-
Notifications
You must be signed in to change notification settings - Fork 354
117 lines (102 loc) · 4.01 KB
/
check-rebaseable.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
---
name: "Check Rebaseable"
############################################################
# Understand this security concern before you edit this file:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests
############################################################
on: # yamllint disable-line rule:truthy
push:
branches:
- 'main'
- 'master'
pull_request_target: {}
env:
EE_REPO: determined-ai/determined-ee
OSS_REPO: determined-ai/determined
permissions:
pull-requests: read
contents: read
jobs:
pre-check-rebaseable:
runs-on: ubuntu-latest
outputs:
rebase_exit: ${{ steps.rebase.outputs.rebase_exit }}
steps:
- name: get EE
# https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
# the env context is only available on the runner, so can only be used
# in parts of the job which are on the runner. :/
if: github.repository != env.EE_REPO
uses: actions/checkout@v4
with:
# fetch-depth: 1 # we only need the default branch
fetch-depth: 0
token: ${{ secrets.DETERMINED_TOKEN }}
repository: ${{ env.EE_REPO }}
- name: add OSS repository remote and get candidate branch
if: github.repository != env.EE_REPO
run: |
# ssh checkout of additional remotes fails :/
git remote add OSS https://github.com/${{ env.OSS_REPO }}
git fetch OSS "$REF":proposed_base
git config --global user.email "autorebase@address.invalid"
git config --global user.name "Automatic rebase check"
- name: attempt rebase
id: rebase
if: github.repository != env.EE_REPO
continue-on-error: true
run: |
set +e # GHA runs `bash -e` if shell is undefined or 'bash'
git rebase proposed_base 1>&2
printf 'rebase_exit=%s\n' $? >> "$GITHUB_OUTPUT"
exit $?
check-rebaseable:
runs-on: ubuntu-latest
needs: pre-check-rebaseable
if: ${{ needs.pre-check-rebaseable.outputs.rebase_exit == 0 }}
steps:
- name: get EE
# the env context is only available on the runner, so can only be used
# in parts of the job which are on the runner. :/
if: github.repository != env.EE_REPO
uses: actions/checkout@v4
with:
# fetch-depth: 1 # we only need the default branch
fetch-depth: 0
token: ${{ secrets.DETERMINED_TOKEN }}
repository: ${{ env.EE_REPO }}
# pull_request_target sets ref to default branch, not PR :/
# We use /merge because that's what the merge target will look like if
# the PR merge was to be completed
- name: identify branch ref
if: github.repository != env.EE_REPO
run: |
if [[ "${{ github.event_name }}" == "push" ]]
then
REF="${{ github.ref }}"
else
REF="refs/pull/${{ github.event.number }}/merge"
fi
printf "REF=%s\n" "$REF" >> ${{ github.env }}
- name: add OSS repository remote and get candidate branch
if: github.repository != env.EE_REPO
run: |
# ssh checkout of additional remotes fails :/
git remote add OSS https://github.com/${{ env.OSS_REPO }}
git fetch OSS "$REF":proposed_base
git config --global user.email "autorebase@address.invalid"
git config --global user.name "Automatic rebase check"
- name: attempt rebase
if: github.repository != env.EE_REPO
run: |
git rebase proposed_base || (cat <<"EOF" 1>&2
********
This branch failed to rebase onto the "determined-ee" repo!
This may or may not be an issue with your branch that
you need to resolve.
For more information, please consult this confluence page:
https://hpe-aiatscale.atlassian.net/wiki/spaces/ENGINEERIN/pages/1295450385/GitHub+Check+Rebaseable+Test
********
EOF
exit 1
)