Unverified Commit d6d9c612 authored by Philip Taron's avatar Philip Taron Committed by GitHub
Browse files

Improve PR merge check for CI (#347786)

parents 90c3e1b2 e6a8855a

.github/workflows/nixpkgs-vet.yml

+9 −39
Original line number Diff line number Diff line
@@ -26,52 +26,22 @@ jobs: 
    # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.

    timeout-minutes: 10

    steps:

      # This step has to be in this file, because it's needed to determine which revision of the repository to fetch, and we can only use other files from the repository once it's fetched.

      # This checks out the base branch because of pull_request_target

      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

        with:

          path: base

          sparse-checkout: ci

      - name: Resolving the merge commit

        env:

          GH_TOKEN: ${{ github.token }}

        run: |

          # This checks for mergeability of a pull request as recommended in

          # https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests



          # Retry the API query this many times

          retryCount=5

          # Start with 5 seconds, but double every retry

          retryInterval=5

          while true; do

            echo "Checking whether the pull request can be merged"

            prInfo=$(gh api \

              -H "Accept: application/vnd.github+json" \

              -H "X-GitHub-Api-Version: 2022-11-28" \

              /repos/"$GITHUB_REPOSITORY"/pulls/${{ github.event.pull_request.number }})

            mergeable=$(jq -r .mergeable <<< "$prInfo")

            mergedSha=$(jq -r .merge_commit_sha <<< "$prInfo")



            if [[ "$mergeable" == "null" ]]; then

              if (( retryCount == 0 )); then

                echo "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"

                exit 1

              else

                (( retryCount -= 1 )) || true



                # null indicates that GitHub is still computing whether it's mergeable

                # Wait a couple seconds before trying again

                echo "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"

                sleep "$retryInterval"



                (( retryInterval *= 2 )) || true

              fi

            else

              break

            fi

          done



          if [[ "$mergeable" == "true" ]]; then

            echo "The PR can be merged, checking the merge commit $mergedSha"

          if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then

            echo "Checking the merge commit $mergedSha"

            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"

          else

            echo "The PR cannot be merged, it has a merge conflict, skipping the rest.."

            echo "Skipping the rest..."

          fi

          rm -rf base

      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

        if: env.mergedSha

        with:

ci/README.md

+55 −0
Original line number Diff line number Diff line
@@ -41,3 +41,58 @@ Why not just build the tooling right from the PRs Nixpkgs version? 
- Because it improves security, since we don't have to build potentially untrusted code from PRs.

  The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).



## `get-merge-commit.sh GITHUB_REPO PR_NUMBER`



Check whether a PR is mergeable and return the test merge commit as

[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests).



Arguments:

- `GITHUB_REPO`: The repository of the PR, e.g. `NixOS/nixpkgs`

- `PR_NUMBER`: The PR number, e.g. `1234`



Exit codes:

- 0: The PR can be merged, the test merge commit hash is returned on stdout

- 1: The PR cannot be merged because it's not open anymore

- 2: The PR cannot be merged because it has a merge conflict

- 3: The merge commit isn't being computed, GitHub is likely having internal issues, unknown if the PR is mergeable



### Usage



This script can be used in GitHub Actions workflows as follows:



```yaml

on: pull_request_target



# We need a token to query the API, but it doesn't need any special permissions

permissions: {}



jobs:

  build:

    name: Build

    runs-on: ubuntu-latest

    steps:

      # Important: Because of `pull_request_target`, this doesn't check out the PR,

      # but rather the base branch of the PR, which is needed so we don't run untrusted code

      - uses: actions/checkout@<VERSION>

        with:

          path: base

          sparse-checkout: ci

      - name: Resolving the merge commit

        env:

          GH_TOKEN: ${{ github.token }}

        run: |

          if mergedSha=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then

            echo "Checking the merge commit $mergedSha"

            echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"

          else

            # Skipping so that no notifications are sent

            echo "Skipping the rest..."

          fi

          rm -rf base

      - uses: actions/checkout@<VERSION>

        # Add this to _all_ subsequent steps to skip them

        if: env.mergedSha

        with:

          ref: ${{ env.mergedSha }}

      - ...

```

ci/get-merge-commit.sh

0 → 100755
+62 −0
Original line number Diff line number Diff line 
#!/usr/bin/env bash

# See ./README.md for docs



set -euo pipefail



log() {

    echo "$@" >&2

}



if (( $# < 2 )); then

    log "Usage: $0 GITHUB_REPO PR_NUMBER"

    exit 99

fi

repo=$1

prNumber=$2



# Retry the API query this many times

retryCount=5

# Start with 5 seconds, but double every retry

retryInterval=5



while true; do

    log "Checking whether the pull request can be merged"

    prInfo=$(gh api \

        -H "Accept: application/vnd.github+json" \

        -H "X-GitHub-Api-Version: 2022-11-28" \

        "/repos/$repo/pulls/$prNumber")



    # Non-open PRs won't have their mergeability computed no matter what

    state=$(jq -r .state <<< "$prInfo")

    if [[ "$state" != open ]]; then

        log "PR is not open anymore"

        exit 1

    fi



    mergeable=$(jq -r .mergeable <<< "$prInfo")

    if [[ "$mergeable" == "null" ]]; then

        if (( retryCount == 0 )); then

            log "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"

            exit 3

        else

            (( retryCount -= 1 )) || true



            # null indicates that GitHub is still computing whether it's mergeable

            # Wait a couple seconds before trying again

            log "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"

            sleep "$retryInterval"



            (( retryInterval *= 2 )) || true

        fi

    else

        break

    fi

done



if [[ "$mergeable" == "true" ]]; then

    log "The PR can be merged"

    jq -r .merge_commit_sha <<< "$prInfo"

else

    log "The PR has a merge conflict"

    exit 2

fi