gha-updates group in /.github/workflows with 2 updates by @dependabot[bot] in build(deps): bump the all-gha-updates group in /.github/workflows with 2 updates #5585
• refactor: Adds tls13 ciphersuites to default/default_fips policy by @maddeleine in refactor: Adds tls13 ciphersuites to default/default_fips policy #5560
• fix: update test_pq_only policy snapshot by @CarolYeh910 in fix: update test_pq_only policy snapshot #5583
• feat: add PQ only policy support by @CarolYeh910 in feat: add PQ only policy support #5545
• feat: output utility for security policy by @jouho in feat: output utility for security policy #5502
• fix: update test broken by Openssl dhe generation change by @lrstewart in fix: update test broken by Openssl dhe generation change #5580
• ci: pin to older kissat version to unblock CBMC by @lrstewart in ci: pin to older kissat version to unblock CBMC #5581
• feat: Improve supported cipher suites in RFC9151 policy by @goatgoose in feat: Improve supported cipher suites in RFC9151 policy #5559
• build(deps): update regex requirement from =1.9.6 to =1.12.1 in /bindings/rust/extended by @dependabot[bot] in build(deps): update regex requirement from =1.9.6 to =1.12.1 in /bindings/rust/extended #5556
• build(deps): update zeroize requirement from =1.7.0 to =1.8.2 in /bindings/rust/extended by @dependabot[bot] in build(deps): update zeroize requirement from =1.7.0 to =1.8.2 in /bindings/rust/extended #5537
• build(deps): bump the all-gha-updates group across 1 directory with 4 updates by @dependabot[bot] in build(deps): bump the all-gha-updates group across 1 directory with 4 updates #5548
• docs: update nix integration test instructions for uvinteg function by @kaukabrizvi in docs: update nix integration test instructions for uvinteg function #5550
• fix(test): Reduce s2n_security_policies_test duration by @goatgoose in fix(test): Reduce s2n_security_policies_test duration #5558
• refactor 2/2: Fix security policy version in tests to numbered string by @maddeleine in refactor 2/2: Fix security policy version in tests to numbered string #5553
• fix(aws-kms-tls-auth): supress logging & version bump by @jmayclin in fix(aws-kms-tls-auth): supress logging & version bump #5554
• build(deps): update rtshark requirement from 3.1.0 to 4.0.0 in /tests/pcap in the all-cargo-updates group across 1 directory by @dependabot[bot] in build(deps): update rtshark requirement from 3.1.0 to 4.0.0 in /tests/pcap in the all-cargo-updates group across 1 directory #5555
• refactor: add psk receiver by @jmayclin in refactor: add psk receiver #5552
• refactor 1/2: Fix security policy version in tests to numbered string by @maddeleine in refactor 1/2: Fix security policy version in tests to numbered string #5549
• chore: update bindgen version to v0.69.0 by @boquan-fang in chore: update bindgen version to v0.69.0 #5396
• refactor(aws-kms-tls-auth): psk provider using HMAC psks by @jmayclin in refactor(aws-kms-tls-auth): psk provider using HMAC psks #5530
• chore(bindings): revert dependency pins by @jmayclin in chore(bindings): revert dependency pins #5544
• fix: validate protocol version during connection deserialization by @jouho in fix: validate protocol version during connection deserialization #5523
• chore: add new team member by @kaukabrizvi in chore: add new team member #5542
• chore: bindings release 0.3.28 by @goatgoose in chore: bindings release 0.3.28 #5540
• feat(bindings): expose cert validation callback by @CarolYeh910 in feat(bindings): expose cert validation callback #5357
• bindings(rust): bump extended crates MSRV to 1.72.0 by @jouho in bindings(rust): bump extended crates MSRV to 1.72.0 #5534
• fix(usage-guide): Update book.toml for mdbook 0.5 release by @goatgoose in fix(usage-guide): Update book.toml for mdbook 0.5 release #5535
• chore: bindings release 0.3.27 by @jouho in chore: bindings release 0.3.27 #5526
• refactor(aws-kms-tls-auth): add hmac based psk derivation by @jmayclin in refactor(aws-kms-tls-auth): add hmac based psk derivation #5519
• ci: install missing rust component for gitthub action workflows by @jouho in ci: install missing rust component for gitthub action workflows #5528
• docs: Small doc changes for KTLS by @maddeleine in docs: Small doc changes for KTLS #5521

Full Changelog: https://github.com/aws/s2n-tls/compare/30f40f2345a89570ed3c4cee2274942f1ebf85fa..6aefe741f17489211f6c28e837c1a65ee66a1ef2

---

Call-outs:

This script could do much more to streamline the process, this is a starting point for more iteration.

Testing:

How is this change tested (unit tests, fuzz tests, etc.)? Locally/CI

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[maddeleine]

Do we actually need changelog generation in this script? It was my understanding that this was already done automatically.
I'm trying to think about at which point in our release process would we run this generate release notes script. Like, we need the release notes before we work on the github script IIRC. But I don't think we also need the changelog part.

[dougch]

This would replace the automatically generated notes. I have a draft PR showing how we could add a config file to customize, slightly, the generated notes, but the way we're doing a release summary requires a script.

[maddeleine]

What permissions do we need to give our PAT? Based on my experimentation you do not need to add any.

[dougch]

Correct, basic repo:status should be enough.

[maddeleine]

60 API calls per hour doesn't sound like a lot. How many API calls does this script need?

[dougch]

There's more to the story...unauthenticated users are tracked by their IP address, so if we're all going out the same IP Gateway/NAT... those 60 calls could be shared across an entire office/org/metro area.