[PR #6817] Handle fork PRs gracefully in release notes generation #6757

Open
opened 2026-02-28 21:32:17 -06:00 by GiteaMirror · 0 comments

Original Pull Request: https://github.com/actualbudget/actual/pull/6817

State: open
Merged: No


Summary

This PR updates AI-generated release notes automation to better handle fork PRs by matching the same commit model used successfully in other workflows.

Findings

  • The earlier assumption that fork PR branches are broadly unwritable from Actions was too strict.
  • Other workflows (notably VRT update apply) can commit to fork PR branches by checking out the PR head repository/branch and pushing with ACTIONS_UPDATE_TOKEN.
  • The previous release-notes approach used a direct Contents API write and often fell back to manual comments.

Clarification on Permissions vs Write Method

  • On master, create-release-notes-file.js was already using ACTIONS_UPDATE_TOKEN, but it wrote via repos.createOrUpdateFileContents (Contents API).
  • That API path can still fail for fork branches (commonly 403/404) even when a branch push method may succeed.
  • This PR switches to checkout + git commit + git push, which aligns with workflows that already succeed on fork branches.
  • This improves the success rate, but does not guarantee writes in all fork scenarios: if push permissions are truly unavailable, fallback comments are still expected.

What Changed

  • Switched release-notes write path to the VRT-style approach:
    • checkout PR head repo/ref
    • write upcoming-release-notes/<pr>.md
    • commit and push to the PR head branch with ACTIONS_UPDATE_TOKEN
  • Updated file-existence checks to query the actual PR head repo/ref (including forks), not only base-repo context.
  • Added explicit PR-head metadata outputs (head_repo_full_name, head_ref, maintainer_can_modify) for workflow decisions and diagnostics.
  • Added debug logging in workflow output so maintainers can quickly see why auto-commit was/was not attempted.
  • Preserved manual comment fallback when direct push is not possible.

Security and Reliability Adjustments

  • Avoids executing trusted scripts from an untrusted checkout path by checking out the PR branch into a separate directory and only writing/committing the generated file there.
  • Avoids an unnecessary @actions/core dependency and switches helper output writing to GITHUB_OUTPUT directly to reduce dependency/lockfile churn.
  • Relaxed overly strict gating so the workflow attempts checkout/push whenever PR head repo/ref are available, then falls back gracefully only on actual failures.

Behavior After This PR

  • Fork PRs where token permissions allow branch writes: the release-notes file is added directly to the contributor branch.
  • Fork PRs where permissions still block writes: contributor gets a manual copy/paste comment, now with clearer debug context for maintainers.

Test Plan

  • Validate workflow logic and helper scripts via CI execution on PR events.
  • Confirm helper script syntax (node --check) and lint cleanliness for changed files.
  • Manual reasoning verification against working VRT permission model and checkout/push flow.

AI Generated

Yes, this PR was created with AI prompts to GPT-Codex.
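The checkout + commit + push flow with comment fallback that the description outlines, as an added example; this is not the PR's own workflow or helper code. It assumes the caller passes a clone URL for the PR head repository (in Actions that URL would carry the ACTIONS_UPDATE_TOKEN, for example as an x-access-token credential), the head branch name, the PR number and the generated markdown, and it treats a rejected push as a non-fatal signal for the manual-comment fallback.

```bash
#!/usr/bin/env bash
# Added example, not code from the actual repository.
# push_release_notes HEAD_REPO_URL HEAD_REF PR_NUMBER NOTES_BODY
# Returns 0 when the file was pushed to the PR head branch, 1 when checkout
# or push fails (the workflow then falls back to a copy/paste comment).
push_release_notes() {
  head_repo_url="$1"; head_ref="$2"; pr_number="$3"; notes_body="$4"
  # The untrusted PR branch gets its own directory, separate from the
  # workspace holding the trusted workflow scripts. Nothing in it is run;
  # we only add one file, commit, and push.
  work_dir="$(mktemp -d)"
  if ! git clone --quiet --branch "$head_ref" "$head_repo_url" "$work_dir/pr-head" 2>/dev/null; then
    echo "checkout of ${head_repo_url}@${head_ref} failed; using comment fallback" >&2
    rm -rf "$work_dir"
    return 1
  fi
  status=0
  (
    cd "$work_dir/pr-head" &&
    mkdir -p upcoming-release-notes &&
    printf '%s\n' "$notes_body" > "upcoming-release-notes/${pr_number}.md" &&
    git add "upcoming-release-notes/${pr_number}.md" &&
    git -c user.name="release-notes-bot" -c user.email="bot@example.invalid" \
      commit --quiet -m "Add release notes for PR #${pr_number}" &&
    # A 403/rejected push is the fallback signal, not a workflow crash.
    git push --quiet origin "HEAD:${head_ref}" 2>/dev/null
  ) || status=$?
  rm -rf "$work_dir"
  if [ "$status" -ne 0 ]; then
    echo "push to ${head_ref} rejected; using comment fallback" >&2
    return 1
  fi
  return 0
}
```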

GiteaMirror added the pull-request label 2026-02-28 21:32:17 -06:00