More exact balance change reasons in tracing #2692
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Merge Checks | |
| on: | |
| # Using pull_request_target for security. If we had used pull_request, then it | |
| # would be possible for malicious actors to create Pull Requests which would | |
| # trigger workflows that they could have modified locally to extract secrets. | |
| # For this reason, the pins below must be updated and merged in a separate PR | |
| # before the PR that changes the actual submodule pins. | |
| pull_request_target: | |
| branches: [ master ] | |
| types: [synchronize, opened, reopened] | |
| permissions: | |
| statuses: write | |
| jobs: | |
| submodule-pin-check: | |
| name: Check Submodule Pin | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| submodules: true | |
| persist-credentials: false | |
| ref: "${{ github.event.pull_request.head.sha }}" | |
| - name: Check all submodules are ancestors of origin/HEAD or configured branch | |
| run: | | |
| status_state="pending" | |
| declare -Ar exceptions=( | |
| [contracts]=origin/develop | |
| [contracts-legacy]=origin/v2-main | |
| [nitro-testnode]=origin/master | |
| [bold]=origin/main | |
| [arbitrator/langs/c]=origin/vm-storage-cache | |
| [arbitrator/tools/wasmer]=origin/stylus | |
| ) | |
| divergent=0 | |
| for mod in `git submodule --quiet foreach 'echo $name'`; do | |
| branch=origin/HEAD | |
| if [[ -v exceptions[$mod] ]]; then | |
| branch=${exceptions[$mod]} | |
| fi | |
| if ! git -C $mod merge-base --is-ancestor HEAD $branch; then | |
| echo $mod diverges from $branch | |
| divergent=1 | |
| fi | |
| done | |
| if [ $divergent -eq 0 ]; then | |
| status_state="success" | |
| else | |
| resp="$(curl -sSL --fail-with-body \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "https://api.github.com/repos/$GITHUB_REPOSITORY/commits/${{ github.event.pull_request.head.sha }}/statuses")" | |
| if ! jq -e '.[] | select(.context == "Submodule Pin Check")' > /dev/null <<< "$resp"; then | |
| # Submodule pin check is failling and no status exists | |
| # Keep it without a status to keep the green checkmark appearing | |
| # Otherwise, the commit and PR's CI will appear to be indefinitely pending | |
| # Merging will still be blocked until the required status appears | |
| exit 0 | |
| fi | |
| fi | |
| curl -sSL --fail-with-body \ | |
| -X POST \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "https://api.github.com/repos/$GITHUB_REPOSITORY/statuses/${{ github.event.pull_request.head.sha }}" \ | |
| -d '{"context":"Submodule Pin Check","state":"'"$status_state"'"}' |