feat: restting branches and pr in audit fix removed#111
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the audit_fix GitHub Actions workflow to stop reusing/updating an existing open audit-fix PR, instead failing early and requiring the existing PR to be merged/closed before re-running.
Changes:
- Add a step to hard-fail the workflow when an open PR already exists for the audit-fix branch.
- Adjust branch creation/reset logging and sequencing.
- Remove the “reopen PR if it was closed” path and make PR creation run whenever changes are detected.
Comments suppressed due to low confidence (1)
.github/workflows/audit_fix.yml:239
Create PRnow runs unconditionally whenenv.changes == 'true'. If an open PR exists but wasn’t detected (pagination/race), the GitHub API will return a 422 and this step will fail the workflow. To make this resilient, either gate this step onenv.EXISTING_PR_NUMBER == ''(and keepSkip If PR Already Open), or handle the 422 “pull request already exists” response by fetching the existing PR number/URL and continuing.
- name: Create PR
if: env.changes == 'true'
run: |
echo "No existing PR found. Creating new PR..."
PR_RESPONSE=$(curl -s -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-H "Accept: application/vnd.github.v3+json" \
-d "{ \"title\": \"fix: Security updates\", \"head\": \"${{ env.BRANCH_NAME }}\", \"base\": \"${{ inputs.base_branch }}\", \"draft\": false }" \
"https://api.github.com/repos/${{ github.repository }}/pulls")
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Skip If PR Already Open | ||
| if: env.EXISTING_PR_NUMBER != '' | ||
| run: | | ||
| echo "::error::Open PR #${{ env.EXISTING_PR_NUMBER }} exists for branch ${{ env.BRANCH_NAME }}. Please merge or close it first before running audit fix." | ||
| exit 1 |
There was a problem hiding this comment.
The new “Skip If PR Already Open” behavior depends on EXISTING_PR_NUMBER being detected correctly, but the preceding PR lookup uses the default /pulls?state=open listing which is paginated (30 items) and may miss an open PR for this branch. If that happens, this step won’t trip and later steps can still reset the branch and/or fail PR creation with a duplicate-PR error. Consider querying by head branch directly (e.g., pulls?state=open&head=<owner>:<branch>, optionally with per_page=100) or implementing pagination.
There was a problem hiding this comment.
rereview
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Create PR | ||
| if: env.changes == 'true' | ||
| run: | | ||
| echo "No existing PR found. Creating new PR..." |
There was a problem hiding this comment.
The log line “No existing PR found. Creating new PR...” is now unconditional within the Create PR step, but earlier logic only checked for open PRs (and may have also exited early). Consider rewording this message to avoid implying that no PR exists at all (e.g., closed PRs may exist) and to reflect the actual condition for creation.
| echo "No existing PR found. Creating new PR..." | |
| echo "Attempting to create a new PR for the current changes..." |
There was a problem hiding this comment.
The log is fine. "No existing PR" clearly means "no existing open PR" in context.
we can ignore this as well.
| "https://api.github.com/repos/${{ github.repository }}/pulls?state=open" \ | ||
| | jq -r --arg branch "${{ env.BRANCH_NAME }}" '.[] | select(.head.ref == $branch) | .number') | ||
| "https://api.github.com/repos/${{ github.repository }}/pulls?state=open&head=${{ github.repository_owner }}:${{ env.BRANCH_NAME }}" \ | ||
| | jq -r '.[0].number // empty') |
There was a problem hiding this comment.
The PR lookup now filters by head=owner:branch, but it doesn’t ensure the PR targets the requested inputs.base_branch. If there’s an open PR from the same head branch to a different base, this will still set EXISTING_PR_NUMBER and the workflow will hard-fail even though there is no conflicting PR for the configured base. Consider filtering the returned PRs by .base.ref == inputs.base_branch (and then extracting .number) so the “already open” guard is accurate.
| | jq -r '.[0].number // empty') | |
| | jq -r --arg base_branch "${{ inputs.base_branch }}" '[.[] | select(.base.ref == $base_branch)][0].number // empty') |
There was a problem hiding this comment.
Pr will always target to main, hence this comment can be ignored.
| BASE_COMMIT_SHA=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | ||
| "https://api.github.com/repos/${{ github.repository }}/git/refs/heads/${{ inputs.base_branch }}" | jq -r '.object.sha') | ||
|
|
There was a problem hiding this comment.
BASE_COMMIT_SHA is derived from a GitHub API response but isn’t validated before being used to reset/create refs. If the base branch ref lookup fails (404, permission, rate limiting), jq -r '.object.sha' will yield null and subsequent ref updates will fail in a non-obvious way. Suggest checking that BASE_COMMIT_SHA is non-empty and not null, and failing the step with a clear error when it can’t be resolved (optionally also use curl options that fail on non-2xx).
| BASE_COMMIT_SHA=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| "https://api.github.com/repos/${{ github.repository }}/git/refs/heads/${{ inputs.base_branch }}" | jq -r '.object.sha') | |
| if ! BASE_REF_RESPONSE=$(curl -fsS -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| "https://api.github.com/repos/${{ github.repository }}/git/refs/heads/${{ inputs.base_branch }}"); then | |
| echo "::error::Failed to resolve base branch ref '${{ inputs.base_branch }}' for repository '${{ github.repository }}'." | |
| exit 1 | |
| fi | |
| BASE_COMMIT_SHA=$(echo "$BASE_REF_RESPONSE" | jq -r '.object.sha // empty') | |
| if [[ -z "$BASE_COMMIT_SHA" || "$BASE_COMMIT_SHA" == "null" ]]; then | |
| echo "::error::Could not determine a valid base commit SHA for branch '${{ inputs.base_branch }}'." | |
| exit 1 | |
| fi |
There was a problem hiding this comment.
this is over engineering the flow.
realistically The GITHUB_TOKEN is provided by the workflow, main always exists, and rate limiting on the Actions token within the same repo is effectively impossible.
In the worst case the workflow will anyway fail at this step. I feel unnecessary to address.
Till now for more than a year this audit fix is running, never caused an issue
| curl -s -X PATCH -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | ||
| -H "Accept: application/vnd.github.v3+json" \ | ||
| -d "{\"sha\": \"$BASE_COMMIT_SHA\", \"force\": true}" \ | ||
| "https://api.github.com/repos/${{ github.repository }}/git/refs/heads/${{ env.BRANCH_NAME }}" | ||
| echo "✅ Branch ${{ env.BRANCH_NAME }} reset successfully." | ||
| else | ||
| echo "🆕 Branch ${{ env.BRANCH_NAME }} does not exist. Creating from ${{ inputs.base_branch }}..." | ||
| echo "Creating branch ${{ env.BRANCH_NAME }} from ${{ inputs.base_branch }}..." | ||
| curl -s -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | ||
| -H "Accept: application/vnd.github.v3+json" \ | ||
| -d "{\"ref\": \"refs/heads/${{ env.BRANCH_NAME }}\", \"sha\": \"$BASE_COMMIT_SHA\"}" \ | ||
| "https://api.github.com/repos/${{ github.repository }}/git/refs" |
There was a problem hiding this comment.
The branch reset/create API calls don’t check HTTP status codes or API error messages. Because curl -s doesn’t fail the shell on non-2xx, this step can silently continue even if the ref update/create failed (which would later make the commit/PR steps behave unpredictably). Consider capturing the response + status code and exiting non-zero on failure.
There was a problem hiding this comment.
not required.
| - name: Skip If PR Already Open | ||
| if: env.EXISTING_PR_NUMBER != '' | ||
| run: | | ||
| echo "::error::Open PR #${{ env.EXISTING_PR_NUMBER }} exists for branch ${{ env.BRANCH_NAME }}. Please merge or close it first before running audit fix." | ||
| exit 1 |
There was a problem hiding this comment.
Step name says “Skip If PR Already Open”, but the step emits ::error:: and exits 1, which fails the workflow rather than skipping work. Either rename the step to reflect that this is an intentional failure/block, or change the behavior to a true skip (e.g., exit 0 / use conditional gating on subsequent steps).
There was a problem hiding this comment.
fair, we can update the name to Fail If PR Already Open
No description provided.