Script to ghstack land

[kirklandsign]

Per ghstack tutorial for a PR exported by ghstack, it will have two diff sets:

• gh/user/1/base <- gh/user/1/head where the PR is created like this
• main <- gh/user/1/orig

The purpose of this bot is, when the ghstack PR is merged, automatically create another PR to do this merge main <- gh/user/1/orig. Then we just merge the newly created PR so that main has that change.

Missing piece: token from pytorch bot to create PR.

If this goes well, we can either git merge the commit from gh/user/1/orig into main directly, without going through the new PR; or auto approve and merge the PR.

Test: You can test locally with export GITHUB_TOKEN=ghpxyz; python .github/scripts/propose_ghstack_orig_pr.py --pr 6265 --repo pytorch/executorch
Note that between /orig merges, there is never a merge conflict.

The invariant is guaranteed that gh/user/1/orig contains the exact same change between gh/user/1/base <- gh/user/1/head by ghstack tool.

[pytorch-bot]

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/6270

• 📄 Preview Python docs built from this PR

Note: Links to docs will display an error until the docs builds have been completed.

✅ No Failures

As of commit 3410698 with merge base 7510f8c ():
💚 Looks good so far! There are no failures yet. 💚

This comment was automatically generated by Dr. CI and updates every 15 minutes.

[kirklandsign]

@huydhn could use your help with getting a bot token for creating the PR

[kirklandsign]

@huydhn Then let's still use GH_PYTORCHBOT_CHERRY_PICK_TOKEN, and add environment: cherry-pick-bot?

[kirklandsign]

very cheap job.

[huydhn]

I need to sit down to review this one, but let me ask @kit1980 to take a look too as granting pull request write permission to a pull_request target seems like a security hole. And he knows that part well.

[kirklandsign]

I need to sit down to review this one, but let me ask @kit1980 to take a look too as granting pull request write permission to a pull_request target seems like a security hole. And he knows that part well.

Thank you! It’s very similar to our cherry pick bot. However if I use cherry pick bot token it doesn’t allow me to create PR (maybe on this branch trigger). GH actions token can’t be used to create PR.

[huydhn]

@kit1980 Let me hear what you think. From what I see, we could make the PR work as it stands because it only needs to grant write permission to ghstack PRs. And folks need to have write permission to the repo already to be able to use ghstack in the first place. So, there shouldn't be any security gap (if we implement the workflow correctly)

[kirklandsign]

@huydhn @kit1980 Can we accept gh/*/base to trigger the cherry pick bot?

Users already needs permission to push to pytorch:gh/*/base, so this won't grant additional permission

[kit1980]

I need to sit down to review this one, but let me ask @kit1980 to take a look too as granting pull request write permission to a pull_request target seems like a security hole. And he knows that part well.

I don't see the issue. Secrets are not passed to forked PRs on pull_request trigger, so it should be fine.

[huydhn]

I think if you want to choose a smaller group of people to test this out first, you can list them here explicitly, i.e.

    branches:
      - 'gh/kirklandsign/[0-9]+/base'
      - 'gh/guangy10/[0-9]+/base'

It seems like a good idea to try it out first before rolling out to everyone.

[facebook-github-bot]

@kirklandsign has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

[dbort]

Can you clarify this? Is this an index into the stack, or the PR number itself? And if it's an existing PR, why does it need to create another PR?

[kirklandsign]

That's the trigger PR. Example: #6346

The bot creates #6347 for merging into main

[facebook-github-bot]

@kirklandsign merged this pull request in 18a7e65.