add sync-upstream action #538

Open
wants to merge 1 commit into base: master

Conversation

brooksn
Contributor

@brooksn brooksn commented Feb 5, 2025

This PR adds a reusable action to sync a forked repo with any number of upstream branches

  • maintains upstream history
  • adds checks to branches

Intended workflow:

```mermaid
graph TB
    %% Upstream
    subgraph "Upstream"
        UP_Main["Main Branch"]
        UP_Release["Release Branch (1.2)"]
    end

    %% Fork
    subgraph "Fork"
        FORK_Main["Main Branch"]
        FORK_Release["Release Branch (1.2)"]
        FORK_CVE["CVE Patch Branch (release-1.2-cve1)"]
    end

    %% Sync Workflow (runs in main branch)
    subgraph "Sync Workflow"
        Sync_Action["GitHub Action: Sync Upstream Release"]
    end

    %% Security Patch Process
    subgraph "Security Patch Process"
        Step_Create["1. Create CVE Branch"]
        Step_PR["2. Open Pull Request"]
        Step_Merge["3. Squash & Merge"]
        Step_Tag["4. Tag Release"]
    end

    %% Sync Workflow Connections
    FORK_Main --> Sync_Action
    UP_Release -->|Sync| Sync_Action
    Sync_Action --> FORK_Release

    %% Security Patch Process Connections
    FORK_Release -->|Branch off to create| FORK_CVE
    Step_Create --> FORK_CVE
    FORK_CVE --> Step_PR
    Step_PR --> Step_Merge
    Step_Merge --> Step_Tag
```

Signed-off-by: Brooks Newberry <[email protected]>
@nicholasSUSE
Contributor

Congratulations on the Mermaid Flowgram!

@nicholasSUSE nicholasSUSE left a comment

The GITHUB_TOKEN secrets are being deprecated; we have to use the token from the vault.

```yaml
- name: Update branch status
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

```yaml
    GH_TOKEN: ${{ steps.app-token.outputs.token }}
  run: |
    git checkout -B ${{ matrix.branch }} upstream/${{ matrix.branch }}
    git push -f origin ${{ matrix.branch }}
```


```yaml
- name: Load Secrets from Vault
  continue-on-error: false
  uses: rancher-eio/read-vault-secrets@main
  with:
    secrets: |
      secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ;
      secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY ;

- name: Create App Token
  continue-on-error: false
  uses: actions/create-github-app-token@v1
  id: app-token
  with:
    app-id: ${{ env.APP_ID }}
    private-key: ${{ env.PRIVATE_KEY }}
```
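Putting the PR description (a matrix of upstream branches, `git checkout -B` onto `upstream/<branch>`, then a push to the fork) together with the reviewer's Vault/App-token steps, this is what a complete sync job looks like. It is an added example written for this thread, not the workflow file from the PR or from the project. The trigger, `actions/checkout@v4`, the upstream repository name (`example-org/upstream-repo`), the branch list, and the switch from `-f` to `--force-with-lease` are all assumptions or choices made here; the Vault paths and the two token steps are taken from the reviewer's snippet above.

```yaml
# Added example, not the workflow file from this PR. Assumed (not on the page):
# the trigger, actions/checkout@v4, the upstream repository name and the branch list.
name: sync-upstream

on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * *"   # assumed: nightly

# Keep the default GITHUB_TOKEN read-only; every write below uses the App token.
permissions:
  contents: read

jobs:
  sync:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        branch: [master, release-1.2]   # assumed upstream branches to mirror

    steps:
      - name: Load Secrets from Vault
        uses: rancher-eio/read-vault-secrets@main
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ;
            secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY ;

      - name: Create App Token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ env.APP_ID }}
          private-key: ${{ env.PRIVATE_KEY }}

      - name: Checkout fork
        uses: actions/checkout@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0               # full history, so the fork keeps upstream history intact
          persist-credentials: false   # do not leave the token behind in .git/config

      - name: Sync ${{ matrix.branch }} from upstream
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          BRANCH: ${{ matrix.branch }}              # passed via env, never spliced into the script
          UPSTREAM_REPO: example-org/upstream-repo  # assumed upstream; not on the page
        run: |
          set -euo pipefail
          git remote add upstream "https://github.com/${UPSTREAM_REPO}.git"
          git fetch upstream "refs/heads/${BRANCH}:refs/remotes/upstream/${BRANCH}"
          git checkout -B "${BRANCH}" "upstream/${BRANCH}"
          # Push with the App token. --force-with-lease refuses the update if
          # origin/<branch> moved since checkout fetched it; a bare -f would not.
          git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
          git push --force-with-lease origin "${BRANCH}"
```

The PR's "Update branch status" step is left out because the page does not show what it runs; in this layout it would simply reuse `GH_TOKEN` from the App token step, as the reviewer suggests. Passing `matrix.branch` through `env` rather than interpolating `${{ }}` into the `run` script is a habit worth keeping even when the branch list is a literal, since a later change to a computed matrix would otherwise turn the branch name into a shell-injection vector.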
