Merge pull request #2586 from Molecule-AI/fix/auto-promote-app-token
fix(auto-promote): use App token for auto-merge to fire downstream cascade (#2357)
commit
b4e45374bf
85
.github/workflows/auto-promote-staging.yml
vendored
@ -209,10 +209,25 @@ jobs:
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Mint the App token BEFORE the promote-PR step so the auto-merge
|
||||||
|
# call can use it. GITHUB_TOKEN-initiated merges suppress the
|
||||||
|
# downstream `push` event on main, breaking the
|
||||||
|
# publish-workspace-server-image → canary-verify → redeploy-tenants
|
||||||
|
# chain (issue #2357). Using the App token here means the
|
||||||
|
# merge-queue-landed merge IS able to fire the cascade naturally;
|
||||||
|
# the polling tail below stays as defense-in-depth.
|
||||||
|
- name: Mint App token for promote-PR + downstream dispatch
|
||||||
|
if: ${{ vars.AUTO_PROMOTE_ENABLED == 'true' || github.event.inputs.force == 'true' }}
|
||||||
|
id: app-token
|
||||||
|
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
|
||||||
|
with:
|
||||||
|
app-id: ${{ secrets.MOLECULE_AI_APP_ID }}
|
||||||
|
private-key: ${{ secrets.MOLECULE_AI_APP_PRIVATE_KEY }}
|
||||||
|
|
||||||
- name: Open (or reuse) staging → main promote PR + enable auto-merge
|
- name: Open (or reuse) staging → main promote PR + enable auto-merge
|
||||||
if: ${{ vars.AUTO_PROMOTE_ENABLED == 'true' || github.event.inputs.force == 'true' }}
|
if: ${{ vars.AUTO_PROMOTE_ENABLED == 'true' || github.event.inputs.force == 'true' }}
|
||||||
env:
|
env:
|
||||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GH_TOKEN: ${{ steps.app-token.outputs.token }}
|
||||||
REPO: ${{ github.repository }}
|
REPO: ${{ github.repository }}
|
||||||
TARGET_SHA: ${{ needs.check-all-gates-green.outputs.head_sha }}
|
TARGET_SHA: ${{ needs.check-all-gates-green.outputs.head_sha }}
|
||||||
run: |
|
run: |
|
||||||
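Review bot: the minted token is unscoped: the new `actions/create-github-app-token` step is given only `app-id:` and `private-key:`, with no `permission-*` or `repositories:` inputs, so the installation token carries every permission the Molecule-AI App installation has, and it is now minted before the promote-PR step and held across PR creation, the merge wait and the dispatch tail, so it is exposed for much longer than before. Scope it to what the two consumers actually need, e.g. `permission-contents: write`, `permission-pull-requests: write` and `permission-actions: write` (the last is what `gh workflow run` needs), and restrict `repositories:` to this repo. Related: installation access tokens expire after one hour, and this same token is consumed by the polling tail in the next hunk; a promote PR that takes longer than that to land leaves the tail dispatching with an expired token, so either cap the poll below the token lifetime or re-mint immediately before the dispatch.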
@ -267,52 +282,34 @@ jobs:
|
|||||||
echo "promote_pr_num=${PR_NUM}" >> "$GITHUB_OUTPUT"
|
echo "promote_pr_num=${PR_NUM}" >> "$GITHUB_OUTPUT"
|
||||||
id: promote_pr
|
id: promote_pr
|
||||||
|
|
||||||
# Mint a short-lived GitHub App installation token for the dispatch
|
# The App token minted above (before the promote-PR step) is
|
||||||
# step below. We CANNOT use `secrets.GITHUB_TOKEN` to dispatch the
|
# also used by the polling tail below. Defense-in-depth: with
|
||||||
# downstream publish chain — workflow runs created by GITHUB_TOKEN
|
# the merge-queue-landed merge now using the App token, the
|
||||||
# do not fire `workflow_run` triggers on completion (the
|
# main-branch push event SHOULD fire the publish/canary/redeploy
|
||||||
# documented "no recursion" rule —
|
# cascade naturally — but if for any reason it doesn't (e.g. an
|
||||||
# https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow).
|
# unrelated event-suppression edge case), the explicit dispatches
|
||||||
#
|
# below still wake the chain.
|
||||||
# Symptom this caused (root-caused on 2026-04-30): publish-image
|
|
||||||
# ran successfully twice (21313dc 14:41Z, 59dec57 15:21Z) but
|
|
||||||
# canary-verify and redeploy-tenants-on-main never chained,
|
|
||||||
# because the publish run's `triggering_actor` was
|
|
||||||
# `github-actions[bot]` (i.e. GITHUB_TOKEN). A manual dispatch
|
|
||||||
# earlier in the day with the operator's PAT (d850ec7 06:52Z) did
|
|
||||||
# chain — same workflow file, only the actor differed.
|
|
||||||
#
|
|
||||||
# An App token's triggering_actor is the App user (e.g.
|
|
||||||
# `molecule-ai[bot]`), which IS allowed to fire downstream
|
|
||||||
# workflow_run cascades.
|
|
||||||
- name: Mint App token for downstream dispatch
|
|
||||||
if: steps.promote_pr.outputs.promote_pr_num != ''
|
|
||||||
id: app-token
|
|
||||||
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
|
|
||||||
with:
|
|
||||||
app-id: ${{ secrets.MOLECULE_AI_APP_ID }}
|
|
||||||
private-key: ${{ secrets.MOLECULE_AI_APP_PRIVATE_KEY }}
|
|
||||||
|
|
||||||
- name: Wait for promote merge, then dispatch publish + redeploy (#2357)
|
- name: Wait for promote merge, then dispatch publish + redeploy (#2357)
|
||||||
# GITHUB_TOKEN-initiated merges suppress downstream `push` events
|
# Defense-in-depth dispatch. With the auto-merge call above
|
||||||
# (https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow).
|
# now using the App token (this commit), the merge-queue-landed
|
||||||
# Result: when the merge queue lands the promote PR, the resulting
|
# merge SHOULD fire publish-workspace-server-image naturally
|
||||||
# main-branch push DOES NOT fire publish-workspace-server-image,
|
# via on:push:[main] — App-token-initiated pushes DO trigger
|
||||||
# so canary-verify and redeploy-tenants-on-main never run and
|
# workflow_run cascades, unlike GITHUB_TOKEN-initiated ones
|
||||||
# tenants stay on stale code (issue #2357).
|
# (the documented "no recursion" rule —
|
||||||
|
# https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow).
|
||||||
#
|
#
|
||||||
# Workaround: poll for the merge to land, then explicitly
|
# This explicit dispatch stays as belt-and-suspenders for any
|
||||||
# `gh workflow run` publish-workspace-server-image. The dispatch
|
# edge case where the natural cascade misfires. If it never
|
||||||
# MUST authenticate as the molecule-ai App (App token minted
|
# observably fires after this token swap (i.e. the publish
|
||||||
# above) — not GITHUB_TOKEN — so that the resulting publish
|
# workflow has already started by the time we get here), the
|
||||||
# run's completion event can fire the workflow_run cascade
|
# second dispatch is a harmless no-op (publish-workspace-server-image
|
||||||
# into canary-verify + redeploy-tenants-on-main. See the prior
|
# has its own concurrency group that dedupes).
|
||||||
# step's comment for the GITHUB_TOKEN no-recursion details.
|
|
||||||
#
|
#
|
||||||
# Long-term fix: switch the auto-merge call above to use the
|
# See PR for #2357: pre-fix the merge action was via
|
||||||
# same App token, so the merge's push event fires
|
# GITHUB_TOKEN, suppressing the cascade and forcing this tail
|
||||||
# publish-workspace-server-image naturally and this polling tail
|
# to be the SOLE chain trigger. With the auto-merge token swap
|
||||||
# becomes unnecessary. Tracked in #2357.
|
# the tail becomes redundant in the happy path; keep until
|
||||||
|
# we've observed >=10 successful natural cascades, then drop.
|
||||||
if: steps.promote_pr.outputs.promote_pr_num != ''
|
if: steps.promote_pr.outputs.promote_pr_num != ''
|
||||||
env:
|
env:
|
||||||
GH_TOKEN: ${{ steps.app-token.outputs.token }}
|
GH_TOKEN: ${{ steps.app-token.outputs.token }}
|
||||||
|
|||||||
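Review bot: the comment `# second dispatch is a harmless no-op (publish-workspace-server-image` / `# has its own concurrency group that dedupes)` overstates what a concurrency group does: if that workflow sets `cancel-in-progress: true`, the explicit `gh workflow run` here cancels the natural push-triggered publish run mid-build and restarts it; if it is `false`, the second run queues and executes a full second publish after the first. Neither is a no-op unless the workflow is idempotent. Either guard the dispatch by first checking for an in-progress or completed publish run on `TARGET_SHA` (e.g. `gh run list --workflow publish-workspace-server-image --commit "$TARGET_SHA"`) and skipping when one exists, or document the cancel-and-restart behaviour in this comment instead of calling it a no-op. Two smaller points: the `# merge SHOULD fire publish-workspace-server-image naturally` claim should be verified on the first live run by checking the publish run's `triggering_actor`, since with a merge queue the commit on main is created by the queue rather than by the caller of the auto-merge API, so the actor may not be what this comment assumes; and the `>=10 successful natural cascades, then drop` retirement criterion has no tracking reference, so link it to #2357 or a follow-up issue so the tail does not linger indefinitely.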