Pin all external GitHub Actions to full commit SHAs and upgrade to their latest major versions to reduce supply chain attack surface: - actions/checkout: v3/v4/v5 -> v6.0.2 - actions/github-script: v7 -> v8.0.0 - actions/setup-python: v5 -> v6.2.0 - actions/upload-artifact: v4 -> v7.0.0 - astral-sh/setup-uv: v6 -> v8.0.0 - mheap/github-action-required-labels: v5.5.2 (pinned) - redhat-plumbers-in-action/differential-shellcheck: v5.5.6 (pinned) - codespell-project/actions-codespell: v2.2 (pinned, was @master) Set FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true in all 21 workflows that use JavaScript-based actions to opt into the Node.js 24 runtime now. This resolves the deprecation warning: "Node.js 20 actions are deprecated. Please check if updated versions of these actions are available that support Node.js 24. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026." See: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/ scylladb/github-automation references are intentionally left at @main as they are org-internal reusable workflows. Fixes: SCYLLADB-1410 Backport: Backport is required for live branches that run GH actions: 2026.1, 2025.4, 2025.1 and 2024.1 Closes scylladb/scylladb#29421
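# Runs label_promoted_commits.py and auto-backport.py on pushes to the
# listed branches, and auto-backport.py when a label is added to or removed
# from a closed pull request that carries a valid backport label.
name: Check if commits are promoted

on:
  push:
    branches:
      - master
      - 'branch-*.*'
      - enterprise
  # pull_request_target runs in the context of the base repository, and this
  # job uses secrets.AUTO_BACKPORT_TOKEN. The checkout step below takes the
  # default branch, never the pull request head; keep it that way so that no
  # code from the pull request is executed with that token.
  pull_request_target:
    types: [labeled, unlabeled]
    branches: [master, next, enterprise]

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
  check-commit:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      issues: write
    steps:
      # The context is handed over through an environment variable, not
      # interpolated into the script, so its content is never parsed as shell.
      # NOTE(review): the github context includes github.token and the full
      # event payload. GitHub masks the token in logs, but consider dropping
      # this step if the dump is no longer needed for debugging.
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT"

      # Picks the branch that holds the scripts: "enterprise" when the
      # repository name contains "enterprise", otherwise "master".
      - name: Set Default Branch
        id: set_branch
        env:
          EVENT_REPOSITORY: ${{ github.repository }}
        run: |
          if [[ "$EVENT_REPOSITORY" == *enterprise* ]]; then
            echo "DEFAULT_BRANCH=enterprise" >> "$GITHUB_ENV"
          else
            echo "DEFAULT_BRANCH=master" >> "$GITHUB_ENV"
          fi

      # Action pinned to a full commit SHA; the trailing comment records the
      # release it corresponds to.
      # NOTE(review): actions/checkout keeps the supplied token in the local
      # git configuration by default (persist-credentials). Confirm that
      # auto-backport.py relies on this; otherwise set
      # persist-credentials: false.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          repository: ${{ github.repository }}
          ref: ${{ env.DEFAULT_BRANCH }}
          token: ${{ secrets.AUTO_BACKPORT_TOKEN }}
          fetch-depth: 0 # Fetch all history for all tags and branches

      - name: Set up Git identity
        run: |
          git config --global user.name "GitHub Action"
          git config --global user.email "action@github.com"
          git config --global merge.conflictstyle diff3

      - name: Install dependencies
        run: sudo apt-get install -y python3-github python3-git

      # Event values reach the script through env and are expanded by the
      # shell inside double quotes. Writing ${{ ... }} directly into run:
      # pastes the value into the script text before the shell parses it; a
      # ref name may contain shell metacharacters, and the 'branch-*.*'
      # filter above does not restrict which characters a matching branch
      # name contains.
      - name: Run python script
        if: github.event_name == 'push'
        env:
          GITHUB_TOKEN: ${{ secrets.AUTO_BACKPORT_TOKEN }}
          EVENT_BEFORE: ${{ github.event.before }}
          EVENT_SHA: ${{ github.sha }}
          EVENT_REPOSITORY: ${{ github.repository }}
          EVENT_REF: ${{ github.ref }}
        run: |
          python .github/scripts/label_promoted_commits.py \
            --commits "${EVENT_BEFORE}..${EVENT_SHA}" \
            --repository "$EVENT_REPOSITORY" \
            --ref "$EVENT_REF"

      # Only for pushes to the default branch chosen in "Set Default Branch".
      - name: Run auto-backport.py when promotion completed
        if: ${{ github.event_name == 'push' && github.ref == format('refs/heads/{0}', env.DEFAULT_BRANCH) }}
        env:
          GITHUB_TOKEN: ${{ secrets.AUTO_BACKPORT_TOKEN }}
          EVENT_BEFORE: ${{ github.event.before }}
          EVENT_SHA: ${{ github.sha }}
          EVENT_REPOSITORY: ${{ github.repository }}
          EVENT_REF: ${{ github.ref }}
        run: |
          python .github/scripts/auto-backport.py \
            --repo "$EVENT_REPOSITORY" \
            --base-branch "$EVENT_REF" \
            --commits "${EVENT_BEFORE}..${EVENT_SHA}"

      # Sets the step output ready_for_backport to "true" when a label
      # matching backport/<digits>.<digits> is present and
      # scylladbbot/backport_error is absent, otherwise to "false".
      # Label names are read from LABELS_JSON through env and only ever
      # parsed by jq.
      # NOTE(review): the jq pattern is anchored at the end only, so any
      # label whose name ends in backport/X.Y matches; confirm whether a
      # leading ^ is wanted.
      - name: Check if a valid backport label exists and no backport_error
        env:
          LABELS_JSON: ${{ toJson(github.event.pull_request.labels) }}
        id: check_label
        run: |
          labels_json="$LABELS_JSON"
          echo "Checking labels:"
          echo "$labels_json" | jq -r '.[].name'

          # Check if a valid backport label exists
          if echo "$labels_json" | jq -e 'any(.[] | .name; test("backport/[0-9]+\\.[0-9]+$"))' > /dev/null; then
            # Ensure scylladbbot/backport_error is NOT present
            if ! echo "$labels_json" | jq -e '.[] | select(.name == "scylladbbot/backport_error")' > /dev/null; then
              echo "A matching backport label was found and no backport_error label exists."
              echo "ready_for_backport=true" >> "$GITHUB_OUTPUT"
              exit 0
            else
              echo "The label 'scylladbbot/backport_error' is present, invalidating backport."
            fi
          else
            echo "No matching backport label found."
          fi
          echo "ready_for_backport=false" >> "$GITHUB_OUTPUT"

      # Runs for label changes on a closed pull request that passed the label
      # check above. Event values are passed through env and quoted, as in
      # the push steps.
      - name: Run auto-backport.py when PR is closed
        if: ${{ github.event_name == 'pull_request_target' && steps.check_label.outputs.ready_for_backport == 'true' && github.event.pull_request.state == 'closed' }}
        env:
          GITHUB_TOKEN: ${{ secrets.AUTO_BACKPORT_TOKEN }}
          EVENT_REPOSITORY: ${{ github.repository }}
          EVENT_REF: ${{ github.ref }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          EVENT_ACTION: ${{ github.event.action }}
        run: |
          python .github/scripts/auto-backport.py \
            --repo "$EVENT_REPOSITORY" \
            --base-branch "$EVENT_REF" \
            --pull-request "$PR_NUMBER" \
            --head-commit "$PR_BASE_SHA" \
            --github-event "$EVENT_ACTION"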