|
1 | 1 | name: Route Sync |
2 | 2 |
|
3 | 3 | # Opens a PR when the backend's canonical v2 route manifest drifts from the |
4 | | -# vendored copy; the PR then fails test_route_coverage until the matching SDK |
5 | | -# methods + `# v2:covers` comments are added. demo2 is private, so fetching its |
6 | | -# manifest needs a token with Contents:read on it — store it as the |
7 | | -# BACKEND_REPO_TOKEN secret (fine-grained PAT scoped to demo2, or a GitHub App |
8 | | -# installation token). |
| 4 | +# vendored copy; that PR fails test_route_coverage until the matching SDK |
| 5 | +# methods + `# v2:covers` comments are added. |
| 6 | +# |
| 7 | +# Auth: a GitHub App is the single credential for both halves — it reads the |
| 8 | +# private backend repo's manifest AND opens a PR here that triggers CI (PRs from |
| 9 | +# the default GITHUB_TOKEN do not run checks). Configure: |
| 10 | +# - var SYNC_APP_ID, secret SYNC_APP_PRIVATE_KEY |
| 11 | +# - install the App on the backend repo (Contents: read) and on this repo |
| 12 | +# (Contents: read/write, Pull requests: read/write) |
| 13 | +# Until configured the job no-ops. |
9 | 14 |
|
10 | 15 | on: |
11 | 16 | schedule: |
12 | 17 | - cron: "0 12 * * *" |
13 | 18 | workflow_dispatch: |
14 | 19 |
|
15 | 20 | permissions: |
16 | | - contents: write |
17 | | - pull-requests: write |
| 21 | + contents: read |
18 | 22 |
|
19 | 23 | jobs: |
20 | 24 | sync: |
21 | 25 | runs-on: ubuntu-latest |
22 | 26 | env: |
23 | | - GH_TOKEN: ${{ secrets.BACKEND_REPO_TOKEN }} |
24 | | - BACKEND_REPO: ${{ vars.BACKEND_REPO || 'TextQLLabs/demo2' }} |
| 27 | + BACKEND_REPO_NAME: ${{ vars.BACKEND_REPO_NAME || 'demo2' }} |
25 | 28 | MANIFEST_PATH: ${{ vars.BACKEND_MANIFEST_PATH || 'compute/pkg/platform/v2/routes.manifest.json' }} |
26 | 29 | MANIFEST_REF: ${{ vars.BACKEND_MANIFEST_REF || 'main' }} |
27 | 30 | steps: |
28 | 31 | - uses: actions/checkout@v4 |
| 32 | + - name: Mint App token |
| 33 | + id: app-token |
| 34 | + if: ${{ vars.SYNC_APP_ID != '' }} |
| 35 | + uses: actions/create-github-app-token@v1 |
| 36 | + with: |
| 37 | + app-id: ${{ vars.SYNC_APP_ID }} |
| 38 | + private-key: ${{ secrets.SYNC_APP_PRIVATE_KEY }} |
| 39 | + repositories: | |
| 40 | + ${{ vars.BACKEND_REPO_NAME || 'demo2' }} |
| 41 | + ${{ github.event.repository.name }} |
29 | 42 | - name: Fetch upstream manifest |
30 | 43 | id: fetch |
| 44 | + env: |
| 45 | + GH_TOKEN: ${{ steps.app-token.outputs.token }} |
31 | 46 | run: | |
32 | 47 | set -euo pipefail |
33 | 48 | if [ -z "${GH_TOKEN:-}" ]; then |
34 | | - echo "BACKEND_REPO_TOKEN not set; skipping" |
| 49 | + echo "GitHub App not configured (set SYNC_APP_ID + SYNC_APP_PRIVATE_KEY); skipping" |
35 | 50 | echo "changed=false" >> "$GITHUB_OUTPUT" |
36 | 51 | exit 0 |
37 | 52 | fi |
38 | | - gh api "repos/${BACKEND_REPO}/contents/${MANIFEST_PATH}?ref=${MANIFEST_REF}" \ |
| 53 | + gh api "repos/${{ github.repository_owner }}/${BACKEND_REPO_NAME}/contents/${MANIFEST_PATH}?ref=${MANIFEST_REF}" \ |
39 | 54 | -H "Accept: application/vnd.github.raw" > upstream.json |
40 | 55 | changed=$(python3 -c "import json; a=set(json.load(open('upstream.json'))); b=set(json.load(open('tests/routes.manifest.json'))); print('true' if a!=b else 'false')") |
41 | 56 | if [ "$changed" = "true" ]; then cp upstream.json tests/routes.manifest.json; fi |
|
44 | 59 | if: steps.fetch.outputs.changed == 'true' |
45 | 60 | uses: peter-evans/create-pull-request@v6 |
46 | 61 | with: |
47 | | - # Default GITHUB_TOKEN-created PRs do NOT trigger CI; pass a PAT/App |
48 | | - # token here if you want test_route_coverage to run automatically. |
49 | | - token: ${{ secrets.ROUTE_SYNC_PR_TOKEN || secrets.GITHUB_TOKEN }} |
| 62 | + token: ${{ steps.app-token.outputs.token }} |
50 | 63 | branch: route-sync |
51 | 64 | add-paths: tests/routes.manifest.json |
52 | 65 | commit-message: "chore: sync v2 route manifest from backend" |
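Review bot: The single token minted in the "Mint App token" step lists both the backend repo and this repo under `repositories`, and that one token is then handed to `gh api` and to `peter-evans/create-pull-request@v6`, a third-party action referenced by a mutable tag. GitHub App permissions are defined on the App, not per repository, so the header comment's split of "Contents: read" on the backend and "read/write" here is not enforced by installation alone. The combined token therefore likely carries write access to the private backend as well. I would mint two tokens, each limited to one repository and narrowed with the action's `permission-*` inputs (confirm the release you pin supports them), and pin every `uses:` reference to a full commit SHA. The header comment should then say the backend token is read-only because the workflow requests it that way.

```yaml
      - name: Mint backend read token
        id: backend-token
        if: ${{ vars.SYNC_APP_ID != '' }}
        uses: actions/create-github-app-token@<FULL_COMMIT_SHA>  # v1
        with:
          app-id: ${{ vars.SYNC_APP_ID }}
          private-key: ${{ secrets.SYNC_APP_PRIVATE_KEY }}
          repositories: ${{ vars.BACKEND_REPO_NAME || 'demo2' }}
          permission-contents: read
      - name: Mint PR token
        id: pr-token
        if: ${{ vars.SYNC_APP_ID != '' }}
        uses: actions/create-github-app-token@<FULL_COMMIT_SHA>  # v1
        with:
          app-id: ${{ vars.SYNC_APP_ID }}
          private-key: ${{ secrets.SYNC_APP_PRIVATE_KEY }}
          repositories: ${{ github.event.repository.name }}
          permission-contents: write
          permission-pull-requests: write
      # … unchanged: Fetch upstream manifest, now with GH_TOKEN: ${{ steps.backend-token.outputs.token }} …
      # … unchanged: create-pull-request step, now with token: ${{ steps.pr-token.outputs.token }} …
```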
|