✨ Add post-merge build verification workflow #4345
Conversation
Adds a GitHub Actions workflow that runs automatically when a PR is merged. It verifies both Go and frontend builds compile successfully against the merge commit. If either build fails, it creates a GitHub issue with the error output, changed files, and links to the PR. If builds pass, it posts a confirmation comment on the merged PR. Fixes #4276 Signed-off-by: Andrew Anderson <andy@clubanderson.com>
✅ Deploy Preview for kubestellarconsole canceled.
👋 Hey @clubanderson — thanks for opening this PR!
This is an automated message.
/lgtm
@clubanderson: you cannot LGTM your own PR.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: clubanderson
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Pull request overview
Adds a post-merge GitHub Actions workflow that runs on PR close (merged only) to verify the merged commit still compiles for both the Go backend and the web frontend, and to automatically open an issue or comment on success.
Changes:
- Introduces `pr-closed-verification.yml`, a workflow triggered on merged PRs (`pull_request.closed` with `merged == true`).
- Runs `go build ./...`, `npm ci`, and `npm run build` against the merge commit SHA and captures failure output.
- On failure, creates a labeled issue (with basic dedupe); on success, comments on the merged PR.
| name: Post-Merge Build Verification | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [closed] |
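Review bot: `types: [closed]` on its own also fires for PRs that are closed without being merged, so the job needs the `github.event.pull_request.merged == true` gate the overview describes, and it belongs at the job level so unmerged closes do not spend runner time. Because this job builds repository code and then calls `gh` to open issues and comment, declare an explicit `permissions:` block limited to `contents: read`, `issues: write` and `pull-requests: write` rather than relying on the repository's default token scope.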
The PR body says Fixes #4276, but this workflow only runs post-merge build compilation checks. Issue #4276’s acceptance criteria describe an MCP-backed verifier that parses Fixes #NNN links and performs issue reproduction / research follow-ups, which isn’t implemented here. Consider changing the issue linkage (e.g., “Refs #4276”) or updating the scope to match the issue requirements.
| env: | ||
| NODE_VERSION: '20' | ||
| # Timeout for the entire verification job (minutes) | ||
| JOB_TIMEOUT_MINUTES: 15 | ||
|
|
JOB_TIMEOUT_MINUTES is defined but not used (the job hard-codes timeout-minutes: 15). This can drift over time; either remove the env var or wire it into timeout-minutes so there’s a single source of truth.
| - name: Checkout merged code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.merge_commit_sha }} |
The checkout step leaves persisted git credentials enabled by default. Since subsequent steps execute repository-controlled build scripts (npm ci / npm run build), this increases the risk of the workflow token being exfiltrated from git config headers. Set persist-credentials: false on actions/checkout to reduce token exposure (and keep GH_TOKEN scoped only to the gh steps).
| ref: ${{ github.event.pull_request.merge_commit_sha }} | |
| ref: ${{ github.event.pull_request.merge_commit_sha }} | |
| persist-credentials: false |
| run: | | ||
| echo "::group::Go build output" | ||
| go build ./... 2>&1 | tee /tmp/go-build-output.txt | ||
| EXIT_CODE=${PIPESTATUS[0]} | ||
| echo "::endgroup::" | ||
| echo "exit_code=$EXIT_CODE" >> "$GITHUB_OUTPUT" | ||
| exit "$EXIT_CODE" |
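Review bot: `exit "$EXIT_CODE"` marks this step as failed, and by default every later step in the job is then skipped, including whichever step is meant to read `exit_code` and open the issue. Either give the issue-creation step `if: failure()` (and the success comment `if: success()`), or set `continue-on-error: true` on this step and branch on `steps.<id>.outputs.exit_code`; otherwise the output captured in /tmp/go-build-output.txt is never consumed.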
These commands are inside a bash script that runs with -e and pipefail by default on GitHub Actions. If go build fails, the script will exit at the pipeline before EXIT_CODE=..., ::endgroup::, and the output write run, leaving the log group unclosed and skipping any intended output capture. Use set +e/set -e (or an EXIT trap to always print ::endgroup::) around the pipeline so the group is closed and outputs are reliably written on failure.
| echo "::group::npm ci output" | ||
| cd web && npm ci 2>&1 | tee /tmp/npm-install-output.txt | ||
| EXIT_CODE=${PIPESTATUS[0]} |
Same bash -e/pipefail issue here: if npm ci fails, the script exits at the pipeline and won’t run the ::endgroup:: or output lines. Wrap the pipeline with explicit error handling (e.g., temporarily disable -e, capture the exit status, then re-enable) so failure logs remain grouped and any outputs are still set.
| echo "::group::npm ci output" | |
| cd web && npm ci 2>&1 | tee /tmp/npm-install-output.txt | |
| EXIT_CODE=${PIPESTATUS[0]} | |
| echo "::group::npm ci output" | |
| set +e | |
| cd web && npm ci 2>&1 | tee /tmp/npm-install-output.txt | |
| EXIT_CODE=${PIPESTATUS[0]} | |
| set -e |
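The `-e`/`pipefail` fix requested in the two comments above, written out as an added example that is not part of PR #4345. The function name `capture_step`, the stand-in commands in place of `go build`/`npm ci`, and the OUTFILE argument standing in for `$GITHUB_OUTPUT` are assumptions of this example; the pattern itself (disable `-e` around the pipeline, read `PIPESTATUS[0]`, close the log group on every path) is the one the review asks for.

```shell
#!/usr/bin/env bash
# Added example, not code from PR #4345: a build-step body that still closes
# its ::group:: and records exit_code when the build fails, despite the
# `-e`/`pipefail` shell defaults. Stand-in commands replace go build / npm ci;
# OUTFILE stands in for $GITHUB_OUTPUT.
set -eo pipefail

# capture_step NAME LOGFILE OUTFILE CMD...
#   Runs CMD inside a log group, tees its output to LOGFILE, appends
#   "exit_code=N" to OUTFILE and returns N (the status of CMD, not of tee).
capture_step() {
  local name="$1" log="$2" out="$3"
  shift 3
  local status
  echo "::group::${name}"
  # If anything aborts the script mid-group, the trap still closes the group
  # so the failure output stays readable in the run log.
  trap 'echo "::endgroup::"' EXIT
  set +e                          # keep -e from exiting before PIPESTATUS is read
  "$@" 2>&1 | tee "$log"
  status=${PIPESTATUS[0]}         # exit status of CMD, the first pipeline stage
  set -e
  trap - EXIT
  echo "::endgroup::"
  echo "exit_code=${status}" >> "$out"
  return "$status"
}

# Stand-alone demo: one passing and one failing stand-in build.
demo_out="$(mktemp)"
capture_step "Go build output" "$(mktemp)" "$demo_out" sh -c 'echo "ok: packages compiled"'
capture_step "npm ci output" "$(mktemp)" "$demo_out" \
  sh -c 'echo "npm ERR! simulated failure" >&2; exit 1' || echo "step returned $?"
cat "$demo_out"
```

In a workflow step the caller would be `capture_step "Go build output" /tmp/go-build-output.txt "$GITHUB_OUTPUT" go build ./...` with the nonzero return left to fail the step; the `set +e`/`set -e` pair is what guarantees the `exit_code=` line is written before that happens.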
| --repo "${{ github.repository }}" \ | ||
| --state open \ | ||
| --label "kind/bug" \ | ||
| --search "in:title \"${SEARCH_TITLE}\"" \ |
The idempotency check uses gh issue list without an explicit --limit, so it will only search the CLI default (typically 30). If older duplicate issues exist beyond that window, this can still create duplicates for the same PR. Add a higher --limit (or query by a more unique marker in the body) to make deduplication reliable.
| --search "in:title \"${SEARCH_TITLE}\"" \ | |
| --search "in:title \"${SEARCH_TITLE}\"" \ | |
| --limit 1000 \ |
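Review bot: `--search "in:title \"${SEARCH_TITLE}\""` splices the title into a search expression inside escaped quotes, so a `"` in the PR title breaks the quoting, and tokens such as `label:` or `is:` in the title are read as search qualifiers instead of text. Key the dedupe on a fixed marker that the workflow controls, such as the PR number in the issue title, or fetch `gh issue list --json title,body` and match locally; keep the raised `--limit` from the suggestion either way, since the list is paged regardless.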
🔄 Auto-Applying Copilot Code Review
Copilot code review found 3 code suggestion(s) and 3 general comment(s). @copilot Please apply all of the following code review suggestions:
Also address these general comments:
Push all fixes in a single commit. Run
Auto-generated by copilot-review-apply workflow.
Thank you for your contribution! Your PR has been merged. Check out what's new:
Stay connected: Slack #kubestellar-dev | Multi-Cluster Survey
Post-merge build verification passed ✅
Both Go and frontend builds compiled successfully against merge commit
All 6 review suggestions have been addressed in commit
Note: the original PR (#4345) was merged just as these fixes were being applied, so these improvements are ready to land as a follow-up if needed.
- `persist-credentials: false` to checkout step
- `JOB_TIMEOUT_MINUTES` env var
- `-e`/`pipefail` issue in all three build steps with `set +e`/`set -e`
- `--limit 1000` to gh issue list idempotency check