From bba0f2e557d6bc23b3b9bf7ef3a8cb15be9546f6 Mon Sep 17 00:00:00 2001
From: matt korwel
Date: Fri, 19 Sep 2025 01:08:59 -0700
Subject: [PATCH] breaking apart steps for permissions (#8880)
Co-authored-by: gemini-cli-robot
---
.../workflows/release-patch-1-create-pr.yml | 42 +++++++---
scripts/releasing/create-patch-pr.js | 84 ++++++++++++++++++-
2 files changed, 113 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/release-patch-1-create-pr.yml b/.github/workflows/release-patch-1-create-pr.yml
index 43b6eef050..eccf359c67 100644
--- a/.github/workflows/release-patch-1-create-pr.yml
+++ b/.github/workflows/release-patch-1-create-pr.yml
@@ -68,19 +68,36 @@ jobs: # Configure git to use GITHUB_TOKEN for remote operations (has actions:write for workflow files) git remote set-url origin "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git" - - name: 'Create Patch' - id: 'create_patch' + - name: 'Create Branches' + id: 'create_branches' env: GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}' + GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' + continue-on-error: true + run: | + # Capture output and display it in logs using tee + { + node scripts/releasing/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=${{ github.event.inputs.channel }} --dry-run=${{ github.event.inputs.dry_run }} --skip-pr-creation + echo "BRANCH_EXIT_CODE=$?" >> "$GITHUB_OUTPUT" + } 2>&1 | tee >( + echo "BRANCH_LOG_CONTENT<> "$GITHUB_ENV" + cat >> "$GITHUB_ENV" + echo "EOF" >> "$GITHUB_ENV" + ) + + - name: 'Create Pull Request' + id: 'create_pr' + if: 'always() && steps.create_branches.outputs.BRANCH_EXIT_CODE == 0' + env: GH_TOKEN: '${{ steps.generate_token.outputs.token }}' continue-on-error: true run: | # Capture output and display it in logs using tee { - node scripts/releasing/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=${{ github.event.inputs.channel }} --dry-run=${{ github.event.inputs.dry_run }} - echo "EXIT_CODE=$?" >> "$GITHUB_OUTPUT" + node scripts/releasing/create-patch-pr.js --commit=${{ github.event.inputs.commit }} --channel=${{ github.event.inputs.channel }} --dry-run=${{ github.event.inputs.dry_run }} --pr-only + echo "PR_EXIT_CODE=$?" >> "$GITHUB_OUTPUT" } 2>&1 | tee >( - echo "LOG_CONTENT<> "$GITHUB_ENV" + echo "PR_LOG_CONTENT<> "$GITHUB_ENV" cat >> "$GITHUB_ENV" echo "EOF" >> "$GITHUB_ENV" ) 
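Review bot: Both new steps expand `${{ github.event.inputs.commit }}`, `channel` and `dry_run` directly inside the `run:` script, so the dispatch input text is parsed as shell in steps that hold `GH_TOKEN`. Pass the inputs through `env:` and reference them quoted, as in the excerpt below for 'Create Branches'; 'Create Pull Request' needs the same change. Separately, each step appends the captured log to `$GITHUB_ENV` and closes it with a fixed `EOF` line, so log output containing that line would end the value early and let the lines after it be read as further variables; a per-run random delimiter is safer. The step bodies appear with their indentation collapsed on this page, so the excerpt uses conventional workflow indentation.

```yaml
      - name: 'Create Branches'
        # … unchanged: id, continue-on-error …
        env:
          # … unchanged: GITHUB_TOKEN, GH_TOKEN …
          PATCH_COMMIT: '${{ github.event.inputs.commit }}'
          PATCH_CHANNEL: '${{ github.event.inputs.channel }}'
          PATCH_DRY_RUN: '${{ github.event.inputs.dry_run }}'
        run: |
          {
            node scripts/releasing/create-patch-pr.js --commit="$PATCH_COMMIT" --channel="$PATCH_CHANNEL" --dry-run="$PATCH_DRY_RUN" --skip-pr-creation
            # … unchanged: exit-code capture and tee block …
```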
@@ -90,20 +107,25 @@ jobs: env: GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' ORIGINAL_PR: '${{ github.event.inputs.original_pr }}' - EXIT_CODE: '${{ steps.create_patch.outputs.EXIT_CODE }}' + EXIT_CODE: '${{ steps.create_branches.outputs.BRANCH_EXIT_CODE != 0 && steps.create_branches.outputs.BRANCH_EXIT_CODE || steps.create_pr.outputs.PR_EXIT_CODE }}' COMMIT: '${{ github.event.inputs.commit }}' CHANNEL: '${{ github.event.inputs.channel }}' REPOSITORY: '${{ github.repository }}' GITHUB_RUN_ID: '${{ github.run_id }}' - LOG_CONTENT: '${{ env.LOG_CONTENT }}' + LOG_CONTENT: '${{ steps.create_branches.outputs.BRANCH_EXIT_CODE != 0 && env.BRANCH_LOG_CONTENT || env.PR_LOG_CONTENT }}' continue-on-error: true run: | git checkout '${{ github.event.inputs.ref }}' node scripts/releasing/patch-create-comment.js - - name: 'Fail Workflow if Main Task Failed' - if: 'always() && steps.create_patch.outputs.EXIT_CODE != 0' + - name: 'Fail Workflow if Tasks Failed' + if: 'always() && (steps.create_branches.outputs.BRANCH_EXIT_CODE != 0 || steps.create_pr.outputs.PR_EXIT_CODE != 0)' run: | - echo "Patch creation failed with exit code: ${{ steps.create_patch.outputs.EXIT_CODE }}" + if [[ "${{ steps.create_branches.outputs.BRANCH_EXIT_CODE }}" != "0" ]]; then + echo "Branch creation failed with exit code: ${{ steps.create_branches.outputs.BRANCH_EXIT_CODE }}" + fi + if [[ "${{ steps.create_pr.outputs.PR_EXIT_CODE }}" != "0" ]]; then + echo "PR creation failed with exit code: ${{ steps.create_pr.outputs.PR_EXIT_CODE }}" + fi echo "Check the logs above and the comment posted to the original PR for details." exit 1 diff --git a/scripts/releasing/create-patch-pr.js b/scripts/releasing/create-patch-pr.js index ceff7b49d7..0d7173dfb4 100644 --- a/scripts/releasing/create-patch-pr.js +++ b/scripts/releasing/create-patch-pr.js 
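Review bot: The `if:` on 'Fail Workflow if Tasks Failed' treats a missing exit code as success, because an unset step output is an empty string and GitHub expressions coerce it to 0 in a `!= 0` comparison. With `continue-on-error: true` on both steps, a run that stops before writing `BRANCH_EXIT_CODE` would leave the workflow green, and the `== 0` guard on 'Create Pull Request' in the previous hunk would still let the PR step run. Comparing as strings fails closed: `steps.create_branches.outputs.BRANCH_EXIT_CODE != '0' || steps.create_pr.outputs.PR_EXIT_CODE != '0'`, with `== '0'` on the PR step. The bash test in the same step already compares strings, so when the PR step is skipped it prints "PR creation failed with exit code:" with no code; that branch should also require a non-empty value.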
@@ -29,18 +29,44 @@ async function main() { type: 'boolean', default: false, }) + .option('skip-pr-creation', { + description: 'Only create branches, skip PR creation.', + type: 'boolean', + default: false, + }) + .option('pr-only', { + description: 'Only create PR, skip branch creation.', + type: 'boolean', + default: false, + }) .help() .alias('help', 'h').argv; - const { commit, channel, dryRun } = argv; + const { commit, channel, dryRun, skipPrCreation, prOnly } = argv; + + // Validate mutually exclusive flags + if (skipPrCreation && prOnly) { + console.error( + 'Error: --skip-pr-creation and --pr-only are mutually exclusive.', + ); + process.exit(1); + } console.log(`Starting patch process for commit: ${commit}`); console.log(`Targeting channel: ${channel}`); if (dryRun) { console.log('Running in dry-run mode.'); } + if (skipPrCreation) { + console.log('Mode: Branch creation only (skipping PR creation)'); + } + if (prOnly) { + console.log('Mode: PR creation only (skipping branch creation)'); + } - run('git fetch --all --tags --prune', dryRun); + if (!prOnly) { + run('git fetch --all --tags --prune', dryRun); + } const latestTag = getLatestTag(channel); console.log(`Found latest tag for ${channel}: ${latestTag}`); @@ -48,6 +74,22 @@ async function main() { const releaseBranch = `release/${latestTag}`; const hotfixBranch = `hotfix/${latestTag}/${channel}/cherry-pick-${commit.substring(0, 7)}`; + // If PR-only mode, skip all branch creation logic + if (prOnly) { + console.log( + 'PR-only mode: Skipping branch creation, proceeding to PR creation...', + ); + // Jump to PR creation section + return await createPullRequest( + hotfixBranch, + releaseBranch, + commit, + channel, + dryRun, + false, + ); + } + // Create the release branch from the tag if it doesn't exist. if (!branchExists(releaseBranch)) { console.log( 
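Review bot: The PR-only path passes a literal `false` for `hasConflicts` to `createPullRequest`, so the conflict state found by the branch-only run is lost once the workflow splits the work into two invocations. The `skipPrCreation` branch in the last hunk logs that manual resolution is required before PR creation but still returns normally, so, as far as these hunks show, the workflow's `BRANCH_EXIT_CODE == 0` gate lets the PR step open an unflagged PR against the release branch. Either carry the flag across (a step output forwarded as an option) or have the branch-only run exit non-zero on conflicts. In the lines shown, the PR-only path also calls `getLatestTag(channel)` without the fetch and does not check that `hotfixBranch` was pushed; a comment at the early return such as `// assumes the branch step already fetched tags and pushed hotfixBranch` would record that dependency. `main` starts and ends outside this hunk.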
@@ -154,7 +196,43 @@ async function main() { console.log(`Pushing hotfix branch ${hotfixBranch} to origin...`); run(`git push --set-upstream origin ${hotfixBranch}`, dryRun); - // Create the pull request. + // If skip-pr-creation mode, stop here + if (skipPrCreation) { + console.log( + '✅ Branch creation completed! Skipping PR creation as requested.', + ); + if (hasConflicts) { + console.log( + '⚠️ Note: Conflicts were detected during cherry-pick - manual resolution required before PR creation!', + ); + } + return { + newBranch: hotfixBranch, + created: true, + hasConflicts, + skippedPR: true, + }; + } + + // Create the pull request + return await createPullRequest( + hotfixBranch, + releaseBranch, + commit, + channel, + dryRun, + hasConflicts, + ); +} + +async function createPullRequest( + hotfixBranch, + releaseBranch, + commit, + channel, + dryRun, + hasConflicts, +) { console.log( `Creating pull request from ${hotfixBranch} to ${releaseBranch}...`, );
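Review bot: `createPullRequest` is introduced without a doc comment and takes six positional parameters ending in two booleans (`dryRun`, `hasConflicts`), which are easy to transpose at its two call sites. Add a JSDoc block stating that it opens the PR from `hotfixBranch` into `releaseBranch`, what `dryRun` and `hasConflicts` change, and what the function resolves to, since `main` now returns its result directly. The object returned in skip mode (`newBranch`, `created`, `hasConflicts`, `skippedPR`) should be documented alongside it so both return shapes are known to callers. The function body continues past the end of this hunk.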