nightly-merge #410
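# Fast-forwards the `nightly` branch to the most recent `develop` commit whose
# "build" workflow run (push event) concluded successfully.
#
# Job 1 (check-develop-status) queries the Actions API for that commit and
# decides whether `nightly` needs to move. Job 2 (nightly-merge) performs the
# fast-forward and pushes, and only runs when job 1 reports changes.
#
# Secrets and job outputs are handed to the shell through `env:` rather than
# being expanded into the script text with `${{ ... }}`, so the shell never
# parses them as code and the token is not written into the generated script.
name: nightly-merge

permissions:  # Principle of least privilege
  contents: read
  actions: read

on:
  push:
    branches: [nightly-merge-test]
  schedule:
    - cron: '0 14 * * *'  # At 14:00 UTC daily

jobs:
  check-develop-status:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      develop_sha: ${{ steps.check-workflow.outputs.sha }}
      has_changes: ${{ steps.check-workflow.outputs.has_changes }}
    steps:
      # https://github.com/step-security/harden-runner
      # NOTE(review): `audit` only records outbound connections, it does not
      # block them. Once the audit results are known, consider
      # `egress-policy: block` with an explicit `allowed-endpoints` list.
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76  # v2.14.0
        with:
          egress-policy: audit

      - name: Checkout repository
        # https://github.com/actions/checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
        with:
          # Keep the token out of .git/config; this job only reads.
          persist-credentials: false
          token: ${{ secrets.NIGHTLY_TOKEN }}
          fetch-depth: 0  # Fetch all history for all tags and branches

      - name: Fetch develop branch workflows
        id: fetch-workflows
        env:
          NIGHTLY_TOKEN: ${{ secrets.NIGHTLY_TOKEN }}
        run: |
          set -eo pipefail
          url="https://api.github.com/repos/nautechsystems/nautilus_trader/actions/runs?branch=develop&per_page=50"
          echo "Fetching workflows from: $url"
          # --fail turns an HTTP error (e.g. 401/403 for a bad or expired
          # token) into a non-zero exit instead of saving the error body as if
          # it were the run list.
          if ! curl -sS --fail --retry 5 --retry-delay 2 --retry-all-errors --connect-timeout 5 --max-time 60 \
            -H "Authorization: token ${NIGHTLY_TOKEN}" "$url" > workflow_runs.json; then
            echo "Failed to fetch workflows, exiting"
            exit 1
          fi
          echo "Fetched workflow runs:"
          jq '.' workflow_runs.json

      - name: Check develop branch workflow status
        id: check-workflow
        run: |
          set -eo pipefail
          # Find the most recent successful build workflow
          successful_workflow=$(jq '
            .workflow_runs
            | map(
                select(
                  .name == "build"
                  and .head_branch == "develop"
                  and .event == "push"
                  and .conclusion == "success"
                )
              )
            | sort_by(.created_at)
            | reverse
            | .[0]
          ' workflow_runs.json) || {
            echo "Error parsing workflow data"
            exit 1
          }
          if [[ -z "$successful_workflow" || "$successful_workflow" == "null" ]]; then
            echo "No successful workflows found for the develop branch"
            exit 1
          fi
          echo "Last successful workflow:"
          echo "$successful_workflow" | jq '.'
          develop_sha=$(echo "$successful_workflow" | jq -r '.head_sha')
          # The value comes from an API response and is about to be written to
          # $GITHUB_OUTPUT and consumed by the merge job: accept only a plain
          # hex commit id, so a missing field ("null"), stray whitespace or an
          # embedded newline cannot become an extra output or a git argument.
          if [[ ! "$develop_sha" =~ ^[0-9a-f]{40,64}$ ]]; then
            echo "ERROR: head_sha is not a valid commit id"
            exit 1
          fi
          echo "sha=$develop_sha" >> "$GITHUB_OUTPUT"
          echo "Last successful develop commit: $develop_sha"
          # Check if there are changes between nightly and this develop commit
          if ! git ls-remote --exit-code --heads origin nightly; then
            echo "ERROR: nightly branch does not exist"
            exit 1
          fi
          git fetch origin nightly:nightly
          git fetch origin develop
          nightly_sha=$(git rev-parse nightly)
          echo "Current nightly HEAD: $nightly_sha"
          if [[ "$nightly_sha" == "$develop_sha" ]]; then
            echo "Nightly is already at the last successful develop commit"
            echo "has_changes=false" >> "$GITHUB_OUTPUT"
          else
            # Check if develop commit is ahead of nightly
            if git merge-base --is-ancestor "$nightly_sha" "$develop_sha"; then
              echo "Develop has new changes to merge"
              echo "has_changes=true" >> "$GITHUB_OUTPUT"
            else
              echo "ERROR: nightly branch has diverged from develop"
              echo "Nightly contains commits not in the develop chain"
              exit 1
            fi
          fi

      - name: Cleanup temporary files
        # Remove the saved API response even when an earlier step failed.
        if: always()
        run: rm -f workflow_runs.json

  nightly-merge:
    needs: check-develop-status
    if: needs.check-develop-status.outputs.has_changes == 'true'
    runs-on: ubuntu-latest
    # The push below authenticates with NIGHTLY_TOKEN, so the job's own
    # GITHUB_TOKEN needs nothing beyond read access.
    permissions:
      contents: read
    steps:
      # https://github.com/step-security/harden-runner
      # NOTE(review): `audit` only records outbound connections; see the note
      # on the same step in check-develop-status.
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76  # v2.14.0
        with:
          egress-policy: audit

      - name: Checkout repository
        # https://github.com/actions/checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
        with:
          persist-credentials: false
          token: ${{ secrets.NIGHTLY_TOKEN }}
          fetch-depth: 0  # Fetch all history for all tags and branches

      - name: Configure authenticated git remote
        env:
          NIGHTLY_TOKEN: ${{ secrets.NIGHTLY_TOKEN }}
        # NOTE(review): this stores the token in .git/config for the rest of
        # the job, so `persist-credentials: false` on the checkout does not
        # keep the credential off disk here. Every later step in this job can
        # read it; keep third-party actions out of this job, and scope
        # NIGHTLY_TOKEN to the minimum needed to push `nightly`.
        run: |
          git remote set-url origin \
            "https://x-access-token:${NIGHTLY_TOKEN}@github.com/${GITHUB_REPOSITORY}"

      - name: Configure Git user
        # NOTE(review): the e-mail below appears as the page's e-mail
        # protection rendered it; restore the bot's real address from the
        # repository before using this file.
        run: |
          git config --global user.name "nautilus-trader-bot"
          git config --global user.email "[email protected]"

      - name: Merge last successful develop commit into nightly
        id: merge
        env:
          DEVELOP_SHA: ${{ needs.check-develop-status.outputs.develop_sha }}
        run: |
          set -eo pipefail
          develop_sha="$DEVELOP_SHA"
          # Re-check the format here: this job pushes with a write-capable
          # token and should not trust the upstream output blindly.
          if [[ ! "$develop_sha" =~ ^[0-9a-f]{40,64}$ ]]; then
            echo "ERROR: develop_sha is not a valid commit id"
            exit 1
          fi
          echo "Merging develop commit $develop_sha into nightly"
          if ! git ls-remote --exit-code --heads origin nightly; then
            echo "ERROR: nightly branch does not exist"
            exit 1
          fi
          git fetch origin nightly:nightly
          git fetch origin develop
          git checkout nightly
          # Fast-forward merge from the successful develop commit
          if git merge --ff-only "$develop_sha"; then
            echo "Successfully merged $develop_sha into nightly"
            git push origin nightly
            echo "Changes pushed to nightly"
          else
            echo "ERROR: Fast-forward merge failed - nightly may have diverged from develop"
            exit 1
          fi

      - name: Check merge result
        env:
          DEVELOP_SHA: ${{ needs.check-develop-status.outputs.develop_sha }}
        run: |
          set -eo pipefail
          develop_sha="$DEVELOP_SHA"
          nightly_sha=$(git rev-parse HEAD)
          if [[ "$nightly_sha" == "$develop_sha" ]]; then
            echo "Nightly is now at develop commit $develop_sha"
          else
            echo "Warning: Nightly HEAD does not match expected develop commit"
            exit 1
          fi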