repo-sync/.github/workflows/sync.yml at main · warpdotdev/repo-sync · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
# Reusable workflow: sync creation.
# Triggered by a consuming repo on push to its default branch.
# All decision-making logic lives in Python (repo_sync.workflows.cli).

name: sync

on:
  workflow_call:
    inputs:
      public_repo:
        description: "Public repo (e.g. warpdotdev/warp-public)."
        required: true
        type: string
      private_repo:
        description: "Private repo (e.g. warpdotdev/warp-internal)."
        required: true
        type: string
      escalate_to:
        description: "GitHub team or user to escalate to on timeout."
        required: false
        type: string
        default: "@oncall-client-primary"
      slack_webhook_url:
        description: "Slack webhook URL for stripping error notifications."
        required: false
        type: string
        default: ""
      private_to_public_fixup_script:
        description: "Optional script to run after stripping for private-to-public sync. Receives the snapshot directory as its sole argument."
        required: false
        type: string
        default: ""
      public_to_private_fixup_script:
        description: "Optional script to run after cherry-pick for public-to-private sync (not yet implemented). Receives the working directory as its sole argument."
        required: false
        type: string
        default: ""
      setup_command:
        description: "Optional command to run on the source repo before sync begins (e.g. 'cargo fetch' to populate the local registry cache for offline fixup scripts)."
        required: false
        type: string
        default: ""
      app_id:
        description: "GitHub App ID."
        required: true
        type: string
      repo_sync_ref:
        description: "Ref of the repo-sync repo to use (e.g. v1, main, david/integration)."
        required: false
        type: string
        default: "main"
    secrets:
      app_private_key:
        description: "GitHub App private key."
        required: true
      warp_api_key:
        description: "Warp API key."
        required: true
      ssh_key:
        description: "Optional SSH private key for accessing private dependencies (e.g. private crates) during the setup command."
        required: false

concurrency:
  group: repo-sync-${{ github.repository == inputs.private_repo && 'private-to-public' || 'public-to-private' }}-${{ github.repository }}-${{ github.repository == inputs.private_repo && inputs.public_repo || inputs.private_repo }}
  cancel-in-progress: false

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Generate installation token
        id: token
        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
        with:
          app-id: ${{ inputs.app_id }}
          private-key: ${{ secrets.app_private_key }}
          owner: ${{ github.repository_owner }}

      - name: Set GH_TOKEN
        run: echo "GH_TOKEN=${{ steps.token.outputs.token }}" >> "$GITHUB_ENV"

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          token: "${{ steps.token.outputs.token }}"

      - name: Configure git identity
        run: |
          git config --global user.name "warp-repo-sync[bot]"
          git config --global user.email "270220925+warp-repo-sync[bot]@users.noreply.github.com"

      # Resolve the peer repo's default branch via the GitHub API rather
      # than assuming it matches the source repo's default.  The two repos
      # may use different default branch names (e.g. `master` vs `main`).
      # The same value is used as the peer checkout ref and as the PR base
      # for new sync stacks, so both paths stay in sync.
      - name: Resolve peer default branch
        id: peer_default
        env:
          PEER_REPO: ${{ github.repository == inputs.private_repo && inputs.public_repo || inputs.private_repo }}
        run: |
          branch=$(gh api "repos/${PEER_REPO}" --jq .default_branch)
          echo "branch=${branch}" >> "$GITHUB_OUTPUT"

      # Checkout the peer repo (always, to avoid conditional complexity).
      # The Python code exits early if there are no unsynced commits.
      - name: Checkout peer repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          repository: ${{ github.repository == inputs.private_repo && inputs.public_repo || inputs.private_repo }}
          ref: ${{ steps.peer_default.outputs.branch }}
          path: peer
          fetch-depth: 0
          token: ${{ steps.token.outputs.token }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          repository: warpdotdev/repo-sync
          ref: ${{ inputs.repo_sync_ref }}
          path: .repo-sync
          token: ${{ steps.token.outputs.token }}

      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: "3.12"

      - name: Install repo-sync tools
        run: pip install -e .repo-sync

      - name: Build PR description agent image
        run: docker build -f .repo-sync/docker/pr-description/Dockerfile -t repo-sync-pr-description .repo-sync

      - name: Build conflict resolution agent image
        run: docker build -f .repo-sync/docker/conflict-resolution/Dockerfile -t repo-sync-conflict-resolution .repo-sync
      - name: Configure Git LFS
        run: |
          git lfs install --local
          git -C peer lfs install --local

      - name: Check if SSH key is provided
        id: check-ssh-key
        shell: bash
        run: |
          if [ "${{ secrets.ssh_key }}" != "" ]; then
            echo "::output name=exists::true"
          else
            echo "::output name=exists::false"
          fi

      - name: Setup SSH keys
        if: ${{ steps.check-ssh-key.outputs.exists == 'true' }}
        uses: webfactory/ssh-agent@e83874834305fe9a4a2997156cb26c5de65a8555 # v0.10.0
        with:
          ssh-private-key: ${{ secrets.ssh_key }}

      - name: Run setup command
        if: inputs.setup_command != ''
        run: ${{ inputs.setup_command }}

      - name: Run sync
        run: |
          python -m repo_sync.workflows.cli run-sync \
            --source-repo-dir . \
            --peer-repo-dir peer \
            --source-repo "${{ github.repository }}" \
            --public-repo "${{ inputs.public_repo }}" \
            --private-repo "${{ inputs.private_repo }}" \
            --source-default-branch "${{ github.event.repository.default_branch }}" \
            --peer-default-branch "${{ steps.peer_default.outputs.branch }}" \
            --slack-webhook-url "${{ inputs.slack_webhook_url }}" \
            --private-to-public-fixup-script "${{ inputs.private_to_public_fixup_script }}" \
            --public-to-private-fixup-script "${{ inputs.public_to_private_fixup_script }}" \
            --escalate-to "${{ inputs.escalate_to }}"
        env:
          WARP_API_KEY: ${{ secrets.warp_api_key }}