ci:cherry pick unicorn

[robertaandersen]

...

Attach a link to issue if relevant

What

Specify what you're trying to achieve

Why

Specify why you need to achieve this

Screenshots / Gifs

Attach Screenshots / Gifs to help reviewers understand the scope of the pull request

Checklist:

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• Formatting passes locally with my changes
• I have rebased against main before asking for a review

Summary by CodeRabbit

• New Features

  • Introduced automated branch update creation triggered under specific conditions.

• Chores

  • Enhanced the pull request workflow to act only on merged contributions.
  • Modified history retrieval to include the complete commit log.
  • Refined conditional checks to streamline automated branch management.

These improvements help ensure a more robust and predictable automation process during pull request handling and release management.

[coderabbitai]

Walkthrough

The changes update the GitHub Actions workflow defined in .github/workflows/pullrequest-close.yml. The workflow now runs certain jobs only for merged pull requests and introduces new job outputs (IS_UNICORN and LATEST_RELEASE). It adjusts the checkout strategy by fetching full history and renames a step’s identifier. Parameters passed to a script in the unicorn check step have been modified, and additional steps are added that perform Git operations to create a pull request when a unicorn condition is met.

Changes

File(s)	Change Summary
.github/workflows/pullrequest-close.yml	- Added a conditional check to run the job only if the pull request is merged. - Modified fetch-depth from 10 to 0 in the checkout step. - Updated the step identifier from unicorn-affected to unicorn_affected. - Changed parameters for the unicorn check from baseBranch/mergeBranch to head/base. - Added outputs: IS_UNICORN, LATEST_RELEASE and new Git commands for PR creation.

Sequence Diagram(s)

sequenceDiagram
    participant PR_Event as PR Event
    participant Workflow as GitHub Workflow
    participant CheckUnicorn as Check Unicorn Job
    participant UnicornLogic as Unicorn Check Step
    participant ReleaseAction as Release & PR Creation Step

    PR_Event->>Workflow: Trigger on PR event (merged)
    Workflow->>CheckUnicorn: Evaluate if the pull request is merged
    CheckUnicorn->>UnicornLogic: Run unicorn affected check (using head and base)
    UnicornLogic-->>Workflow: Return IS_UNICORN flag
    alt IS_UNICORN is true
        Workflow->>ReleaseAction: Execute steps to find release branch and create a PR
    else IS_UNICORN is false
        Workflow-->>PR_Event: End workflow without PR creation
    end

Loading

Suggested labels

automerge

Tip

🌐 Web search-backed reviews and chat

• We have enabled web search-based reviews and chat for all users. This feature allows CodeRabbit to access the latest documentation and information on the web.
• You can disable this feature by setting web_search: false in the knowledge_base settings.
• Please share any feedback in the Discord discussion.

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c81f657 and 78d5f2d.

📒 Files selected for processing (1)

• .github/workflows/pullrequest-close.yml (3 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/pullrequest-close.yml

16-16: label "arc-runners" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-22.04", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "macos-12-xl", "macos-12-xlarge", "macos-12-large", "macos-12", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

71-71: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions for more details

(expression)

🔇 Additional comments (8)

.github/workflows/pullrequest-close.yml (8)

15-15: Unicorn Condition Check:
The condition if: github.event.pull_request.merged == true (line 15) ensures that the job runs only for merged pull requests, which aligns with the intended behavior based on the PR objectives.

---

16-16: Runner Label Validation:
The job is configured with runs-on: arc-runners (line 16), a label not included in the standard GitHub runner labels. If arc-runners is a custom, self-hosted runner, please ensure that the actionlint configuration is updated accordingly. Otherwise, consider using a standard label (e.g., ubuntu-latest) to avoid potential runtime issues.

🧰 Tools

🪛 actionlint (1.7.4)

16-16: label "arc-runners" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-22.04", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "macos-12-xl", "macos-12-xlarge", "macos-12-large", "macos-12", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

---

18-20: Job Outputs Declaration:
The outputs IS_UNICORN and LATEST_RELEASE (lines 18–20) are mapped to the corresponding step outputs correctly. Ensure that both the unicorn_affected and get_latest_release steps consistently provide these outputs for downstream usage.

---

24-24: Checkout History Depth:
Setting fetch-depth: 0 (line 24) to clone the full Git history is a deliberate change to support operations like cherry-picking. Be aware that this may increase the clone time on larger repositories, but it appears to be a well-considered trade-off.

---

47-47: Step Identifier Renaming:
Renaming the step identifier to unicorn_affected (line 47) improves the naming consistency. Verify that all references to this identifier (such as in job outputs and condition checks) have been updated correctly.

---

50-50: Parameter Update for Unicorn Check:
In the “Check unicorn affected” step (line 50), the parameters passed to the unicorn-utils.mjs script have been updated to use head and base keys. This update should align with the script’s expectations. Please verify that the unicorn-utils.mjs script correctly processes these new keys.

---

57-62: Latest Release Branch Determination:
The “Find Latest Release Branch” step (lines 57–62) is now conditioned on IS_UNICORN == 'true' and uses a Node script to determine the latest release branch. Ensure that the script robustly handles edge cases, for example, if no valid release branch is found.

---

65-83: Create a PR Step & Input Sanitization:
In the “Create a PR” step (lines 65–83), the new branch name PR_BRANCH is constructed using the expression ${{ github.head_ref}}/cherry-pick (line 69). According to static analysis, using github.head_ref directly in inline scripts can be risky if the value is untrusted. Consider sanitizing this variable—perhaps by first storing a validated copy in an environment variable—to prevent potential injection issues.

If you would like, I can suggest a refactoring of this step to safely handle the github.head_ref value.

🧰 Tools

🪛 actionlint (1.7.4)

71-71: "github.head_ref" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions for more details

(expression)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 78d5f2d.

Command	Status	Duration	Result
nx run-many --target=codegen/frontend-client --...	✅ Succeeded	13s	View ↗
nx run-many --target=codegen/backend-schema --a...	✅ Succeeded	23s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-02-05 16:59:44 UTC

[pro-ingvar]

LGTM 🥇 , well done