Browse code
gha/validate-milestone: Handle PR updating versions.yaml
When a PR bumps the version in releases/versions.yaml, reading from the
base branch sees the old value and fails spuriously. Now we detect if
the PR touches versions.yaml and read from the head SHA in that case, so
PRs based on an older branch state don't fail.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Paweł Gronowski authored on 2026/04/24 03:34:05Showing 1 changed files
| ... | ... |
@@ -2,6 +2,7 @@ name: validate-milestone |
| 2 | 2 |
|
| 3 | 3 |
permissions: |
| 4 | 4 |
contents: read |
| 5 |
+ pull-requests: read |
|
| 5 | 6 |
|
| 6 | 7 |
on: |
| 7 | 8 |
pull_request: |
| ... | ... |
@@ -18,11 +19,25 @@ jobs: |
| 18 | 18 |
MILESTONE: ${{ github.event.pull_request.milestone.title }}
|
| 19 | 19 |
with: |
| 20 | 20 |
script: | |
| 21 |
+ const files = await github.paginate(github.rest.pulls.listFiles, {
|
|
| 22 |
+ owner: context.repo.owner, |
|
| 23 |
+ repo: context.repo.repo, |
|
| 24 |
+ pull_number: context.payload.pull_request.number, |
|
| 25 |
+ }); |
|
| 26 |
+ const touchesVersions = files.some(f => f.filename === 'releases/versions.yaml'); |
|
| 27 |
+ |
|
| 28 |
+ // Use the PR's version when it bumps the file, base branch otherwise. |
|
| 29 |
+ // It's fine to trust the author in this case, it's not meant to be |
|
| 30 |
+ // a security gate, just a helpful check for maintainers. |
|
| 31 |
+ const ref = touchesVersions |
|
| 32 |
+ ? context.payload.pull_request.head.sha |
|
| 33 |
+ : context.payload.pull_request.base.sha; |
|
| 34 |
+ |
|
| 21 | 35 |
const resp = await github.rest.repos.getContent({
|
| 22 | 36 |
owner: context.repo.owner, |
| 23 | 37 |
repo: context.repo.repo, |
| 24 | 38 |
path: 'releases/versions.yaml', |
| 25 |
- ref: context.payload.pull_request.base.sha, |
|
| 39 |
+ ref, |
|
| 26 | 40 |
}); |
| 27 | 41 |
const content = Buffer.from(resp.data.content, resp.data.encoding).toString('utf8');
|
| 28 | 42 |
const line = content.split('\n').find(l => l.includes('next:'));
|