ci: refine security reports and fix off-by-one in update-pins #377
Conversation
Signed-off-by: Jacob Howard <jacob.howard@docker.com>
Signed-off-by: Jacob Howard <jacob.howard@docker.com>
Signed-off-by: Jacob Howard <jacob.howard@docker.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| failed_servers+=("$server (update)") | ||
| fi | ||
| else | ||
| # Check PR limit before creating new PR. | ||
| if [ -n "$new_pr_limit" ] && [ "$new_pr_count" -ge "$new_pr_limit" ]; then | ||
| echo "New PR quota reached ($new_pr_limit); skipping $server." | ||
| continue | ||
| fi |
There was a problem hiding this comment.
The new PR limit is now enforced only after the branch is pushed. When the quota has been reached, the loop still applies the patch, commits, and force-pushes automation/update-pin-${server}, but then skips gh pr create. On the next run the code sees the pushed branch, finds that servers/${server}/server.yaml already pins the target commit, and immediately skips the server, so a PR is never opened for that update. Previously the check happened before pushing, allowing a later run to create the PR when the quota permitted. This regression causes updates processed after hitting the quota to be silently dropped until a newer upstream commit appears.
Useful? React with 👍 / 👎.
1 participant
This PR fixes a few issues in CI:
pull_request_numberas required when runningsecurity-review-changesviaworkflow_dispatch