fix: drive hotfix finalize via trigger-capable state token merge#202
Merged
The generated hotfix workflow merged the clean-cherry-pick resolution PR with gh pr merge --auto under the default GITHUB_TOKEN. GitHub completes auto-merge as github-actions[bot], and merges authored by that token do not emit pull_request events, so the pull_request(closed) finalize chain never ran and the target environment state was never recorded after an automated hotfix. Merge the clean resolution PR in a dedicated step authenticated with the configured state token (the same trigger-capable token used for state writes). The step polls PR mergeability before merging, so a protected env branch with a required status check still gates the merge until the check is green, and an unprotected branch merges on the first poll. A state-token-authored merge emits pull_request(closed), so context, build, deploy, and finalize run. Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
Problem

The generated hotfix workflow gates its FINALIZE chain (context, build, deploy, finalize) on `pull_request: closed` into `env/*`. The apply job merged the clean cherry-pick resolution PR with `gh pr merge --auto --squash` under the default `GITHUB_TOKEN`. GitHub completes auto-merge as github-actions[bot], and merges authored by that token do not emit `pull_request`/`push` events (recursion suppression). So the finalize chain never ran and `state.<env>` was never recorded after any automated hotfix merge. The previous direct-merge fallback under `GITHUB_TOKEN` had the identical gap.

Fix

Merge the clean resolution PR in a dedicated step authenticated with the configured state token (`config.GetStateToken()`, the same trigger-capable token already used for state-write commits). A state-token-authored merge emits `pull_request: closed`, so the finalize chain runs. The step polls PR mergeability before merging, so a protected env branch with a required status check still gates the merge until the check is green; an unprotected branch reports mergeable on the first poll and merges immediately (subsuming the old fallback). On timeout it fails loudly. The conflict path (human merges via UI) is unchanged.

When no `state_token` is configured it defaults to `GITHUB_TOKEN`, documented in the step comment as the case where finalize will not fire; operators needing post-hotfix finalize must configure a trigger-capable token.

Verification

`go build ./...`, `go test ./...` (23 packages), `golangci-lint run ./...` all green. `TestHotfixGenerator_CleanPathPATMerge` asserting the merge step carries the state token, polls mergeability, and no longer uses `gh pr merge --auto`), then implementation to green.
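The poll-then-merge step described in the PR, written out as an added shell example. This is not the project's generated workflow or its Go generator code; it is a standalone sketch of the same behaviour. It assumes a `STATE_TOKEN` environment variable carrying the trigger-capable token (the name is an assumption, not the project's `state_token` config key), uses the real `gh pr view --json mergeStateStatus` and `gh pr merge --squash` commands, and exposes `pr_merge_state` as a separate function so the polling logic can be exercised offline by redefining it.

```shell
#!/usr/bin/env bash
# Added example: merge a clean resolution PR with a trigger-capable token so the
# resulting pull_request(closed) event actually fires. Not the project's code.
set -euo pipefail

# Query the merge state of one PR. GitHub's MergeStateStatus values are
# CLEAN, HAS_HOOKS, BLOCKED, BEHIND, UNSTABLE, DIRTY, DRAFT and UNKNOWN.
# Defined as its own function so tests can replace it with a stub.
pr_merge_state() {
  gh pr view "$1" --json mergeStateStatus --jq .mergeStateStatus
}

# Poll until the PR is mergeable. A protected branch with a required status
# check reports BLOCKED until the check is green; an unprotected branch reports
# CLEAN on the first poll. DIRTY (a real conflict) is not worth waiting on.
# Returns 0 when mergeable, 2 on conflict, 1 on timeout (fail loudly).
wait_for_mergeable() {
  pr="$1"; max_polls="${2:-30}"; interval="${3:-10}"
  i=1
  while [ "$i" -le "$max_polls" ]; do
    state="$(pr_merge_state "$pr")"
    case "$state" in
      CLEAN|HAS_HOOKS)
        return 0 ;;
      DIRTY)
        echo "PR #$pr has merge conflicts; resolve manually" >&2
        return 2 ;;
      *)
        echo "PR #$pr not mergeable yet ($state), poll $i/$max_polls" >&2 ;;
    esac
    sleep "$interval"
    i=$((i + 1))
  done
  echo "timed out waiting for PR #$pr to become mergeable" >&2
  return 1
}

# Merge under the state token, never the default GITHUB_TOKEN: a merge authored
# by github-actions[bot] emits no pull_request event, so downstream jobs keyed
# on pull_request(closed) would silently never run.
merge_with_state_token() {
  pr="$1"
  : "${STATE_TOKEN:?STATE_TOKEN must be set to a trigger-capable token (not GITHUB_TOKEN)}"
  wait_for_mergeable "$pr" || return $?
  GH_TOKEN="$STATE_TOKEN" gh pr merge "$pr" --squash
}

# Only act when a PR number is passed on the command line (assumed CLI shape).
if [ -n "${1:-}" ]; then
  merge_with_state_token "$1"
fi
```

Scoping `GH_TOKEN` to the single `gh pr merge` invocation keeps the stronger token out of every other step of the job; the polling reads can stay on the default token. Note that the timeout is a hard failure rather than a fallback to `GITHUB_TOKEN`, because a fallback merge would reintroduce the missing-event gap this step exists to close.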