ci(mirror-sync): auto-mirror upstream-pr/** branches for fork regression#12
Merged
ci(mirror-sync): auto-mirror upstream-pr/** branches for fork regression#12
Conversation
… regression" This reverts commit cf57b84.
PROPOSAL — please review before merge. Opening this PR as the proper review venue after an earlier unilateral commit to main (cf57b84, reverted in this PR's first commit). Same intended content, now routed through a branch + PR for your sign-off. Goal: let us e2e-test upstream-bound PR branches (upstream-pr/**) on this fork without touching their .github/ — which must stay clean for upstream reviewers. On every push to upstream-pr/**, a bot branch test-mirror/<same-topic> is (re)created with the fork's working CI files overlaid from fork-ci/. The mirror branch's .github/workflows/build.yaml (copied from fork-ci/) has test-mirror/** in its push-trigger list, so the normal e2e cascade (build → trigger-node-agent → component-tests) fires automatically. Two files added: 1. fork-ci/.github/workflows/build.yaml — an extracted copy of the previous working build.yaml (pushes images to ghcr.io, auto-triggers node-agent build). Push trigger extended to include test-mirror/** so mirror pushes fire it. 2. .github/workflows/mirror-sync.yaml — triggers on push to upstream-pr/**. Overlays fork-ci/ onto the pushed commit and force-pushes to test-mirror/<same-name>. Refuses to operate on non-upstream-pr branches. Needs secret CROSS_REPO_PAT set in repo settings (same token already used by the trigger-node-agent job in the old build.yaml). If the secret is missing, mirror-sync will fail loudly on first dispatch rather than silently pushing to the wrong thing. Same pattern will be proposed on k8sstormcenter/node-agent in a parallel PR once this one is reviewed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
4 tasks
entlein
added a commit
to k8sstormcenter/node-agent
that referenced
this pull request
Apr 24, 2026
Symmetric to k8sstormcenter/storage#12. Reacts to every push on upstream-pr/** by force-updating test-mirror/<same-topic> with the working tree overlaid from fork-ci/ on main. This lets our internal CI exercise upstream-bound branches without polluting the upstream diff with fork-only workflow files. fork-ci/ is intentionally empty beyond a README today: node-agent's existing build.yaml + component-tests.yaml already behave correctly on any ref. The machinery is in place so that the moment a fork-only workflow tweak is needed (e.g. a push trigger including test-mirror/** or a different image registry), it has a home that will not leak into the upstream PR diff. Requires a CROSS_REPO_PAT secret with contents:write on the fork so the workflow can force-push refs/heads/test-mirror/**. Signed-off-by: Entlein <eineintlein@gmail.com> Co-authored-by: Entlein <eineintlein@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Proper review venue for a mirror-sync infrastructure I earlier committed directly to
main(mistake — now reverted in this PR's first commit). Same intended content, routed through a branch + PR for sign-off.Why
Upstream-bound PR branches (
upstream-pr/**) stay pristine for reviewers like Matthias — we can't touch their.github/without contaminating the upstream diff. But we still want to exercise each push end-to-end on this fork (build → node-agent build → component-tests) to catch regressions before they get near upstream.How
Two files, both on this fork's
mainso they govern every mirror cycle:fork-ci/.github/workflows/build.yaml— extracted copy of the pre-refactor workingbuild.yaml(pushes to ghcr.io, includes thetrigger-node-agentcascade step). Push-trigger list extended withtest-mirror/**so any mirror push fires it..github/workflows/mirror-sync.yaml— triggers on push toupstream-pr/**. Overlaysfork-ci/onto the pushed tree and force-pushes totest-mirror/<same-name>. Refuses to operate on non-upstream-pr branches. Deliberately uses force-push because the mirror is a derived branch only written by this workflow.Flow
```
user pushes to upstream-pr/analyzer-zero-alloc
│
├─ mirror-sync.yaml fires
│ overlays fork-ci/ → force-pushes test-mirror/upstream-pr/analyzer-zero-alloc
│
├─ test-mirror/... push triggers fork-ci build.yaml
│ builds ghcr.io/k8sstormcenter/storage:
│ trigger-node-agent job dispatches node-agent build with --ref test-mirror/...
│
└─ node-agent build.yaml → component-tests.yaml (internal dispatch)
```
Prerequisites
Follow-up
A parallel PR will add the same pattern to `k8sstormcenter/node-agent` — `fork-ci/` + `mirror-sync.yaml` on its main, so pushing `upstream-pr/foo` on node-agent also produces a mirror for the cascade to target. I'll open that only after this one is reviewed/merged.
Rollback
If this turns out to cause more confusion than value: `git revert` both commits. The `test-mirror/**` branches it creates are safe to delete at any time — they're derived branches.
History note