Merge pull request #187 from microsoft/dilan/sync-main-createpr

dilanbhalla · web-flow · commit 6cbc80a69b78 · 2025-04-04T14:08:35.000-07:00
Policy update: Sync-Main Create PR (instead of direct push)
diff --git a/.github/workflows/sync-main.yml b/.github/workflows/sync-main.yml
@@ -1,14 +1,20 @@
 name: Sync Main
+
 on:
   schedule:
     - cron:  '55 * * * *'
+  
 jobs:
+
   sync-main:
+  
     name: Sync-main
     runs-on: ubuntu-latest
     if: github.repository == 'microsoft/codeql'
     permissions:
       contents: write
+      pull-requests: write
+      
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -18,16 +24,17 @@ jobs:
       - name: Git config
         shell: bash
         run: |
-          git config user.name Dilan Bhalla
-          git config user.email dilanbhalla@microsoft.com
-      - name: Sync Main
-        shell: bash
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+      - name: Add and fetch upstream
         run: |
-          set -x
-          git fetch
           git remote add upstream https://github.com/github/codeql.git
           git fetch upstream --tags --force
-          git merge codeql-cli/latest
+      - name: Create or reset sync branch
+        run: |
+          git fetch origin sync-main-pr || true
+          git checkout -B sync-main-pr origin/main
+          git merge upstream/codeql-cli/latest --no-edit || true
       - name: Setup CodeQL
         shell: bash
         run: |
@@ -41,9 +48,20 @@ jobs:
       - name: Compile PowerShell Queries
         run: |
           codeql query compile --check-only --keep-going powershell/ql/src
-      - name: Complete Sync
-        shell: bash
+      - name: Push sync branch
         run: |
-          git push origin main
-          git push origin --tags --force
-
+          git push origin sync-main-pr --force
+      - name: Create or update PR
+        run: |
+          PR_URL=$(gh pr list --head sync-main-pr --json url --jq '.[0].url')
+          if [ -z "$PR_URL" ]; then
+            gh pr create \
+              --title "Automated sync from upstream" \
+              --body "This PR syncs the latest changes from \`codeql-cli/latest\` into \`main\`." \
+              --head sync-main-pr \
+              --base main
+          else
+            echo "PR already exists: $PR_URL"
+          fi
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
