breaking apart steps for permissions (#8880)

Co-authored-by: gemini-cli-robot <gemini-cli-robot@google.com>
2026-03-10 22:21:22 -07:00 · 2025-09-19 01:08:59 -07:00
parent b1fb68bb06
commit bba0f2e557
2 changed files with 113 additions and 13 deletions
--- a/.github/workflows/release-patch-1-create-pr.yml
+++ b/.github/workflows/release-patch-1-create-pr.yml
@@ -68,19 +68,36 @@ jobs:
          # Configure git to use GITHUB_TOKEN for remote operations (has actions:write for workflow files)
          git remote set-url origin "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"

-      - name: 'Create Patch'
-        id: 'create_patch'
+      - name: 'Create Branches'
+        id: 'create_branches'
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+        continue-on-error: true
+        run: |
+          # Capture output and display it in logs using tee
+          {
+            node scripts/releasing/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=${{ github.event.inputs.channel }} --dry-run=${{ github.event.inputs.dry_run }} --skip-pr-creation
+            echo "BRANCH_EXIT_CODE=$?" >> "$GITHUB_OUTPUT"
+          } 2>&1 | tee >(
+            echo "BRANCH_LOG_CONTENT<<EOF" >> "$GITHUB_ENV"
+            cat >> "$GITHUB_ENV"
+            echo "EOF" >> "$GITHUB_ENV"
+          )
+
+      - name: 'Create Pull Request'
+        id: 'create_pr'
+        if: 'always() && steps.create_branches.outputs.BRANCH_EXIT_CODE == 0'
+        env:
          GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
        continue-on-error: true
        run: |
          # Capture output and display it in logs using tee
          {
-            node scripts/releasing/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=${{ github.event.inputs.channel }} --dry-run=${{ github.event.inputs.dry_run }}
-            echo "EXIT_CODE=$?" >> "$GITHUB_OUTPUT"
+            node scripts/releasing/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=${{ github.event.inputs.channel }} --dry-run=${{ github.event.inputs.dry_run }} --pr-only
+            echo "PR_EXIT_CODE=$?" >> "$GITHUB_OUTPUT"
          } 2>&1 | tee >(
-            echo "LOG_CONTENT<<EOF" >> "$GITHUB_ENV"
+            echo "PR_LOG_CONTENT<<EOF" >> "$GITHUB_ENV"
            cat >> "$GITHUB_ENV"
            echo "EOF" >> "$GITHUB_ENV"
          )
@@ -90,20 +107,25 @@ jobs:
        env:
          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          ORIGINAL_PR: '${{ github.event.inputs.original_pr }}'
-          EXIT_CODE: '${{ steps.create_patch.outputs.EXIT_CODE }}'
+          EXIT_CODE: '${{ steps.create_branches.outputs.BRANCH_EXIT_CODE != 0 && steps.create_branches.outputs.BRANCH_EXIT_CODE || steps.create_pr.outputs.PR_EXIT_CODE }}'
          COMMIT: '${{ github.event.inputs.commit }}'
          CHANNEL: '${{ github.event.inputs.channel }}'
          REPOSITORY: '${{ github.repository }}'
          GITHUB_RUN_ID: '${{ github.run_id }}'
-          LOG_CONTENT: '${{ env.LOG_CONTENT }}'
+          LOG_CONTENT: '${{ steps.create_branches.outputs.BRANCH_EXIT_CODE != 0 && env.BRANCH_LOG_CONTENT || env.PR_LOG_CONTENT }}'
        continue-on-error: true
        run: |
          git checkout '${{ github.event.inputs.ref }}'
          node scripts/releasing/patch-create-comment.js

-      - name: 'Fail Workflow if Main Task Failed'
-        if: 'always() && steps.create_patch.outputs.EXIT_CODE != 0'
+      - name: 'Fail Workflow if Tasks Failed'
+        if: 'always() && (steps.create_branches.outputs.BRANCH_EXIT_CODE != 0 || steps.create_pr.outputs.PR_EXIT_CODE != 0)'
        run: |
-          echo "Patch creation failed with exit code: ${{ steps.create_patch.outputs.EXIT_CODE }}"
+          if [[ "${{ steps.create_branches.outputs.BRANCH_EXIT_CODE }}" != "0" ]]; then
+            echo "Branch creation failed with exit code: ${{ steps.create_branches.outputs.BRANCH_EXIT_CODE }}"
+          fi
+          if [[ "${{ steps.create_pr.outputs.PR_EXIT_CODE }}" != "0" ]]; then
+            echo "PR creation failed with exit code: ${{ steps.create_pr.outputs.PR_EXIT_CODE }}"
+          fi
          echo "Check the logs above and the comment posted to the original PR for details."
          exit 1
--- a/scripts/releasing/create-patch-pr.js
+++ b/scripts/releasing/create-patch-pr.js
@@ -29,18 +29,44 @@ async function main() {
      type: 'boolean',
      default: false,
    })
+    .option('skip-pr-creation', {
+      description: 'Only create branches, skip PR creation.',
+      type: 'boolean',
+      default: false,
+    })
+    .option('pr-only', {
+      description: 'Only create PR, skip branch creation.',
+      type: 'boolean',
+      default: false,
+    })
    .help()
    .alias('help', 'h').argv;

-  const { commit, channel, dryRun } = argv;
+  const { commit, channel, dryRun, skipPrCreation, prOnly } = argv;
+
+  // Validate mutually exclusive flags
+  if (skipPrCreation && prOnly) {
+    console.error(
+      'Error: --skip-pr-creation and --pr-only are mutually exclusive.',
+    );
+    process.exit(1);
+  }

  console.log(`Starting patch process for commit: ${commit}`);
  console.log(`Targeting channel: ${channel}`);
  if (dryRun) {
    console.log('Running in dry-run mode.');
  }
+  if (skipPrCreation) {
+    console.log('Mode: Branch creation only (skipping PR creation)');
+  }
+  if (prOnly) {
+    console.log('Mode: PR creation only (skipping branch creation)');
+  }

-  run('git fetch --all --tags --prune', dryRun);
+  if (!prOnly) {
+    run('git fetch --all --tags --prune', dryRun);
+  }

  const latestTag = getLatestTag(channel);
  console.log(`Found latest tag for ${channel}: ${latestTag}`);
@@ -48,6 +74,22 @@ async function main() {
  const releaseBranch = `release/${latestTag}`;
  const hotfixBranch = `hotfix/${latestTag}/${channel}/cherry-pick-${commit.substring(0, 7)}`;

+  // If PR-only mode, skip all branch creation logic
+  if (prOnly) {
+    console.log(
+      'PR-only mode: Skipping branch creation, proceeding to PR creation...',
+    );
+    // Jump to PR creation section
+    return await createPullRequest(
+      hotfixBranch,
+      releaseBranch,
+      commit,
+      channel,
+      dryRun,
+      false,
+    );
+  }
+
  // Create the release branch from the tag if it doesn't exist.
  if (!branchExists(releaseBranch)) {
    console.log(
@@ -154,7 +196,43 @@ async function main() {
  console.log(`Pushing hotfix branch ${hotfixBranch} to origin...`);
  run(`git push --set-upstream origin ${hotfixBranch}`, dryRun);

-  // Create the pull request.
+  // If skip-pr-creation mode, stop here
+  if (skipPrCreation) {
+    console.log(
+      '✅ Branch creation completed! Skipping PR creation as requested.',
+    );
+    if (hasConflicts) {
+      console.log(
+        '⚠️  Note: Conflicts were detected during cherry-pick - manual resolution required before PR creation!',
+      );
+    }
+    return {
+      newBranch: hotfixBranch,
+      created: true,
+      hasConflicts,
+      skippedPR: true,
+    };
+  }
+
+  // Create the pull request
+  return await createPullRequest(
+    hotfixBranch,
+    releaseBranch,
+    commit,
+    channel,
+    dryRun,
+    hasConflicts,
+  );
+}
+
+async function createPullRequest(
+  hotfixBranch,
+  releaseBranch,
+  commit,
+  channel,
+  dryRun,
+  hasConflicts,
+) {
  console.log(
    `Creating pull request from ${hotfixBranch} to ${releaseBranch}...`,
  );