From 3a7f622b4735f1bc13482bbf4e84dd02d0ecb51e Mon Sep 17 00:00:00 2001
From: Carlos Polop
Date: Fri, 5 Jun 2026 00:40:25 +0200
Subject: [PATCH] ci: release after trusted windows definitions merge
---
 .github/workflows/chack-agent-pr-triage.yml | 22 ++++++++++++++++---
 .../update_windows_version_definitions.yml | 13 +---------
 2 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/chack-agent-pr-triage.yml b/.github/workflows/chack-agent-pr-triage.yml
index f81ce58..2933473 100644
--- a/.github/workflows/chack-agent-pr-triage.yml
+++ b/.github/workflows/chack-agent-pr-triage.yml
@@ -10,6 +10,7 @@ jobs:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 runs-on: ubuntu-latest
 permissions:
+ actions: write
 contents: write
 pull-requests: write
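Review bot: `actions: write` is granted to the job's GITHUB_TOKEN, but the dispatch it is presumably there for (`gh workflow run CI-master_tests.yml` in the next hunk of this file) runs in a step whose GH_TOKEN is CHACK_AGENT_FIXER_TOKEN — that step exits when the variable is empty — so the job-token grant looks unused by that call; the step's env block is outside the hunk, so this is inferred. A permission that lets a workflow_run-triggered job dispatch any workflow in the repository, including the one that publishes the release, should stay minimal: drop it if nothing in the job dispatches with the job token, or record the reason above the line, e.g. `# actions: write — needed for gh workflow run with the job token; the merge step currently dispatches with CHACK_AGENT_FIXER_TOKEN`. The job definition begins above this hunk.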
@@ -93,17 +94,32 @@ jobs:
 COMMIT_TITLE: ${{ steps.bot_pr.outputs.title }}
 run: |
 if [ -z "$GH_TOKEN" ]; then
- echo "CHACK_AGENT_FIXER_TOKEN is required to merge this PR because github.token merges do not trigger the release workflow."
+ echo "CHACK_AGENT_FIXER_TOKEN is required to merge this PR and dispatch the release workflow."
 exit 1
 fi
 for attempt in {1..6}; do
- if gh api \
+ if response="$(gh api \
 -X PUT \
 -H "Accept: application/vnd.github+json" \
 "/repos/${{ github.repository }}/pulls/${PR_NUMBER}/merge" \
 -f merge_method=squash \
- -f commit_title="$COMMIT_TITLE"; then
+ -f commit_title="$COMMIT_TITLE")"; then
+ merge_sha="$(jq -r '.sha // empty' <<<"$response")"
+ echo "Merged trusted windows definitions bot PR #$PR_NUMBER as $merge_sha."
+
+ for wait_attempt in {1..12}; do
+ master_sha="$(gh api "/repos/${{ github.repository }}/git/ref/heads/master" --jq .object.sha)"
+ if [ -z "$merge_sha" ] || [ "$master_sha" = "$merge_sha" ]; then
+ break
+ fi
+
+ echo "Waiting for master to point at merge commit $merge_sha ($wait_attempt/12)."
+ sleep 5
+ done
+
+ gh workflow run CI-master_tests.yml --ref master
+ echo "Dispatched CI-master_test to build and publish the PEASS release."
 exit 0
 fi
diff --git a/.github/workflows/update_windows_version_definitions.yml b/.github/workflows/update_windows_version_definitions.yml
index 45936cb..219a717 100644
--- a/.github/workflows/update_windows_version_definitions.yml
+++ b/.github/workflows/update_windows_version_definitions.yml
@@ -39,7 +39,6 @@ jobs:
 - name: Create validated update pull request
 env:
 GH_TOKEN: ${{ github.token }}
- MERGE_TOKEN: ${{ secrets.CHACK_AGENT_FIXER_TOKEN }}
 run: |
 title="chore(winpeas): update windows version vulnerability definitions"
 branch="bot/update-windows-version-definitions"
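Review bot: The release is dispatched whether or not master was actually observed at the merge commit: an empty `merge_sha` from `jq -r '.sha // empty'` makes the wait loop break on its first pass, and when all 12 polls miss — or master has already moved to a later commit, which the strict equality check never matches — the loop falls through to `gh workflow run CI-master_tests.yml --ref master`, so the release build can run on a master that does not yet contain the merged definitions. Treat an empty sha as a failure, confirm inclusion with the compare endpoint (a `status` of `identical` or `ahead` for `${merge_sha}...master` means master contains the merge) instead of equality with the branch head, and refuse to dispatch when confirmation never arrives. The echo names `CI-master_test` while the dispatched file is `CI-master_tests.yml`; keep the two consistent so run logs grep correctly. The merge step continues past the hunk (the retry loop's failure path is not shown).
```yaml
          merge_sha="$(jq -r '.sha // empty' <<<"$response")"
          if [ -z "$merge_sha" ]; then
            echo "Merge response for PR #$PR_NUMBER carried no sha; not dispatching the release."
            exit 1
          fi
          echo "Merged trusted windows definitions bot PR #$PR_NUMBER as $merge_sha."

          master_has_merge=false
          for wait_attempt in {1..12}; do
            status="$(gh api "/repos/${{ github.repository }}/compare/${merge_sha}...master" --jq .status)"
            if [ "$status" = "identical" ] || [ "$status" = "ahead" ]; then
              master_has_merge=true
              break
            fi

            echo "Waiting for master to contain merge commit $merge_sha ($wait_attempt/12, status=$status)."
            sleep 5
          done

          if [ "$master_has_merge" != true ]; then
            echo "master did not reach merge commit $merge_sha within the wait budget; not dispatching the release."
            exit 1
          fi
          # … unchanged: gh workflow run CI-master_tests.yml --ref master, echo, exit 0 …
```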
@@ -75,15 +74,5 @@ jobs:
 exit 1
 fi
- if [ -z "$MERGE_TOKEN" ]; then
- echo "CHACK_AGENT_FIXER_TOKEN is required to merge this PR because github.token merges do not trigger the release workflow."
- exit 1
- fi
-
 gh workflow run PR-tests.yml --ref "$branch"
-
- if GH_TOKEN="$MERGE_TOKEN" gh pr merge "$pr_number" --squash --auto --subject "$title"; then
- echo "Auto-merge enabled for PR #$pr_number."
- else
- echo "Could not enable GitHub auto-merge for PR #$pr_number; the PR-tests workflow_run merge job will still merge it after tests pass."
- fi
+ echo "PR-tests dispatched for PR #$pr_number. The trusted workflow_run merge job will merge it and dispatch CI-master_test after tests pass."
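Review bot: The new closing message states as fact that the merge job will merge and release, but nothing in this step confirms that `gh workflow run PR-tests.yml --ref "$branch"` succeeded; unless `set -e` is in effect earlier in this run block (outside the hunk), a failed dispatch is printed over as success and the PR is never picked up. Check the exit status before announcing: `if ! gh workflow run PR-tests.yml --ref "$branch"; then echo "Failed to dispatch PR-tests for PR #$pr_number."; exit 1; fi`. Since the CHACK_AGENT_FIXER_TOKEN check was removed from this workflow, it would also help operators to name where the merge now happens — e.g. append `(see chack-agent-pr-triage.yml)` to the echo — so a missing token is traced to the right run instead of a PR that silently stays open.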