.github/workflows/rebase.yml: rebase for multiple branches

- Error if the commenter doesn't have write access or maintainers can't edit the PR branch.

- Close and comment on PR after rebase so that actions are run when it's reopened.
  This doesn't happen currently as we're using the default github token which isn't allowed to trigger other actions.

- Disallow unwanted rebases.
  e.g. invalid branches, redundant rebases or rebasing permanent branches onto permanent branches.
This commit is contained in:
zowoq 2021-01-26 17:48:46 +10:00
parent bc704b5f63
commit fc3b385a4f
2 changed files with 134 additions and 60 deletions

View File

@ -1,60 +0,0 @@
on:
issue_comment:
types:
- created
# This action allows people with write access to the repo to rebase a PRs base branch from
# master to staging by commenting `/rebase-staging` on the PR while avoiding CODEOWNER notifications.
jobs:
rebase:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS' && github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase-staging')
steps:
- uses: peter-evans/create-or-update-comment@v1
with:
comment-id: ${{ github.event.comment.id }}
reactions: eyes
- uses: scherermichael-oss/action-has-permission@1.0.6
id: check-write-access
with:
required-permission: write
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: check base branch is master
if: steps.check-write-access.outputs.has-permission
run: |
if [ "$(curl https://api.github.com/repos/NixOS/nixpkgs/pulls/${{ github.event.issue.number }} | jq -r '.base.ref')" != "master" ]; then
echo "This action only works when the current base branch is master."
exit 1
fi
- uses: actions/checkout@v2
with:
fetch-depth: 0
if: steps.check-write-access.outputs.has-permission
- name: rebase pull request
if: steps.check-write-access.outputs.has-permission
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PULL_REQUEST: ${{ github.event.issue.number }}
run: |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
git fetch origin
gh pr checkout "$PULL_REQUEST"
git rebase \
--onto="$(git merge-base origin/master origin/staging)" \
"HEAD~$(git rev-list --count HEAD ^master)"
git push --force
curl \
-X POST \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token $GITHUB_TOKEN" \
-d '{ "base": "staging" }' \
"https://api.github.com/repos/NixOS/nixpkgs/pulls/$PULL_REQUEST"
- uses: peter-evans/create-or-update-comment@v1
if: ${{ failure() }}
with:
issue-number: ${{ github.event.issue.number }}
body: |
[Failed to rebase on `staging`](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }})

134
.github/workflows/rebase.yml vendored Normal file
View File

@ -0,0 +1,134 @@
on:
issue_comment:
types:
- created
# This action allows people with write access to the repo to rebase a PRs base branch
# by commenting `/rebase ${branch}` on the PR while avoiding CODEOWNER notifications.
jobs:
rebase:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS' && github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
steps:
- uses: peter-evans/create-or-update-comment@v1
with:
comment-id: ${{ github.event.comment.id }}
reactions: eyes
- uses: scherermichael-oss/action-has-permission@1.0.6
id: check-write-access
with:
required-permission: write
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: check permissions
run: |
echo "Commenter doesn't have write access to the repo"
exit 1
if: "! steps.check-write-access.outputs.has-permission"
- name: setup
run: |
curl "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.issue.number }}" 2>/dev/null >pr.json
cat <<EOF >>"$GITHUB_ENV"
CAN_MODIFY=$(jq -r '.maintainer_can_modify' pr.json)
COMMITS=$(jq -r '.commits' pr.json)
CURRENT_BASE=$(jq -r '.base.ref' pr.json)
PR_BRANCH=$(jq -r '.head.ref' pr.json)
COMMENT_BRANCH=$(echo ${{ github.event.comment.body }} | awk "/^\/rebase / {print \$2}")
PULL_REQUEST=${{ github.event.issue.number }}
EOF
rm pr.json
- name: check branch
env:
PERMANENT_BRANCHES: "haskell-updates|master|nixos|nixpkgs|python-unstable|release|staging"
VALID_BRANCHES: "haskell-updates|master|python-unstable|release-20.09|staging|staging-20.09|staging-next"
run: |
message() {
cat <<EOF
Can't rebase $PR_BRANCH from $CURRENT_BASE onto $COMMENT_BRANCH (PR:$PULL_REQUEST COMMITS:$COMMITS)
EOF
}
if ! [[ "$COMMENT_BRANCH" =~ ^($VALID_BRANCHES)$ ]]; then
cat <<EOF
Check that the branch from the comment is valid:
$(message)
This action can only rebase onto these branches:
$VALID_BRANCHES
\`/rebase \${branch}\` must be at the start of the line
EOF
exit 1
fi
if [[ "$COMMENT_BRANCH" == "$CURRENT_BASE" ]]; then
cat <<EOF
Check that the branch from the comment isn't the current base branch:
$(message)
EOF
exit 1
fi
if [[ "$COMMENT_BRANCH" == "$PR_BRANCH" ]]; then
cat <<EOF
Check that the branch from the comment isn't the current branch:
$(message)
EOF
exit 1
fi
if [[ "$PR_BRANCH" =~ ^($PERMANENT_BRANCHES) ]]; then
cat <<EOF
Check that the PR branch isn't a permanent branch:
$(message)
EOF
exit 1
fi
if [[ "$CAN_MODIFY" != "true" ]]; then
cat <<EOF
Check that maintainers can edit the PR branch:
$(message)
EOF
exit 1
fi
- uses: actions/checkout@v2
with:
fetch-depth: 0
- name: rebase pull request
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
git fetch origin
gh pr checkout "$PULL_REQUEST"
git rebase \
--onto="$(git merge-base origin/"$CURRENT_BASE" origin/"$COMMENT_BRANCH")" \
"HEAD~$COMMITS"
git push --force
curl \
-X POST \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token $GITHUB_TOKEN" \
-d "{ \"base\": \"$COMMENT_BRANCH\" }" \
"https://api.github.com/repos/${{ github.repository }}/pulls/$PULL_REQUEST"
curl \
-X PATCH \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token $GITHUB_TOKEN" \
-d '{ "state": "closed" }' \
"https://api.github.com/repos/${{ github.repository }}/pulls/$PULL_REQUEST"
- uses: peter-evans/create-or-update-comment@v1
with:
issue-number: ${{ github.event.issue.number }}
body: |
Rebased, please reopen the pull request to restart CI
- uses: peter-evans/create-or-update-comment@v1
if: failure()
with:
issue-number: ${{ github.event.issue.number }}
body: |
[Failed to rebase](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})