
Harden and correct keep-alive GHA workflow#141

Merged: bart-vmware merged 1 commit into main from keepalive-fixes on Jul 2, 2026

Conversation

@bart-vmware (Member) commented Jul 1, 2026

Several correctness, reliability and maintainability issues were found and fixed in the keep-alive workflow:

Correctness

  • Fix default branch detection: github.event.repository.default_branch is empty on scheduled runs; now resolved via the GitHub API
  • Fix $GITHUB_OUTPUT references that were unquoted
  • Fix branch strategy: the old approach accumulated commits on the keep-alive-workflow branch across runs; now always resets to the tip of the default branch before force-pushing a single empty commit
  • Fix PR strategy: gh pr reopen fails after a force push because GitHub considers the head branch changed; replaced the reopen/close cycle with keeping a single PR permanently open
  • Fix jq returning literal null: add // empty so missing values produce an empty string instead
  • Remove 2>/dev/null from gh calls, which was silently swallowing errors

Reliability

  • No set -euo pipefail was present in any run block, allowing intermediate command failures to be silently swallowed. Added to all three blocks.
  • Add explicit git fetch origin before checkout, since actions/checkout with fetch-depth: 1 does not reliably establish remote tracking refs
  • Add guard to fail fast if the API returns an empty default branch
  • Add numeric validation of the parsed PR number
  • Add concurrency group to prevent simultaneous runs
  • Add workflow_dispatch bypass to always run keep-alive on manual triggers
  • Add a new step that explicitly re-enables all scheduled workflows via the GitHub API (PUT /enable), resetting their individual 60-day inactivity timers as a belt-and-suspenders measure alongside the branch push
  • Replace process substitution <(...) with command substitution $(...) in the enable step so set -e correctly propagates API failures

Simplification

  • Hoist GH_TOKEN, GH_REPO, and BRANCH_NAME to job-level env to reduce duplication across steps
  • Split the two monolithic steps into three focused ones: enable workflows, push branch, open PR
  • Replace issues: read (unused) with actions: write (required for API enablement)
  • Rename branch from keep-alive-workflow to keep-workflows-alive
  • Add build status badge and an important notice to the PR body
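The hardened step logic described above, as a stand-alone shell example added here (not the workflow's own code): `gh` is a constructed stub standing in for the GitHub CLI, `GH_REPO` is a placeholder, and the branch name is the PR's `keep-workflows-alive`. It shows the empty-default-branch guard, jq's `// empty`, numeric validation of the PR number and the quoted `$GITHUB_OUTPUT` write, all under `set -euo pipefail`.

```shell
# Added example, not the workflow's code. `gh` is a constructed stub for the GitHub CLI:
# it ignores the --jq expression and answers from STUB_* variables instead.
set -euo pipefail

gh() {
  case "$*" in
    "api repos/"*) printf '%s\n' "${STUB_DEFAULT_BRANCH-}" ;;  # default-branch lookup
    "pr list"*)    printf '%s\n' "${STUB_PR_NUMBER-}" ;;       # open keep-alive PR lookup
    *) echo "stub gh: unsupported call: $*" >&2; return 1 ;;
  esac
}

GH_REPO=${GH_REPO:-example-org/example-repo}  # placeholder, not the PR's repository
GITHUB_OUTPUT=${GITHUB_OUTPUT:-$(mktemp)}     # set by the runner in a real job

# Scheduled runs carry no default_branch in the event payload, so ask the API. jq's
# `// empty` prints nothing instead of the literal "null", and the guard fails fast.
resolve_default_branch() {
  local branch
  branch=$(gh api "repos/$GH_REPO" --jq '.default_branch // empty')
  if [ -z "$branch" ]; then
    echo "error: API returned an empty default branch for $GH_REPO" >&2
    return 1
  fi
  printf '%s\n' "$branch"
}

# Find the single permanently open keep-alive PR on branch $1. Empty means "none yet";
# anything non-numeric (e.g. a stray "null") is an error, never a PR number.
find_open_pr_number() {
  local number
  number=$(gh pr list --head "$1" --state open --json number --jq '.[0].number // empty')
  case "$number" in
    '') return 0 ;;
    *[!0-9]*) echo "error: non-numeric PR number: '$number'" >&2; return 1 ;;
  esac
  printf '%s\n' "$number"
}

# Always quote "$GITHUB_OUTPUT": unquoted, a runner path with spaces would word-split.
write_output() {
  printf '%s=%s\n' "$1" "$2" >> "$GITHUB_OUTPUT"
}

# Walk the two lookups when run directly with the stub variables set, e.g.
#   STUB_DEFAULT_BRANCH=main STUB_PR_NUMBER=141 bash keepalive-demo.sh
if [ -n "${STUB_DEFAULT_BRANCH-}" ]; then
  write_output default_branch "$(resolve_default_branch)"
  write_output pr_number "$(find_open_pr_number keep-workflows-alive)"
fi
```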

@bart-vmware force-pushed the keepalive-fixes branch 2 times, most recently from e1ab7f3 to d4d13f3, July 1, 2026 13:27
@bart-vmware changed the title "fix(keep-alive): harden and correct workflow behaviour" to "Harden and correct keep-alive workflow behavior", Jul 1, 2026
@bart-vmware changed the title "Harden and correct keep-alive workflow behavior" to "Harden and correct keep-alive GHA workflow", Jul 1, 2026
@bart-vmware force-pushed the keepalive-fixes branch 3 times, most recently from 86c8a09 to 4d6b443, July 1, 2026 15:27
@bart-vmware marked this pull request as ready for review July 1, 2026 15:32
@bart-vmware requested a review from TimHess July 1, 2026 15:32

@TimHess (Member) left a comment


LGTM

@bart-vmware merged commit 22abb7b into main Jul 2, 2026
13 checks passed
@bart-vmware deleted the keepalive-fixes branch July 2, 2026 07:47