sync-team dry-run #2416
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow executes a dry-run of the sync-team tool after a push to any pull request. | |
| # This allows us to see which changes would be applied to live services after the PR | |
| # would be merged. | |
| # | |
| # The workflow uses the `workflow_run` trigger, which should always run in the default branch of | |
| # this repository. This is required so that the workflow has permissions to post PR comments. | |
| # We should not check out any code from the PR, as it could present a security hazard. | |
| # Instead, we simply download a GitHub artifact with a directory of JSON files and use that as | |
| # input for sync-team. | |
| # This artifact is created and uploaded on PR pushes using the CI workflow in `main.yml`. | |
| # Details about `workflow_run`: | |
| # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_run: | |
| name: sync-team dry-run | |
| on: | |
| workflow_run: | |
| workflows: [ CI ] | |
| types: | |
| - completed | |
| jobs: | |
| dry-run: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }} | |
| concurrency: | |
| # Only run this once at a time on any given PR | |
| group: dry-run-${{ github.event.workflow_run.head_branch }} | |
| cancel-in-progress: true | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| # If the PR is from this repository, checkout the PR sha, | |
| # so that we can also test code changes. | |
| # If it is from a fork, then always checkout the 'main' branch, | |
| # to avoid checking out code of untrusted PRs. | |
| ref: ${{ github.event.workflow_run.head_repository.full_name != 'rust-lang/team' && 'main' || github.event.workflow_run.head_sha }} | |
| persist-credentials: false | |
| - name: Setup Rust | |
| uses: ./.github/actions/setup-rust | |
| - name: Download built JSON API | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: team-api-output | |
| path: team-api | |
| run-id: ${{ github.event.workflow_run.id }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate GitHub App tokens | |
| uses: ./.github/actions/generate-tokens | |
| id: generate-tokens | |
| with: | |
| app-id: ${{ secrets.SYNC_TEAM_GH_APP_ID }} | |
| private-key: ${{ secrets.SYNC_TEAM_GH_APP_PRIVATE_KEY }} | |
| - name: Run sync-team dry-run check | |
| env: | |
| GITHUB_TOKEN_RUST_LANG: ${{ steps.generate-tokens.outputs.rust-lang-token }} | |
| GITHUB_TOKEN_RUST_LANG_DEPRECATED: ${{ steps.generate-tokens.outputs.rust-lang-deprecated-token }} | |
| GITHUB_TOKEN_RUST_LANG_NURSERY: ${{ steps.generate-tokens.outputs.rust-lang-nursery-token }} | |
| GITHUB_TOKEN_BORS_RS: ${{ steps.generate-tokens.outputs.bors-rs-token }} | |
| GITHUB_TOKEN_RUST_ANALYZER: ${{ steps.generate-tokens.outputs.rust-analyzer-token }} | |
| GITHUB_TOKEN_RUST_EMBEDDED: ${{ steps.generate-tokens.outputs.rust-embedded-token }} | |
| GITHUB_TOKEN_RUST_DEV_TOOLS: ${{ steps.generate-tokens.outputs.rust-dev-tools-token }} | |
| # We do not want to use the full crates-io token in the dry-run. | |
| # However, even without a token, we can actually read most of the crates.io state that we | |
| # need to print a diff. | |
| CRATES_IO_TOKEN: "" | |
| CRATES_IO_USERNAME: "rust-lang-owner" | |
| # This applies pipefail, so that the tee pipeline below fails when sync-team fails. | |
| shell: bash | |
| run: | | |
| # Perform build and execution separately to avoid any potential output from | |
| # cargo leaking into the output file. | |
| cargo build --release | |
| ./target/release/rust-team sync print-plan \ | |
| --services crates-io,github \ | |
| --src team-api 2>&1 | tee -a output.txt | |
| - name: Prepare comment | |
| run: | | |
| cat > comment.txt << EOL | |
| <details> | |
| <summary>Dry-run check results</summary> | |
| <pre><code> | |
| EOL | |
| cat output.txt >> comment.txt | |
| printf "</pre></code>\n</details>\n" >> comment.txt | |
| cat comment.txt | |
| - name: Extract PR number | |
| run: | | |
| # We read the PR number that is stored in the uploaded archive | |
| # and check that it is an integer (as the workflow could upload whatever it wants). | |
| UNSANITIZED_PR=`cat team-api/pr.txt` | |
| if [[ ${UNSANITIZED_PR} =~ ^[0-9]+$ ]]; then | |
| echo "PR_NUMBER=${UNSANITIZED_PR}" >> $GITHUB_ENV | |
| else | |
| echo "Invalid PR number passed: ${UNSANITIZED_PR}" | |
| exit 1 | |
| fi | |
| - name: Send comment | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| PR=${PR_NUMBER} | |
| echo "Pull request ${PR}" | |
| gh pr comment ${PR} --repo rust-lang/team --body-file comment.txt \ | |
| --edit-last \ | |
| --create-if-none |