Create external PR Workflow (#118)

ammarwa · web-flow · commit 87484dad413d · 2025-06-17T10:51:05.000-05:00
Create external-pr.yml
diff --git a/.github/workflows/external-pr.yml b/.github/workflows/external-pr.yml
@@ -0,0 +1,109 @@
+name: Mirror External PR to Internal Repo
+
+on:
+  pull_request_target: # IMPORTANT: Use pull_request_target for security
+    types: [opened, synchronize]
+    branches:
+      - amd-staging
+
+permissions:
+  pull-requests: write # To close and comment on the PR in the public repo
+  contents: read     # To checkout code
+
+jobs:
+  mirror_pr:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.head.repo.full_name != 'AMD-ROCm-Internal/aqlprofile' # Avoid loops if internal creates a PR back
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - name: Checkout PR base
+        uses: actions/checkout@v4
+        # This checks out the base of the PR, not the PR head itself initially
+
+      - name: Setup Git User
+        run: |
+          git config --global user.name 'External PR Mirror Bot'
+          git config --global user.email 'bot@users.noreply.github.com'
+
+      - name: Fetch PR branch from fork/external
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Use built-in token to fetch from public fork
+        run: |
+          # The PR branch is available at 'refs/pull/PULL_REQUEST_NUMBER/head'
+          # We fetch it into a local branch with a unique name
+          # Using github.event.pull_request.head.sha ensures we get the exact commit
+          git fetch origin pull/${{ github.event.pull_request.number }}/head:external-pr-${{ github.event.pull_request.number }}
+          git checkout external-pr-${{ github.event.pull_request.number }}
+          echo "Checked out PR branch: external-pr-${{ github.event.pull_request.number }}"
+          git show --summary # Show commit details
+
+      - name: Push branch to Internal Repository
+        env:
+          INTERNAL_REPO_PAT: ${{ secrets.INTERNAL_REPO_PAT }}
+          INTERNAL_REPO_URL: "https://x-access-token:${{ secrets.INTERNAL_REPO_PAT }}@github.com/AMD-ROCm-Internal/aqlprofile.git"
+          INTERNAL_BRANCH_NAME: "external-pr-${{ github.event.pull_request.number }}"
+        run: |
+          git remote add internal_mirror "${INTERNAL_REPO_URL}"
+          git push internal_mirror "refs/heads/${INTERNAL_BRANCH_NAME}:refs/heads/${INTERNAL_BRANCH_NAME}" --force
+          echo "Pushed to internal repository as branch ${INTERNAL_BRANCH_NAME}"
+
+      - name: Create Pull Request in Internal Repository
+        id: create_internal_pr
+        env:
+          GH_TOKEN: ${{ secrets.INTERNAL_REPO_PAT }} # PAT for internal repo actions
+          INTERNAL_REPO: "AMD-ROCm-Internal/aqlprofile"
+          INTERNAL_BASE_BRANCH: "amd-staging" # Change if your internal default branch is different
+          HEAD_BRANCH: "external-pr-${{ github.event.pull_request.number }}"
+          PR_TITLE: "Mirror: ${{ github.event.pull_request.title }} (Ext PR #${{ github.event.pull_request.number }})"
+          PR_BODY: |
+            This PR mirrors changes from external pull request: ${{ github.event.pull_request.html_url }}
+
+            Original PR Body:
+            -------------------
+            ${{ github.event.pull_request.body }}
+        run: |
+          # Create PR and capture its URL
+          INTERNAL_PR_URL=$(gh pr create \
+            --repo "$INTERNAL_REPO" \
+            --base "$INTERNAL_BASE_BRANCH" \
+            --head "$HEAD_BRANCH" \
+            --title "$PR_TITLE" \
+            --body "$PR_BODY")
+
+          if [ -z "$INTERNAL_PR_URL" ]; then
+            echo "Failed to create internal PR. URL is empty."
+            # Check if PR already exists (gh pr create might not fail if branch has open PR)
+            EXISTING_PR_URL=$(gh pr list --repo "$INTERNAL_REPO" --head "$HEAD_BRANCH" --json url -q '.[0].url')
+            if [ -n "$EXISTING_PR_URL" ]; then
+              echo "Internal PR already exists: $EXISTING_PR_URL"
+              echo "INTERNAL_PR_URL=$EXISTING_PR_URL" >> $GITHUB_OUTPUT
+            else
+              echo "::error::Failed to create or find existing internal PR."
+              exit 1
+            fi
+          else
+            echo "Internal PR created: $INTERNAL_PR_URL"
+            echo "INTERNAL_PR_URL=$INTERNAL_PR_URL" >> $GITHUB_OUTPUT
+          fi
+
+
+      - name: Comment on and Close External PR
+        if: steps.create_internal_pr.outputs.INTERNAL_PR_URL != '' # Only if internal PR was created/found
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Built-in token for actions on ROCm/aqlprofile
+          EXTERNAL_PR_NUMBER: ${{ github.event.pull_request.number }}
+          EXTERNAL_REPO: ${{ github.repository }} # e.g., ROCm/aqlprofile
+          INTERNAL_PR_URL: ${{ steps.create_internal_pr.outputs.INTERNAL_PR_URL }}
+        run: |
+          COMMENT_BODY="This pull request has been mirrored to our internal repository for review and integration: ${INTERNAL_PR_URL} . This external PR will now be closed. Thank you for your contribution!"
+
+          gh pr comment "$EXTERNAL_PR_NUMBER" \
+            --repo "$EXTERNAL_REPO" \
+            --body "$COMMENT_BODY"
+
+          echo "Commented on external PR #${EXTERNAL_PR_NUMBER}"
