fix(container): resolve worktree conflict when building merged PRs

[myakove]

When a PR is merged, the repository is cloned with the target branch
(e.g., main) already checked out. Attempting to create a worktree for
the same branch failed with "fatal: 'main' is already used by worktree".

Changes:

• Check if target branch is already checked out before creating worktree
• Use main clone directly when branch matches (no worktree needed)
• Add fail-fast error handling to abort when repo preparation fails
• Remove unused container_utils.py and its test (duplicate code)

Fixes container build failures for merged PRs (hook 706b7b50-c3e3-11f0-92cc-fcdca537e918)

Summary by CodeRabbit

• Performance Improvements

  • Optimized branch checkout to skip worktree creation when the target branch is already checked out on the main repository.

• Bug Fixes

  • Enhanced container build failure handling to ensure failures are recorded before process exit, improving error tracking and observability.

[coderabbitai]

Walkthrough

Refactoring of worktree and container build logic: added a pre-check in _checkout_worktree to reuse the main clone when the target branch is already checked out (with "origin/" prefix normalization), modified run_build_container to properly await the failure handler before returning, and removed the get_container_repository_and_tag utility function with its associated test suite.

Changes

Cohort / File(s)	Change Summary
Handler refactoring webhook_server/libs/handlers/runner_handler.py	Added pre-check in _checkout_worktree to detect and reuse main clone when checkout target matches current branch; normalized "origin/" prefixes for comparison. Modified run_build_container to await failure handler before returning rather than returning its response directly.
Utility removal webhook_server/utils/container_utils.py	Deleted get_container_repository_and_tag function entirely, which previously computed container image references based on PR state, merge status, and branch information.
Test cleanup webhook_server/tests/test_container_utils.py	Removed complete test suite for TestGetContainerRepositoryAndTag class, including fixtures and comprehensive test cases covering tag handling, PR states, branch scenarios, and edge cases.
Test additions webhook_server/tests/test_runner_handler.py	Added four async test cases: two for _checkout_worktree behavior (branch already checked out with and without "origin/" prefix, and different branch requiring worktree creation), and two for run_build_container failure path validation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Areas requiring attention:
  • Control flow change in run_build_container: verify that awaiting set_container_build_failure without returning its result properly records the failure and doesn't alter expected behavior
  • Worktree pre-check logic: confirm that "origin/" prefix normalization correctly handles all branch reference formats
  • Test coverage: validate that new test cases adequately cover the refactored logic paths and edge cases
  • Function removal impact: ensure get_container_repository_and_tag has no remaining internal dependencies after deletion

Possibly related issues

• fix(container): resolve worktree conflict when building merged PRs - 909 #910: Addresses worktree conflicts during container builds for merged PRs by adding a pre-check to avoid redundant worktree creation when the main clone is already on the target branch.

Suggested labels

size/XL, branch-main

Suggested reviewers

• rnetser

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 71.43% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: adding logic to detect when the target branch is already checked out and skip worktree creation, which resolves the worktree conflict when building merged PRs.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/worktree-conflict-merged-pr

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining why this PR is needed, why this solution was chosen, and what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[myakove-bot]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the "
  "OWNERS file in the repository root
  "
  "* Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are "
  "automatically applied based on changes
  "
  f"* Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
  "
  "* Pre-commit Checks: pre-commit runs "
  "automatically if .pre-commit-config.yaml exists
  "
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /automerge - Enable automatic merging when all requirements are met (maintainers and approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest build-container - Rebuild and test container image
• /retest python-module-install - Test Python package installation
• /retest pre-commit - Run pre-commit hooks and checks
• /retest conventional-title - Validate commit message format
• /retest all - Run all available tests

Container Operations

• /build-and-push-container - Build and push container image (tagged with PR number)
  • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 1 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No WIP, hold, or conflict labels
5. Verified: PR must be marked as verified (if verification is enabled)

📊 Review Process

Approvers and Reviewers

Approvers:

• myakove
• rnetser

Reviewers:

• myakove
• rnetser

Available Labels

• hold
• verified
• wip
• lgtm
• approve
• automerge

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is automatically removed on each new commit
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Container Builds: Container images are automatically tagged with the PR number
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

webhook_server/libs/handlers/runner_handler.py (1)

93-114: Branch reuse optimization in _checkout_worktree looks good; consider tightening normalization & freshness checks

The short‑circuit on matching current_branch vs checkout_target is a clean way to avoid the “already used by worktree” error and matches the merged‑PR use case well.

A couple of small nits you might want to consider:

• To avoid surprising behavior if a branch name itself contains "origin/" somewhere in the middle, it’s slightly safer to strip only a leading prefix instead of a blind replace:

•        target = checkout_target.replace("origin/", "")
  

•        if checkout_target.startswith("origin/"):
  

•            target = checkout_target[len("origin/") :]
  

•        else:
  

•            target = checkout_target
  

• When we reuse repo_dir instead of going through git_worktree_checkout, we also skip whatever fetch/refresh logic that helper might encapsulate. Please double‑check that clone_repo_dir is always kept up to date before calling _checkout_worktree in the merged‑branch path so we don’t accidentally build/test against a stale base branch.

webhook_server/tests/test_runner_handler.py (2)

900-975: New _checkout_worktree tests nicely pin the branch‑reuse behavior; you could also assert worktree creation/avoidance explicitly

These tests do a good job of exercising:

• reuse of the main clone when checkout="main" and when checkout="origin/main", and
• falling back to git_worktree_checkout when targeting a different branch.

If you want to make them even more robust against regressions, consider patching webhook_server.utils.helpers.git_worktree_checkout in the “branch already checked out” cases and asserting it is not called, while keeping the existing assertion in test_checkout_worktree_different_branch that it is called. That would explicitly lock in the intended contract of “reuse main clone vs create worktree”.

---

976-1011: Container build prepare‑failure test is good; avoid hard‑coding source line numbers in comments

The new test_run_build_container_prepare_failure cleanly verifies that:

• we mark the build check as in‑progress,
• we record a failure when checkout fails, and
• we do not invoke run_podman_command.

The in‑body comment referencing “lines 385‑392” in the implementation is brittle, though; it will drift as the file evolves. I’d rephrase it to describe the behavior (“tests early return on repository preparation failure”) without tying it to specific line numbers.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5439c0f and f559fc1.

📒 Files selected for processing (4)

• webhook_server/libs/handlers/runner_handler.py (2 hunks)
• webhook_server/tests/test_container_utils.py (0 hunks)
• webhook_server/tests/test_runner_handler.py (1 hunks)
• webhook_server/utils/container_utils.py (0 hunks)

💤 Files with no reviewable changes (2)

• webhook_server/utils/container_utils.py
• webhook_server/tests/test_container_utils.py

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 612
File: webhook_server_container/libs/github_api.py:2089-2100
Timestamp: 2024-10-29T08:09:57.157Z
Learning: In `webhook_server_container/libs/github_api.py`, when the function `_keep_approved_by_approvers_after_rebase` is called, existing approval labels have already been cleared after pushing new changes, so there's no need to check for existing approvals within this function.

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 878
File: webhook_server/libs/handlers/runner_handler.py:491-571
Timestamp: 2025-10-28T13:04:00.466Z
Learning: In webhook_server/libs/handlers/runner_handler.py, the run_build_container method is designed with the pattern that push=True is always called with set_check=False in production code, so no check-run status needs to be finalized after push operations.

📚 Learning: 2025-10-28T13:04:00.466Z

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 878
File: webhook_server/libs/handlers/runner_handler.py:491-571
Timestamp: 2025-10-28T13:04:00.466Z
Learning: In webhook_server/libs/handlers/runner_handler.py, the run_build_container method is designed with the pattern that push=True is always called with set_check=False in production code, so no check-run status needs to be finalized after push operations.

Applied to files:

• webhook_server/tests/test_runner_handler.py
• webhook_server/libs/handlers/runner_handler.py

📚 Learning: 2024-10-29T08:09:57.157Z

Learnt from: myakove
Repo: myk-org/github-webhook-server PR: 612
File: webhook_server_container/libs/github_api.py:2089-2100
Timestamp: 2024-10-29T08:09:57.157Z
Learning: In `webhook_server_container/libs/github_api.py`, when the function `_keep_approved_by_approvers_after_rebase` is called, existing approval labels have already been cleared after pushing new changes, so there's no need to check for existing approvals within this function.

Applied to files:

• webhook_server/libs/handlers/runner_handler.py

🧬 Code graph analysis (2)

webhook_server/tests/test_runner_handler.py (1)

webhook_server/libs/handlers/runner_handler.py (2)

• _checkout_worktree (46-138)
• run_build_container (307-479)

webhook_server/libs/handlers/runner_handler.py (2)

webhook_server/utils/helpers.py (1)

• run_command (270-378)

webhook_server/libs/handlers/check_run_handler.py (1)

• set_container_build_failure (196-197)

🪛 Ruff (0.14.5)

webhook_server/tests/test_runner_handler.py

962-962: Probable insecure usage of temporary file or directory: "/tmp/worktree-path"

(S108)

---

972-972: Probable insecure usage of temporary file or directory: "/tmp/worktree-path"

(S108)

---

1001-1001: Probable insecure usage of temporary file or directory: "/tmp/worktree-path"

(S108)

🔇 Additional comments (1)

webhook_server/libs/handlers/runner_handler.py (1)

384-392: Early return on checkout failure in run_build_container is a solid fail‑fast improvement

The updated path correctly:

• logs and populates output["text"],
• records a build‑failure check only when pull_request and set_check are truthy,
• and then unconditionally returns so we don’t attempt a container build with a failed checkout.

This also keeps the existing production pattern where push=True is paired with set_check=False, so push‑only flows still avoid check‑run updates while now safely aborting on repo prep failure. Based on learnings.

[myakove-bot]

New container for ghcr.io/myk-org/github-webhook-server:latest published