feat(workflow): split CI poller into ci-pending.yml and ci-poller.yml

BYK · BYK · commit 953ad6fa6515 · 2026-04-02T16:19:06.000Z
ci-pending.yml: triggered on issues:opened, adds ci-pending label
  and sets CI_POLLER_HAS_PENDING repo variable to "true".

ci-poller.yml: cron (*/5 min) with job-level if that checks
  vars.CI_POLLER_HAS_PENDING — when "false", no runner is provisioned
  (zero cost). When "true", checks CI status for all ci-pending issues
  and flips to ci-ready when green. Resets variable to "false" when
  all pending issues are resolved.

Requires creating a CI_POLLER_HAS_PENDING repo variable (initial
value: "false") before deploying.
diff --git a/.github/workflows/ci-pending.yml b/.github/workflows/ci-pending.yml
@@ -0,0 +1,32 @@
+name: Mark new publish issues as CI-pending
+
+on:
+  issues:
+    types: [opened]
+
+permissions:
+  contents: read
+  issues: read
+
+jobs:
+  mark-pending:
+    runs-on: ubuntu-latest
+    if: "startsWith(github.event.issue.title, 'publish: ')"
+    steps:
+      - name: Get auth token
+        id: token
+        uses: actions/create-github-app-token@v2.2.1
+        with:
+          app-id: ${{ vars.SENTRY_INTERNAL_APP_ID }}
+          private-key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }}
+
+      - name: Add ci-pending label and enable poller
+        env:
+          GH_TOKEN: ${{ steps.token.outputs.token }}
+        run: |
+          gh issue edit "${{ github.event.issue.number }}" \
+            -R "$GITHUB_REPOSITORY" \
+            --add-label "ci-pending"
+
+          # Enable the cron poller (ci-poller.yml) so it starts checking
+          gh variable set CI_POLLER_HAS_PENDING -R "$GITHUB_REPOSITORY" -b "true"
diff --git a/.github/workflows/ci-poller.yml b/.github/workflows/ci-poller.yml
@@ -0,0 +1,133 @@
+name: CI Status Poller
+
+on:
+  schedule:
+    - cron: "*/5 * * * *"
+
+permissions:
+  contents: read
+  issues: read
+
+jobs:
+  check-ci:
+    runs-on: ubuntu-latest
+    # Skip entirely (no runner provisioned) when there's nothing to check.
+    # The CI_POLLER_HAS_PENDING variable is set to "true" by ci-pending.yml
+    # and reset to "false" here when all pending issues are resolved.
+    if: vars.CI_POLLER_HAS_PENDING == 'true'
+    concurrency:
+      group: ci-status-poller
+      cancel-in-progress: false
+    steps:
+      - name: Get auth token
+        id: token
+        uses: actions/create-github-app-token@v2.2.1
+        with:
+          app-id: ${{ vars.SENTRY_INTERNAL_APP_ID }}
+          private-key: ${{ secrets.SENTRY_INTERNAL_APP_PRIVATE_KEY }}
+
+      - name: Check CI status for ci-pending issues
+        env:
+          # Use the app token so label changes trigger publish.yml
+          # (GITHUB_TOKEN events are suppressed by GitHub).
+          GH_TOKEN: ${{ steps.token.outputs.token }}
+        run: |
+          # Find all open issues with ci-pending label (include body to extract commit SHA)
+          issues=$(gh issue list -R "$GITHUB_REPOSITORY" \
+            --state open \
+            --label ci-pending \
+            --limit 200 \
+            --json number,title,labels,body)
+
+          count=$(echo "$issues" | jq length)
+          if [[ "$count" == "0" ]]; then
+            echo "No ci-pending issues found. Disabling poller."
+            gh variable set CI_POLLER_HAS_PENDING -R "$GITHUB_REPOSITORY" -b "false"
+            exit 0
+          fi
+          echo "Found ${count} ci-pending issue(s)."
+
+          # Check each issue's CI status
+          echo "$issues" | jq -c '.[]' | while read -r issue; do
+            number=$(echo "$issue" | jq -r '.number')
+            title=$(echo "$issue" | jq -r '.title')
+            body=$(echo "$issue" | jq -r '.body')
+            has_accepted=$(echo "$issue" | jq '[.labels[].name] | any(. == "accepted")')
+
+            # Parse repo and version from title: "publish: owner/repo@version"
+            repo=$(echo "$title" | sed -n 's/^publish: \(.*\)@.*/\1/p')
+            version=$(echo "$title" | sed -n 's/^publish: .*@\(.*\)/\1/p')
+
+            if [[ -z "$repo" || -z "$version" ]]; then
+              echo "::warning::Could not parse repo/version from issue #${number}: ${title}"
+              continue
+            fi
+
+            # Extract the commit SHA from the "View check runs" link in the issue body.
+            # The link format is: https://github.com/{owner}/{repo}/commit/{SHA}/checks/
+            # This avoids hard-coding the release branch name, which repos can customize.
+            sha=$(echo "$body" | grep -oP '(?<=commit/)[0-9a-f]{40}(?=/checks)' || true)
+
+            if [[ -z "$sha" ]]; then
+              echo "::warning::Could not extract commit SHA from issue #${number} body, skipping."
+              continue
+            fi
+
+            echo "Checking CI for ${repo}@${version} commit ${sha:0:8} (issue #${number})..."
+
+            # Check combined commit status
+            commit_status=$(gh api "repos/${repo}/commits/${sha}/status" \
+              --jq '.state' 2>/dev/null || echo "error")
+
+            if [[ "$commit_status" == "error" ]]; then
+              echo "  Could not fetch commit status for ${repo}@${sha:0:8}, skipping."
+              continue
+            fi
+
+            # Check that all check runs are completed
+            pending_checks=$(gh api "repos/${repo}/commits/${sha}/check-runs" \
+              --jq '[.check_runs[] | select(.status != "completed")] | length' 2>/dev/null || echo "-1")
+
+            failed_checks=$(gh api "repos/${repo}/commits/${sha}/check-runs" \
+              --jq '[.check_runs[] | select(.conclusion == "failure")] | length' 2>/dev/null || echo "-1")
+
+            echo "  commit_status=${commit_status} pending_checks=${pending_checks} failed_checks=${failed_checks}"
+
+            # CI is ready when: commit status is success (or no statuses reported)
+            # AND no check runs are still pending AND none have failed
+            if [[ ("$commit_status" == "success" || "$commit_status" == "pending") \
+                  && "$pending_checks" == "0" && "$failed_checks" == "0" ]]; then
+
+              # Double-check there's at least one completed check run (avoid false positive
+              # when CI hasn't started yet — all counts would be 0)
+              total_checks=$(gh api "repos/${repo}/commits/${sha}/check-runs" \
+                --jq '.total_count' 2>/dev/null || echo "0")
+              if [[ "$total_checks" == "0" && "$commit_status" != "success" ]]; then
+                echo "  No check runs found and no success status — CI may not have started yet."
+                continue
+              fi
+
+              echo "  CI passed! Adding ci-ready label."
+              gh issue edit "$number" -R "$GITHUB_REPOSITORY" \
+                --remove-label "ci-pending" \
+                --add-label "ci-ready"
+
+              if [[ "$has_accepted" == "true" ]]; then
+                comment="CI checks passed for ${repo}@${version}. Publishing is starting now."
+              else
+                comment="CI checks passed for ${repo}@${version}. Publishing will start once the **accepted** label is also present."
+              fi
+              gh issue comment "$number" -R "$GITHUB_REPOSITORY" --body "$comment"
+            fi
+          done
+
+          # Re-check if there are still pending issues; disable poller if none remain
+          remaining=$(gh issue list -R "$GITHUB_REPOSITORY" \
+            --state open \
+            --label ci-pending \
+            --limit 1 \
+            --json number -q 'length')
+          if [[ "$remaining" == "0" ]]; then
+            echo "All ci-pending issues resolved. Disabling poller."
+            gh variable set CI_POLLER_HAS_PENDING -R "$GITHUB_REPOSITORY" -b "false"
+          fi
diff --git a/.github/workflows/ci-ready.yml b/.github/workflows/ci-ready.yml
