Skip to content

feat: automated dry-run gate on every PR #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nbrieussel merged 5 commits into from
Apr 14, 2026
Merged

feat: automated dry-run gate on every PR #11

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5e609d3
refactor: simplify dry-run gate — fail on changes, no JS parsing
Apr 14, 2026
1c21a45
fix: crash fails job, diffs are informational (continue-on-error)
Apr 14, 2026
2783eb9
fix: remove set -o pipefail, check_suite crash is expected and accepted
Apr 14, 2026
30e6414
fix: also print NOPCOMMAND entries alongside detected changes
Apr 14, 2026
1a3d346
fix: use grep -A 2 to show diff details after each "There are changes…
Apr 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 71 additions & 0 deletions .github/workflows/pr-dry-run.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
name: Dry-run gate

on:
pull_request:
branches: [main]

permissions:
contents: read

jobs:
dry-run:
name: Safe-settings dry-run
runs-on: ubuntu-24.04
timeout-minutes: 30
# Do not run on fork PRs — secrets are not available there
if: github.event.pull_request.head.repo.full_name == github.repository
env:
SAFE_SETTINGS_VERSION: 2.1.17
SAFE_SETTINGS_CODE_DIR: ${{ github.workspace }}/.safe-settings-code

steps:
- name: Checkout PR branch
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: Checkout safe-settings app
uses: actions/checkout@v4
with:
repository: github/safe-settings
ref: ${{ env.SAFE_SETTINGS_VERSION }}
path: ${{ env.SAFE_SETTINGS_CODE_DIR }}

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
cache: npm
cache-dependency-path: ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json

- name: Install dependencies
run: npm ci
working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}

- name: Run dry-run (NOP)
run: npm run full-sync 2>&1 | tee /tmp/dry-run.log
working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
env:
GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
GITHUB_CLIENT_SECRET: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
ADMIN_REPO: admin
DEPLOYMENT_CONFIG_FILE: ${{ github.workspace }}/deployment-settings.yml
FULL_SYNC_NOP: "true"
LOG_LEVEL: debug

# Runs even if the previous step crashed, so changes are always surfaced.
# continue-on-error: finding diffs is informational, not a merge blocker —
# a human must review but the PR is not blocked.
- name: Report config changes
if: always()
continue-on-error: true
run: |
if grep -q "There are changes for branch" /tmp/dry-run.log; then
echo "::warning::Config changes detected — human review required before merging"
grep -A 2 "There are changes for branch" /tmp/dry-run.log
exit 1
fi
Loading