Skip to content

chore(os): add a task to create PRs for OS sync #29

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Sep 18, 2025
+192 −110
Merged

chore(os): add a task to create PRs for OS sync #29

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
20c3ad0
chore: add a task to create PRs for OS sync
gberenice Jun 24, 2025
41e0f6e
Merge branch 'main' into chore/os-pr-task
gberenice Aug 21, 2025
e672e34
feat: add some error handling
gberenice Aug 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions aqua.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,5 @@ packages:
- name: TomWright/dasel@v2.4.1
- name: stedolan/jq@jq-1.7.1
tags: [cursor]
- name: cli/cli@v2.74.2
tags: [gh]
93 changes: 91 additions & 2 deletions lib/os-modules/Taskfile.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ vars:
terraform-aws-tailscale \
terraform-aws-identity-center-users \
terraform-datadog-users \
terraform-github-organization \
terraform-github-teams \
terraform-googleworkspace-users-groups-automation \
terraform-postgres-config-dbs-users-roles \
Expand Down Expand Up @@ -94,7 +93,15 @@ tasks:

# If branch exists and delete option is turned off - skip creation
if git branch --list "{{.SYNC_BRANCH}}" | grep -q "{{.SYNC_BRANCH}}" && [ "{{.DELETE_EXISTING_SYNC_BRANCH}}" = "false" ]; then
echo "⏭️ Branch {{.SYNC_BRANCH}} already exists, skipping creation."
echo "⏭️ Branch {{.SYNC_BRANCH}} already exists, checking it out."
git checkout {{.SYNC_BRANCH}}

# Check if local and remote branches have diverged
if git status --porcelain -b | grep -q "ahead\|behind\|diverged"; then
echo "⚠️ Local and remote branches have diverged. Resetting to remote branch..."
git fetch origin {{.SYNC_BRANCH}}
git reset --hard origin/{{.SYNC_BRANCH}}
fi
Comment on lines 110 to +119
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Divergence check risks clobbering local commits

git status --porcelain -b flags any “ahead/behind” state and then hard-resets to the remote, which will silently drop local commits if the branch is only ahead of origin.

A safer pattern is to reset only when the branch is behind or has actually diverged:

- if git status --porcelain -b | grep -q "ahead\|behind\|diverged"; then
-   echo "⚠️  Local and remote branches have diverged. Resetting to remote branch..."
-   git fetch origin {{.SYNC_BRANCH}}
-   git reset --hard origin/{{.SYNC_BRANCH}}
+ # Count commits left (behind) and right (ahead) of remote
+ if [ "$(git rev-list --left-right --count {{.SYNC_BRANCH}}...origin/{{.SYNC_BRANCH}} | awk '{print $1}')" -gt 0 ]; then
+   echo "🔄 Local branch is behind remote. Resetting hard to remote state…"
+   git fetch origin {{.SYNC_BRANCH}}
+   git reset --hard origin/{{.SYNC_BRANCH}}
+ fi

This preserves un-pushed work while still self-healing in the “behind” scenario.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents 
In lib/os-modules/Taskfile.yaml around lines 95 to 104, the current divergence
check resets the branch hard whenever it is ahead, behind, or diverged, which
risks losing local commits. Modify the condition to reset only if the branch is
behind or diverged, excluding the ahead-only case. Adjust the git status check
to detect only "behind" or "diverged" states before performing the hard reset to
preserve un-pushed local commits.


# If branch exists and delete option is turned on - delete and create new branch
elif git branch --list "{{.SYNC_BRANCH}}" | grep -q "{{.SYNC_BRANCH}}" && [ "{{.DELETE_EXISTING_SYNC_BRANCH}}" = "true" ]; then
Expand Down Expand Up @@ -131,6 +138,8 @@ tasks:
do
echo "🚀 Processing ../$module..."
cd ../$module
echo "🔄 Checking out {{.SYNC_BRANCH}} branch..."
git checkout {{.SYNC_BRANCH}}
echo "📝 Committing changes..."
git add .
git commit -m "chore: update with the latest template state"
Expand All @@ -139,6 +148,63 @@ tasks:
cd -
done

pr:
desc: |
Create pull requests for the changes pushed to SYNC_BRANCH.
Example: `task os:pr -- terraform-spacelift-automation`
summary: |
This will create pull requests from the SYNC_BRANCH to main for each of the specified
Terraform module repositories using GitHub CLI.
To create PRs for specific repositories, pass their names as arguments:
`task os:pr -- terraform-custom-module`
or for multiple modules: `task os:pr -- "terraform-custom-module terraform-another-module"`

vars:
MODULES: "{{if .CLI_ARGS}}{{.CLI_ARGS}}{{else}}{{.DEFAULT_MODULES}}{{end}}"
PR_TITLE: "chore: sync with latest template state"
PR_BODY: |
This PR syncs the repository with the latest state from `terraform-module-template`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we update this PR body to include the tag / latest commit SHA from terraform-module-template so we can track what version this update is coming from?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should this as a follow up, so no need to add it to this PR!

Arc 2025-07-01 13 04 35
Arc 2025-07-01 13 07 20

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR body was updated and tested masterpointio/terraform-aws-identity-center-users#6


**Changes include:**
- Updated configuration files (.checkov.yaml, .markdownlint.yaml, etc.)
- Updated GitHub workflows and templates
- Updated linting and formatting configurations
- Updated documentation templates

cmds:
- |
# Convert newlines to spaces and remove backslashes
modules=$(echo "{{.MODULES}}" | tr '\n' ' ' | sed 's/\\//g')
for module in $modules
do
echo "🚀 Creating PR for ../$module..."
cd ../$module

current_branch=$(git branch --show-current)
if [ "$current_branch" != "{{.SYNC_BRANCH}}" ]; then
echo "⚠️ Warning: Not on {{.SYNC_BRANCH}} branch. Current branch: $current_branch"
echo "🔄 Checking out {{.SYNC_BRANCH}}..."
git checkout {{.SYNC_BRANCH}}
fi

Comment on lines +219 to +225
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Branch-safety check: bail out early instead of continuing on wrong branch

The current logic merely warns when the user happens to be on a different branch, then checks out {{.SYNC_BRANCH}}. If the checkout fails (e.g., branch missing), the script still proceeds and gh pr create will mis-behave. Prefer failing fast:

- git checkout {{.SYNC_BRANCH}}
+ if ! git checkout {{.SYNC_BRANCH}}; then
+   echo "❌ Failed to switch to {{.SYNC_BRANCH}} – skipping PR for $module"
+   cd -; continue
+ fi

Improves robustness across all repos.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
current_branch=$(git branch --show-current)
if [ "$current_branch" != "{{.SYNC_BRANCH}}" ]; then
echo "⚠️ Warning: Not on {{.SYNC_BRANCH}} branch. Current branch: $current_branch"
echo "🔄 Checking out {{.SYNC_BRANCH}}..."
git checkout {{.SYNC_BRANCH}}
fi
current_branch=$(git branch --show-current)
if [ "$current_branch" != "{{.SYNC_BRANCH}}" ]; then
echo "⚠️ Warning: Not on {{.SYNC_BRANCH}} branch. Current branch: $current_branch"
echo "🔄 Checking out {{.SYNC_BRANCH}}..."
if ! git checkout {{.SYNC_BRANCH}}; then
echo "❌ Failed to switch to {{.SYNC_BRANCH}} – skipping PR for $module"
cd -; continue
fi
fi
🤖 Prompt for AI Agents 
In lib/os-modules/Taskfile.yaml around lines 183 to 189, the script checks out
the sync branch if the current branch differs but does not handle checkout
failures. Modify the script to immediately exit with an error if the checkout
command fails, preventing further execution on the wrong branch. This can be
done by adding a check after the git checkout command and using an exit
statement to fail fast if the checkout is unsuccessful.

commits_ahead=$(git rev-list --count main..{{.SYNC_BRANCH}})
if [ "$commits_ahead" -eq 0 ]; then
echo "⏭️ No commits ahead of main, skipping PR creation for $module"
cd -
continue
fi

echo "📋 Creating pull request..."
gh pr create \
--title "{{.PR_TITLE}}" \
--body "{{.PR_BODY}}" \
--base main \
--head {{.SYNC_BRANCH}} \
--repo "masterpointio/$module"

cd -
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Handle existing PRs to make the task idempotent

gh pr create exits non-zero if a PR from the same head already exists, causing the loop to abort. A quick resilience upgrade:

- gh pr create \
+# If PR exists, this will no-op; otherwise it creates one.
+gh pr view {{.SYNC_BRANCH}} --head {{.SYNC_BRANCH}} >/dev/null 2>&1 || \
+gh pr create \
   --title "{{.PR_TITLE}}" \
   --body "{{.PR_BODY}}" \
   --base main \
   --head {{.SYNC_BRANCH}} \
   --repo "masterpointio/$module"

Keeps the workflow repeatable without manual cleanup.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
commits_ahead=$(git rev-list --count main..{{.SYNC_BRANCH}})
if [ "$commits_ahead" -eq 0 ]; then
echo "⏭️ No commits ahead of main, skipping PR creation for $module"
cd -
continue
fi
echo "📋 Creating pull request..."
gh pr create \
--title "{{.PR_TITLE}}" \
--body "{{.PR_BODY}}" \
--base main \
--head {{.SYNC_BRANCH}} \
--repo "masterpointio/$module"
cd -
echo "📋 Creating pull request..."
# If a PR for this branch already exists, no-op; otherwise create one.
gh pr view {{.SYNC_BRANCH}} --head {{.SYNC_BRANCH}} >/dev/null 2>&1 || \
gh pr create \
--title "{{.PR_TITLE}}" \
--body "{{.PR_BODY}}" \
--base main \
--head {{.SYNC_BRANCH}} \
--repo "masterpointio/$module"
cd -
🤖 Prompt for AI Agents 
In lib/os-modules/Taskfile.yaml around lines 190 to 205, the script uses `gh pr
create` which fails if a PR from the same head branch already exists, causing
the loop to abort. Modify the script to first check if a PR from the current
head branch exists using `gh pr list` or handle the error from `gh pr create`
gracefully. If a PR exists, skip creation and continue the loop to make the task
idempotent and prevent aborting on duplicate PRs.

done

setup-template:
desc: Set up the template repository in a shared temporary directory
cmds:
Expand Down Expand Up @@ -171,3 +237,26 @@ tasks:
- task: pull-and-branch
- task: sync
- task: cleanup-template

sync-and-pr:
desc: |
Complete workflow: sync with template, push changes, and create pull requests.
Example: `task os:sync-and-pr -- terraform-spacelift-automation`
summary: |
This will:
1. Pull the main branch and create a new branch named 'chore/sync-with-template'
2. Sync files from the template repository
3. Commit and push changes
4. Create pull requests for the changes
for each of the default Terraform module repositories listed in DEFAULT_MODULES.
To sync to a specific repository (or a custom list of repositories), pass their names as arguments:
`task os:sync-and-pr -- terraform-custom-module`
or for multiple modules: `task os:sync-and-pr -- "terraform-custom-module terraform-another-module"`

vars:
MODULES: "{{if .CLI_ARGS}}{{.CLI_ARGS}}{{else}}{{.DEFAULT_MODULES}}{{end}}"
DELETE_EXISTING_SYNC_BRANCH: "{{.DELETE_EXISTING_SYNC_BRANCH | default false}}"
cmds:
- task: sync-all
- task: push
- task: pr