Upstream-sync → protected master #793
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Upstream-sync → protected master | |
| on: | |
| schedule: # run every night | |
| - cron: '7 2 * * *' | |
| workflow_dispatch: # (optional) manual trigger | |
| permissions: # minimum perms the job needs | |
| contents: write # push the sync branch | |
| pull-requests: write # open, approve & merge the PR | |
| concurrency: # never let two syncs race | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| sync: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # 1. full clone so we always have the latest tip | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # 2. fetch upstream & copy it to a side branch | |
| - name: Update upstream-sync branch | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Configure git identity | |
| git config --global user.email "[email protected]" | |
| git config --global user.name "GitHub Action" | |
| git remote add upstream https://github.com/openjdk/jdk17u-dev.git | |
| git fetch upstream master | |
| echo "=== Current branch status ===" | |
| git log --oneline -5 | |
| echo "=== Upstream status ===" | |
| git log --oneline -5 upstream/master | |
| # Create sync branch from current master to preserve workflows | |
| git checkout -B upstream-sync origin/master | |
| echo "=== About to merge upstream changes ===" | |
| git log --oneline -1 HEAD | |
| git log --oneline -1 upstream/master | |
| # Simple merge approach - let's see what happens | |
| if git merge upstream/master --no-edit --allow-unrelated-histories; then | |
| echo "=== Merge successful ===" | |
| git log --oneline -5 | |
| else | |
| echo "=== Merge failed, trying alternative approach ===" | |
| git merge --abort || true | |
| git reset --hard upstream/master | |
| # Restore our workflow files after taking upstream | |
| git checkout origin/master -- .github/workflows/ | |
| git add .github/workflows/ | |
| git commit -m "Preserve local workflow files during upstream sync" | |
| echo "=== Alternative approach completed ===" | |
| git log --oneline -5 | |
| fi | |
| echo "=== Final branch status before push ===" | |
| git log --oneline -10 | |
| git push -f origin upstream-sync | |
| # 3. Open or update the PR `upstream-sync -> master` | |
| - name: Create or update pull request | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Check if PR already exists using REST API | |
| PR_EXISTS=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ | |
| "https://api.github.com/repos/${{ github.repository }}/pulls?head=${{ github.repository_owner }}:upstream-sync&base=master" \ | |
| | jq -r '.[0].number // empty') | |
| if [ -n "$PR_EXISTS" ]; then | |
| echo "PR #$PR_EXISTS already exists, updating it" | |
| curl -s -X PATCH -H "Authorization: token $GITHUB_TOKEN" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_EXISTS" \ | |
| -d '{ | |
| "title": "Automated upstream merge", | |
| "body": "Nightly sync of openjdk/jdk17u-dev:master into this fork" | |
| }' | |
| else | |
| echo "Creating new PR" | |
| PR_RESPONSE=$(curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/${{ github.repository }}/pulls" \ | |
| -d '{ | |
| "title": "Automated upstream merge", | |
| "body": "Nightly sync of openjdk/jdk17u-dev:master into this fork", | |
| "head": "upstream-sync", | |
| "base": "master" | |
| }') | |
| PR_NUMBER=$(echo "$PR_RESPONSE" | jq -r '.number') | |
| echo "Created PR #$PR_NUMBER" | |
| fi | |
| # 4. Auto-approve that PR | |
| - name: Auto-approve PR | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| PR_NUMBER=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ | |
| "https://api.github.com/repos/${{ github.repository }}/pulls?head=${{ github.repository_owner }}:upstream-sync&base=master" \ | |
| | jq -r '.[0].number') | |
| if [ "$PR_NUMBER" != "null" ] && [ -n "$PR_NUMBER" ]; then | |
| echo "Auto-approving PR #$PR_NUMBER" | |
| curl -s -X POST -H "Authorization: token $GITHUB_TOKEN" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER/reviews" \ | |
| -d '{ | |
| "event": "APPROVE", | |
| "body": "Auto-approved upstream sync" | |
| }' | |
| fi | |
| # 5. Enable auto-merge so GitHub merges as soon as | |
| # branch protection requirements are satisfied | |
| - name: Enable auto-merge | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| PR_NUMBER=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \ | |
| "https://api.github.com/repos/${{ github.repository }}/pulls?head=${{ github.repository_owner }}:upstream-sync&base=master" \ | |
| | jq -r '.[0].number') | |
| if [ "$PR_NUMBER" != "null" ] && [ -n "$PR_NUMBER" ]; then | |
| echo "Enabling auto-merge for PR #$PR_NUMBER" | |
| curl -s -X PUT -H "Authorization: token $GITHUB_TOKEN" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER/merge" \ | |
| -d '{ | |
| "merge_method": "merge" | |
| }' || echo "Auto-merge may not be available or already enabled" | |
| fi |