IGNITE-28827 Run all PR checks even when the PR conflicts with the base branch #13287
Open
anton-vinogradov wants to merge 1 commit into
65924fd to abd0792
…se branch

The Code Style / Abandoned Tests / Javadocs and the .NET and ducktape checks were triggered by the pull_request event, which GitHub dispatches against the test-merge commit. For a PR that conflicts with the base branch GitHub cannot compute that merge commit, so the runs were never created and the PR got no feedback until the conflict was resolved.

Switch commit-check.yml to the pull_request_target event, which runs in the base-branch context and does not depend on the test-merge commit, so the checks are dispatched regardless of merge conflicts. All jobs already check out pull_request.head.sha.

Since these jobs build and run untrusted PR code, the token is downscoped to contents: read and no secrets are referenced, so a fork build gets no more privilege than it had under pull_request.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
abd0792 to 0f96412
Problem

The GitHub Actions checks in commit-check.yml (Code Style, Abandoned Tests, Javadocs, .NET, ducktape) are not dispatched for a pull request that conflicts with the base branch. The status checks never appear, so a contributor whose PR is temporarily in conflict gets no CI feedback until the conflict is resolved.

Root cause

These checks are triggered by the pull_request event, which GitHub dispatches against the test-merge commit (PR head merged into base). When the PR conflicts (mergeable state DIRTY), GitHub cannot compute that merge commit, so no run is created. This is independent of what the jobs check out — they already check out pull_request.head.sha.

For comparison, the "Rolling Upgrade / Protected Classes" check runs fine on conflicting PRs because it is triggered by pull_request_target, which runs in the base-branch context and does not depend on the test-merge commit.

Change

Switch commit-check.yml from pull_request to pull_request_target. That event is the only PR-triggered event not gated on the merge commit, so it is the only way to dispatch these checks on a conflicting PR. All jobs already check out pull_request.head.sha.

Security trade-off

These jobs build and run untrusted PR code (mvnw test, dotnet build, tox). Running untrusted code under pull_request_target is sensitive, so the workflow is hardened to grant no more privilege than the pull_request event already did:
permissions: contents: read (no write);
secrets.* are referenced;
A code comment documents this invariant so that secrets / write permissions are not added later without revisiting the trade-off.

Notes / follow-ups

pull_request_target that builds and runs fork code goes against GitHub's default guidance for untrusted code; needs confirmation that ASF Infra policy permits it. Feedback welcome.

JIRA: https://issues.apache.org/jira/browse/IGNITE-28827
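An added example, not part of this pull request or the Ignite code base: a small check that a reviewer or CI lint could run to catch a later edit that breaks the invariant described above (pull_request_target with a read-only token and no secrets). The workflow text is a constructed sample, the function name `audit` is hypothetical, and the scan is line-based rather than a full YAML parse.

```python
import re

# Constructed sample workflow, not the project's commit-check.yml.
HARDENED = """\
on:
  pull_request_target:
permissions:
  contents: read
jobs:
  style:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./mvnw test
"""
# The same workflow after a later edit adds a write scope and a secret.
DRIFTED = HARDENED.replace("contents: read", "contents: write") + (
    "        env:\n          TOKEN: ${{ secrets.DEPLOY_TOKEN }}\n")

def audit(workflow_text):
    """Return findings that break the read-only, no-secrets invariant."""
    lines = [re.sub(r"(^|\s)#.*$", "", l).rstrip() for l in workflow_text.splitlines()]
    if not any(re.match(r"\s*-?\s*pull_request_target\b", l) or
               re.match(r"on:.*\bpull_request_target\b", l) for l in lines):
        return []  # the invariant only concerns pull_request_target workflows
    findings, perm_indent, top_level_seen = [], None, False
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if re.match(r"\s*permissions:", line):
            perm_indent = indent
            top_level_seen = top_level_seen or indent == 0
            continue
        if perm_indent is not None and indent > perm_indent:
            scope = re.match(r"\s*([\w-]+):\s*write\s*$", line)
            if scope:
                findings.append(f"line {n}: {scope.group(1)}: write")
        else:
            perm_indent = None  # left the permissions block
        for name in re.findall(r"\$\{\{[^}]*\bsecrets\.(\w+)", line):
            findings.append(f"line {n}: references secrets.{name}")
    if not top_level_seen:
        findings.append("no top-level permissions block (token gets the repository default)")
    return findings
if __name__ == "__main__":
    print("\n".join(audit(DRIFTED)))
```

Job-level permissions blocks are scanned as well as the top-level one, since a job can widen the token after the workflow-level downscoping.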