forked from github-aws-runners/terraform-aws-github-runner
-
Notifications
You must be signed in to change notification settings - Fork 0
176 lines (151 loc) · 6.34 KB
/
Copy pathsync-upstream.yml
File metadata and controls
176 lines (151 loc) · 6.34 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
name: Sync upstream
on:
schedule:
- cron: '0 5 * * *' # ~7 AM Amsterdam (CEST) / 6 AM (CET)
- cron: '0 22 * * *' # ~midnight Amsterdam (CEST) / 11 PM (CET)
workflow_dispatch:
permissions:
contents: write
issues: write
jobs:
sync-main:
name: Sync main from upstream
runs-on: ubuntu-latest
steps:
- name: Harden the runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: main
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
- name: Sync main with upstream
run: |
git remote add upstream https://github.com/github-aws-runners/terraform-aws-github-runner.git
git fetch upstream main --tags
git reset --hard upstream/main
git push origin main --force
# Sync upstream version tags (v*) to the fork
git push origin --tags --force
rebase-philips:
name: Rebase philips onto main
needs: sync-main
runs-on: ubuntu-latest
steps:
- name: Harden the runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: philips
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
- name: Configure git
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Rebase philips onto main
id: rebase
run: |
git fetch origin main
if git rebase origin/main; then
echo "result=success" >> "$GITHUB_OUTPUT"
else
git rebase --abort
echo "result=conflict" >> "$GITHUB_OUTPUT"
fi
- name: Push rebased philips
if: steps.rebase.outputs.result == 'success'
run: git push origin philips --force-with-lease
- name: Detect new upstream releases
if: steps.rebase.outputs.result == 'success'
id: new-releases
run: |
# Find the latest existing upstream-v* tag to use as a baseline
latest_existing=$(git tag -l 'upstream-v[0-9]*' --sort=-version:refname | head -1 | sed 's/^upstream-//')
if [ -n "$latest_existing" ]; then
echo "Latest existing upstream tracking tag: upstream-${latest_existing}"
else
echo "No existing upstream tracking tags found — will tag only the latest upstream release"
fi
# Find upstream v* tags that are newer than our latest upstream-v* tag
new_tags=""
for tag in $(git tag -l 'v[0-9]*' --sort=-version:refname); do
# Skip if we already have an upstream-v* for this version
if git tag -l "upstream-${tag}" | grep -q .; then
continue
fi
# Skip if this tag is older than or equal to our latest tracked version
if [ -n "$latest_existing" ]; then
if [ "$(printf '%s\n%s' "$tag" "$latest_existing" | sort -V | tail -1)" = "$latest_existing" ]; then
echo "Skipping ${tag} (older than or equal to ${latest_existing})"
continue
fi
fi
new_tags="${new_tags}${tag}\n"
done
if [ -n "$new_tags" ]; then
# Take only the latest new upstream release
latest=$(echo -e "$new_tags" | head -1)
echo "latest=${latest}" >> "$GITHUB_OUTPUT"
echo "found=true" >> "$GITHUB_OUTPUT"
echo "Detected new upstream release: ${latest}"
else
echo "found=false" >> "$GITHUB_OUTPUT"
echo "No new upstream releases detected"
fi
- name: Tag new upstream tracking release
if: steps.rebase.outputs.result == 'success' && steps.new-releases.outputs.found == 'true'
env:
UPSTREAM_TAG: ${{ steps.new-releases.outputs.latest }}
run: |
upstream_tag="upstream-${UPSTREAM_TAG}"
# Tag the same commit as the upstream release (on main, not philips)
echo "Creating tag ${upstream_tag} at ${UPSTREAM_TAG}"
git tag "${upstream_tag}" "${UPSTREAM_TAG}"
git push origin "${upstream_tag}"
- name: Trigger release workflow
if: steps.rebase.outputs.result == 'success' && steps.new-releases.outputs.found == 'true'
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
UPSTREAM_TAG: ${{ steps.new-releases.outputs.latest }}
run: |
gh workflow run philips-release.yml \
--repo "${{ github.repository }}" \
--ref philips \
--field "tag=upstream-${UPSTREAM_TAG}"
- name: Open issue on conflict
if: steps.rebase.outputs.result == 'conflict'
env:
GH_TOKEN: ${{ github.token }}
run: |
gh issue create \
--title "Rebase conflict: philips onto main ($(date -u +%Y-%m-%d))" \
--label "rebase-conflict" \
--body "The automated rebase of \`philips\` onto \`main\` failed due to conflicts.
**Action required:** A maintainer must resolve this manually.
\`\`\`bash
git fetch origin
git checkout philips
git rebase origin/main
# Resolve conflicts file by file
git rebase --continue
git push origin philips --force-with-lease
\`\`\`
Use \`/sync-upstream\` in Copilot chat for the full resolution procedure.
Triggered by: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"