Pull request overview
This PR consolidates mirror repository synchronization workflows by replacing two separate workflow files (gitee.yml and cnb.yml) with a single unified mirror.yml workflow that uses a matrix strategy to handle multiple mirror targets.
Key Changes:
- Created a unified mirror.yml workflow using matrix strategy to sync to both Gitee and CNB repositories
- Integrated mirror workflow call into the release.yml workflow
- Removed redundant gitee.yml and cnb.yml workflow files
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .github/workflows/mirror.yml | New unified workflow with matrix strategy for syncing to multiple mirror repositories (Gitee and CNB) |
| .github/workflows/release.yml | Added step to invoke the new mirror workflow during release process |
| .github/workflows/gitee.yml | Removed - functionality consolidated into mirror.yml |
| .github/workflows/cnb.yml | Removed - functionality consolidated into mirror.yml |
| on: | ||
| workflow_dispatch: | ||
| workflow_call: | ||
| push: |
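Review bot: `workflow_call:` is declared here with no `secrets:` block, so when release.yml calls this workflow the mirror credentials reach the job only if the caller passes `secrets: inherit`; without that, the secret lookups evaluate to empty strings and the push fails on authentication. Either declare the sync secrets under `on.workflow_call.secrets` or state in a comment that callers must inherit. Since the same workflow also runs on `push:`, a `concurrency:` group would keep a release-triggered run and a push-triggered run from force-pushing to the same mirror at once.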
The on.push trigger should specify branches to avoid running the mirror workflow on every push to any branch. Consider adding a branch filter like branches: [main, master] to avoid unnecessary workflow runs and potential race conditions when multiple branches are pushed simultaneously.
| push: | |
| push: | |
| branches: | |
| - main | |
| - master |
| name: Mirror to ${{ matrix.target.name }} | ||
| if: ${{ github.repository == 'HMCL-dev/HMCL' }} | ||
| runs-on: ubuntu-latest | ||
| steps: |
The checkout step is missing. The git clone --mirror command needs to clone from GitHub, but there's no checkout of the source repository. While the command uses GITHUB_REPOSITORY environment variable, you should add a checkout step or ensure the GITHUB_REPOSITORY variable is properly set in the environment.
| steps: | |
| - name: Mirror GitHub to ${{ matrix.target.name }} | |
| env: | |
| GITHUB_REPOSITORY: ${{ github.repository }} |
| user: 'GITEE_SYNC_USERNAME' | ||
| token: 'GITEE_SYNC_TOKEN' | ||
| - name: CNB | ||
| repo: cnb.cool/HMCL-dev/HMCL | ||
| user: 'CNB_SYNC_USERNAME' | ||
| token: 'CNB_SYNC_TOKEN' |
The matrix strategy contains string values for 'user' and 'token' fields, but these should reference the actual secret names without quotes. The current configuration will attempt to access secrets with literal string keys 'GITEE_SYNC_USERNAME' rather than the intended secret names. Change to user: GITEE_SYNC_USERNAME without quotes.
| user: 'GITEE_SYNC_USERNAME' | |
| token: 'GITEE_SYNC_TOKEN' | |
| - name: CNB | |
| repo: cnb.cool/HMCL-dev/HMCL | |
| user: 'CNB_SYNC_USERNAME' | |
| token: 'CNB_SYNC_TOKEN' | |
| user: GITEE_SYNC_USERNAME | |
| token: GITEE_SYNC_TOKEN | |
| - name: CNB | |
| repo: cnb.cool/HMCL-dev/HMCL | |
| user: CNB_SYNC_USERNAME | |
| token: CNB_SYNC_TOKEN |
| user: 'GITEE_SYNC_USERNAME' | ||
| token: 'GITEE_SYNC_TOKEN' | ||
| - name: CNB | ||
| repo: cnb.cool/HMCL-dev/HMCL | ||
| user: 'CNB_SYNC_USERNAME' | ||
| token: 'CNB_SYNC_TOKEN' |
The matrix strategy contains string values for 'user' and 'token' fields, but these should reference the actual secret names without quotes. The current configuration will attempt to access secrets with literal string keys 'CNB_SYNC_USERNAME' rather than the intended secret names. Change to user: CNB_SYNC_USERNAME without quotes.
| user: 'GITEE_SYNC_USERNAME' | |
| token: 'GITEE_SYNC_TOKEN' | |
| - name: CNB | |
| repo: cnb.cool/HMCL-dev/HMCL | |
| user: 'CNB_SYNC_USERNAME' | |
| token: 'CNB_SYNC_TOKEN' | |
| user: GITEE_SYNC_USERNAME | |
| token: GITEE_SYNC_TOKEN | |
| - name: CNB | |
| repo: cnb.cool/HMCL-dev/HMCL | |
| user: CNB_SYNC_USERNAME | |
| token: CNB_SYNC_TOKEN |
| - name: Mirror GitHub to ${{ matrix.target.name }} | ||
| run: | | ||
| git clone --mirror "https://github.com/$GITHUB_REPOSITORY.git" -- repo | ||
| cd repo |
Potential security risk: The mirror workflow exposes credentials in the git push URL. While GitHub masks secrets in logs, consider using git credential helpers or SSH keys for a more secure approach. Additionally, ensure the secrets have minimal required permissions (only repository write access).
| - name: Mirror GitHub to ${{ matrix.target.name }} | |
| run: | | |
| git clone --mirror "https://github.com/$GITHUB_REPOSITORY.git" -- repo | |
| cd repo | |
| env: | |
| MIRROR_USER: ${{ secrets[matrix.target.user] }} | |
| MIRROR_TOKEN: ${{ secrets[matrix.target.token] }} | |
| run: | | |
| git clone --mirror "https://github.com/$GITHUB_REPOSITORY.git" -- repo | |
| cd repo | |
| git config credential.username "$MIRROR_USER" | |
| git config credential.helper '!f() { echo "password=$MIRROR_TOKEN"; }; f' | |
| git push -f --prune "https://${{ matrix.target.repo }}.git" "refs/heads/*:refs/heads/*" "refs/tags/*:refs/tags/*" |
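The credential-helper approach suggested above registers the helper for every host; scoping it to the mirror host keeps the token from being offered anywhere else. The following is an added example, not part of the pull request or of Copilot's review, that checks this offline with `git credential fill`. The function names and the `MIRROR_USER` / `MIRROR_TOKEN` values are constructed for illustration.

```shell
#!/bin/sh
# Added example: host-scoped credential helper, checked offline.
# All credential values below are constructed placeholders.
export MIRROR_USER="sync-bot"            # stands in for secrets[matrix.target.user]
export MIRROR_TOKEN="constructed-token"  # stands in for secrets[matrix.target.token]

# Run git with no system/global config and no prompt programs, so the only
# credential source is what this script configures.
clean_git() {
  env -u GIT_ASKPASS -u SSH_ASKPASS GIT_TERMINAL_PROMPT=0 \
      GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null git "$@"
}

# Create a scratch repo whose helper answers only for https://$1.
setup_scoped_helper() {
  local host="$1" dir
  dir="$(mktemp -d)"
  clean_git init -q "$dir"
  clean_git -C "$dir" config "credential.https://$host.username" "$MIRROR_USER"
  # The token is read from the environment when git asks for it; it is never
  # written to .git/config and never appears in a URL.
  clean_git -C "$dir" config "credential.https://$host.helper" \
    '!f() { echo "password=$MIRROR_TOKEN"; }; f'
  echo "$dir"
}

# Print the password git would send to https://$2 from repo $1 (empty if none).
password_for() {
  printf 'protocol=https\nhost=%s\n\n' "$2" |
    clean_git -C "$1" credential fill 2>/dev/null |
    sed -n 's/^password=//p'
}

# Succeeds only if the token value is absent from the repo's config file.
token_not_on_disk() {
  ! grep -qF -- "$MIRROR_TOKEN" "$1/.git/config"
}

demo_dir="$(setup_scoped_helper cnb.cool)"
echo "cnb.cool   -> '$(password_for "$demo_dir" cnb.cool)'"
echo "github.com -> '$(password_for "$demo_dir" github.com)'"
```

In the workflow itself the same two `git config credential.https://<host>.*` lines would replace the unscoped ones, with the host taken from the matrix entry.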
| repo: cnb.cool/HMCL-dev/HMCL | ||
| user: 'CNB_SYNC_USERNAME' | ||
| token: 'CNB_SYNC_TOKEN' | ||
| name: Mirror to ${{ matrix.target.name }} |
Inconsistent repository check condition. The original gitee.yml checked github.repository_owner == 'HMCL-dev' while the new mirror.yml checks github.repository == 'HMCL-dev/HMCL'. The new condition is more restrictive (exact repository match vs owner match). If this change is intentional, it's fine, but if the goal was to preserve the original behavior, consider using github.repository_owner == 'HMCL-dev' to allow mirroring from forks within the same organization.
| GIT_CNB_VERSION: '1.1.2' | ||
| - name: Update mirror repositories | ||
| if: ${{ env.continue == 'true' }} | ||
| uses: ./.github/workflows/mirror.yml |
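Review bot: `uses: ./.github/workflows/mirror.yml` sits on a step here (`- name: Update mirror repositories` with a step-level `if:`), but a reusable workflow can only be called from a job through `jobs.<job_id>.uses`; a step-level `uses:` expects an action, so this step will not start the mirror workflow. Move the call into its own job that `needs:` this one and passes `secrets: inherit`, and expose `continue` as a job output, because the `env` context used in this `if:` is not available in a job-level `if:`.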
The uses syntax is incorrect for calling a reusable workflow. The correct syntax should be uses: ./.github/workflows/mirror.yml@${{ github.ref }} or simply reference it without the local path prefix when calling from the same repository. However, since this is a local workflow file in the same repository, you should use the relative path without the ./ prefix: uses: .github/workflows/mirror.yml
| uses: ./.github/workflows/mirror.yml | |
| uses: .github/workflows/mirror.yml |
No description provided.