
workflows: fix allowlist update race (#866) #876

Open: potiuk wants to merge 1 commit into main from fix-866-allowlist-race

potiuk (Member) commented May 22, 2026

Summary

Consolidates update_actions.yml (composite → actions.yml) and
update_composite_action.yml (actions.yml → composite) into a single
update_allowlist.yml. The previous pair ran in separate concurrency
groups and could overlap, silently clobbering one direction's edit —
see #866 for raboof's reconstruction of how a dependabot bump got
downgraded.

The combined workflow:

  • Triggers on push to main when either file changes
  • Single concurrency group so only one run touches the allowlist at a time
  • Always runs both directions: merge composite → actions.yml (additive),
    then regenerate composite + approved_patterns.yml from actions.yml
  • Checks out latest main HEAD (not the trigger SHA) so a queued run
    sees the prior run's commit
  • Rebases and retries on push failure (the sync script is idempotent)

Also updates the README's three mermaid diagrams + prose to point at the
new workflow name. The two utils/check_cache_settings/*.py changes are
prek auto-inserting missing Apache license headers on pre-existing
files — unrelated to #866 but caught by prek run --all-files; CI would
have auto-fixed them anyway.

Fixes #866

Test plan

  • uv run pytest gateway/ — 8 passed
  • prek run --all-files clean
  • After merge: trigger via workflow_dispatch on an unchanged tree
    to confirm no-op behavior
  • Watch the next dependabot bump merge to confirm actions.yml +
    composite + approved_patterns.yml all update from a single workflow

The two workflows ran in separate concurrency groups and could overlap
on a push that changed both actions.yml and the dependabot composite
action.yml, silently clobbering one direction's edit. The new
update_allowlist.yml runs both directions in order with a single
concurrency group, so neither edit is lost.

Fixes #866

Generated-by: Claude Opus 4.7 (1M context)
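
A workflow skeleton with the properties listed in the summary above, as an added example that is not part of this pull request and is not the project's update_allowlist.yml. The group name, the composite action path, the `./sync_allowlist.sh` script, the commit message and the retry count are assumptions, and the checkout pin is a placeholder.

```yaml
# Added example. Values marked "hypothetical" or "placeholder" are not from the PR.
name: Update allowlist
on:
  push:
    branches: [main]
    paths:
      - actions.yml
      - path/to/composite/action.yml   # placeholder for the composite action file
  workflow_dispatch:

# One group for both sync directions: a second run queues behind the first
# instead of overlapping it. cancel-in-progress is false so a run that is
# midway through committing is never killed.
concurrency:
  group: update-allowlist              # hypothetical group name
  cancel-in-progress: false

permissions:
  contents: write                      # the job pushes a commit to main

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-commit-sha>   # placeholder pin
        with:
          ref: main                    # branch tip, not the triggering SHA
          fetch-depth: 0               # full history so the rebase below works
      - name: Sync both directions, push, rebase and retry
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          sync_and_commit() {
            # Hypothetical idempotent script: merges composite into actions.yml,
            # then regenerates the composite and approved_patterns.yml.
            ./sync_allowlist.sh
            git add -A
            git diff --cached --quiet || git commit -m "Update allowlist"
          }
          sync_and_commit
          for attempt in 1 2 3; do
            # With nothing to commit this push is a no-op and succeeds.
            git push origin HEAD:main && exit 0
            # Rejected: main moved. A conflicting rebase fails the step
            # (the runner's bash uses -e), which is the safe outcome.
            git pull --rebase origin main
            sync_and_commit            # re-run on the new tip; idempotent
          done
          echo "push failed after 3 attempts" >&2
          exit 1
```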
Development

Successfully merging this pull request may close these issues.

race condition in allowlist / action updates
