ci: add Tekton Task for /rebase slash command #3247
Hi! I’ve implemented the
The task rebases and force-pushes without verifying that the person who typed /rebase has write access to the repo. Anyone who can comment on a PR could trigger a force-push. This should be validated either here or in the trigger layer.
We need to figure that one out. I think there is some discussion around this in #3123.
Sorry for the late review 🙏🏼.
| description: Workspace where the repo will be cloned and rebased. | ||
| steps: | ||
| - name: rebase-pr | ||
| image: ghcr.io/github/cli/gh:latest |
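Review bot: image: ghcr.io/github/cli/gh:latest is an unpinned, mutable tag, so each run of this step pulls whatever the tag currently points at, and a step that holds a token able to force-push the repo is neither reproducible nor auditable. Pin the image to a specific version tag, preferably with its digest (ghcr.io/github/cli/gh:<version>@sha256:<digest>, placeholders to be filled in), and bump it deliberately in a separate PR.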
ghcr.io/github/cli/gh:latest is Alpine-based. mapfile is a bash builtin not available in Alpine's default /bin/sh. The shebang says #!/usr/bin/env bash but the image may not have bash — only sh/ash.
So this is likely to fail at runtime.
| @@ -0,0 +1,219 @@ | |||
| apiVersion: tekton.dev/v1beta1 | |||
We should use tekton.dev/v1 here instead of v1beta1.
| token="${GH_TOKEN:-${GITHUB_TOKEN:-}}" | ||
| clone_url="https://github.com/${base_repo_full}.git" | ||
| if [[ -n "${token}" ]]; then | ||
| clone_url="https://x-access-token:${token}@github.com/${base_repo_full}.git" | ||
| fi | ||
|
|
||
| # Clone the base repo and fetch both base and head branches. | ||
| echo "Cloning ${base_repo_full}..." | ||
| git clone "${clone_url}" . | ||
| git remote -v |
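Review bot: beyond the git remote -v leak, putting the token into clone_url also persists it in .git/config as the origin URL for the rest of the task, so any later step that shares this workspace, prints git config, or emits git debug output can read it. Keep the clone URL credential-free (https://github.com/${base_repo_full}.git, the value already computed when ${token} is empty) and supply the token through a credential helper or GIT_ASKPASS instead, so nothing on disk or in the remote list carries the secret.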
clone_url="https://x-access-token:${token}@github.com/..."
The token is embedded in the clone URL. Since the script runs git remote -v right after cloning, the token will be printed to the task logs. Remove the git remote -v line, or use a credential helper / git config instead of embedding the token in the URL.
| git checkout "${head_ref}" | ||
|
|
||
| echo "Checking whether ${head_ref} is already up-to-date with ${base_ref}..." | ||
| git fetch origin "${base_ref}" |
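Review bot: git checkout "${head_ref}" and git fetch origin "${base_ref}" pass values taken from PR metadata straight to git without validating them. A value that is not a well-formed branch name (including one beginning with "-") either fails with a confusing error or is parsed by git as an option rather than a ref. Validate both before use, e.g. git check-ref-format --branch "${head_ref}" and the same for "${base_ref}", and fail the task early with a clear message when the check does not pass.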
The base ref is fetched twice — once after clone and again before the up-to-date check. The second fetch is redundant since no time has passed.
Changes
Implement a Tekton Task and Pipeline for the /rebase slash command as part of migrating chatops from GitHub Actions to Tekton.

Fixes #3125
Part of #3121

This implementation focuses on providing a minimal, safe baseline for /rebase, with further refinements (e.g., extended validation or conflict strategies) to be iterated in follow-up PRs.

Add slash-rebase Task (tekton/ci/slash-commands/rebase-pipeline.yaml) that:
- gh api.
- GH_TOKEN/GITHUB_TOKEN is available.
- tekton-bot <tekton-bot@users.noreply.github.com>.
- --force-with-lease.
- dry_run mode to log actions without pushing or commenting.

Add slash-rebase Pipeline wrapper that passes repository, pull_request_number, and dry_run to the Task and is intended for use from a TriggerTemplate bound to the /rebase issue_comment event.

Submitter Checklist
- repository, pull_request_number, and PR metadata.
- --force-with-lease is used for pushes; plain --force is never used.
- dry_run mode leaves GitHub state unchanged while logging intended actions.
- tekton/ci/slash-commands and follow existing CI patterns.

Release Notes