mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-27 11:22:03 +00:00
ci: centralize path-gating behind single orchestrator + all-checks-pass gate

Replace the scattered per-workflow detect-changes pattern with a single ci.yml orchestrator that runs the classifier once, then conditionally calls sub-workflows via workflow_call based on lane outputs. A final all-checks-pass job (if: always()) aggregates all results so branch protection only needs to require one check.

Changes:
- New .github/workflows/ci.yml orchestrator (detect + conditional calls + all-checks-pass gate)
- Extend classify_changes.py with scan/deps/mcp_catalog lanes, absorbing supply-chain-audit's internal changes job
- Update detect-changes/action.yml to expose the new lane outputs
- Convert all 10 PR-gated sub-workflows to workflow_call-only triggers, removing their push/pull_request triggers and per-step detect-changes guards (gating now happens at the orchestrator level)
- lint.yml + supply-chain-audit.yml receive event_name as a workflow_call input to replace github.event_name (which is "workflow_call" inside called workflows)
- supply-chain-audit.yml: remove internal changes job + *-gate jobs (orchestrator handles gating, booleans arrive as inputs)
- contributor-check.yml: remove internal filter step
- Update test_classify_changes.py for 6-lane output + new supply-chain test cases
57 lines
2.5 KiB
YAML
```yaml
name: History Check

# Rejects PRs whose branch has no common ancestor with main.
#
# In May 2026 PR #25045 was merged from a branch that had been disconnected
# from main's history (likely an accidental `git checkout --orphan` or
# `.git/` re-init). GitHub's merge UI does not refuse merges of unrelated
# histories, so the PR landed cleanly with the intended one-file change —
# but its parent-less root commit (413990c94) got grafted into main as a
# second root, and ~1500 files' worth of `git blame` history collapsed
# onto that single commit.
#
# This check catches the failure mode by requiring `git merge-base` between
# the PR head and main to be non-empty.

on:
  workflow_call:

permissions:
  contents: read

jobs:
  check-common-ancestor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # full history both sides for merge-base

      - name: Reject PRs with no common ancestor on main
        run: |
          # `git merge-base` exits non-zero AND prints nothing when the two
          # commits share no ancestor. We check both conditions explicitly
          # so the failure message is clear regardless of which signal fires
          # first.
          if ! BASE=$(git merge-base origin/main HEAD 2>/dev/null) || [ -z "$BASE" ]; then
            echo ""
            echo "::error::This PR has no common ancestor with main."
            echo ""
            echo "Your branch's history is disconnected from main. Common causes:"
            echo " - the branch was created with 'git checkout --orphan'"
            echo " - '.git/' was re-initialized at some point during the work"
            echo " - the branch was force-pushed from an unrelated repository"
            echo ""
            echo "Merging an unrelated-history PR grafts a parent-less root commit"
            echo "into main and collapses git blame for every file in that snapshot."
            echo "Reference: PR #25045 caused this and re-rooted blame on ~1500"
            echo "files to a single orphan commit."
            echo ""
            echo "To fix, rebase your changes onto current main:"
            echo " git fetch origin main"
            echo " git checkout -b fix-branch origin/main"
            echo " # re-apply your changes (cherry-pick, copy files, etc.)"
            echo " git push -f origin fix-branch"
            exit 1
          fi
          echo "::notice::Common ancestor with main: $BASE"
```
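The merge-base test from the step above, run against a throwaway repository. This is an added example, not part of the hermes-agent repository; the branch names `feature`, `orphan` and `merged` and all helper function names are assumptions made for the demonstration. It also shows that a merge commit joining an orphan branch to main passes the test while carrying two root commits, so the test only detects the problem when it is given the branch's own head commit.

```shell
#!/bin/sh
# Added example: constructed repository, hypothetical branch and helper names.

# git wrapper with a fixed identity so commits work on a machine with no config.
g() { git -c user.name=demo -c user.email=demo@example.invalid \
          -c commit.gpgsign=false "$@"; }

# Same test as the workflow step: non-zero exit OR empty output means unrelated.
has_common_ancestor() {
  _base=$(git merge-base "$1" "$2" 2>/dev/null) && [ -n "$_base" ]
}

# Prints "connected" or "disconnected" for a ref, compared against main.
classify() {
  if has_common_ancestor main "$1"; then echo connected; else echo disconnected; fi
}

# Number of parent-less (root) commits reachable from a ref.
count_roots() { git rev-list --max-parents=0 "$1" | wc -l | tr -d ' '; }

# Build the constructed repository: main, a normal branch, an orphan branch,
# and a branch holding the merge of the orphan into main.
build_demo_repo() {
  _dir=$(mktemp -d) || return 1
  cd "$_dir" || return 1
  git init -q .
  git symbolic-ref HEAD refs/heads/main
  echo one > a.txt; g add a.txt; g commit -q -m "root of main"

  g checkout -q -b feature                 # ordinary branch off main
  echo two > b.txt; g add b.txt; g commit -q -m "normal change"

  g checkout -q --orphan orphan            # new history with no parent
  echo three > c.txt; g add c.txt; g commit -q -m "disconnected root"

  g checkout -q -b merged main             # what landing the orphan produces
  g merge -q --allow-unrelated-histories -m "merge orphan" orphan
}

build_demo_repo
echo "feature: $(classify feature)"
echo "orphan:  $(classify orphan)"
echo "merged:  $(classify merged), root commits: $(count_roots merged)"
```
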