Files
sure/.github/workflows/pr.yml
Juan José Mata 51f09cdade Fix prerelease version-bump job: add PR fallback for protected branches (#2224)
* Fix prerelease version bump workflow

* Fix prerelease version-bump job: add PR fallback for protected branches

### Motivation
- The prerelease version bump job was failing when it could not push to protected release branches, causing the workflow to error instead of progressing.
- The job needs permission and robust push logic so prerelease automation can update `.sure-version` and `charts/sure/Chart.yaml` even when direct pushes are blocked.

### Description
- Grant the `bump-pre_release-version` job `pull-requests: write` permission so it may open an automated PR when direct pushes are disallowed.
- Harden the bump step: enable `set -euo pipefail`, pass `GH_TOKEN` into the job environment, and use fully-qualified branch refs for pushes.
- Add retry + rebase logic for direct pushes and a fallback path that pushes the changes to an `automation/bump-version-after-...` branch and opens a PR with `gh pr create` when direct push attempts fail.
- Preserve existing validations that ensure `.sure-version` and `charts/sure/Chart.yaml` exist and the prerelease portion is parsed before writing the bump.

### Testing
- Verified workflow YAML parses with `ruby -e 'require "yaml"; YAML.load_file(".github/workflows/publish.yml"); puts "YAML OK"'` and it succeeded.
- Confirmed the bump job has the expected permission with `ruby -e 'require "yaml"; workflow=YAML.load_file(".github/workflows/publish.yml"); abort("missing bump job") unless workflow.dig("jobs", "bump-pre_release-version", "permissions", "pull-requests") == "write"; puts "bump permissions OK"'` and it succeeded.
- Ran ActionLint via `go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.8 .github/workflows/publish.yml` and received no actionable errors.
- Ran `git diff --check` to ensure no whitespace/format issues and it succeeded.

* Harden pre-release bump job: validation, retries and PR fallback

### Motivation
- Make the `bump-pre_release-version` job more robust by validating prerelease version formats and failing early on unexpected inputs.
- Handle protected branches gracefully by attempting direct pushes with retries and falling back to creating a pull request when direct push is blocked.
- Ensure the workflow has the permissions required to open PRs when needed.

### Description
- Added `pull-requests: write` to the job `permissions` so the workflow can create PRs when required.
- Hardened the bump script with `set -euo pipefail` and a strict regex that validates and extracts `BASE_VERSION`, prerelease tag, and number using `BASH_REMATCH` before incrementing the prerelease counter.
- Simplified and made file reads safer by using input redirection for `tr` and improved error messages for missing or malformed version files.
- Reworked commit/push logic to set a commit message variable, attempt direct pushes with exponential backoff and detection of branch-protection errors, and when rejected create a dedicated bump branch and open a PR via `gh pr create`.

### Testing
- Validated the modified workflow YAML with a YAML linter; no syntax errors were reported.
- Executed the updated bump logic in a CI dry-run (workflow syntax validation on GitHub Actions) and the workflow file was accepted by the Actions syntax checks.

* Add manual workflow triggers and robust pre-release bump with protected-branch fallback

### Motivation
- Allow manual invocation of PR and chart CI workflows via `workflow_dispatch` for on-demand runs.
- Make the pre-release version bump process more robust and reliable when `refs/tags/v*` releases are published.
- Ensure the bump can proceed even when the target branch is protected by creating an automated pull request and running PR checks.

### Description
- Added `workflow_dispatch` to `.github/workflows/pr.yml` and `.github/workflows/chart-ci.yml` to support manual runs.
- Extended `bump-pre_release-version` job in `.github/workflows/publish.yml` to request `actions: write` and `pull-requests: write` permissions.
- Rewrote the bump script to use `set -euo pipefail` and a single regex validation to parse and increment prerelease versions (e.g. `1.2.3-alpha.4`), update `.sure-version`, and update `charts/sure/Chart.yaml` reliably.
- Improved commit and push flow by adding `GH_TOKEN`, using a consistent commit message variable, attempting direct pushes with retry and rebase, detecting branch-protection failures, and falling back to creating a bumped branch and an automated PR via `gh pr create`; the workflow also dispatches `pr.yml` and `chart-ci.yml` runs for the created branch.

### Testing
- No automated tests were run as part of this change; behavior will be exercised when the workflow creates a bump PR or when workflows are manually triggered via the new `workflow_dispatch` events.
2026-06-11 10:13:58 +02:00

85 lines
2.9 KiB
YAML

name: Pull Request
on:
workflow_dispatch:
pull_request:
types: [opened, synchronize, reopened, labeled]
paths-ignore:
- 'charts/**'
permissions:
contents: read
jobs:
ci:
uses: ./.github/workflows/ci.yml
preview_image:
needs: ci
if: |
contains(github.event.pull_request.labels.*.name, 'preview-cf') &&
(github.event.action != 'labeled' || github.event.label.name == 'preview-cf')
name: Build Cloudflare preview image
runs-on: ubuntu-latest
timeout-minutes: 30
permissions:
contents: read
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
IMAGE_TAG: sure-preview-pr-${{ github.event.pull_request.number }}:${{ github.event.pull_request.head.sha }}
steps:
- name: Checkout PR code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
with:
persist-credentials: false
- name: Build preview image without secrets
run: |
set -euo pipefail
image_archive="$RUNNER_TEMP/sure-preview-image.tar.gz"
manifest_file="$RUNNER_TEMP/sure-preview-image.manifest.json"
docker build \
--platform linux/amd64 \
--build-arg "BUILD_COMMIT_SHA=${HEAD_SHA}" \
-f Dockerfile.preview \
-t "${IMAGE_TAG}" \
.
docker image inspect "${IMAGE_TAG}" >/dev/null
docker save "${IMAGE_TAG}" | gzip -1 > "$image_archive"
archive_sha256="$(sha256sum "$image_archive" | awk '{print $1}')"
image_id="$(docker image inspect --format '{{.Id}}' "${IMAGE_TAG}")"
printf '%s\n' "$archive_sha256" > "$RUNNER_TEMP/sure-preview-image.sha256"
ARCHIVE_SHA256="$archive_sha256" IMAGE_ID="$image_id" node - "$manifest_file" <<'NODE'
const fs = require('node:fs');
const manifestPath = process.argv[2];
const manifest = {
artifactVersion: 1,
archivePath: 'sure-preview-image.tar.gz',
archiveSha256: process.env.ARCHIVE_SHA256,
headSha: process.env.HEAD_SHA,
imageId: process.env.IMAGE_ID,
imageTag: process.env.IMAGE_TAG,
prNumber: process.env.PR_NUMBER,
};
fs.writeFileSync(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`);
NODE
jq -e . "$manifest_file" >/dev/null
- name: Upload preview image artifact
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
name: preview-image-pr-${{ env.PR_NUMBER }}-${{ env.HEAD_SHA }}
path: |
${{ runner.temp }}/sure-preview-image.tar.gz
${{ runner.temp }}/sure-preview-image.sha256
${{ runner.temp }}/sure-preview-image.manifest.json
if-no-files-found: error
retention-days: 3