training-operator/.github/workflows/approve-ocean-gate.yml at dev · opendatahub-io/training-operator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# This workflow handles "/approve" comments on PRs with "ocean-gate" label
# It performs a fast-forward merge of the rhoai branch to point to the same commit as the temporary branch
#
# This workflow uses the built-in GITHUB_TOKEN with the required permissions set below.

name: Approve Ocean Gate PR

on:
  issue_comment:
    types: [created]

permissions:
  contents: write
  pull-requests: write

jobs:
  approve-ocean-gate:
    runs-on: ubuntu-latest
    if: github.event.issue.pull_request && contains(github.event.comment.body, '/approve') && contains(github.event.issue.labels.*.name, 'ocean-gate')

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        fetch-depth: 0
        token: ${{ secrets.GITHUB_TOKEN }}

    - name: Disallow forks
      run: |
        set -euo pipefail
        PR_NUMBER="${{ github.event.issue.number }}"
        IS_CROSS=$(gh pr view "$PR_NUMBER" --json isCrossRepository --jq '.isCrossRepository')
        if [ "$IS_CROSS" = "true" ]; then
          gh pr comment "$PR_NUMBER" --body "❌ Cannot approve: fork-based PRs are not supported for ocean-gate. Please open the PR from a branch in the main repository."
          exit 1
        fi
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - name: Check if user is authorized to approve
      run: |
        set -euo pipefail
        COMMENT_USER="${{ github.event.comment.user.login }}"
        echo "Checking authorization for user: $COMMENT_USER"

        # Check if the user is in the approve-ocean-gate alias in OWNERS_ALIASES file
        if yq eval '.aliases.approve-ocean-gate[] | select(. == "'${COMMENT_USER}'")' OWNERS_ALIASES | grep -q "${COMMENT_USER}"; then
          echo "✅ User ${COMMENT_USER} is authorized to approve ocean-gate PRs"
        else
          echo "❌ User ${COMMENT_USER} is not authorized to approve ocean-gate PRs"

          # Show available approvers for debugging
          echo "Available approve-ocean-gate users:"
          yq eval '.aliases.approve-ocean-gate[]' OWNERS_ALIASES || echo "No approve-ocean-gate alias found"

          gh pr comment "${{ github.event.issue.number }}" --body "❌ @${COMMENT_USER} is not authorized to approve ocean-gate PRs. Only users listed in the approve-ocean-gate alias in OWNERS_ALIASES file can approve."
          exit 1
        fi
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - name: Configure Git
      run: |
        git config --global user.name "github-actions[bot]"
        git config --global user.email "github-actions[bot]@users.noreply.github.com"

    - name: Get PR details and perform fast-forward merge
      run: |
        set -euo pipefail
        PR_NUMBER="${{ github.event.issue.number }}"

        # Get PR details
        PR_DATA=$(gh pr view "$PR_NUMBER" --json headRefName,baseRefName)
        HEAD_BRANCH=$(echo "$PR_DATA" | jq -r '.headRefName')
        BASE_BRANCH=$(echo "$PR_DATA" | jq -r '.baseRefName')

        echo "PR #$PR_NUMBER details:"
        echo "  Head branch: $HEAD_BRANCH"
        echo "  Base branch: $BASE_BRANCH"

        # Ensure we're working with the rhoai branch as base
        if [ "$BASE_BRANCH" != "rhoai" ]; then
          echo "Error: PR base branch is not 'rhoai'. Expected 'rhoai', got '$BASE_BRANCH'"
          exit 1
        fi

        # Fetch all refs
        git fetch origin

        # Switch to and update rhoai branch
        git switch rhoai
        git reset --hard origin/rhoai

        # Switch to the temporary branch from the PR
        git switch "$HEAD_BRANCH"
        git reset --hard origin/"$HEAD_BRANCH"

        # Get the commit that the temporary branch points to
        TEMP_BRANCH_COMMIT=$(git rev-parse HEAD)
        echo "Temporary branch commit: $TEMP_BRANCH_COMMIT"

        # Switch back to rhoai and perform fast-forward merge
        git switch rhoai

        # Check if we can fast-forward merge
        if git merge-base --is-ancestor rhoai "$TEMP_BRANCH_COMMIT"; then
          echo "Performing fast-forward merge of rhoai to $TEMP_BRANCH_COMMIT"
          git reset --hard "$TEMP_BRANCH_COMMIT"

          # Push the updated rhoai branch
          git push origin rhoai

          echo "✅ Successfully fast-forwarded rhoai branch to commit $TEMP_BRANCH_COMMIT"

          # Wait a moment for GitHub to process the push
          sleep 2

          # Check PR status and close if still open
          PR_STATE=$(gh pr view "$PR_NUMBER" --json state --jq '.state')
          if [ "$PR_STATE" = "OPEN" ]; then
            echo "PR is still open, closing it manually..."
            gh pr close "$PR_NUMBER" --comment "✅ Approved and merged! The rhoai branch has been fast-forwarded to point to the same commit as this temporary branch."
          else
            echo "PR was automatically closed by GitHub (state: $PR_STATE)"
            # Add a comment to the already-closed PR
            gh pr comment "$PR_NUMBER" --body "✅ Approved and merged! The rhoai branch has been fast-forwarded to point to the same commit as this temporary branch."
          fi

          # Clean up the temporary branch after some delay
          sleep 5  # Brief pause to ensure PR operations complete
          echo "Cleaning up temporary branch: $HEAD_BRANCH"

          # Guard: Only delete branches that match the expected ocean-gate pattern
          if [[ "$HEAD_BRANCH" =~ ^ocean-gate- ]]; then
            echo "Branch matches ocean-gate pattern, proceeding with deletion..."
            git push origin --delete "$HEAD_BRANCH" || {
              echo "Warning: Failed to delete branch $HEAD_BRANCH (it may have already been deleted)"
            }
          else
            echo "Warning: Branch '$HEAD_BRANCH' does not match expected ocean-gate pattern (ocean-gate-*). Skipping deletion to prevent accidental removal of non-ocean-gate branches."
          fi

        else
          echo "Error: Cannot fast-forward merge. The rhoai branch is not an ancestor of the temporary branch commit."
          gh pr comment "$PR_NUMBER" --body "❌ Cannot approve: Fast-forward merge is not possible. The rhoai branch is not an ancestor of the temporary branch. Please rebase or recreate the PR."
          exit 1
        fi
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    - name: Summary
      run: |
        echo "✅ Ocean-gate PR approved and merged successfully via fast-forward merge."