18 changes: 18 additions & 0 deletions .github/workflows/ci.yaml
Expand Up @@ -21,6 +21,7 @@ on:
branches:
- main
- "pull-request/[0-9]+"
- "feat/*"
tags:
- "v[0-9]*.[0-9]*.[0-9]*"
- "v[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]*"
Expand Down Expand Up @@ -164,6 +165,23 @@ jobs:
HELM_VERSION_BASE="${VERSION#v}"
HELM_VERSION=$(echo "$HELM_VERSION_BASE" | sed 's/\(.*\)-/\1./')

# Feature branch support
IS_FEATURE_BRANCH=false
if [[ "${GITHUB_REF}" =~ ^refs/heads/feat/ ]]; then
IS_FEATURE_BRANCH=true
FIRST_PARENT_TAG=$(git describe --tags --first-parent --abbrev=0 HEAD 2>/dev/null || echo "")

# error if feature branch made not using /feature-branch command
if [[ "${FIRST_PARENT_TAG}" != *"feat-"* ]]; then
FEAT_BRANCH=$(echo "${GITHUB_REF#refs/heads/}" | tr '/' '-')
echo "## ❌ Feature Branch Tag Generation Failed" >> $GITHUB_STEP_SUMMARY
echo "First parent tag does not contain \`feat-\`, tag found: \`${FIRST_PARENT_TAG}\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**To fix:** ask a maintainer to delete this branch, then use \`/feature-branch ${FEAT_BRANCH#feat-}\` in a GitHub issue to recreate it correctly." >> $GITHUB_STEP_SUMMARY
exit 1
fi
fi

echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "helm_version=${HELM_VERSION}" >> $GITHUB_OUTPUT
echo "Calculated VERSION: ${VERSION}"
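Review bot: The guard `[[ "${FIRST_PARENT_TAG}" != *"feat-"* ]]` is a substring test, so any first-parent tag that contains `feat-` anywhere passes, including a tag that belongs to a different feature branch. `FEAT_BRANCH` is already derived from `GITHUB_REF` with `tr '/' '-'`; compute it before the check and require the tag to end with `-${FEAT_BRANCH}`, which is the shape feature-branch.yml produces (`${TAG_PREFIX}-${FEAT_SLUG}`). Two smaller points: `IS_FEATURE_BRANCH` is assigned but is neither read nor written to `$GITHUB_OUTPUT` in the lines shown, and `2>/dev/null || echo ""` discards the reason `git describe` failed, so the summary shows an empty tag whatever the cause. The `>> $GITHUB_STEP_SUMMARY` redirects should also be quoted.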
69 changes: 69 additions & 0 deletions .github/workflows/feature-branch.yml
@@ -0,0 +1,69 @@
name: Create Feature Branch

on:
issue_comment:
types:
- created

jobs:
create-feat-branch:
if: startsWith(github.event.comment.body, '/feature-branch ')
runs-on: ubuntu-latest
permissions:
contents: write
issues: write
steps:
- name: Checkout main
uses: actions/checkout@v4
with:
ref: main
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}

- name: Create feature branch with empty commit
env:
COMMENT_BODY: ${{ github.event.comment.body }}
ISSUE_NUMBER: ${{ github.event.issue.number }}
ISSUE_URL: ${{ github.event.issue.html_url }}
REQUESTER: ${{ github.event.comment.user.login }}
REPOSITORY: ${{ github.repository }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail

BRANCH_NAME=$(echo "${COMMENT_BODY}" | sed 's|^/feature-branch ||' | tr -d '[:space:]')

Contributor


Do we need to strictly validate the branch name here instead of only stripping whitespace? Git refs may contain shell special characters, and this value later becomes VERSION and is interpolated directly into run: scripts, which can lead to command injection on self-hosted runners. Maybe a bounded, single-segment slug such as ^[a-z0-9]+(-[a-z0-9]+)*$ would prevent shell injection and ensure compatibility with the downstream version and Helm workflows.
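
One way to implement the stricter parsing suggested in the comment above, as an added example that is not part of the PR or the project's code. `parse_feature_branch` and `MAX_SLUG_LEN` are hypothetical names, the 40-character bound is an assumption, and the sample comment bodies are constructed.

```shell
# Added example (not from the PR): strict parsing of a "/feature-branch <name>"
# comment. parse_feature_branch and MAX_SLUG_LEN are hypothetical names.
MAX_SLUG_LEN=40   # assumed bound, to be aligned with tag and Helm limits

# Prints the validated slug and returns 0, or prints nothing and returns 1.
# The body is a subshell "( ... )" so its variables stay local in POSIX sh too.
parse_feature_branch() (
  body=$1
  nl='
'
  cr=$(printf '\r')
  # Keep the first line only: `tr -d '[:space:]'` would instead glue every
  # later line of a multi-line comment onto the name.
  line=${body%%"$nl"*}
  line=${line%"$cr"}                      # tolerate CRLF line endings
  case $line in
    "/feature-branch "*) ;;
    *) return 1 ;;
  esac
  slug=${line#"/feature-branch "}
  slug=${slug#"${slug%%[! ]*}"}           # trim leading spaces
  slug=${slug%"${slug##*[! ]}"}           # trim trailing spaces
  [ "${#slug}" -ge 1 ] && [ "${#slug}" -le "$MAX_SLUG_LEN" ] || return 1
  # Slug pattern from the review comment; LC_ALL=C keeps [a-z] ASCII-only.
  printf '%s\n' "$slug" | LC_ALL=C grep -Eq '^[a-z0-9]+(-[a-z0-9]+)*$' || return 1
  printf '%s\n' "$slug"
)

# Constructed sample comment bodies, not taken from the PR.
for body in '/feature-branch gpu-ops' '/feature-branch x$(id)' \
            '/feature-branch a/b' '/feature-branch Big-Name'; do
  if slug=$(parse_feature_branch "$body"); then
    echo "accept: $slug"
  else
    echo "reject: $body"
  fi
done
```

In the workflow the function would receive `"${COMMENT_BODY}"` from `env:`, and the job would stop when it returns non-zero.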


if [[ -z "${BRANCH_NAME}" ]]; then
echo "No branch name provided"
exit 1
fi

FULL_BRANCH="feat/${BRANCH_NAME}"

git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

TAG_PREFIX=$(git describe --tags --long HEAD | sed 's/-g[0-9a-f]*$//')
FEAT_SLUG=$(echo "${FULL_BRANCH}" | tr '/' '-')
TAG="${TAG_PREFIX}-${FEAT_SLUG}"

git checkout -b "${FULL_BRANCH}"
COMMIT_MSG="feat: initialize ${FULL_BRANCH}"
COMMIT_MSG+=$'\n\n'
COMMIT_MSG+="Requested by @${REQUESTER} on issue #${ISSUE_NUMBER}"
git commit --allow-empty -m "${COMMIT_MSG}"

git tag "${TAG}"
git push origin "${FULL_BRANCH}" "${TAG}"

Contributor


The current GitHub ruleset setting blocks GITHUB_TOKEN from creating feat/*: only repository admins and copy-pr-bot can bypass it. We may need to create a GitHub Actions App and update the ruleset to bypass the rule.


BRANCH_URL="https://github.com/${REPOSITORY}/tree/${FULL_BRANCH}"
COMMENT_BODY="Branch created: [${FULL_BRANCH}](${BRANCH_URL})"
COMMENT_BODY+=$'\n\n'
COMMENT_BODY+="To check out locally:"
COMMENT_BODY+=$'\n'
COMMENT_BODY+='```'
COMMENT_BODY+=$'\n'
COMMENT_BODY+="git fetch upstream && git checkout -b ${FULL_BRANCH} upstream/${FULL_BRANCH}"
COMMENT_BODY+=$'\n'
COMMENT_BODY+='```'
gh issue comment "${ISSUE_NUMBER}" --body "${COMMENT_BODY}"
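Review bot: The job condition `if: startsWith(github.event.comment.body, '/feature-branch ')` does not look at who wrote the comment, so anyone able to comment on an issue or pull request can start a job that holds `contents: write` and pushes a branch and a tag. Gate it on the commenter, for example by also requiring `github.event.comment.author_association` to be `OWNER`, `MEMBER` or `COLLABORATOR`. Passing the comment through `env:` as `COMMENT_BODY` keeps it out of the script text, which is right, but `tr -d '[:space:]'` joins every line of a multi-line comment into the name and still lets `/` through; a name containing `/` yields a branch such as `feat/a/b`, which the `feat/*` push filters added in ci.yaml and rest-ci.yml do not match because `*` stops at `/`. `actions/checkout@v4` is a mutable tag and should be pinned to a commit SHA in a workflow with write permissions. The script also reuses `COMMENT_BODY` for the reply text; a separate variable would keep the untrusted input distinct from the generated message.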
1 change: 1 addition & 0 deletions .github/workflows/rest-ci.yml
Expand Up @@ -9,6 +9,7 @@ on:
branches:
- main
- 'pull-request/[0-9]+'
- 'feat/*'
tags:
- "v[0-9]*.[0-9]*.[0-9]*"
- "v[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]*"