|
1 | 1 | name: On-Demand Prerelease |
2 | 2 |
|
| 3 | +# Minimal permissions for security (addresses GitHub Advanced Security feedback) |
| 4 | +permissions: |
| 5 | + contents: read |
| 6 | + pull-requests: write |
| 7 | + issues: write |
| 8 | + |
3 | 9 | on: |
4 | 10 | workflow_dispatch: |
5 | 11 | inputs: |
|
30 | 36 | id: vars |
31 | 37 | run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT |
32 | 38 |
|
| 39 | + - name: Check that PR number is provided |
| 40 | + if: github.event.inputs.pr == '' |
| 41 | + run: | |
| 42 | + echo "Error: /prerelease command must be invoked on a pull request, not an issue." |
| 43 | + exit 1 |
| 44 | +
|
| 45 | + - name: Get PR info |
| 46 | + id: pr-info |
| 47 | + run: | |
| 48 | + PR_JSON=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.inputs.pr }}) |
| 49 | + HEAD_REF=$(echo "$PR_JSON" | jq -r .head.ref) |
| 50 | + HEAD_REPO=$(echo "$PR_JSON" | jq -r .head.repo.full_name) |
| 51 | + echo "head-ref=${HEAD_REF}" >> $GITHUB_OUTPUT |
| 52 | + echo "head-repo=${HEAD_REPO}" >> $GITHUB_OUTPUT |
| 53 | + echo "PR branch: ${HEAD_REF} from ${HEAD_REPO}" |
| 54 | + env: |
| 55 | + GH_TOKEN: ${{ steps.get-app-token.outputs.token }} |
| 56 | + |
| 57 | + - name: Check that PR is from this repository (not a fork) |
| 58 | + if: steps.pr-info.outputs.head-repo != github.repository |
| 59 | + run: | |
| 60 | + echo "Error: /prerelease only works for branches in this repository, not forks." |
| 61 | + echo "PR is from: ${{ steps.pr-info.outputs.head-repo }}" |
| 62 | + echo "Expected: ${{ github.repository }}" |
| 63 | + exit 1 |
| 64 | +
|
33 | 65 | - name: Append comment with job run link |
34 | 66 | if: github.event.inputs.comment-id |
35 | 67 | id: first-comment-action |
|
47 | 79 | [1]: ${{ steps.vars.outputs.run-url }} |
48 | 80 |
|
49 | 81 | - name: Trigger publish workflow |
| 82 | + id: trigger-publish |
50 | 83 | run: | |
| 84 | + # Trigger the publish workflow on the PR's head branch |
| 85 | + # Note: These defaults mirror the defaults in publish.yml and can be extended |
| 86 | + # to accept optional overrides via slash command arguments if needed in the future. |
51 | 87 | gh workflow run publish.yml \ |
52 | | - --ref ${{ github.ref }} \ |
| 88 | + --ref "${{ steps.pr-info.outputs.head-ref }}" \ |
53 | 89 | -f version="" \ |
54 | 90 | -f publish_to_pypi=true \ |
55 | 91 | -f publish_to_dockerhub=true \ |
|
63 | 99 | run: | |
64 | 100 | # Wait a moment for the workflow to be created |
65 | 101 | sleep 5 |
66 | | - # Get the most recent workflow run for publish.yml |
67 | | - WORKFLOW_RUN_URL=$(gh run list --workflow=publish.yml --limit=1 --json url --jq '.[0].url') |
| 102 | + # Query for the most recent publish workflow run on the PR branch |
| 103 | + # Filter by branch to avoid race conditions with concurrent runs |
| 104 | + WORKFLOW_RUN_URL=$(gh run list \ |
| 105 | + --workflow=publish.yml \ |
| 106 | + --branch "${{ steps.pr-info.outputs.head-ref }}" \ |
| 107 | + --limit=1 \ |
| 108 | + --json url \ |
| 109 | + --jq '.[0].url') |
| 110 | + |
| 111 | + if [ -z "$WORKFLOW_RUN_URL" ] || [ "$WORKFLOW_RUN_URL" = "null" ]; then |
| 112 | + echo "Warning: Could not find workflow run URL. Using fallback." |
| 113 | + WORKFLOW_RUN_URL="https://github.com/${{ github.repository }}/actions/workflows/publish.yml" |
| 114 | + fi |
| 115 | + |
68 | 116 | echo "workflow-run-url=${WORKFLOW_RUN_URL}" >> $GITHUB_OUTPUT |
69 | 117 | env: |
70 | 118 | GH_TOKEN: ${{ steps.get-app-token.outputs.token }} |
|
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?v=4&size=40){kind=avatar}
0 commit comments