Upstream-sync → protected master #792
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Upstream-sync → protected master | |
| on: | |
| schedule: # run every night | |
| - cron: '7 2 * * *' | |
| workflow_dispatch: # (optional) manual trigger | |
| permissions: # minimum perms the job needs | |
| contents: write # push the sync branch | |
| pull-requests: write # open, approve & merge the PR | |
| concurrency: # never let two syncs race | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| sync: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # 1. full clone so we always have the latest tip | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # 2. fetch upstream & copy it to a side branch | |
| - name: Update upstream-sync branch | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Configure git identity | |
| git config --global user.email "[email protected]" | |
| git config --global user.name "GitHub Action" | |
| git remote add upstream https://github.com/openjdk/jdk17u-dev.git | |
| git fetch upstream master | |
| echo "=== Current branch status ===" | |
| git log --oneline -5 | |
| echo "=== Upstream status ===" | |
| git log --oneline -5 upstream/master | |
| # Create sync branch from current master to preserve workflows | |
| git checkout -B upstream-sync origin/master | |
| echo "=== About to merge upstream changes ===" | |
| git log --oneline -1 HEAD | |
| git log --oneline -1 upstream/master | |
| # Simple merge approach - let's see what happens | |
| if git merge upstream/master --no-edit --allow-unrelated-histories; then | |
| echo "=== Merge successful ===" | |
| git log --oneline -5 | |
| else | |
| echo "=== Merge failed, trying alternative approach ===" | |
| git merge --abort || true | |
| git reset --hard upstream/master | |
| # Restore our workflow files after taking upstream | |
| git checkout origin/master -- .github/workflows/ | |
| git add .github/workflows/ | |
| git commit -m "Preserve local workflow files during upstream sync" | |
| echo "=== Alternative approach completed ===" | |
| git log --oneline -5 | |
| fi | |
| echo "=== Final branch status before push ===" | |
| git log --oneline -10 | |
| git push -f origin upstream-sync | |
| # 3. Open or update the PR `upstream-sync -> master` | |
| - name: Create or update pull request | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Check if PR already exists | |
| if gh pr view upstream-sync 2>/dev/null; then | |
| echo "PR already exists, updating it" | |
| gh pr edit upstream-sync --title "Automated upstream merge" --body "Nightly sync of openjdk/jdk17u-dev:master into this fork" | |
| else | |
| echo "Creating new PR" | |
| gh pr create --head upstream-sync --base master --title "Automated upstream merge" --body "Nightly sync of openjdk/jdk17u-dev:master into this fork" | |
| fi | |
| # 4. Auto-approve that PR | |
| - name: Auto-approve PR | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| if gh pr view upstream-sync 2>/dev/null; then | |
| gh pr review upstream-sync --approve --body "Auto-approved upstream sync" | |
| echo "Approved PR for upstream-sync branch" | |
| fi | |
| # 5. Enable auto-merge so GitHub merges as soon as | |
| # branch protection requirements are satisfied | |
| - name: Enable auto-merge | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| if gh pr view upstream-sync 2>/dev/null; then | |
| gh pr merge upstream-sync --auto --merge | |
| echo "Enabled auto-merge for upstream-sync branch" | |
| fi |