Skip to content

Commit 9125c2d

Browse files
committed
ci(repo): add refresh-lock job and aggregator check-runs
Learn from NMD-Scanner workflows: - release-please.yml: add refresh-lock job that refreshes the workspace uv.lock on the release PR branch (release-please bumps package versions but not the lock, so uv lock --check fails on the PR). Checks out with RELEASE_PLEASE_PAT so the pushed commit re-triggers CI. Replaces the echo-only release-pr-check job. Exposes the release-please prs output. - ci.yml: add a ci aggregator job (needs all leaf jobs, if: always) as a single stable required status check that tolerates skipped matrix jobs. - check-pr.yml: add a matching conventional-commit-pr aggregator job.
1 parent 11bddd9 commit 9125c2d

3 files changed

Lines changed: 111 additions & 6 deletions

File tree

.github/workflows/check-pr.yml

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,3 +32,20 @@ jobs:
3232
requireScope: true
3333
env:
3434
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
35+
36+
# Aggregator job: a single, stable check-run name to use as the required
37+
# status check in branch protection, independent of the underlying job name.
38+
conventional-commit-pr:
39+
name: Conventional commit PRs
40+
needs: [main]
41+
runs-on: ubuntu-latest
42+
if: always()
43+
steps:
44+
- name: Verify PR title validation did not fail
45+
run: |
46+
# Fail only on failure/cancelled; a skipped run is allowed.
47+
result="${{ needs.main.result }}"
48+
if [ "$result" = "failure" ] || [ "$result" = "cancelled" ]; then
49+
echo "PR title validation did not pass: $result"
50+
exit 1
51+
fi

.github/workflows/ci.yml

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -335,3 +335,47 @@ jobs:
335335
env:
336336
GRZ_TOX_PACKAGE: ${{ steps.pkg_info.outputs.name }}
337337
run: uv run tox -e py${{ matrix.python-version }} -- ${{ matrix.package.path }}
338+
339+
# Aggregator job: a single, stable check-run name to use as the required
340+
# status check in branch protection. Stays valid even when matrix jobs are
341+
# skipped (nothing changed) or individual job names change. Lists every leaf
342+
# job below - keep this in sync when adding or removing jobs.
343+
ci:
344+
name: CI
345+
needs:
346+
- determine-changes
347+
- quality-checks-python
348+
- quality-checks-rust
349+
- build-grz-check-binary
350+
- test-changed-packages-rust
351+
- run-workspace-tests-python
352+
- test-changed-packages-python
353+
runs-on: ubuntu-latest
354+
if: always()
355+
steps:
356+
- name: Verify no upstream job failed
357+
shell: bash
358+
run: |
359+
# Fail only on failure/cancelled. A skipped job is allowed.
360+
declare -A results=(
361+
[determine-changes]="${{ needs.determine-changes.result }}"
362+
[quality-checks-python]="${{ needs.quality-checks-python.result }}"
363+
[quality-checks-rust]="${{ needs.quality-checks-rust.result }}"
364+
[build-grz-check-binary]="${{ needs.build-grz-check-binary.result }}"
365+
[test-changed-packages-rust]="${{ needs.test-changed-packages-rust.result }}"
366+
[run-workspace-tests-python]="${{ needs.run-workspace-tests-python.result }}"
367+
[test-changed-packages-python]="${{ needs.test-changed-packages-python.result }}"
368+
)
369+
failed=0
370+
for job in "${!results[@]}"; do
371+
result="${results[$job]}"
372+
echo "$job=$result"
373+
if [ "$result" = "failure" ] || [ "$result" = "cancelled" ]; then
374+
echo "::error::Upstream job did not pass: $job=$result"
375+
failed=1
376+
fi
377+
done
378+
if [ "$failed" -ne 0 ]; then
379+
exit 1
380+
fi
381+
echo "All upstream jobs passed or were skipped."

.github/workflows/release-please.yml

Lines changed: 50 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,10 @@ on:
66
- main # Or your default branch
77
workflow_dispatch:
88

9+
permissions:
10+
contents: write
11+
pull-requests: write
12+
913
jobs:
1014
release-please:
1115
runs-on: ubuntu-latest
@@ -14,6 +18,8 @@ jobs:
1418
paths_released: ${{ steps.release.outputs.paths_released }}
1519
# releases_created is true if any release PR was created/updated
1620
releases_created: ${{ steps.release.outputs.releases_created }}
21+
# JSON array of the open release PR objects (consumed by refresh-lock)
22+
prs: ${{ steps.release.outputs.prs }}
1723
steps:
1824
- name: Checkout code
1925
uses: actions/checkout@v4
@@ -26,13 +32,51 @@ jobs:
2632
manifest-file: .release-please-manifest.json
2733
token: ${{ secrets.RELEASE_PLEASE_PAT }}
2834

29-
release-pr-check:
35+
# release-please bumps package versions in the release PR but does not touch
36+
# the workspace uv.lock, so `uv lock --check` in CI fails on that PR. This job
37+
# refreshes uv.lock on the release PR branch and pushes it back. It checks out
38+
# with the PAT (not GITHUB_TOKEN) so the pushed commit re-triggers CI.
39+
refresh-lock:
40+
name: Refresh uv.lock on release PR
3041
needs: release-please
31-
if: needs.release-please.outputs.releases_created == 'true'
42+
if: ${{ needs.release-please.outputs.prs != '' && needs.release-please.outputs.prs != '[]' }}
3243
runs-on: ubuntu-latest
44+
permissions:
45+
contents: write
3346
steps:
34-
- name: Confirm Release PR
47+
- name: Determine release PR branch
48+
id: branch
49+
run: |
50+
BRANCH=$(echo '${{ needs.release-please.outputs.prs }}' | jq -r '.[0].headBranchName')
51+
echo "name=$BRANCH" >> "$GITHUB_OUTPUT"
52+
53+
- name: Checkout release PR branch
54+
uses: actions/checkout@v4
55+
with:
56+
ref: ${{ steps.branch.outputs.name }}
57+
token: ${{ secrets.RELEASE_PLEASE_PAT }}
58+
59+
- name: Install uv
60+
uses: astral-sh/setup-uv@v6
61+
with:
62+
version-file: "pyproject.toml"
63+
enable-cache: true
64+
65+
- name: Set up Python
66+
run: uv python install 3.12
67+
68+
- name: Refresh uv.lock
3569
run: |
36-
echo "A Release PR has been created or updated by release-please."
37-
echo "Affected paths in this release cycle (before PR merge): ${{ needs.release-please.outputs.paths_released }}"
38-
echo "Merge the 'chore: release ...' PR to trigger tagging and publishing."
70+
uv lock
71+
if git diff --quiet uv.lock; then
72+
echo "uv.lock already in sync - nothing to commit."
73+
exit 0
74+
fi
75+
# Attribute the lock refresh to the github-actions bot (41898282 is that
76+
# account's stable user id). The push uses RELEASE_PLEASE_PAT so CI re-runs
77+
# on the PR - the commit author is independent of the pushing token.
78+
git config user.name "github-actions[bot]"
79+
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
80+
git add uv.lock
81+
git commit -m "chore: refresh uv.lock for release"
82+
git push

0 commit comments

Comments
 (0)