workflows: sync merge commits

This fixes a problem where each workflow would get their own merge
commit. This happens frequently when the target branch is merged into at
the same time: different workflows in the same run will run
get-merge-commit at different times and thus have different merge
commits.

Since the jobs don't really depend on each other, this doesn't cause
practical problems, yet. But it has already led to strange CI failures
in a still unmerged PR, which can be prevented from happening with this
clean approach.

And yes, this saves a few API calls on every run.
Wolfgang Walther 2025-06-18 20:43:03 +02:00
parent 9422f30e47
commit 09ddb1a8a0
No known key found for this signature in database
GPG Key ID: B39893FA5F65CAE1
4 changed files with 34 additions and 4 deletions


@ -3,9 +3,15 @@ name: Get merge commit
description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
inputs:
mergedSha:
description: "The merge commit SHA, previously collected."
type: string
merged-as-untrusted:
description: "Whether to checkout the merge commit in the ./untrusted folder."
type: boolean
targetSha:
description: "The target commit SHA, previously collected."
type: string
target-as-trusted:
description: "Whether to checkout the target commit in the ./trusted folder."
type: boolean
@ -22,6 +28,7 @@ runs:
using: composite
steps:
- id: commits
if: ${{ !inputs.mergedSha && !inputs.targetSha }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
@ -72,17 +79,17 @@ runs:
}
throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.")
- if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha
- if: inputs.merged-as-untrusted && (inputs.mergedSha || steps.commits.outputs.mergedSha)
# Would be great to do the checkouts in git worktrees of the existing spare checkout instead,
# but Nix is broken with them:
# https://github.com/NixOS/nix/issues/6073
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.commits.outputs.mergedSha }}
ref: ${{ inputs.mergedSha || steps.commits.outputs.mergedSha }}
path: untrusted
- if: inputs.target-as-trusted && steps.commits.outputs.targetSha
- if: inputs.target-as-trusted && (inputs.targetSha || steps.commits.outputs.targetSha)
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ steps.commits.outputs.targetSha }}
ref: ${{ inputs.targetSha || steps.commits.outputs.targetSha }}
path: trusted
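Review bot: The `if: ${{ !inputs.mergedSha && !inputs.targetSha }}` guard on the `commits` step skips the lookup as soon as either input is set, so a caller that passes only `mergedSha` while setting `target-as-trusted: true` gets no `./trusted` checkout and no error, because `inputs.targetSha || steps.commits.outputs.targetSha` is then empty. Any later step that expects `./trusted` would then fail far from the cause. I would state the pairing in the input description, e.g. `description: "The target commit SHA, previously collected. Must be passed together with mergedSha when target-as-trusted is set."`, or add a first step that fails when exactly one of the two is given. Since `targetSha` now decides what lands in `./trusted`, the description should also say that the value must be the output of an earlier run of this action and never pull-request-controlled data. The `commits` script body lies between the second and third hunks and is not visible here.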


@ -2,6 +2,10 @@ name: Build
on:
workflow_call:
inputs:
mergedSha:
required: true
type: string
secrets:
CACHIX_AUTH_TOKEN:
required: true
@ -39,6 +43,7 @@ jobs:
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
with:
mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true
- uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31
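Review bot: An empty `mergedSha` is not rejected anywhere on this path: as far as I know, `required: true` on a `workflow_call` input is satisfied by an expression that evaluates to an empty string, and in the action the `commits` step runs again whenever both SHA inputs are empty. If the caller's `prepare` output is ever empty (its definition is outside this diff), this job would quietly compute its own merge commit, which is the desync the change sets out to remove. A job-level guard such as `if: inputs.mergedSha != ''`, or an early step that fails on an empty value, would make that case explicit. The same applies to the three call sites in the Lint workflow. The new inputs would also benefit from a `description:` saying the SHA comes from the `prepare` job.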


@ -2,6 +2,13 @@ name: Lint
on:
workflow_call:
inputs:
mergedSha:
required: true
type: string
targetSha:
required: true
type: string
permissions: {}
@ -19,6 +26,7 @@ jobs:
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
with:
mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true
- uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31
@ -50,6 +58,7 @@ jobs:
- name: Check if the PR can be merged and checkout the merge commit
uses: ./.github/actions/get-merge-commit
with:
mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true
- uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31
@ -72,7 +81,9 @@ jobs:
- name: Check if the PR can be merged and checkout merged and target commits
uses: ./.github/actions/get-merge-commit
with:
mergedSha: ${{ inputs.mergedSha }}
merged-as-untrusted: true
targetSha: ${{ inputs.targetSha }}
target-as-trusted: true
- uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31


@ -48,7 +48,11 @@ jobs:
lint:
name: Lint
needs: [prepare]
uses: ./.github/workflows/lint.yml
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}
targetSha: ${{ needs.prepare.outputs.targetSha }}
eval:
name: Eval
@ -68,6 +72,9 @@ jobs:
build:
name: Build
needs: [prepare]
uses: ./.github/workflows/build.yml
secrets:
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
with:
mergedSha: ${{ needs.prepare.outputs.mergedSha }}