Resolve merge conflict for tag 0.302.0.0#24
This reverts commit b94391e.
| if: github.event.pull_request.merged == true | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout the repository | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 # Fetch all branches and tags | ||
| token: ${{ secrets.EVCC_PAT }} | ||
|
|
||
| - name: Set up Git | ||
| run: | | ||
| git config user.name "GitHub Actions" | ||
| git config user.email "actions@github.com" | ||
|
|
||
| - name: Get merged branch name | ||
| id: get-branch | ||
| run: echo "BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV | ||
|
|
||
| - name: Validate branch name | ||
| id: validate-branch | ||
| run: | | ||
| # Extract the tag name from the branch name | ||
| TAG_NAME=$(echo "${{ env.BRANCH }}" | sed 's/tag-//') | ||
|
|
||
| # Check if the tag name matches the expected pattern | ||
| if [[ ! "$TAG_NAME" =~ ^0\.[0-9]+\.[0-9]+$ ]]; then | ||
| echo "Branch name does not match the expected pattern. Skipping tag creation." | ||
| exit 1 | ||
| else | ||
| echo "Valid branch name: $TAG_NAME Saving for next step" | ||
| echo "BRANCH=$TAG_NAME" >> $GITHUB_OUTPUT | ||
| fi | ||
| continue-on-error: true | ||
|
|
||
| - name: Tag the merged branch | ||
| if: success() && steps.validate-branch.outcome == 'success' | ||
| run: | | ||
| # Checkout the branch that was merged | ||
| git checkout "${{ env.BRANCH }}" | ||
|
|
||
| # Create the new tag | ||
| NEW_TAG="${{ steps.validate-branch.outputs.BRANCH }}.0" | ||
|
|
||
| # Tag the branch | ||
| git tag "${NEW_TAG}" | ||
|
|
||
| # Push the tag to the repository | ||
| git push origin "${NEW_TAG}" | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
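Review bot: the `TAG_NAME=$(echo "${{ env.BRANCH }}" | sed 's/tag-//')` and `git checkout "${{ env.BRANCH }}"` lines re-interpolate the branch name into the shell script through the expression engine even though "Get merged branch name" has already exported it via `$GITHUB_ENV`; read it as `"$BRANCH"` from the environment instead, so the runner never splices an event-derived value into the script text. Two smaller points: `actions/checkout@v3` is pinned by a mutable tag, and pinning the action to a full commit SHA is the usual supply-chain hardening for a workflow that holds a PAT; and `sed 's/tag-//'` is unanchored, so `sed 's/^tag-//'` states the intent more precisely.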
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To fix the problem, the workflow should declare an explicit permissions: block at either the workflow or job level. The block should grant the minimum necessary permissions for the required operations. For this workflow, it needs to push tags, which requires contents: write. Unless other write scopes (e.g., pull-requests: write, issues: write) are needed, they can be omitted.
The best fix is to add permissions: at the job level (finalize:) as this targets only the job requiring the permission, avoiding possible future excess permissions for other jobs. Insert under jobs: finalize: (above if:) the following block:
permissions:
  contents: write
This makes the required permission explicit and limited. No changes to steps, imports, or other files are necessary.
| @@ -8,6 +8,8 @@ | ||
|
|
||
| jobs: | ||
| finalize: | ||
| permissions: | ||
| contents: write | ||
| if: github.event.pull_request.merged == true | ||
| runs-on: ubuntu-latest | ||
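Review bot: `contents: write` is the right minimal scope if GITHUB_TOKEN is what pushes the tag, but in this job it is not: the checkout step passes `token: ${{ secrets.EVCC_PAT }}`, and `actions/checkout` persists that credential in the clone's git config, so `git push origin "${NEW_TAG}"` runs with the PAT's scopes and the step-level `env: GITHUB_TOKEN` is never consulted by git. As written the new block bounds a token the push does not use while the PAT stays unbounded; if GITHUB_TOKEN suffices for the push, drop the `token:` line from the checkout step so this `permissions:` block is actually what limits the job.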
|
|
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout the repository | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 # Fetch all branches and tags | ||
| token: ${{ secrets.EVCC_PAT }} | ||
|
|
||
| - name: Set up Git | ||
| run: | | ||
| git config user.name "GitHub Actions" | ||
| git config user.email "actions@github.com" | ||
|
|
||
| - name: Add public repo as remote | ||
| run: | | ||
| git remote add public https://github.com/evcc-io/evcc.git | ||
|
|
||
| - name: Fetch tags from the public repo | ||
| run: | | ||
| git fetch public --tags | ||
|
|
||
| - name: Get all tags from the public repo | ||
| id: get-public-tags | ||
| run: | | ||
| git tag -l | grep -E '^0\.[0-9]+\.[0-9]+$' > public_tags.txt | ||
| echo "Public tags:" | ||
| cat public_tags.txt | ||
|
|
||
| - name: Get existing tags in the repo | ||
| id: get-existing-tags | ||
| run: | | ||
| git tag -l | grep -E '^0\.[0-9]+\.[0-9]+\.0$' > existing_tags.txt | ||
| echo "Existing tags:" | ||
| cat existing_tags.txt | ||
|
|
||
| - name: Sync missing tags | ||
| run: | | ||
| # Define the starting tag | ||
| START_TAG="0.130.7" | ||
|
|
||
| # Convert version to numeric format for comparison | ||
| tag_to_numeric() { | ||
| echo "$1" | sed 's/\./_/g' | awk -F'_' '{ printf("%d%03d%03d", $1, $2, $3) }' | ||
| } | ||
|
|
||
| START_NUMERIC=$(tag_to_numeric $START_TAG) | ||
|
|
||
| # Read tags from files | ||
| PUBLIC_TAGS=$(cat public_tags.txt) | ||
| EXISTING_TAGS=$(cat existing_tags.txt) | ||
|
|
||
| for TAG in $PUBLIC_TAGS; do | ||
| # Convert the current tag to numeric format | ||
| TAG_NUMERIC=$(tag_to_numeric $TAG) | ||
|
|
||
| # Check if the tag is greater than the starting tag | ||
| if [ "$TAG_NUMERIC" -gt "$START_NUMERIC" ]; then | ||
| # Generate the new tag name with .0 suffix | ||
| NEW_TAG="${TAG}.0" | ||
|
|
||
| # Check if the tag already exists | ||
| if ! echo "$EXISTING_TAGS" | grep -q "^${NEW_TAG}$"; then | ||
| echo "Processing new tag: $NEW_TAG" | ||
|
|
||
| # Create a new branch for the tag | ||
| git checkout -b "tag-${TAG}" ${TAG} | ||
|
|
||
| # Attempt to merge the master branch into the new branch | ||
| git merge master --no-edit || { | ||
| # If there's a merge conflict, create a pull request | ||
| echo "Merge conflict detected for tag ${TAG}. Creating pull request." | ||
| git push origin "tag-${TAG}" | ||
| gh pr create --title "Resolve merge conflict for tag ${NEW_TAG}" --body "A merge conflict was detected while syncing tag ${NEW_TAG}. Please resolve the conflict in this PR." --head master --base "tag-${TAG}" | ||
| continue | ||
| } | ||
| # Tag the branch with .0 appended to the original tag name | ||
| git tag "${NEW_TAG}" | ||
|
|
||
| # Push the new branch and tag to your repository | ||
| git push origin "tag-${TAG}" | ||
| git push origin "${NEW_TAG}" | ||
| fi | ||
| fi | ||
| done | ||
|
|
||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
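Review bot: the conflict path in "Sync missing tags" leaves the working tree mid-merge. When `git merge master --no-edit` fails, the `|| { ... }` block pushes the branch, opens the PR and runs `continue`, but never runs `git merge --abort`, so the next iteration's `git checkout -b "tag-${TAG}" ${TAG}` fails on the unmerged index and, under the runner's default `bash -e`, the whole step stops at the first conflicting tag; add `git merge --abort` before `continue` (and check out a clean ref) so later tags are still processed. Also `grep -q "^${NEW_TAG}$"` treats the dots in the tag as regex wildcards; `grep -qxF "${NEW_TAG}"` matches the literal line.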
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
To resolve the problem, add a permissions block at the job or workflow root (above or at the same level as runs-on for the job), specifying only the minimal required permissions needed. Given the workflow pushes tags and branches (git push) and creates pull requests via the gh CLI (gh pr create), it requires contents: write (for pushing content) and pull-requests: write (for creating PRs). The permissions block should be added to the sync job in .github/workflows/sync-tags.yml, immediately before runs-on: ubuntu-latest. No additional methods or imports are required.
| @@ -8,6 +8,9 @@ | ||
|
|
||
| jobs: | ||
| sync: | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: |
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout the repository | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| # Fetch all branches | ||
| fetch-depth: 0 | ||
| token: ${{ secrets.EVCC_PAT }} | ||
|
|
||
| - name: Set up Git | ||
| run: | | ||
| git config user.name "GitHub Actions" | ||
| git config user.email "actions@github.com" | ||
|
|
||
| - name: Add public repo as remote | ||
| run: | | ||
| git remote add public https://github.com/evcc-io/evcc.git | ||
|
|
||
| - name: Fetch master branch from public repo | ||
| run: | | ||
| git fetch public master | ||
|
|
||
| - name: Checkout evcc-master branch | ||
| run: | | ||
| git checkout evcc-master | ||
|
|
||
| - name: Merge master branch from public repo into evcc-master | ||
| run: | | ||
| git merge public/master --no-edit | ||
|
|
||
| - name: Push changes to evcc-master | ||
| run: | | ||
| git push origin evcc-master |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 5 months ago
The best way to fix the problem is to add an explicit permissions block to the workflow, scoping the available permissions to the least amount necessary. Since this workflow only syncs branches and does not directly interact with issues, PRs, or perform any artifact uploads, the minimal required permission is likely just contents: read. Add the following under the top-level keys (name/on and before jobs:) in .github/workflows/sync-upstream.yml:
permissions:
  contents: read
This limits the GITHUB_TOKEN to only read repository contents. If any future steps require additional permissions, those can be enabled on a per-job or per-step basis.
| @@ -6,6 +6,9 @@ | ||
| - cron: "0 20 * * *" | ||
| workflow_dispatch: # Allows manual trigger of the workflow | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| sync: | ||
| runs-on: ubuntu-latest |
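Review bot: `contents: read` is narrower than what this workflow does: the final step, `git push origin evcc-master`, writes to the repository. It keeps working only because `actions/checkout@v3` persisted `secrets.EVCC_PAT` into the clone and git pushes with that PAT rather than with GITHUB_TOKEN, so the new block restricts a token the push never uses while the PAT's scopes remain unbounded. Either drop `token:` from the checkout step and grant `contents: write` at the job level so the push runs under the job's own least-privilege token, or keep the read-only GITHUB_TOKEN and document that the PAT is the credential this sync writes with.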
A merge conflict was detected while syncing tag 0.302.0.0. Please resolve the conflict in this PR.