backup

Author: sutaakar

.github/workflows/approve-lake-gate.yml

@@ -0,0 +1,153 @@
+# This workflow handles "/approve" comments on PRs with "lake-gate" label
+# It performs a fast-forward merge of the stable branch to point to the same commit as the temporary branch
+#
+# This workflow uses the built-in GITHUB_TOKEN with the required permissions set below.
+
+name: Approve Lake Gate PR
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  approve-lake-gate:
+    runs-on: ubuntu-latest
+    if: github.event.issue.pull_request && contains(github.event.comment.body, '/approve') && contains(github.event.issue.labels.*.name, 'lake-gate')
+    
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Disallow forks
+      run: |
+        set -euo pipefail
+        PR_NUMBER="${{ github.event.issue.number }}"
+        IS_CROSS=$(gh pr view "$PR_NUMBER" --json isCrossRepository --jq '.isCrossRepository')
+        if [ "$IS_CROSS" = "true" ]; then
+          gh pr comment "$PR_NUMBER" --body "❌ Cannot approve: fork-based PRs are not supported for lake-gate. Please open the PR from a branch in the main repository."
+          exit 1
+        fi
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Check if user is authorized to approve
+      run: |
+        set -euo pipefail
+        COMMENT_USER="${{ github.event.comment.user.login }}"
+        echo "Checking authorization for user: $COMMENT_USER"
+
+        # Check if the user is in the approve-lake-gate alias in OWNERS_ALIASES file
+        if yq eval '.aliases.approve-lake-gate[] | select(. == "'${COMMENT_USER}'")' OWNERS_ALIASES | grep -q "${COMMENT_USER}"; then
+          echo "✅ User ${COMMENT_USER} is authorized to approve lake-gate PRs"
+        else
+          echo "❌ User ${COMMENT_USER} is not authorized to approve lake-gate PRs"
+
+          # Show available approvers for debugging
+          echo "Available approve-lake-gate users:"
+          yq eval '.aliases.approve-lake-gate[]' OWNERS_ALIASES || echo "No approve-lake-gate alias found"
+
+          gh pr comment "${{ github.event.issue.number }}" --body "❌ @${COMMENT_USER} is not authorized to approve lake-gate PRs. Only users listed in the approve-lake-gate alias in OWNERS_ALIASES file can approve."
+          exit 1
+        fi
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Configure Git
+      run: |
+        git config --global user.name "github-actions[bot]"
+        git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+    - name: Get PR details and perform fast-forward merge
+      run: |
+        set -euo pipefail
+        PR_NUMBER="${{ github.event.issue.number }}"
+        
+        # Get PR details
+        PR_DATA=$(gh pr view "$PR_NUMBER" --json headRefName,baseRefName)
+        HEAD_BRANCH=$(echo "$PR_DATA" | jq -r '.headRefName')
+        BASE_BRANCH=$(echo "$PR_DATA" | jq -r '.baseRefName')
+        
+        echo "PR #$PR_NUMBER details:"
+        echo "  Head branch: $HEAD_BRANCH"
+        echo "  Base branch: $BASE_BRANCH"
+        
+        # Ensure we're working with the stable branch as base
+        if [ "$BASE_BRANCH" != "stable" ]; then
+          echo "Error: PR base branch is not 'stable'. Expected 'stable', got '$BASE_BRANCH'"
+          exit 1
+        fi
+        
+        # Fetch all refs
+        git fetch origin
+        
+        # Switch to and update stable branch
+        git switch stable
+        git reset --hard origin/stable
+        
+        # Switch to the temporary branch from the PR
+        git switch "$HEAD_BRANCH"
+        git reset --hard origin/"$HEAD_BRANCH"
+        
+        # Get the commit that the temporary branch points to
+        TEMP_BRANCH_COMMIT=$(git rev-parse HEAD)
+        echo "Temporary branch commit: $TEMP_BRANCH_COMMIT"
+        
+        # Switch back to stable and perform fast-forward merge
+        git switch stable
+        
+        # Check if we can fast-forward merge
+        if git merge-base --is-ancestor stable "$TEMP_BRANCH_COMMIT"; then
+          echo "Performing fast-forward merge of stable to $TEMP_BRANCH_COMMIT"
+          git reset --hard "$TEMP_BRANCH_COMMIT"
+          
+          # Push the updated stable branch
+          git push origin stable
+          
+          echo "✅ Successfully fast-forwarded stable branch to commit $TEMP_BRANCH_COMMIT"
+          
+          # Wait a moment for GitHub to process the push
+          sleep 2
+          
+          # Check PR status and close if still open
+          PR_STATE=$(gh pr view "$PR_NUMBER" --json state --jq '.state')
+          if [ "$PR_STATE" = "OPEN" ]; then
+            echo "PR is still open, closing it manually..."
+            gh pr close "$PR_NUMBER" --comment "✅ Approved and merged! The stable branch has been fast-forwarded to point to the same commit as this temporary branch."
+          else
+            echo "PR was automatically closed by GitHub (state: $PR_STATE)"
+            # Add a comment to the already-closed PR
+            gh pr comment "$PR_NUMBER" --body "✅ Approved and merged! The stable branch has been fast-forwarded to point to the same commit as this temporary branch."
+          fi
+          
+          # Clean up the temporary branch after some delay
+          sleep 5  # Brief pause to ensure PR operations complete
+          echo "Cleaning up temporary branch: $HEAD_BRANCH"
+
+          # Guard: Only delete branches that match the expected lake-gate pattern
+          if [[ "$HEAD_BRANCH" =~ ^lake-gate- ]]; then
+            echo "Branch matches lake-gate pattern, proceeding with deletion..."
+            git push origin --delete "$HEAD_BRANCH" || {
+              echo "Warning: Failed to delete branch $HEAD_BRANCH (it may have already been deleted)"
+            }
+          else
+            echo "Warning: Branch '$HEAD_BRANCH' does not match expected lake-gate pattern (lake-gate-*). Skipping deletion to prevent accidental removal of non-lake-gate branches."
+          fi
+          
+        else
+          echo "Error: Cannot fast-forward merge. The stable branch is not an ancestor of the temporary branch commit."
+          gh pr comment "$PR_NUMBER" --body "❌ Cannot approve: Fast-forward merge is not possible. The stable branch is not an ancestor of the temporary branch. Please rebase or recreate the PR."
+          exit 1
+        fi
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Summary
+      run: |
+        echo "✅ Lake-gate PR approved and merged successfully via fast-forward merge."

.github/workflows/sync-main-to-stable.yml

@@ -0,0 +1,233 @@
+# This workflow automatically creates a temporary branch from main to sync with stable branch, for image related changes creates a PR with "lake-gate" label for verification
+# It runs every 4 hours and can be triggered manually
+#
+# This workflow uses the built-in GITHUB_TOKEN with the required permissions set below.
+
+name: Sync Main to Stable
+
+on:
+  schedule:
+    # Run every 4 hours
+    - cron: '0 */4 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+# Configuration: PR Reviewers
+# To modify who gets requested to review sync PRs, update the list below with comma-separated or space-separated GitHub usernames
+env:
+  PR_REVIEWERS: "sutaakar"
+
+jobs:
+  lake-gate:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Configure Git
+      run: |
+        git config --global user.name "github-actions[bot]"
+        git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+    - name: Check for differences between main and stable
+      id: check-diff
+      run: |
+        set -euo pipefail
+        # Ensure we have the latest refs
+        git fetch origin main
+        git fetch origin stable || {
+          echo "Error: stable branch doesn't exist. Please create the stable branch first."
+          exit 1
+        }
+        
+        # Update local refs to match remote
+        git checkout main
+        git reset --hard origin/main
+        git checkout -B stable origin/stable
+
+        # Get commits that are in main but not in stable
+        NEW_COMMITS=$(git rev-list stable..main --reverse)
+        
+        if [ -z "$NEW_COMMITS" ]; then
+          echo "No new commits to cherry-pick"
+          echo "new_commits=" >> $GITHUB_OUTPUT
+        else
+          echo "Found new commits to cherry-pick:"
+          echo "$NEW_COMMITS"
+          # Store commits as a single line with spaces
+          COMMITS_LINE=$(echo "$NEW_COMMITS" | tr '\n' ' ' | sed 's/ $//')
+          echo "new_commits=$COMMITS_LINE" >> $GITHUB_OUTPUT
+          
+          # Get the latest commit hash for PR title
+          LATEST_COMMIT=$(echo "$NEW_COMMITS" | tail -n1)
+          LATEST_COMMIT_SHORT=$(git rev-parse --short "$LATEST_COMMIT")
+          LATEST_COMMIT_MSG=$(git log --format=%s -n 1 "$LATEST_COMMIT")
+          echo "latest_commit=$LATEST_COMMIT" >> $GITHUB_OUTPUT
+          echo "latest_commit_short=$LATEST_COMMIT_SHORT" >> $GITHUB_OUTPUT
+          echo "latest_commit_msg=$LATEST_COMMIT_MSG" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Check for existing sync PRs
+      id: check-existing-pr
+      if: steps.check-diff.outputs.new_commits != ''
+      run: |
+        set -euo pipefail
+        # Look for existing PRs with the lake-gate label
+        EXISTING_PR_DATA=$(gh pr list --base stable --label "lake-gate" --state open --json number,headRefName,title | jq -r '.[0] // empty')
+        
+        if [ -n "$EXISTING_PR_DATA" ] && [ "$EXISTING_PR_DATA" != "null" ]; then
+          EXISTING_PR_NUMBER=$(echo "$EXISTING_PR_DATA" | jq -r '.number')
+          EXISTING_PR_BRANCH=$(echo "$EXISTING_PR_DATA" | jq -r '.headRefName')
+          echo "Found existing PR: #$EXISTING_PR_NUMBER (branch: $EXISTING_PR_BRANCH)"
+          echo "existing_pr_number=$EXISTING_PR_NUMBER" >> $GITHUB_OUTPUT
+          echo "existing_pr_branch=$EXISTING_PR_BRANCH" >> $GITHUB_OUTPUT
+          
+          # Check if the existing PR already contains the latest commit
+          PR_TITLE=$(echo "$EXISTING_PR_DATA" | jq -r '.title')
+          LATEST_COMMIT_SHORT="${{ steps.check-diff.outputs.latest_commit_short }}"
+          
+          if echo "$PR_TITLE" | grep -q "$LATEST_COMMIT_SHORT"; then
+            echo "Existing PR already contains the latest commit"
+            echo "pr_up_to_date=true" >> $GITHUB_OUTPUT
+          else
+            echo "Existing PR is outdated"
+            echo "pr_up_to_date=false" >> $GITHUB_OUTPUT
+          fi
+        else
+          echo "No existing cherry-pick PR found"
+          echo "existing_pr_number=" >> $GITHUB_OUTPUT
+          echo "existing_pr_branch=" >> $GITHUB_OUTPUT
+          echo "pr_up_to_date=false" >> $GITHUB_OUTPUT
+        fi
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Close outdated PR and delete branch
+      if: steps.check-diff.outputs.new_commits != '' && steps.check-existing-pr.outputs.existing_pr_number != '' && steps.check-existing-pr.outputs.pr_up_to_date == 'false'
+      run: |
+        set -euo pipefail
+        PR_NUMBER="${{ steps.check-existing-pr.outputs.existing_pr_number }}"
+        BRANCH_NAME="${{ steps.check-existing-pr.outputs.existing_pr_branch }}"
+        
+        # Safety check: Verify the branch matches automation pattern before closing/deleting
+        if [[ "$BRANCH_NAME" =~ ^lake-gate- ]]; then
+          echo "Branch matches automation pattern (lake-gate-*), proceeding with closure and deletion..."
+          echo "Closing outdated PR #$PR_NUMBER (branch: $BRANCH_NAME)"
+          gh pr close "$PR_NUMBER" --comment "Closing this PR as newer commits are available. A new PR will be created automatically."
+
+          sleep 5  # Brief pause to ensure PR operations complete
+
+          # Delete the temporary branch
+          if [ -n "$BRANCH_NAME" ]; then
+            echo "Deleting temporary branch: $BRANCH_NAME"
+            git push origin --delete "$BRANCH_NAME" || {
+              echo "Warning: Failed to delete branch $BRANCH_NAME (it may have already been deleted)"
+            }
+          else
+            echo "Warning: No branch name found for PR #$PR_NUMBER"
+          fi
+        else
+          echo "Warning: Branch '$BRANCH_NAME' does not match expected automation pattern (lake-gate-*). Skipping closure and deletion to prevent impacting user branches."
+          echo "PR #$PR_NUMBER will remain open. Manual intervention may be required."
+        fi
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Create sync branch and PR
+      if: steps.check-diff.outputs.new_commits != '' && steps.check-existing-pr.outputs.pr_up_to_date == 'false'
+      run: |
+        set -euo pipefail
+        # Create a unique branch name with timestamp
+        TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+        BRANCH_NAME="lake-gate-$TIMESTAMP"
+        
+        echo "Creating branch: $BRANCH_NAME from main"
+        git checkout main
+        git checkout -b "$BRANCH_NAME"
+
+        # Push the branch
+        git push origin "$BRANCH_NAME"
+        
+        # Prepare PR body
+        COMMITS="${{ steps.check-diff.outputs.new_commits }}"
+        LATEST_COMMIT="${{ steps.check-diff.outputs.latest_commit }}"
+        LATEST_COMMIT_SHORT="${{ steps.check-diff.outputs.latest_commit_short }}"
+        COMMIT_COUNT=$(echo "$COMMITS" | wc -w)
+
+        # Build PR body using here document
+        PR_BODY=$(cat << EOF
+        ## Automated Sync from main to stable
+
+        This PR automatically syncs the \`main\` branch to the \`stable\` branch by creating a temporary branch directly from main.
+
+        **Latest commit:** $LATEST_COMMIT_SHORT - ${{ steps.check-diff.outputs.latest_commit_msg }}
+        **Total commits to sync:** $COMMIT_COUNT
+
+        ## ⚠️ IMPORTANT: How to Merge
+
+        **🚫 DO NOT use the GitHub merge button!**
+
+        Once all checks are complete, comment **\`/approve\`** on this PR to automatically fast-forward merge the stable branch to point to the same commit as this temporary branch.
+
+        **Only use the \`/approve\` command - the GitHub merge button will not work correctly for this automated sync process.**
+
+        ## Pre-merge Checklist
+
+        Before approving this PR, please ensure the following tasks are completed:
+
+        - [ ] **PR checks**: PR checks passed
+        - [ ] **E2E tests**: Smoke and sanity tests passed against cluster with training operator image built from this PR
+
+        ### Commits to be synced:
+        EOF
+        )
+
+        for commit in $COMMITS; do
+          COMMIT_SHORT=$(git rev-parse --short "$commit")
+          COMMIT_MSG=$(git log --format=%s -n 1 "$commit")
+          PR_BODY="$PR_BODY"$'\n'"- $COMMIT_SHORT: $COMMIT_MSG"
+        done
+        
+        PR_BODY="$PR_BODY"$'\n\n'"---"$'\n'"*This PR was created automatically by the sync workflow.*"
+        
+        # Create the PR
+        PR_TITLE="Auto sync main to stable (up to $LATEST_COMMIT_SHORT)"
+        
+        # Normalize PR_REVIEWERS by replacing commas with spaces and create reviewer flags
+        REVIEWER_FLAGS=""
+        NORMALIZED_REVIEWERS=$(echo "$PR_REVIEWERS" | tr ',' ' ')
+        for reviewer in $NORMALIZED_REVIEWERS; do
+          if [ -n "$reviewer" ]; then
+            REVIEWER_FLAGS="$REVIEWER_FLAGS --reviewer $reviewer"
+          fi
+        done
+
+        gh pr create \
+          --title "$PR_TITLE" \
+          --body "$PR_BODY" \
+          --base stable \
+          --head "$BRANCH_NAME" \
+          --label "lake-gate" \
+          $REVIEWER_FLAGS \
+          --draft
+        
+        echo "Created PR: $PR_TITLE"
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Summary
+      run: |
+        if [ -z "${{ steps.check-diff.outputs.new_commits }}" ]; then
+          echo "✅ No new commits to sync. Stable branch is up to date."
+        elif [ "${{ steps.check-existing-pr.outputs.pr_up_to_date }}" == "true" ]; then
+          echo "✅ Existing PR already contains the latest commits. No action needed."
+        else
+          echo "✅ Sync process completed. New PR created or existing PR updated."
+        fi

OWNERS_ALIASES

@@ -0,0 +1,7 @@
+aliases:
+  approve-lake-gate:
+    - abhijeet-dhumal
+    - ChughShilpa
+    - efazal
+    - kapil27
+    - sutaakar