From 18cb2364c937474cbc5d6aee936e10e28571e074 Mon Sep 17 00:00:00 2001 From: Charalampos Mainas Date: Wed, 29 Apr 2026 11:26:57 +0300 Subject: [PATCH 1/2] refactor: Cleanup workflow for adding git trailers Clean up the workflows that add git trailers after an approval of a review. In particular: - move the check if the PR can get rebased a job condition - remove duplicate step for adding git trailers and setting up git, since this takes place inside the reusable action for the git trailers. Signed-off-by: Charalampos Mainas --- .github/workflows/add-git-trailers.yml | 46 ++++++++------------------ .github/workflows/pr-merge.yml | 27 ++++++++++----- .github/workflows/pr-trailers.yml | 16 --------- 3 files changed, 31 insertions(+), 58 deletions(-) delete mode 100644 .github/workflows/pr-trailers.yml diff --git a/.github/workflows/add-git-trailers.yml b/.github/workflows/add-git-trailers.yml index 73d5f5ff..5cd4fa2d 100644 --- a/.github/workflows/add-git-trailers.yml +++ b/.github/workflows/add-git-trailers.yml @@ -1,12 +1,12 @@ name: Add Git Trailers to PR commits on: - workflow_call: - secrets: - GIT_CLONE_PAT: - required: false - URUNC_BOT_PRIVATE_KEY: - required: true + pull_request_review: + types: [submitted] + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true permissions: contents: read 
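Review bot: `cancel-in-progress: true` in the new `concurrency` block is risky for a job that rewrites commits and then merges the PR: a second review submitted on the same PR (the group key is the PR number) cancels the in-flight run, and that cancellation can land between the trailer push and the `gh pr merge` step, leaving the PR rewritten but unmerged; `cancel-in-progress: false` would queue the second run instead. As I understand `pull_request_review`, it also fires for fork PRs in the base repository's context with the repository's secrets available, so with this trigger the job is effectively a privileged `pull_request_target`-style workflow and the later steps that check out and read the PR head should be treated as handling untrusted input.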
@@ -14,26 +14,17 @@ permissions: jobs: git-trailers: name: Add Git Trailers - runs-on: ${{ matrix.runner }} - strategy: - matrix: - include: - - arch: amd64 - runner: ubuntu-22.04 - continue-on-error: true - permissions: - contents: write - pull-requests: write + if: >- + github.event.pull_request.base.ref == 'main' && + github.event.review.state == 'approved' && + github.event.pull_request.rebaseable != false + runs-on: ubuntu-22.04 steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit - - name: Exit if PR is not rebaseable - if: ${{ github.event.pull_request.rebaseable != null && github.event.pull_request.rebaseable == false }} - run: exit 1 - - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -41,7 +32,7 @@ jobs: ref: ${{ github.event.pull_request.head.sha }} - name: Append git trailers - uses: nubificus/git-trailers@8e08c91bb4c1fd9cb1ccbd9cc8029c31acf8da66 # feat_use_rebase + uses: nubificus/git-trailers@e3cefe03237a8a33f12ee41a8194bfb03a4d179b # fix_auto_merge with: user_info: .github/contributors.yaml @@ -52,20 +43,9 @@ jobs: app-id: ${{ vars.URUNC_BOT_APP_ID }} private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }} - - name: Set up Git - run: | - git config --global user.name "urunc-bot[bot]" - git config --global user.email "urunc-bot[bot]@users.noreply.github.com" - - - name: Append git trailers - uses: nubificus/git-trailers@18fd322f3fbfd505b4de728974a4ac1f32f758a7 # feat_auto_merge - with: - user_info: .github/contributors.yaml - - name: Merge PR env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} + PR_URL: ${{ github.event.pull_request.html_url }} run: | - PR_URL=${{ github.event.pull_request.html_url }} - gh pr merge "$PR_URL" --rebase --admin diff --git a/.github/workflows/pr-merge.yml b/.github/workflows/pr-merge.yml index 1b57dfd4..7436ba2c 100644 
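Review bot: The new job `if:` gates only on `github.event.review.state == 'approved'` and never on who submitted the review; on a public repository any GitHub account can submit an approving review, and the `Merge PR` step at the end of this job then merges with `--admin`, so that approval is the only control in front of an auto-merge into `main`. Add a reviewer check to the condition, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association) &&` next to the `state == 'approved'` clause. The same gap remains in the reworked condition of the second patch.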
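Review bot: `gh pr merge "$PR_URL" --rebase --admin` bypasses whatever branch protection `main` carries (required status checks and required reviews), so a run of this job merges the PR regardless of CI state. Unless that bypass is intentional, drop `--admin` and let the merge wait for the protections: `gh pr merge "$PR_URL" --rebase --auto`. Moving `PR_URL` into `env:` instead of interpolating `${{ github.event.pull_request.html_url }}` into the script is the right fix for the expression-injection shape the old line had.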
--- a/.github/workflows/pr-merge.yml +++ b/.github/workflows/pr-merge.yml @@ -4,6 +4,8 @@ on: pull_request_target: types: - closed + branches: + - 'main-pr*' permissions: contents: read @@ -23,11 +25,6 @@ jobs: with: egress-policy: audit - - name: Set up Git - run: | - git config --global user.name "urunc-bot[bot]" - git config --global user.email "urunc-bot[bot]@users.noreply.github.com" - - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -42,21 +39,33 @@ jobs: private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }} - name: Append git trailers - uses: nubificus/git-trailers@18fd322f3fbfd505b4de728974a4ac1f32f758a7 # feat_auto_merge + uses: nubificus/git-trailers@e3cefe03237a8a33f12ee41a8194bfb03a4d179b # fix_auto_merge with: user_info: .github/contributors.yaml - name: Create a Pull Request from PR_BRANCH to main and merge it env: GH_TOKEN: ${{ steps.generate-token.outputs.token }} + PR_BRANCH: ${{ github.event.pull_request.base.ref }} run: | - PR_BRANCH=${{ github.event.pull_request.base.ref }} - + PR_NUMBER=${PR_BRANCH#main-pr} + + # Use GitHub's API to get issues referenced with closing keywords + CLOSING_ISSUES=$(gh pr view "$PR_NUMBER" --json closingIssuesReferences \ + --jq '.closingIssuesReferences[].number' || true) + + BODY="This PR was automatically created by GitHub Actions to merge changes from $PR_BRANCH into main." + if [ -n "$CLOSING_ISSUES" ]; then + while IFS= read -r issue; do + BODY="$BODY"$'\n'"Closes #$issue" + done <<< "$CLOSING_ISSUES" + fi + # Create the pull request PR_URL=$(gh pr create \ --head "$PR_BRANCH" \ --base main \ --title "Merge External PR: Merge $PR_BRANCH into main" \ - --body "This PR was automatically created by GitHub Actions to merge changes from $PR_BRANCH into main.") + --body "$BODY") gh pr merge "$PR_URL" --rebase --admin --delete-branch diff --git a/.github/workflows/pr-trailers.yml b/.github/workflows/pr-trailers.yml deleted file mode 100644 index 82fbcde7..00000000 
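Review bot: `pull_request_target` with `types: [closed]` fires for PRs that are closed without being merged, and the added `branches: main-pr*` filter only narrows the base branch; the job's `if:` is above this hunk, so I cannot see whether it checks `github.event.pull_request.merged == true`. If it does not, closing any PR whose base is a `main-pr*` branch — which, on a public repository, anyone can open — triggers the later step that creates and admin-merges that staging branch into `main`. Gate the job with `if: github.event.pull_request.merged == true` if that is not already the case.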
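Review bot: `CLOSING_ISSUES=$(gh pr view "$PR_NUMBER" ... || true)` silences every failure of the lookup, including auth and rate-limit errors, so closing references would vanish from the merge PR with no trace, and `PR_NUMBER=${PR_BRANCH#main-pr}` is used unvalidated, so a branch that merely starts with `main-pr` sends an arbitrary string to `gh pr view`. Validate the suffix first, e.g. `case "$PR_NUMBER" in ''|*[!0-9]*) echo "::warning::no PR number in $PR_BRANCH"; PR_NUMBER='';; esac`, and replace `|| true` with `if ! CLOSING_ISSUES=$(gh pr view "$PR_NUMBER" --json closingIssuesReferences --jq '.closingIssuesReferences[].number'); then echo "::warning::could not read closing issues of #$PR_NUMBER"; CLOSING_ISSUES=''; fi` so a failed lookup is at least visible in the log. Keeping `PR_BRANCH` in `env:` rather than expanding it into the script is the right call.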
--- a/.github/workflows/pr-trailers.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: Add Git Trailers to PR commits - -on: - pull_request_review: - types: [submitted] - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - git-trailers: - name: Add Git Trailers to PR commits - if: ${{ github.event.pull_request.base.ref == 'main' && github.event.review.state == 'approved' }} - uses: ./.github/workflows/add-git-trailers.yml - secrets: inherit From e69b989e7aa48d16354d024e87dabb7383d9f805 Mon Sep 17 00:00:00 2001 From: Anastassios Nanos Date: Fri, 1 May 2026 11:15:59 +0000 Subject: [PATCH 2/2] chore: Fix GH race if PR variable is not populated GH variable `rebaseable` is populated asynchronously, so there might be a case where this is null and not true/false. The way the if statement is structured might result in the job being skipped. Also, move the token generator before the checkout to avoid perm. issues when pushing the trailers. Signed-off-by: Anastassios Nanos --- .github/workflows/add-git-trailers.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/add-git-trailers.yml b/.github/workflows/add-git-trailers.yml index 5cd4fa2d..c1146006 100644 --- a/.github/workflows/add-git-trailers.yml +++ b/.github/workflows/add-git-trailers.yml @@ -17,7 +17,8 @@ jobs: if: >- github.event.pull_request.base.ref == 'main' && github.event.review.state == 'approved' && - github.event.pull_request.rebaseable != false + (github.event.pull_request.rebaseable == null || + github.event.pull_request.rebaseable == true) runs-on: ubuntu-22.04 steps: - name: Harden the runner (Audit all outbound calls) 
@@ -25,9 +26,17 @@ jobs: with: egress-policy: audit + - name: Generate urunc-bot token + id: generate-token + uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 + with: + app-id: ${{ vars.URUNC_BOT_APP_ID }} + private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }} + - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + token: ${{ steps.generate-token.outputs.token }} fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} @@ -36,13 +45,6 @@ jobs: with: user_info: .github/contributors.yaml - - name: Generate urunc-bot token - id: generate-token - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 - with: - app-id: ${{ vars.URUNC_BOT_APP_ID }} - private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }} - - name: Merge PR env: GH_TOKEN: ${{ steps.generate-token.outputs.token }}
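Review bot: The checkout now stores the urunc-bot App token in the working copy's git config (`persist-credentials` is left at its default of true) while checking out `github.event.pull_request.head.sha`, i.e. the contributor's tree, and the next step reads `user_info: .github/contributors.yaml` from that same tree; if the action resolves the path in the workspace, a PR author can edit `contributors.yaml` to control which trailers get attached, and anything that executes from the checkout has the privileged token within reach. Take the mapping from the base branch instead, e.g. a step `run: git show "origin/main:.github/contributors.yaml" > "$RUNNER_TEMP/contributors.yaml"` after checkout (`fetch-depth: 0` already fetches it) with `user_info: ${{ runner.temp }}/contributors.yaml`, provided the action accepts a path outside the tree. Per the commit message the persisted token is what the trailer push relies on, so it cannot simply be disabled — which is all the more reason to keep the PR tree from influencing what is pushed with it.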