mirror of
https://github.com/tiennm99/ccs.git
synced 2026-07-15 14:21:20 +00:00
Keep active CCS workflows on self-hosted runners, gate self-hosted PR execution to trusted authors, and scope privileged release credentials to the exact git operations that need them.
65 lines
2.3 KiB
YAML
65 lines
2.3 KiB
YAML
name: Sync Dev After Main Release
|
|
|
|
on:
|
|
release:
|
|
types: [published]
|
|
|
|
jobs:
|
|
sync-dev:
|
|
if: ${{ !github.event.release.prerelease && github.event.release.target_commitish == 'main' && startsWith(github.event.release.tag_name, 'v') && !contains(github.event.release.tag_name, '-') }}
|
|
runs-on: [self-hosted, linux, x64]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
|
|
- name: Harden Git workspace
|
|
run: |
|
|
rm -rf .git/hooks
|
|
mkdir -p .git/hooks
|
|
git config --local core.hooksPath /dev/null
|
|
|
|
- name: Configure Git
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
|
|
- name: Sync dev with main
|
|
run: |
|
|
git fetch origin main dev
|
|
git checkout dev
|
|
|
|
# Attempt merge, handle version conflicts by taking main's versions
|
|
if ! git merge origin/main --no-edit -m "chore(sync): merge main into dev after release"; then
|
|
echo "Merge conflicts detected, resolving version files..."
|
|
|
|
# For version files, take main's version (new stable base)
|
|
for file in VERSION package.json installers/install.sh installers/install.ps1 CHANGELOG.md; do
|
|
if git diff --name-only --diff-filter=U | grep -q "^${file}$"; then
|
|
git checkout --theirs "$file"
|
|
git add "$file"
|
|
fi
|
|
done
|
|
|
|
# Complete the merge
|
|
git commit --no-edit
|
|
fi
|
|
|
|
# PAT_TOKEN is required because this pushes to protected dev and must
|
|
# trigger follow-up Push CI / Dev Release workflows. Keep it scoped to
|
|
# the final push rather than persisting it in the checkout config.
|
|
auth_header=$(printf 'x-access-token:%s' "$PAT_TOKEN" | base64 | tr -d '\n')
|
|
echo "::add-mask::${auth_header}"
|
|
git -c core.hooksPath=/dev/null \
|
|
-c "http.https://github.com/kaitranntt/ccs.extraheader=AUTHORIZATION: basic ${auth_header}" \
|
|
-c "http.https://github.com/kaitranntt/ccs.git.extraheader=AUTHORIZATION: basic ${auth_header}" \
|
|
push origin dev
|
|
env:
|
|
PAT_TOKEN: ${{ secrets.PAT_TOKEN }}
|