Conversation
Signed-off-by: oliver könig <okoenig@nvidia.com>
Contributor
📝 WalkthroughWalkthroughAdds Personal Access Token authentication to GitHub Actions checkout steps for TARGET_BRANCH and SOURCE_BRANCH in the update dependencies workflow, enabling authenticated submodule operations. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 2 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/_update_dependencies.yml (2)
186-204:⚠️ Potential issue | 🟠 MajorDirect push to
TARGET_BRANCHbypasses branch protection.Lines 199–203 check out
TARGET_BRANCH, apply a squash merge fromSOURCE_BRANCH, and force-push directly — completely bypassing any required status checks or required-review rules on that branch. The CI-check-wait step earlier only covers the intermediate bump PR, not the squash commit itself.If
TARGET_BRANCHis protected, consider merging via the GitHub API (gh pr merge --squash) instead of rawgit push, so branch-protection rules are honoured by the platform:♻️ Alternative: use `gh pr merge` to respect branch protection
- git config user.name "github-actions[bot]" - git config user.email "github-actions[bot]@users.noreply.github.com" - git fetch origin ${{ env.SOURCE_BRANCH }} - git fetch origin ${{ env.TARGET_BRANCH }} - git checkout ${{ env.TARGET_BRANCH }} - git merge --squash origin/${{ env.SOURCE_BRANCH }} - git commit -m "${{ env.title }}" - git pull --rebase origin ${{ env.TARGET_BRANCH }} - git push origin ${{ env.TARGET_BRANCH }} - git push origin --delete ${{ env.SOURCE_BRANCH }} + gh pr merge "$PR_NUMBER" --squash --subject "${{ env.title }}" --delete-branch🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/_update_dependencies.yml around lines 186 - 204, The workflow currently checks out and squash-merges SOURCE_BRANCH into TARGET_BRANCH using git merge --squash and git push, which bypasses branch protection; replace the direct checkout/commit/push sequence (the block using git fetch, git checkout ${{ env.TARGET_BRANCH }}, git merge --squash origin/${{ env.SOURCE_BRANCH }}, git commit, git push, git push --delete) with a GitHub API/CLI merge that uses the created PR number (steps.create-pull-request.outputs.pull-request-number) — e.g., call gh pr merge --repo ${{ github.repository }} $PR_NUMBER --squash --delete-branch (ensure GH auth setup and required permissions) so the merge honors branch-protection and required checks instead of performing a raw git push.
148-184:⚠️ Potential issue | 🟠 MajorUnbounded
while trueloop — add a max-iteration or step timeout guard.The polling loop has no upper bound: if a required check stalls, the GitHub status API is flaky, or the PR is never created, the runner loops indefinitely at
sleep 30per iteration. A stuck job consumes billed runner minutes and holds a concurrency slot until the workflow-leveltimeout-minutes(if any) fires.Add either a
timeout-minuteson the step or a hard cap on iterations:🛡️ Proposed fix — add a max-attempts guard
+ MAX_ATTEMPTS=120 # 120 × 30 s = 1 h max i=0 INITIALIZED=false while true; do i=$((i + 1)) + if [ "$i" -gt "$MAX_ATTEMPTS" ]; then + echo "Timed out waiting for required checks after $MAX_ATTEMPTS attempts" + exit 1 + fiAlternatively, set a
timeout-minuteson the step itself in the YAML:- name: Wait for CI checks + timeout-minutes: 60 env: GH_TOKEN: ${{ secrets.PAT }}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/_update_dependencies.yml around lines 148 - 184, The infinite polling loop (while true) using i/INITIALIZED and sleep 30 can stall indefinitely; add a hard cap by introducing a MAX_ATTEMPTS (or MAX_RETRIES) and increment/check i each iteration (e.g., if i -ge MAX_ATTEMPTS then echo a timeout/failure message and exit 1) before sleeping, or alternatively set a timeout-minutes on the workflow step so the runner kills the job; update the loop that reads CHECKS_JSON/REQUIRED_CHECKS and the final sleep 30 block to respect this max-attempts guard (referencing the existing i, INITIALIZED, sleep 30, PR_NUMBER and REQUIRED_CHECKS symbols).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Outside diff comments:
In @.github/workflows/_update_dependencies.yml:
- Around line 186-204: The workflow currently checks out and squash-merges
SOURCE_BRANCH into TARGET_BRANCH using git merge --squash and git push, which
bypasses branch protection; replace the direct checkout/commit/push sequence
(the block using git fetch, git checkout ${{ env.TARGET_BRANCH }}, git merge
--squash origin/${{ env.SOURCE_BRANCH }}, git commit, git push, git push
--delete) with a GitHub API/CLI merge that uses the created PR number
(steps.create-pull-request.outputs.pull-request-number) — e.g., call gh pr merge
--repo ${{ github.repository }} $PR_NUMBER --squash --delete-branch (ensure GH
auth setup and required permissions) so the merge honors branch-protection and
required checks instead of performing a raw git push.
- Around line 148-184: The infinite polling loop (while true) using
i/INITIALIZED and sleep 30 can stall indefinitely; add a hard cap by introducing
a MAX_ATTEMPTS (or MAX_RETRIES) and increment/check i each iteration (e.g., if i
-ge MAX_ATTEMPTS then echo a timeout/failure message and exit 1) before
sleeping, or alternatively set a timeout-minutes on the workflow step so the
runner kills the job; update the loop that reads CHECKS_JSON/REQUIRED_CHECKS and
the final sleep 30 block to respect this max-attempts guard (referencing the
existing i, INITIALIZED, sleep 30, PR_NUMBER and REQUIRED_CHECKS symbols).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do ?
Add a one line overview of what this PR aims to accomplish.
Changelog
GitHub Actions CI
See the CI sectionin the Contributing doc for how to trigger the CI. A Nvidia developer will need to approve and trigger the CI for external contributors.
Before your PR is "Ready for review"
Pre checks:
If you haven't finished some of the above items you can still open "Draft" PR.
Additional Information
Summary by CodeRabbit