core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity

Merge pull request #2360 from Molecule-AI/auto/2358-followup-permissions-concurrency

Browse Source 
fix(ci): close gaps in auto-promote dispatch tail (#2358 follow-up)
This commit is contained in:
Hongming Wang 2026-04-30 07:07:21 +00:00 committed by GitHub
commit 92a29bb37c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 34 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
.github/workflows/auto-promote-staging.yml vendored
View File

@ -76,6 +76,27 @@ on:
permissions: permissions:
contents: write contents: write
pull-requests: write pull-requests: write
# actions: write is needed by the post-merge dispatch tail step
# (#2358 / #2357) — `gh workflow run publish-workspace-server-image.yml`
# POSTs to /actions/workflows/.../dispatches which requires this scope.
# Without it the call 403s and the publish/canary/redeploy chain still
# doesn't run on staging→main promotions, undoing #2358.
actions: write
# Serialize auto-promote runs. Multiple staging gate completions can land
# in quick succession (CI + E2E + CodeQL all finish within seconds of
# each other on a green PR) — without this, two parallel runs both:
# 1. Open / re-use the same promote PR.
# 2. Both call `gh pr merge --auto` (idempotent — fine).
# 3. Both poll for the same mergedAt and both `gh workflow run` publish
# → 2× redundant publish builds racing for the same `:staging-latest`
# retag, and 2× canary-verify chains.
# cancel-in-progress: false because we don't want a brand-new run to kill
# a polling-tail that's about to dispatch — the polling tail's 30 min cap
# is the right backstop, not workflow-level cancel.
concurrency:
group: auto-promote-staging
cancel-in-progress: false
jobs: jobs:
check-all-gates-green: check-all-gates-green:
@ -271,19 +292,29 @@ jobs:
PR_NUM: ${{ steps.promote_pr.outputs.promote_pr_num }} PR_NUM: ${{ steps.promote_pr.outputs.promote_pr_num }}
run: | run: |
# Poll for merge — max 30 min (60 × 30s). The merge queue # Poll for merge — max 30 min (60 × 30s). The merge queue
# typically lands within 5-10 min when gates are green. # typically lands within 5-10 min when gates are green. Break
# early if the PR is closed without merging (operator action,
# gates flipped red post-approval, branch-protection rejection)
# so we don't tie up a runner for the full 30 min on a dead PR.
MERGED="" MERGED=""
STATE=""
for _ in $(seq 1 60); do for _ in $(seq 1 60); do
MERGED=$(gh pr view "$PR_NUM" --repo "$REPO" --json mergedAt --jq '.mergedAt // ""') VIEW=$(gh pr view "$PR_NUM" --repo "$REPO" --json mergedAt,state)
MERGED=$(echo "$VIEW" | jq -r '.mergedAt // ""')
STATE=$(echo "$VIEW" | jq -r '.state // ""')
if [ -n "$MERGED" ] && [ "$MERGED" != "null" ]; then if [ -n "$MERGED" ] && [ "$MERGED" != "null" ]; then
echo "::notice::Promote PR #${PR_NUM} merged at ${MERGED}" echo "::notice::Promote PR #${PR_NUM} merged at ${MERGED}"
break break
fi fi
if [ "$STATE" = "CLOSED" ]; then
echo "::warning::Promote PR #${PR_NUM} was closed without merging — skipping deploy dispatch."
exit 0
fi
sleep 30 sleep 30
done done
if [ -z "$MERGED" ] || [ "$MERGED" = "null" ]; then if [ -z "$MERGED" ] || [ "$MERGED" = "null" ]; then
echo "::warning::Promote PR #${PR_NUM} didn't merge within 30min — skipping deploy dispatch (manually run \`gh workflow run redeploy-tenants-on-main.yml\` once it lands)." echo "::warning::Promote PR #${PR_NUM} didn't merge within 30min — skipping deploy dispatch (manually run \`gh workflow run publish-workspace-server-image.yml --ref main\` once it lands)."
exit 0 exit 0
fi fi