Add GitHub Actions workflows for upstream sync and release automation#544
Closed
evil9369 wants to merge 2 commits intoC4illin:mainfrom
Closed
Add GitHub Actions workflows for upstream sync and release automation#544evil9369 wants to merge 2 commits intoC4illin:mainfrom
evil9369 wants to merge 2 commits intoC4illin:mainfrom
Conversation
added 2 commits
March 4, 2026 17:19
- Add auto-upstream-sync workflow with dedup protection for conflict issues - Add upstream-sync build + smoke test workflow - Add smoke-test script and test files - Add upstream sync issue template and documentation - Fix: use --allow-unrelated-histories for merge command - Fix: check for existing open merge-conflict issues before creating duplicates
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
10 issues found across 100 files
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="api-server/target/debug/.fingerprint/async-graphql-50c2194afb1f7c76/invoked.timestamp">
<violation number="1" location="api-server/target/debug/.fingerprint/async-graphql-50c2194afb1f7c76/invoked.timestamp:1">
P1: A generated Cargo build artifact under `target/debug/.fingerprint` was committed, introducing non-deterministic build-output files into version control.</violation>
</file>
<file name="api-server/target/debug/.fingerprint/aes-46ff51c14d9c783a/lib-aes">
<violation number="1" location="api-server/target/debug/.fingerprint/aes-46ff51c14d9c783a/lib-aes:1">
P2: Cargo-generated fingerprint artifact under `target/debug/.fingerprint` was committed to source control.</violation>
</file>
<file name="api-server/target/debug/.fingerprint/anyhow-cdd2d151b866d3f3/invoked.timestamp">
<violation number="1" location="api-server/target/debug/.fingerprint/anyhow-cdd2d151b866d3f3/invoked.timestamp:1">
P2: A non-deterministic Cargo build artifact (`target/debug/.fingerprint/.../invoked.timestamp`) was committed; build outputs should not be versioned.</violation>
</file>
<file name="api-server/target/debug/.fingerprint/async-graphql-value-61b404229afcc799/lib-async_graphql_value.json">
<violation number="1" location="api-server/target/debug/.fingerprint/async-graphql-value-61b404229afcc799/lib-async_graphql_value.json:1">
P2: Generated Cargo build artifact in `target/` is committed, causing environment-specific repository noise and brittle diffs.</violation>
</file>
<file name="api-server/target/debug/.fingerprint/async-graphql-value-61b404229afcc799/invoked.timestamp">
<violation number="1" location="api-server/target/debug/.fingerprint/async-graphql-value-61b404229afcc799/invoked.timestamp:1">
P2: Generated Rust `target/.fingerprint` timestamp artifact was committed; this is non-deterministic build output and should not be versioned.</violation>
</file>
<file name="api-server/target/debug/.fingerprint/async-graphql-derive-95fc7e79e5506b71/invoked.timestamp">
<violation number="1" location="api-server/target/debug/.fingerprint/async-graphql-derive-95fc7e79e5506b71/invoked.timestamp:1">
P2: Rust build artifact from `target/` was committed, introducing non-source generated files into version control.</violation>
</file>
<file name=".github/workflows/auto-upstream-sync.yml">
<violation number="1" location=".github/workflows/auto-upstream-sync.yml:210">
P1: Unescaped upstream commit messages are interpolated directly into a JavaScript template literal in `github-script`, enabling script injection via `${...}` or backticks in commit subjects.</violation>
</file>
<file name="api-server/target/debug/.fingerprint/adler2-078a33b69696d731/lib-adler2">
<violation number="1" location="api-server/target/debug/.fingerprint/adler2-078a33b69696d731/lib-adler2:1">
P2: A generated Cargo fingerprint artifact was committed under `target/debug/.fingerprint`, adding non-source build output noise and maintainability churn.</violation>
</file>
<file name="api-server/target/debug/.fingerprint/async-graphql-axum-8925e86c7fe75ae0/lib-async_graphql_axum.json">
<violation number="1" location="api-server/target/debug/.fingerprint/async-graphql-axum-8925e86c7fe75ae0/lib-async_graphql_axum.json:1">
P2: Generated Rust fingerprint artifact is committed under `target/`, causing non-deterministic repository churn and maintenance overhead.</violation>
</file>
<file name="api-server/target/debug/.fingerprint/aho-corasick-04a2059c77299fac/lib-aho_corasick.json">
<violation number="1" location="api-server/target/debug/.fingerprint/aho-corasick-04a2059c77299fac/lib-aho_corasick.json:1">
P2: Cargo build artifact under `target/debug/.fingerprint` is committed, introducing generated/non-source files into VCS.</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Add one-off context when rerunning by tagging
@cubic-dev-aiwith guidance or docs links (includingllms.txt) - Ask questions if you need clarification on any suggestion
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| @@ -0,0 +1 @@ | |||
| This file has an mtime of when this was started. No newline at end of file | |||
Contributor
There was a problem hiding this comment.
P1: A generated Cargo build artifact under target/debug/.fingerprint was committed, introducing non-deterministic build-output files into version control.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-server/target/debug/.fingerprint/async-graphql-50c2194afb1f7c76/invoked.timestamp, line 1:
<comment>A generated Cargo build artifact under `target/debug/.fingerprint` was committed, introducing non-deterministic build-output files into version control.</comment>
<file context>
@@ -0,0 +1 @@
+This file has an mtime of when this was started.
\ No newline at end of file
</file context>
| ### 📝 變更摘要 | ||
|
|
||
| \`\`\` | ||
| ${{ steps.check.outputs.new_commits }} |
Contributor
There was a problem hiding this comment.
P1: Unescaped upstream commit messages are interpolated directly into a JavaScript template literal in github-script, enabling script injection via ${...} or backticks in commit subjects.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/auto-upstream-sync.yml, line 210:
<comment>Unescaped upstream commit messages are interpolated directly into a JavaScript template literal in `github-script`, enabling script injection via `${...}` or backticks in commit subjects.</comment>
<file context>
@@ -0,0 +1,281 @@
+ ### 📝 變更摘要
+
+ \`\`\`
+ ${{ steps.check.outputs.new_commits }}
+ \`\`\`
+
</file context>
| @@ -0,0 +1 @@ | |||
| 75d0fef4ea175b09 No newline at end of file | |||
Contributor
There was a problem hiding this comment.
P2: Cargo-generated fingerprint artifact under target/debug/.fingerprint was committed to source control.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-server/target/debug/.fingerprint/aes-46ff51c14d9c783a/lib-aes, line 1:
<comment>Cargo-generated fingerprint artifact under `target/debug/.fingerprint` was committed to source control.</comment>
<file context>
@@ -0,0 +1 @@
+75d0fef4ea175b09
\ No newline at end of file
</file context>
| @@ -0,0 +1 @@ | |||
| This file has an mtime of when this was started. No newline at end of file | |||
Contributor
There was a problem hiding this comment.
P2: A non-deterministic Cargo build artifact (target/debug/.fingerprint/.../invoked.timestamp) was committed; build outputs should not be versioned.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-server/target/debug/.fingerprint/anyhow-cdd2d151b866d3f3/invoked.timestamp, line 1:
<comment>A non-deterministic Cargo build artifact (`target/debug/.fingerprint/.../invoked.timestamp`) was committed; build outputs should not be versioned.</comment>
<file context>
@@ -0,0 +1 @@
+This file has an mtime of when this was started.
\ No newline at end of file
</file context>
| @@ -0,0 +1 @@ | |||
| {"rustc":6817557220965521185,"features":"[]","declared_features":"[\"raw_value\"]","target":10661596236603337415,"profile":2225463790103693989,"path":8990675500918696092,"deps":[[6355489020061627772,"bytes",false,4644264492487322509],[12821780872552529316,"indexmap",false,16116546893193662599],[13548984313718623784,"serde",false,12811126017819717224],[13795362694956882968,"serde_json",false,1792181729374358887]],"local":[{"CheckDepInfo":{"dep_info":"debug\\.fingerprint\\async-graphql-value-61b404229afcc799\\dep-lib-async_graphql_value","checksum":false}}],"rustflags":[],"config":2069994364910194474,"compile_kind":0} No newline at end of file | |||
Contributor
There was a problem hiding this comment.
P2: Generated Cargo build artifact in target/ is committed, causing environment-specific repository noise and brittle diffs.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-server/target/debug/.fingerprint/async-graphql-value-61b404229afcc799/lib-async_graphql_value.json, line 1:
<comment>Generated Cargo build artifact in `target/` is committed, causing environment-specific repository noise and brittle diffs.</comment>
<file context>
@@ -0,0 +1 @@
+{"rustc":6817557220965521185,"features":"[]","declared_features":"[\"raw_value\"]","target":10661596236603337415,"profile":2225463790103693989,"path":8990675500918696092,"deps":[[6355489020061627772,"bytes",false,4644264492487322509],[12821780872552529316,"indexmap",false,16116546893193662599],[13548984313718623784,"serde",false,12811126017819717224],[13795362694956882968,"serde_json",false,1792181729374358887]],"local":[{"CheckDepInfo":{"dep_info":"debug\\.fingerprint\\async-graphql-value-61b404229afcc799\\dep-lib-async_graphql_value","checksum":false}}],"rustflags":[],"config":2069994364910194474,"compile_kind":0}
\ No newline at end of file
</file context>
| @@ -0,0 +1 @@ | |||
| This file has an mtime of when this was started. No newline at end of file | |||
Contributor
There was a problem hiding this comment.
P2: Generated Rust target/.fingerprint timestamp artifact was committed; this is non-deterministic build output and should not be versioned.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-server/target/debug/.fingerprint/async-graphql-value-61b404229afcc799/invoked.timestamp, line 1:
<comment>Generated Rust `target/.fingerprint` timestamp artifact was committed; this is non-deterministic build output and should not be versioned.</comment>
<file context>
@@ -0,0 +1 @@
+This file has an mtime of when this was started.
\ No newline at end of file
</file context>
| @@ -0,0 +1 @@ | |||
| This file has an mtime of when this was started. No newline at end of file | |||
Contributor
There was a problem hiding this comment.
P2: Rust build artifact from target/ was committed, introducing non-source generated files into version control.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-server/target/debug/.fingerprint/async-graphql-derive-95fc7e79e5506b71/invoked.timestamp, line 1:
<comment>Rust build artifact from `target/` was committed, introducing non-source generated files into version control.</comment>
<file context>
@@ -0,0 +1 @@
+This file has an mtime of when this was started.
\ No newline at end of file
</file context>
| @@ -0,0 +1 @@ | |||
| 2f3b549c0a4079e3 No newline at end of file | |||
Contributor
There was a problem hiding this comment.
P2: A generated Cargo fingerprint artifact was committed under target/debug/.fingerprint, adding non-source build output noise and maintainability churn.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-server/target/debug/.fingerprint/adler2-078a33b69696d731/lib-adler2, line 1:
<comment>A generated Cargo fingerprint artifact was committed under `target/debug/.fingerprint`, adding non-source build output noise and maintainability churn.</comment>
<file context>
@@ -0,0 +1 @@
+2f3b549c0a4079e3
\ No newline at end of file
</file context>
| @@ -0,0 +1 @@ | |||
| {"rustc":6817557220965521185,"features":"[]","declared_features":"[\"tracing\"]","target":9487080672713489165,"profile":2241668132362809309,"path":10077849331564615995,"deps":[[784494742817713399,"tower_service",false,8717637764607505675],[1527615631266860061,"async_graphql",false,5038051299795629522],[3163899731817361221,"tokio_util",false,15890149353791368928],[6355489020061627772,"bytes",false,616288863985964805],[8889446427035620327,"axum",false,16321080390350109600],[10257923056054025583,"tokio_stream",false,14261809717459859790],[10629569228670356391,"futures_util",false,5911470110384015946],[12891030758458664808,"tokio",false,17647294063356797268],[13795362694956882968,"serde_json",false,13330878558389722557]],"local":[{"CheckDepInfo":{"dep_info":"debug\\.fingerprint\\async-graphql-axum-8925e86c7fe75ae0\\dep-lib-async_graphql_axum","checksum":false}}],"rustflags":[],"config":2069994364910194474,"compile_kind":0} No newline at end of file | |||
Contributor
There was a problem hiding this comment.
P2: Generated Rust fingerprint artifact is committed under target/, causing non-deterministic repository churn and maintenance overhead.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-server/target/debug/.fingerprint/async-graphql-axum-8925e86c7fe75ae0/lib-async_graphql_axum.json, line 1:
<comment>Generated Rust fingerprint artifact is committed under `target/`, causing non-deterministic repository churn and maintenance overhead.</comment>
<file context>
@@ -0,0 +1 @@
+{"rustc":6817557220965521185,"features":"[]","declared_features":"[\"tracing\"]","target":9487080672713489165,"profile":2241668132362809309,"path":10077849331564615995,"deps":[[784494742817713399,"tower_service",false,8717637764607505675],[1527615631266860061,"async_graphql",false,5038051299795629522],[3163899731817361221,"tokio_util",false,15890149353791368928],[6355489020061627772,"bytes",false,616288863985964805],[8889446427035620327,"axum",false,16321080390350109600],[10257923056054025583,"tokio_stream",false,14261809717459859790],[10629569228670356391,"futures_util",false,5911470110384015946],[12891030758458664808,"tokio",false,17647294063356797268],[13795362694956882968,"serde_json",false,13330878558389722557]],"local":[{"CheckDepInfo":{"dep_info":"debug\\.fingerprint\\async-graphql-axum-8925e86c7fe75ae0\\dep-lib-async_graphql_axum","checksum":false}}],"rustflags":[],"config":2069994364910194474,"compile_kind":0}
\ No newline at end of file
</file context>
| @@ -0,0 +1 @@ | |||
| {"rustc":6817557220965521185,"features":"[\"perf-literal\", \"std\"]","declared_features":"[\"default\", \"logging\", \"perf-literal\", \"std\"]","target":7534583537114156500,"profile":2241668132362809309,"path":13250958677226174633,"deps":[[198136567835728122,"memchr",false,4392013446016140701]],"local":[{"CheckDepInfo":{"dep_info":"debug\\.fingerprint\\aho-corasick-04a2059c77299fac\\dep-lib-aho_corasick","checksum":false}}],"rustflags":[],"config":2069994364910194474,"compile_kind":0} No newline at end of file | |||
Contributor
There was a problem hiding this comment.
P2: Cargo build artifact under target/debug/.fingerprint is committed, introducing generated/non-source files into VCS.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-server/target/debug/.fingerprint/aho-corasick-04a2059c77299fac/lib-aho_corasick.json, line 1:
<comment>Cargo build artifact under `target/debug/.fingerprint` is committed, introducing generated/non-source files into VCS.</comment>
<file context>
@@ -0,0 +1 @@
+{"rustc":6817557220965521185,"features":"[\"perf-literal\", \"std\"]","declared_features":"[\"default\", \"logging\", \"perf-literal\", \"std\"]","target":7534583537114156500,"profile":2241668132362809309,"path":13250958677226174633,"deps":[[198136567835728122,"memchr",false,4392013446016140701]],"local":[{"CheckDepInfo":{"dep_info":"debug\\.fingerprint\\aho-corasick-04a2059c77299fac\\dep-lib-aho_corasick","checksum":false}}],"rustflags":[],"config":2069994364910194474,"compile_kind":0}
\ No newline at end of file
</file context>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces a comprehensive upstream auto-sync mechanism for the project, including workflow automation, documentation, reporting templates, and a robust smoke test script. The changes are focused on automating the process of syncing with the upstream repository, tracking changes, validating Docker images, and documenting the entire workflow for maintainers.
Upstream Sync Automation
.github/workflows/auto-upstream-sync.ymlto automate checking for upstream updates every 6 hours or on manual trigger, perform auto-merge todev, generate changelogs, push changes, and create issues for both successful syncs and merge conflicts..github/ISSUE_TEMPLATE/upstream-sync.mdfor auto-generated sync report issues, detailing commit lists, Docker image status, and required follow-up actions.Documentation & Workflow Transparency
.github/UPSTREAM_SYNC.mdwith detailed explanation of the upstream sync mechanism, workflow diagrams, smoke test details, configuration instructions, manual operation steps, and Docker image tagging rules.Quality Assurance
.github/scripts/smoke-test.sh, a shell script to validate Docker image health, critical tool availability, minimal conversion functionality, and API endpoints, with clear pass/fail output for CI pipelines..github/test-files/test.txtas a multilingual test file for quick smoke test validation.Summary by cubic
Adds automated upstream sync and release workflows with smoke tests, changelogs, and issue templates to keep dev up to date and publish only tested Docker images. This reduces manual maintenance and ensures safer image releases.
New Features
Migration
Written for commit 171cca9. Summary will update on new commits.