From 4f381dc1033fcd6a1c02bff3a6703ae5aebf0043 Mon Sep 17 00:00:00 2001
From: ZdenekSrotyr <139972147+ZdenekSrotyr@users.noreply.github.com>
Date: Tue, 21 Apr 2026 21:59:10 +0200
Subject: [PATCH] fix(ci): propagate-infra-tag fail-soft on branch push / missing secret (#24)

Job-level 'if: secrets.X != ""' did not prevent workflow from being scheduled on branch pushes (GitHub reports failure with 0 jobs in that case). Refactored: first step is a guard that checks both the tag ref pattern and the secret presence; downstream steps skip when the guard says no. Result: workflow now reports success with a clear warning annotation on branch pushes or when the secret is absent; only real infra-v* tag pushes with the secret set perform the bump.
---
 .github/workflows/propagate-infra-tag.yml | 35 +++++++++++++++++------
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/propagate-infra-tag.yml b/.github/workflows/propagate-infra-tag.yml
index 5ffb516..9e74883 100644
--- a/.github/workflows/propagate-infra-tag.yml
+++ b/.github/workflows/propagate-infra-tag.yml
@@ -23,18 +23,34 @@ permissions:
 jobs:
   propagate:
     runs-on: ubuntu-latest
-    if: ${{ secrets.TEMPLATE_REPO_TOKEN != '' }}
     env:
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
     steps:
-      - name: Extract tag name
-        id: tag
+      - name: Guard — tag ref + secret presence
+        id: guard
+        env:
+          SECRET_VALUE: ${{ secrets.TEMPLATE_REPO_TOKEN }}
         run: |
+          # Belt-and-braces tag-only check (workflow-level filter should handle it,
+          # but GitHub occasionally schedules this workflow on adjacent events with
+          # 0 jobs — explicit guard keeps the report clean).
+          if [[ ! "$GITHUB_REF" =~ ^refs/tags/infra-v ]]; then
+            echo "Not an infra-v* tag push (ref=$GITHUB_REF) — nothing to do."
+            echo "proceed=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+          if [ -z "$SECRET_VALUE" ]; then
+            echo "::warning::TEMPLATE_REPO_TOKEN secret not set — skipping propagation. Renovate on the template repo will pick up the new tag on its next poll as a fallback."
+            echo "proceed=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
           TAG="${GITHUB_REF#refs/tags/}"
           echo "name=$TAG" >> $GITHUB_OUTPUT
+          echo "proceed=true" >> $GITHUB_OUTPUT
           echo "Propagating tag: $TAG"
 
       - name: Checkout template repo
+        if: steps.guard.outputs.proceed == 'true'
         uses: actions/checkout@v5
         with:
           repository: keboola/agnes-infra-template
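Review bot: The guard step copies the whole token into the shell environment (`SECRET_VALUE: ${{ secrets.TEMPLATE_REPO_TOKEN }}`) only to test whether it is set; the presence test can stay in expression context, as the removed job-level `if` already did, so the secret never reaches the step's process environment: `HAS_SECRET: ${{ secrets.TEMPLATE_REPO_TOKEN != '' }}` and `if [ "$HAS_SECRET" != "true" ]; then`. Separately, the ref check `^refs/tags/infra-v` accepts any tag with that prefix, while the Bump step in the next hunk only rewrites pins of the shape `infra-v[0-9]+\.[0-9]+\.[0-9]+` and splices `$NEW_TAG` unescaped into its `s|…|…|` expression, so a pre-release or otherwise unusual tag name passes the guard and then either changes nothing or breaks the sed; anchoring the guard to `^refs/tags/infra-v[0-9]+\.[0-9]+\.[0-9]+$` would stop it here with a clear message instead. The steps list continues past the end of this hunk.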
@@ -42,29 +58,30 @@ jobs: path: template - name: Bump module ref in template + if: steps.guard.outputs.proceed == 'true' working-directory: template env: - NEW_TAG: ${{ steps.tag.outputs.name }} + NEW_TAG: ${{ steps.guard.outputs.name }} run: | file=terraform/main.tf - # Replace any existing ref=infra-vX.Y.Z with the new tag sed -i "s|ref=infra-v[0-9]\+\.[0-9]\+\.[0-9]\+\"|ref=$NEW_TAG\"|g" "$file" echo "--- diff ---" git diff "$file" || true - name: Create PR + if: steps.guard.outputs.proceed == 'true' uses: peter-evans/create-pull-request@v7 with: path: template token: ${{ secrets.TEMPLATE_REPO_TOKEN }} - branch: bump-module-${{ steps.tag.outputs.name }} - title: "infra: bump module ref to ${{ steps.tag.outputs.name }}" + branch: bump-module-${{ steps.guard.outputs.name }} + title: "infra: bump module ref to ${{ steps.guard.outputs.name }}" body: | - Automated bump triggered by release of [`${{ steps.tag.outputs.name }}`](https://github.com/keboola/agnes-the-ai-analyst/releases/tag/${{ steps.tag.outputs.name }}) in the upstream `keboola/agnes-the-ai-analyst` repo. + Automated bump triggered by release of [`${{ steps.guard.outputs.name }}`](https://github.com/keboola/agnes-the-ai-analyst/releases/tag/${{ steps.guard.outputs.name }}) in the upstream `keboola/agnes-the-ai-analyst` repo. Auto-merge is enabled for patch/minor bumps (via Renovate config + this repo's `allow_auto_merge`). A `breaking` label on major bumps blocks auto-merge for human review. If CI validate fails, fix the module upstream before retrying. - commit-message: "infra: bump module ref to ${{ steps.tag.outputs.name }}" + commit-message: "infra: bump module ref to ${{ steps.guard.outputs.name }}" labels: renovate delete-branch: true
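Review bot: The line `# Replace any existing ref=infra-vX.Y.Z with the new tag` above the `sed -i` call is removed without replacement, and the sed expression is dense enough (escaped dots, quoted `ref=…"` suffix, `|` delimiters) that a reader benefits from it; I would keep a comment such as `# Rewrite every ref=infra-vX.Y.Z" module pin in main.tf to $NEW_TAG` in the new version. The rest of this hunk is a mechanical `steps.tag` → `steps.guard` rename plus the `if:` gates, which look consistent with the guard's `proceed` output. The hunk opens inside the `with:` block of the Checkout step, whose start is outside this hunk.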