From 68d9c8b6a4a7c811d976e51ad7108e0fd3996990 Mon Sep 17 00:00:00 2001 From: Rico Hermans Date: Fri, 12 Jan 2024 14:01:39 +0100 Subject: [PATCH] chore: update sync workflow (#28689) Make the sync workflow a bit more efficient, by only fetching the branches we're actually planning on syncing from `upstream`. Also document the limitations of GitHub Actions tokens more clearly. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .github/workflows/sync-from-upstream.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sync-from-upstream.yml b/.github/workflows/sync-from-upstream.yml index ebb0403c65ae4..fba99dd721aba 100644 --- a/.github/workflows/sync-from-upstream.yml +++ b/.github/workflows/sync-from-upstream.yml @@ -11,11 +11,15 @@ jobs: # Check for the presence of a PROJEN_GITHUB_TOKEN secret. # - # This is expected to contain a personal access token of someone - # who pas permissions to bypass branch protection rules. + # This is expected to contain a personal access token of someone who has + # permissions to bypass branch protection rules. # - # If not present, we will use GitHub Actions Token permissions, - # but those are bound by branch protection rules. + # If not present, we can only use GitHub Actions Token permissions, + # but this has the following downsides: + # + # - Those are bound by branch protection rules (so automated pushing won't work). + # - As soon as a workflow file needs to be changed, GitHub will reject the push. + # Only Apps and Users can be allowed to modify workflows. check-secret: # Don't run on the target repo itself, only forks if: github.repository != 'aws/aws-cdk' @@ -52,7 +56,7 @@ jobs: - name: Sync from aws/aws-cdk run: |- git remote add upstream https://github.com/aws/aws-cdk.git - git fetch upstream + git fetch upstream $BRANCHES for branch in $BRANCHES; do git push origin --force refs/remotes/upstream/$branch:refs/heads/$branch