53 changes: 53 additions & 0 deletions .github/workflows/sync_check.yaml
@@ -0,0 +1,53 @@
name: Cross-Repo Sync Check

on:
pull_request:
# 'edited' allows the check to pass the moment the dev clicks the box
# 'synchronize' handles new commits
types: [opened, synchronize, edited]
paths:
- "crates/apollo_deployments/src/service.rs"
- ".github/workflows/sync_check.yaml"

Paths filter ineffective for PR edited events

Medium Severity

The paths filter is not reliably enforced for pull_request edited events. When anyone edits any PR's body or title, the workflow may fire regardless of whether the PR touches service.rs. This can inject the sync checkbox into unrelated PRs and fail their checks unexpectedly.



jobs:
manage-sync:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Sync Checkbox Logic
uses: actions/github-script@v7
with:
script: |
const checkbox = "- [ ] I have synced these changes to **Private Repo Y**";
const checked = "- [x] I have synced these changes to **Private Repo Y**";

Placeholder "Private Repo Y" not replaced with actual name

High Severity

The strings "Private Repo Y" throughout this workflow appear to be template placeholders that were never replaced with the actual private repository name. The checkbox text, error messages, and descriptive note all reference this generic name. This will be shown to developers in their PR descriptions and CI failure messages, making it unclear which repository actually needs syncing.



// 1. Fetch the latest PR body (don't rely on the 'context' which might be stale)
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number
});

const body = pr.body || "";
const hasCheckbox = body.includes("- [ ] I have synced") || body.includes("- [x] I have synced");

// 2. If Cursor BOT or the Dev hasn't added the checkbox, append it.
if (!hasCheckbox) {
const newBody = body + "\n\n---\n### ⚠️ Cross-Repo Sync Required\n" + checkbox + "\n*The private repo Y depends on these config changes.*";
await github.rest.pulls.update({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
body: newBody
});
core.setFailed("Added sync checklist. Please update Private Repo Y and check the box.");
return;
}

// 3. Final enforcement: Is it checked?
if (body.includes(checked)) {
console.log("Sync confirmed!");
} else {
core.setFailed("Please check the 'Sync to Private Repo Y' box once the private repo is aligned.");
}
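
Review bot: The github.rest.pulls.update call in step 2 has no error handling, and on pull requests opened from forks it will be rejected, because by default GitHub issues a read-only GITHUB_TOKEN to pull_request runs from forks even when the job declares permissions: pull-requests: write. The job then ends in an unhandled API error instead of the intended "Added sync checklist" message. Wrap the update in try/catch and, on failure, call core.setFailed with a message asking the author to paste the checkbox line into the description by hand. Separately, hasCheckbox matches only the prefix "- [x] I have synced" while step 3 requires the full checked string, so a ticked box whose trailing text was edited skips the append and then fails with a message telling the author to tick a box that is already ticked; use one pattern for both tests. The action is also referenced by a mutable tag (actions/github-script@v7) in a job that holds a write-scoped token; pin it to a full commit SHA.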