66 run_id :
77 description : " Workflow run id that produced the NSC payload and manifests artifacts"
88 required : true
9+ source_repo :
10+ description : " Repository that owns the source workflow run"
11+ required : true
12+ default : " Devsh-Graphics-Programming/Nabla"
13+ source_branch :
14+ description : " Expected source branch for the workflow run"
15+ required : true
16+ default : " master"
17+ target_repo :
18+ description : " Repository that should receive the manifest update PR"
19+ required : true
20+ default : " Devsh-Graphics-Programming/Nabla"
921 target_branch :
1022 description : " Nabla branch that should receive the manifest update PR"
1123 required : true
1224 default : " master"
25+ asset_repo :
26+ description : " Repository that stores the promoted NSC channel releases"
27+ required : true
28+ default : " Devsh-Graphics-Programming/Nabla-Asset-Manifests"
1329 channel :
1430 description : " NSC manifest channel to promote"
1531 required : true
2339 promote :
2440 runs-on : ubuntu-latest
2541 env :
26- SOURCE_REPO : ${{ github.repository }}
27- ASSET_REPO : Devsh-Graphics-Programming/Nabla-Asset-Manifests
42+ SOURCE_REPO : ${{ inputs.source_repo }}
43+ SOURCE_BRANCH : ${{ inputs.source_branch }}
44+ TARGET_REPO : ${{ inputs.target_repo }}
45+ ASSET_REPO : ${{ inputs.asset_repo }}
46+ HEAD_REPO : ${{ github.repository }}
47+ HEAD_OWNER : ${{ github.repository_owner }}
2848 CHANNEL : ${{ inputs.channel }}
2949 TARGET_BRANCH : ${{ inputs.target_branch }}
3050 RUN_ID : ${{ inputs.run_id }}
3353 - name : Checkout target branch
3454 uses : actions/checkout@v4
3555 with :
56+ repository : ${{ inputs.target_repo }}
3657 ref : ${{ inputs.target_branch }}
3758 fetch-depth : 0
59+ persist-credentials : false
3860
3961 - name : Resolve source run metadata
4062 id : source-run
5577 echo "Run ${RUN_ID} is not promotable: status=${status} conclusion=${conclusion}" >&2
5678 exit 1
5779 fi
80+ if [[ "${head_branch}" != "${SOURCE_BRANCH}" ]]; then
81+ echo "Run ${RUN_ID} head branch ${head_branch} does not match expected ${SOURCE_BRANCH}" >&2
82+ exit 1
83+ fi
5884
5985 release_tag="${CHANNEL}-${head_sha}"
6086 target_branch_slug="$(printf '%s' "${TARGET_BRANCH}" | tr '/._' '-' | tr -cd '[:alnum:]-')"
76102 name : ${{ inputs.channel }}-payload
77103 path : ${{ runner.temp }}/nsc-payload
78104 github-token : ${{ secrets.READ_PAT }}
79- repository : ${{ github.repository }}
105+ repository : ${{ inputs.source_repo }}
80106
81107 - name : Download NSC manifests artifact
82108 uses : actions/download-artifact@v4
85111 name : ${{ inputs.channel }}-manifests
86112 path : ${{ runner.temp }}/nsc-manifests
87113 github-token : ${{ secrets.READ_PAT }}
88- repository : ${{ github.repository }}
114+ repository : ${{ inputs.source_repo }}
89115
90116 - name : Publish release to manifest backend
91117 env :
@@ -178,6 +204,8 @@ jobs:
178204
179205 git config user.name "github-actions[bot]"
180206 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
207+ git remote rename origin upstream
208+ git remote add origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${HEAD_REPO}.git"
181209 git checkout -B "${PR_BRANCH}"
182210 git add tools/nsc/manifests
183211 git commit -m "Promote NSC channel ${SOURCE_SHA}"
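Review bot: The added `git remote add origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${HEAD_REPO}.git"` stores the token in `.git/config`, where it stays readable by every later command and step in the job, which works against the `persist-credentials: false` this commit adds to the checkout step. Prefer a credential-free remote, `git remote add origin "https://github.com/${HEAD_REPO}.git"`, and supply the token only for the push, for example through `gh auth setup-git` with `GH_TOKEN` set on this step; failing that, run `git remote remove origin` immediately after the push. The step's `env` block and the push itself are outside this hunk, so where `GITHUB_TOKEN` comes from and what scopes it carries should be confirmed there. A one-line comment above the rename, such as `# origin = ${HEAD_REPO} (push target), upstream = checked-out target repo`, would also make the two-remote layout clear to the next reader.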
@@ -187,18 +215,31 @@ jobs:
187215 if : steps.manifest-diff.outputs.has_changes == 'true'
188216 id : pr
189217 env :
190- GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
218+ GH_BUILTIN_TOKEN : ${{ github.token }}
219+ PR_PAT : ${{ secrets.PR_PAT }}
191220 PR_BRANCH : ${{ steps.source-run.outputs.pr_branch }}
192221 RELEASE_TAG : ${{ steps.source-run.outputs.release_tag }}
193222 SOURCE_SHA : ${{ steps.source-run.outputs.source_sha }}
194223 RUN_URL : ${{ steps.source-run.outputs.run_url }}
195224 run : |
196225 set -euo pipefail
197226
227+ if [[ "${TARGET_REPO}" == "${HEAD_REPO}" ]]; then
228+ export GH_TOKEN="${GH_BUILTIN_TOKEN}"
229+ pr_head="${PR_BRANCH}"
230+ else
231+ if [[ -z "${PR_PAT}" ]]; then
232+ echo "PR_PAT secret is required when opening a PR from ${HEAD_REPO} to ${TARGET_REPO}" >&2
233+ exit 1
234+ fi
235+ export GH_TOKEN="${PR_PAT}"
236+ pr_head="${HEAD_OWNER}:${PR_BRANCH}"
237+ fi
238+
198239 existing_pr="$(gh pr list \
199- --repo "${SOURCE_REPO }" \
240+ --repo "${TARGET_REPO }" \
200241 --base "${TARGET_BRANCH}" \
201- --head "${PR_BRANCH }" \
242+ --head "${pr_head }" \
202243 --json url \
203244 --jq '.[0].url')"
204245
@@ -217,9 +258,9 @@ jobs:
217258 EOF
218259
219260 pr_url="$(gh pr create \
220- --repo "${SOURCE_REPO }" \
261+ --repo "${TARGET_REPO }" \
221262 --base "${TARGET_BRANCH}" \
222- --head "${PR_BRANCH }" \
263+ --head "${pr_head }" \
223264 --title "Promote NSC channel to ${SOURCE_SHA}" \
224265 --body-file "${body_file}")"
225266
@@ -231,9 +272,11 @@ jobs:
231272 echo "## NSC promotion summary"
232273 echo
233274 echo "- channel: \`${CHANNEL}\`"
275+ echo "- source repo: \`${SOURCE_REPO}\`"
234276 echo "- source run: \`${RUN_ID}\`"
235277 echo "- source commit: \`${{ steps.source-run.outputs.source_sha }}\`"
236278 echo "- release tag: \`${{ steps.source-run.outputs.release_tag }}\`"
279+ echo "- target repo: \`${TARGET_REPO}\`"
237280 echo "- target branch: \`${TARGET_BRANCH}\`"
238281 if [[ "${{ steps.manifest-diff.outputs.has_changes }}" == "true" ]]; then
239282 echo "- PR: ${{ steps.pr.outputs.url }}"