forked from sigstore/root-signing
74 lines (67 loc) · 2.69 KB
/
sync-ceremony-to-main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#
# Copyright 2023 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This workflow is triggered when a ceremony branch is completed,
# creating a PR that merges the completed ceremony branch to main
name: Sync Published Ceremony Branch to Main and Preprod
# Declare default permissions as none.
permissions: {}
on:
workflow_dispatch:
inputs:
branch:
description: 'The branch to sync to main, generally ceremony/YYYY-MM-DD'
required: true
type: string
push:
# When any published repository metadata is changed on a ceremony/**
# branch.
branches:
- ceremony/**
paths:
- 'repository/repository/**'
jobs:
push:
if: (github.event_name == 'schedule' && github.repository == 'sigstore/root-signing') || (github.event_name != 'schedule') # Don't run workflow in forks on cron
permissions:
pull-requests: 'write'
contents: 'write'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
fetch-depth: 0
ref: ${{ github.event.repository.default_branch }}
- name: create pull request
uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1
with:
github_token: ${{ secrets.SIGSTORE_ROOT_SIGNING_FINE_GRAINED_PAT }}
# Use the input branch on workflow_dispatch, or the triggering branch on push to a ceremony/** branch.
source_branch: ${{ inputs.branch || github.ref_name }}
destination_branch: ${{ github.event.repository.default_branch }}
pr_title: "Merge ceremony branch ${{ inputs.branch || github.ref_name }} into ${{ github.event.repository.default_branch }}"
pr_body: "Merge ceremony branch to main"
pr_reviewer: bobcallaway,haydentherapper,joshuagl,kommendorkapten
if-failed:
runs-on: ubuntu-latest
needs: [push]
permissions:
issues: 'write'
actions: 'read'
if: always() && needs.sync.result == 'failure'
steps:
- name: Open issue or add comment on failure
uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main
with:
comment_for_each_failure: true