From 09ddb1a8a0f94409ae121116b5d4b0f9a02915c0 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Wed, 18 Jun 2025 20:43:03 +0200 Subject: [PATCH] workflows: sync merge commits This fixes a problem where each workflow would get their own merge commit. This happens frequently when the target branch is merged into a the same time, different workflows in the same run will run get-merge-commit at different times and thus have different merge commits. Since the jobs don't really depend on each other, this doesn't cause practical problems, yet. But it has already led to strange CI failures in a still unmerged PR, which can be prevented from happening with this clean approach. And yes, this saves a few API calls on every run. --- .github/actions/get-merge-commit/action.yml | 15 +++++++++++---- .github/workflows/build.yml | 5 +++++ .github/workflows/lint.yml | 11 +++++++++++ .github/workflows/pr.yml | 7 +++++++ 4 files changed, 34 insertions(+), 4 deletions(-) diff --git a/.github/actions/get-merge-commit/action.yml b/.github/actions/get-merge-commit/action.yml index 3766ad4f4ea0..aec17bf76858 100644 --- a/.github/actions/get-merge-commit/action.yml +++ b/.github/actions/get-merge-commit/action.yml @@ -3,9 +3,15 @@ name: Get merge commit description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.' inputs: + mergedSha: + description: "The merge commit SHA, previously collected." + type: string merged-as-untrusted: description: "Whether to checkout the merge commit in the ./untrusted folder." type: boolean + targetSha: + description: "The target commit SHA, previously collected." + type: string target-as-trusted: description: "Whether to checkout the target commit in the ./trusted folder." type: boolean 
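Review bot: The descriptions of the new `mergedSha` and `targetSha` inputs do not say that the value is used verbatim as the checkout `ref` for `./untrusted` and `./trusted`, or that setting either one switches off the action's own lookup (see the `if:` added in the next hunk). Later steps rely on the `trusted` folder name, so the contract is worth spelling out, e.g. `description: "Full SHA of the target commit, taken from an earlier get-merge-commit run in the same workflow run, never from PR-controlled data. Skips the lookup."`. The same wording, adapted, applies to `mergedSha`.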
@@ -22,6 +28,7 @@ runs: using: composite steps: - id: commits + if: ${{ !inputs.mergedSha && !inputs.targetSha }} uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | @@ -72,17 +79,17 @@ runs: } throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.") - - if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha + - if: inputs.merged-as-untrusted && (inputs.mergedSha || steps.commits.outputs.mergedSha) # Would be great to do the checkouts in git worktrees of the existing spare checkout instead, # but Nix is broken with them: # https://github.com/NixOS/nix/issues/6073 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ steps.commits.outputs.mergedSha }} + ref: ${{ inputs.mergedSha || steps.commits.outputs.mergedSha }} path: untrusted - - if: inputs.target-as-trusted && steps.commits.outputs.targetSha + - if: inputs.target-as-trusted && (inputs.targetSha || steps.commits.outputs.targetSha) uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ steps.commits.outputs.targetSha }} + ref: ${{ inputs.targetSha || steps.commits.outputs.targetSha }} path: trusted diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 897bde43b645..594081924604 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,6 +2,10 @@ name: Build on: workflow_call: + inputs: + mergedSha: + required: true + type: string secrets: CACHIX_AUTH_TOKEN: required: true @@ -39,6 +43,7 @@ jobs: - name: Check if the PR can be merged and checkout the merge commit uses: ./.github/actions/get-merge-commit with: + mergedSha: ${{ inputs.mergedSha }} merged-as-untrusted: true - uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 19540306148a..4bf917d800db 100644 
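Review bot: The new `if: ${{ !inputs.mergedSha && !inputs.targetSha }}` on the `commits` step skips the lookup as soon as either input is set, so a caller that passes only `mergedSha` with `target-as-trusted: true` gets no `trusted` checkout and no error. The condition added in the following hunk, `inputs.target-as-trusted && (inputs.targetSha || steps.commits.outputs.targetSha)`, is simply false in that case. None of the callers in this patch do that, but the failure is silent for any future one. I would add a guard step with `if: inputs.target-as-trusted && inputs.mergedSha && !inputs.targetSha` that runs `exit 1`, plus the mirror case for `merged-as-untrusted`. Failing is better than falling back to a fresh lookup, which would bring back mismatched commits; the steps list continues outside this hunk.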
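Review bot: `ref: ${{ inputs.targetSha || steps.commits.outputs.targetSha }}` checks out whatever string the caller supplies into `trusted`, and `actions/checkout` accepts branch and tag names there as well as SHAs. Nothing in the action checks that the two inputs are full commit SHAs, so a future caller passing a branch name or an event-payload field would change what `trusted` means without any failure. A small validation step before the two checkouts would pin this down, with the values passed through `env` rather than interpolated into the script. It does not prove the commit belongs to the target branch, only that the reference is immutable.

```yaml
    # … unchanged: commits step …
    - if: inputs.mergedSha || inputs.targetSha
      shell: bash
      env:
        MERGED_SHA: ${{ inputs.mergedSha }}
        TARGET_SHA: ${{ inputs.targetSha }}
      run: |
        for sha in "$MERGED_SHA" "$TARGET_SHA"; do
          if [[ -n "$sha" && ! "$sha" =~ ^[0-9a-f]{40}$ ]]; then
            echo "::error::expected a full 40-character commit SHA"
            exit 1
          fi
        done
    # … unchanged: the two actions/checkout steps …
```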
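Review bot: The new `workflow_call` input `mergedSha` in build.yml has no `description`, and `required: true` presumably only forces the caller to pass the key, not a non-empty value. If `needs.prepare.outputs.mergedSha` can be empty (not visible here), `inputs.mergedSha` is falsy and get-merge-commit falls back to its own lookup, which is the per-workflow behaviour this commit sets out to remove. I would at least document that, e.g. `description: "Merge commit SHA from the prepare job; an empty value falls back to a fresh lookup."`. The same applies to the `mergedSha` and `targetSha` inputs added in lint.yml.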
--- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,6 +2,13 @@ name: Lint on: workflow_call: + inputs: + mergedSha: + required: true + type: string + targetSha: + required: true + type: string permissions: {} @@ -19,6 +26,7 @@ jobs: - name: Check if the PR can be merged and checkout the merge commit uses: ./.github/actions/get-merge-commit with: + mergedSha: ${{ inputs.mergedSha }} merged-as-untrusted: true - uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31 @@ -50,6 +58,7 @@ jobs: - name: Check if the PR can be merged and checkout the merge commit uses: ./.github/actions/get-merge-commit with: + mergedSha: ${{ inputs.mergedSha }} merged-as-untrusted: true - uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31 @@ -72,7 +81,9 @@ jobs: - name: Check if the PR can be merged and checkout merged and target commits uses: ./.github/actions/get-merge-commit with: + mergedSha: ${{ inputs.mergedSha }} merged-as-untrusted: true + targetSha: ${{ inputs.targetSha }} target-as-trusted: true - uses: cachix/install-nix-action@17fe5fb4a23ad6cbbe47d6b3f359611ad276644c # v31 diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index df2573b39414..51828270178f 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -48,7 +48,11 @@ jobs: lint: name: Lint + needs: [prepare] uses: ./.github/workflows/lint.yml + with: + mergedSha: ${{ needs.prepare.outputs.mergedSha }} + targetSha: ${{ needs.prepare.outputs.targetSha }} eval: name: Eval @@ -68,6 +72,9 @@ jobs: build: name: Build + needs: [prepare] uses: ./.github/workflows/build.yml secrets: CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} + with: + mergedSha: ${{ needs.prepare.outputs.mergedSha }}
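Review bot: With `needs: [prepare]` added to `lint` in pr.yml (and to `build` in the last hunk), both jobs are skipped rather than failed whenever `prepare` fails or is cancelled. GitHub treats a skipped job as passing for required status checks, so if branch protection keys on these job names, a broken `prepare` could let a PR through without lint or build having run. The protection settings are not visible here, so this needs confirming. I would add a comment above the `needs` line, e.g. `# prepare must succeed; a skipped lint job must not count as a pass`, and make sure `prepare` itself is a required check.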