Update dependency lucide-react to v1.23.0 #706
| name: main-red-guard | |
| # Blocks PR merges while the most recent CI run on main is failed or | |
| # cancelled and main HEAD has NOT yet advanced past the failing SHA. | |
| # | |
| # The auto-merge flow on this repo previously allowed PRs to merge into a | |
| # red main when the CI gate ran on a stale SHA: the rapid burst of merges | |
| # cancelled each other's CI runs, leaving "green" only on a SHA that was | |
| # never actually committed. Adding this guard as a required check forces | |
| # the operator to either: | |
| # | |
| # * Wait for the next push to main that produces a green CI run, or | |
| # * Roll forward main with a fix commit that supersedes the failing SHA. | |
| # | |
| # Either way, the next PR merge happens on top of a known-good main. | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, ready_for_review, auto_merge_enabled] | |
| concurrency: | |
| group: main-red-guard-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| actions: read | |
| jobs: | |
| guard: | |
| name: main-red-guard | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| permissions: | |
| contents: read | |
| actions: read | |
| # Only enforce when the PR is targeting main. PRs against other branches | |
| # (release branches, hotfix branches) are out of scope for this gate. | |
| if: github.event.pull_request.base.ref == 'main' | |
| steps: | |
| - name: Harden runner (audit mode) | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: Inspect the most recent completed CI run on main | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| REPO: ${{ github.repository }} | |
| run: | | |
| set -euo pipefail | |
| # Query the last 10 CI runs on main and pick the most recent one | |
| # whose top-level status is 'completed'. Pending / in-progress | |
| # runs are ignored - they will be observed on the next PR event. | |
| API_PATH="repos/${REPO}/actions/workflows/ci.yml/runs?branch=main&per_page=10" | |
| RUNS_JSON="$(gh api "${API_PATH}")" | |
| # Filter to completed runs. | |
| LATEST="$(printf '%s' "${RUNS_JSON}" | jq -r ' | |
| [.workflow_runs[] | select(.status == "completed")] | |
| | sort_by(.run_started_at) | reverse | |
| | .[0] // empty | |
| ')" | |
| if [ -z "${LATEST}" ] || [ "${LATEST}" = "null" ]; then | |
| echo "::notice::No completed CI run on main was found in the last 10 runs; gate is a no-op PASS." | |
| { | |
| echo "## main-red-guard" | |
| echo "" | |
| echo "Status: PASS (no completed CI run on main found in the last 10 runs)" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| exit 0 | |
| fi | |
| CONCLUSION="$(printf '%s' "${LATEST}" | jq -r '.conclusion')" | |
| RUN_SHA="$(printf '%s' "${LATEST}" | jq -r '.head_sha')" | |
| RUN_URL="$(printf '%s' "${LATEST}" | jq -r '.html_url')" | |
| RUN_ID="$(printf '%s' "${LATEST}" | jq -r '.id')" | |
| echo "Latest completed CI on main: conclusion=${CONCLUSION} sha=${RUN_SHA} run=${RUN_ID}" | |
| # Resolve current main HEAD via the refs API (no checkout needed). | |
| MAIN_HEAD="$(gh api "repos/${REPO}/commits/main" --jq '.sha')" | |
| echo "Current main HEAD: ${MAIN_HEAD}" | |
| # PASS when the latest completed CI on main succeeded. | |
| if [ "${CONCLUSION}" = "success" ]; then | |
| { | |
| echo "## main-red-guard" | |
| echo "" | |
| echo "Status: PASS" | |
| echo "" | |
| echo "Latest CI on main conclusion: \`success\` (sha \`${RUN_SHA}\`)" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| exit 0 | |
| fi | |
| # PASS when main has rolled forward past the failing SHA (a | |
| # subsequent push produced a newer commit that we expect the | |
| # operator to validate before this PR merges). | |
| if [ "${MAIN_HEAD}" != "${RUN_SHA}" ]; then | |
| { | |
| echo "## main-red-guard" | |
| echo "" | |
| echo "Status: PASS (main rolled forward past the failing SHA)" | |
| echo "" | |
| echo "- Latest completed CI on main: \`${CONCLUSION}\` (sha \`${RUN_SHA}\`)" | |
| echo "- Current main HEAD: \`${MAIN_HEAD}\`" | |
| echo "- Run URL: ${RUN_URL}" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| exit 0 | |
| fi | |
| # FAIL: main HEAD still pins the failing SHA. Block the merge | |
| # until either a green run lands or main rolls forward. | |
| { | |
| echo "## main-red-guard" | |
| echo "" | |
| echo "Status: FAIL" | |
| echo "" | |
| echo "Most recent completed CI on main is \`${CONCLUSION}\` and main HEAD still points at the failing SHA." | |
| echo "" | |
| echo "- Failing SHA: \`${RUN_SHA}\`" | |
| echo "- Current main HEAD: \`${MAIN_HEAD}\`" | |
| echo "- Failing run: ${RUN_URL}" | |
| echo "" | |
| echo "Either land a fix commit on main, or wait for a fresh green CI run, before this PR can merge." | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| echo "::error::main is red (CI conclusion=${CONCLUSION} on ${RUN_SHA}); blocking merge. See ${RUN_URL}." | |
| exit 1 |
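Review bot: The roll-forward branch (`if [ "${MAIN_HEAD}" != "${RUN_SHA}" ]`) fails open: it reports PASS whenever main HEAD differs from the failing SHA, even though no CI run has completed on the new HEAD. That is the merge-burst situation the header comment says this guard exists to stop. Consider looking up the run for HEAD itself, e.g. `gh api "repos/${REPO}/actions/workflows/ci.yml/runs?branch=main&head_sha=${MAIN_HEAD}&per_page=1"`, and passing only when its conclusion is `success`; a missing or unfinished run would then count as not yet green, and the no-completed-run early exit, which also passes, would get the same treatment. Separately, the job runs only on the listed `pull_request` events, so a PASS recorded before main turned red appears to stay attached to the PR until its next event. A comment stating that limitation would help anyone relying on this as a required check.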