Skip to content

fix(ci): improve sync-manifest to handle branch protection#96

Merged
MoonBoi9001 merged 1 commit intomainfrom
fix/sync-manifest-forward-only
Jan 16, 2026
Merged

fix(ci): improve sync-manifest to handle branch protection#96
MoonBoi9001 merged 1 commit intomainfrom
fix/sync-manifest-forward-only

Conversation

@MoonBoi9001
Copy link
Member

@MoonBoi9001 MoonBoi9001 commented Jan 14, 2026
edited
Loading

Fixes sync-manifest to work with branch protection rules and prevent incorrect release PRs.

Changes

  • Forward-only sync: Only sync manifest when tag > manifest (never downgrade)
  • PR-based updates: Create PR instead of pushing directly to main
  • Duplicate prevention: Check for existing sync PR before creating new one
  • Release-please guard: Skip release-please while sync PR is open

Flow

Trigger: Push to main branch (via approved PR)

Job 1: sync-manifest

Condition: Only runs if github.actor != 'github-actions[bot]' (prevents infinite loops)

Step 1: Checkout - Gets full git history (fetch-depth: 0) to access all tags

Step 2: Check for manifest drift

  1. Get latest semver tag from git (e.g., v1.2.01.2.0)
  2. Get version from .release-please-manifest.json (e.g., 1.1.0)
  3. Compare them:
    • If tag > manifest → drift=true (manual deploy happened)
    • If manifest > tag → drift=false (release PR in progress, don't downgrade)
    • If equal → drift=false (all good)

Step 3: Update manifest if drifted (only if drift=true)

  1. Check if a sync PR already exists for this version → if yes, exit early
  2. Update .release-please-manifest.json with the tag version
  3. Create branch chore/sync-manifest-to-X.Y.Z
  4. Commit and push
  5. Create PR titled "chore: sync release-please manifest to X.Y.Z"

Job 2: release-please

Condition: Runs after sync-manifest completes (or is skipped for bot commits)

Step 1: Check for open sync PRs

  • Search for open PRs with "sync release-please manifest" in title
  • If found → skip=true and emit warning

Step 2: Run release-please (only if skip != 'true')

  • Creates/updates release PR with CHANGELOG, version bumps, etc.

Scenarios

State What happens
Everything in sync sync-manifest does nothing, release-please runs normally
Manual deploy (tag ahead) sync-manifest creates PR, release-please skips
Release PR in progress (manifest ahead) sync-manifest does nothing, release-please runs normally
Sync PR already open sync-manifest skips, release-please skips

@MoonBoi9001 @claude
fix(ci): improve sync-manifest to handle branch protection
5e7ab67 
- Only sync manifest when tag > manifest (forward-only, never downgrade)
- Create PR instead of pushing directly to main (respects branch protection)
- Check for existing sync PR to avoid duplicates
- Skip release-please while sync PR is open to prevent incorrect release PRs
- Update daily sync workflow comment and permissions

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@MoonBoi9001 MoonBoi9001 force-pushed the fix/sync-manifest-forward-only branch from 266077e to 5e7ab67 Compare January 14, 2026 21:44
@MoonBoi9001
Copy link
Member Author

MoonBoi9001 commented Jan 14, 2026

context @RembrandtK https://github.com/edgeandnode/gcp-access-control/issues/106

@MoonBoi9001 MoonBoi9001 merged commit 3b191c2 into main Jan 16, 2026
12 checks passed
@MoonBoi9001 MoonBoi9001 deleted the fix/sync-manifest-forward-only branch January 16, 2026 15:25
@MoonBoi9001 MoonBoi9001 mentioned this pull request Jan 16, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RembrandtK RembrandtK RembrandtK approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MoonBoi9001 @RembrandtK