name: Sync Dev After Main Release on: release: types: [published] jobs: sync-dev: if: ${{ !github.event.release.prerelease && github.event.release.target_commitish == 'main' && startsWith(github.event.release.tag_name, 'v') && !contains(github.event.release.tag_name, '-') }} runs-on: [self-hosted, linux, x64] permissions: contents: read steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 persist-credentials: false - name: Harden Git workspace run: | rm -rf .git/hooks mkdir -p .git/hooks git config --local core.hooksPath /dev/null - name: Configure Git run: | git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" - name: Sync dev with main run: | git fetch origin main dev git checkout dev # Attempt merge, handle version conflicts by taking main's versions if ! git merge origin/main --no-edit -m "chore(sync): merge main into dev after release"; then echo "Merge conflicts detected, resolving version files..." # For version files, take main's version (new stable base) for file in VERSION package.json installers/install.sh installers/install.ps1 CHANGELOG.md; do if git diff --name-only --diff-filter=U | grep -q "^${file}$"; then git checkout --theirs "$file" git add "$file" fi done # Complete the merge git commit --no-edit fi # PAT_TOKEN is required because this pushes to protected dev and must # trigger follow-up Push CI / Dev Release workflows. Keep it scoped to # the final push rather than persisting it in the checkout config. auth_header=$(printf 'x-access-token:%s' "$PAT_TOKEN" | base64 | tr -d '\n') echo "::add-mask::${auth_header}" git -c core.hooksPath=/dev/null \ -c "http.https://github.com/kaitranntt/ccs.extraheader=AUTHORIZATION: basic ${auth_header}" \ -c "http.https://github.com/kaitranntt/ccs.git.extraheader=AUTHORIZATION: basic ${auth_header}" \ push origin dev env: PAT_TOKEN: ${{ secrets.PAT_TOKEN }}