fix(ci): use a github app for the promote workflow

Hampus Kraft 2026-01-06 17:19:32 +00:00
parent 39254dd359
commit c50a74db7b
No known key found for this signature in database
GPG Key ID: 6090864C465A454D


@ -21,7 +21,7 @@ concurrency:
cancel-in-progress: false cancel-in-progress: false
permissions: permissions:
contents: write contents: read
jobs: jobs:
promote: promote:
@ -29,59 +29,53 @@ jobs:
timeout-minutes: 10 timeout-minutes: 10
steps: steps:
- name: Checkout source branch - name: Create GitHub App token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.PROMOTE_APP_ID }}
private-key: ${{ secrets.PROMOTE_APP_PRIVATE_KEY }}
- name: Checkout source
uses: actions/checkout@v6 uses: actions/checkout@v6
with: with:
ref: ${{ inputs.src }} ref: ${{ inputs.src }}
fetch-depth: 0 fetch-depth: 0
persist-credentials: true token: ${{ steps.app-token.outputs.token }}
- name: Configure git identity - name: Verify ff-only + summarize
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Fetch destination branch
run: |
set -euo pipefail
git fetch origin "${{ inputs.dst }}" --prune --tags
- name: Verify FF-only + write summary
id: verify id: verify
run: | run: |
set -euo pipefail set -euo pipefail
src="${{ inputs.src }}" src="${{ inputs.src }}"
dst="${{ inputs.dst }}" dst="${{ inputs.dst }}"
SRC_SHA="$(git rev-parse HEAD)" git fetch origin "${dst}" "${src}" --prune
DST_SHA="$(git rev-parse "origin/${dst}")"
echo "src=$src" >> "$GITHUB_OUTPUT" # Ensure HEAD is exactly origin/src
echo "dst=$dst" >> "$GITHUB_OUTPUT" git reset --hard "origin/${src}"
echo "src_sha=$SRC_SHA" >> "$GITHUB_OUTPUT"
echo "dst_sha=$DST_SHA" >> "$GITHUB_OUTPUT"
# Ensure main is an ancestor of canary => fast-forward is possible # FF-only requirement: dst must be an ancestor of src
if ! git merge-base --is-ancestor "origin/${dst}" HEAD; then if ! git merge-base --is-ancestor "origin/${dst}" "origin/${src}"; then
echo "::error::Cannot fast-forward: origin/${dst} is not an ancestor of ${src}. Branches have diverged." echo "::error::Cannot fast-forward: origin/${dst} is not an ancestor of origin/${src} (branches diverged)."
exit 1 exit 1
fi fi
ahead="$(git rev-list --count "origin/${dst}..HEAD")" ahead="$(git rev-list --count "origin/${dst}..origin/${src}")"
echo "ahead=$ahead" >> "$GITHUB_OUTPUT" echo "ahead=$ahead" >> "$GITHUB_OUTPUT"
{ {
echo "## Promote \`${src}\` → \`${dst}\` (ff-only)" echo "## Promote \`${src}\` → \`${dst}\` (ff-only)"
echo "" echo ""
echo "- ${dst}: \`${DST_SHA}\`" echo "- \`${dst}\`: \`$(git rev-parse "origin/${dst}")\`"
echo "- ${src}: \`${SRC_SHA}\`" echo "- \`${src}\`: \`$(git rev-parse "origin/${src}")\`"
echo "- Commits to promote: **${ahead}**" echo "- Commits to promote: **${ahead}**"
echo "" echo ""
echo "### Commits" echo "### Commits"
if [ "$ahead" -eq 0 ]; then if [ "$ahead" -eq 0 ]; then
echo "_Nothing to promote._" echo "_Nothing to promote._"
else else
git log --oneline --decorate "origin/${dst}..HEAD" git log --oneline --decorate "origin/${dst}..origin/${src}"
fi fi
} >> "$GITHUB_STEP_SUMMARY" } >> "$GITHUB_STEP_SUMMARY"
@ -89,7 +83,8 @@ jobs:
if: ${{ steps.verify.outputs.ahead != '0' && inputs.dry_run != true }} if: ${{ steps.verify.outputs.ahead != '0' && inputs.dry_run != true }}
run: | run: |
set -euo pipefail set -euo pipefail
dst="${{ steps.verify.outputs.dst }}" dst="${{ inputs.dst }}"
# Push src HEAD to dst (no merge commit, same SHAs)
git push origin "HEAD:refs/heads/${dst}" git push origin "HEAD:refs/heads/${dst}"
- name: Dry run / no-op - name: Dry run / no-op