Emit workflow pins as a downloadable patch artifact#127
Merged
GITHUB_TOKEN cannot push commits that modify files under
.github/workflows/, so the release workflow can no longer pin the
labeler workflow files to the release commit on its own. Re-pin them
as a patch instead:
* Commit and push the predict/action.yml image digest update to the
release branch as before.
* Apply the dotnet/issue-labeler/* pin updates to the working tree,
capture them with git diff into $RUNNER_TEMP/workflow-pins.patch,
and reset the working tree to keep the post-checkout cleanup clean.
* Upload workflow-pins.patch as a run artifact and reproduce the diff
in the step summary inside a ```diff fence so the patch can be
applied via a follow-up pull request.
* Permit the leading "- " in "- uses: ..." so the regex matches the
inline step form (e.g. labeler-cache-retention.yml).
* Replace the \1 backreference with ${1} so a SHA beginning with a
digit is not parsed as an extended octal escape.
* Drop the unused packages: read permission from this job; it only
reads digest strings from upstream job outputs and never queries the
packages API.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
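The re-pin, patch-capture and step-summary steps described above, written out as an added bash example (not the release workflow's own code); the sample workflow, the release SHA and the exact `uses:` regex are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the repository's release workflow: re-pin the
# dotnet/issue-labeler/* "uses:" references to a release SHA and capture
# the result as a patch plus a ```diff fenced step summary.
set -euo pipefail

# Constructed sample covering both "uses:" under a named step and the
# inline "- uses:" step form (as in labeler-cache-retention.yml).
write_sample_workflow() {
  cat > "$1" <<'EOF'
jobs:
  retain:
    steps:
      - uses: dotnet/issue-labeler/cache-retention@0000000000000000000000000000000000000000
  predict:
    steps:
      - name: Predict
        uses: dotnet/issue-labeler/predict@0000000000000000000000000000000000000000
EOF
}

# Rewrite every dotnet/issue-labeler/* pin in FILE to SHA. The optional
# "- " sits inside the capture group so the inline step form matches too.
# Here the backreference is followed by a literal "@", so the digit
# ambiguity that required ${1} in the PR's substitution cannot arise.
repin_labeler_uses() {
  local file=$1 sha=$2
  sed -E -i.bak \
    "s#^([[:space:]]*(- )?uses: dotnet/issue-labeler/[^@]+)@[0-9a-f]{40}#\1@${sha}#" \
    "$file" && rm -f "$file.bak"
}

# Diff the checked-out file against a re-pinned copy (the workflow does
# this with `git diff` before resetting the tree), write the patch, append
# it to SUMMARY inside a ```diff fence, and return the number of changed pins.
make_pins_patch() {
  local file=$1 sha=$2 patch=$3 summary=$4
  cp "$file" "$file.pinned" && repin_labeler_uses "$file.pinned" "$sha"
  diff -u "$file" "$file.pinned" > "$patch" || true   # exit 1 == files differ
  rm -f "$file.pinned"
  printf '```diff\n%s\n```\n' "$(cat "$patch")" >> "$summary"
  grep -c '^+.*uses: dotnet/issue-labeler/' "$patch" || true
}

WORK=$(mktemp -d)
write_sample_workflow "$WORK/labeler-cache-retention.yml"
changed=$(make_pins_patch "$WORK/labeler-cache-retention.yml" \
  1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b \
  "$WORK/workflow-pins.patch" "$WORK/step-summary.md")
echo "re-pinned $changed uses: lines; patch at $WORK/workflow-pins.patch"
```

In the real job `$WORK` would be `$RUNNER_TEMP`, and the original file is left untouched so the post-checkout cleanup sees a clean tree.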
Pull request overview
Updates the release workflow to work around GITHUB_TOKEN restrictions on modifying .github/workflows/* by generating workflow pin updates as a downloadable patch artifact instead of committing them directly on the release branch.
Changes:
- Commit and push only the predict/action.yml image digest update during release.
- Re-pin dotnet/issue-labeler/* workflow uses: SHAs in the working tree, capture the changes into workflow-pins.patch, then reset the working tree.
- Upload workflow-pins.patch as a run artifact and include the patch content in the workflow step summary.
Under `set -e`, `git commit` with nothing staged exits non-zero and would abort the job when the release workflow is re-run against an already-pinned digest. Gate the commit and push on `git diff --cached --quiet` so a re-run is idempotent. RELEASE_SHA is still taken from `git rev-parse HEAD`, which correctly points at the original release commit in the skip path. Addresses PR #127 review feedback. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>