From 5151c3ab54500e5682b4b7c848bd45e0a0d27d8e Mon Sep 17 00:00:00 2001 From: MK Date: Wed, 1 Jul 2026 15:42:10 +0800 Subject: [PATCH 1/2] Add label-triggered workflow to rebuild the action bundle When the needs-bundle-rebuild label lands on a PR (Renovate adds it for bumps to deps compiled into the publish-action bundle), rebuild the bundle and push the refreshed dist so the "Verify action bundle" check passes without a manual `pnpm build:action`. Prefers a BUNDLE_REBUILD_TOKEN secret so the push re-triggers required checks; falls back to GITHUB_TOKEN (which commits the fresh dist but can't re-run CI, per GitHub's loop-prevention). Same-repo PRs only. --- .github/workflows/rebuild-bundle.yml | 63 ++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 .github/workflows/rebuild-bundle.yml diff --git a/.github/workflows/rebuild-bundle.yml b/.github/workflows/rebuild-bundle.yml new file mode 100644 index 0000000..9120119 --- /dev/null +++ b/.github/workflows/rebuild-bundle.yml @@ -0,0 +1,63 @@ +name: Rebuild action bundle + +# The `needs-bundle-rebuild` label (Renovate adds it for bumps to deps compiled +# into the publish-action bundle) triggers a rebuild of the bundle and a push of +# the refreshed dist, so the "Verify action bundle" check passes without a manual +# `pnpm build:action`. +on: + pull_request: + types: [labeled] + +permissions: + contents: write + +concurrency: + group: rebuild-bundle-${{ github.event.pull_request.number }} + cancel-in-progress: true + +jobs: + rebuild: + name: rebuild bundle + # Only for our label, and only same-repo branches we can push back to + # (Renovate PRs are same-repo; fork PRs can't be pushed to). + if: >- + github.event.label.name == 'needs-bundle-rebuild' && + github.event.pull_request.head.repo.full_name == github.repository + runs-on: ubuntu-latest + steps: + # Actions are pinned to a full commit SHA (org policy). + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + ref: ${{ github.event.pull_request.head.ref }} + # Prefer a PAT/App token so the follow-up push re-triggers the PR's + # required checks (a push with the default GITHUB_TOKEN does not). Falls + # back to GITHUB_TOKEN, which still commits the fresh dist but won't + # re-run CI, so the check needs a manual nudge. + token: ${{ secrets.BUNDLE_REBUILD_TOKEN || secrets.GITHUB_TOKEN }} + + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 + with: + version: 11.9.0 + + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + node-version: 24 + cache: pnpm + + - name: Install dependencies + run: pnpm install --frozen-lockfile + + - name: Rebuild the action bundle + run: pnpm build:action + + - name: Commit and push the rebuilt bundle if it changed + run: | + if git diff --quiet -- .github/actions/publish-preview/dist; then + echo "Bundle already up to date; nothing to push." + exit 0 + fi + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git add .github/actions/publish-preview/dist + git commit -m "Rebuild publish-action bundle for dependency update" + git push From 63f4acbb970bc2342a93e76494548c0830f36fd2 Mon Sep 17 00:00:00 2001 From: MK Date: Wed, 1 Jul 2026 15:47:11 +0800 Subject: [PATCH 2/2] Use a GitHub App token for the bundle-rebuild push Mint an App token (actions/create-github-app-token, client-id: APP_ID / private-key: APP_PRIVATE_KEY, matching the org convention in vite-plus) and checkout/push with it, so the push re-triggers the PR's required checks. Drops the GITHUB_TOKEN fallback. --- .github/workflows/rebuild-bundle.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/.github/workflows/rebuild-bundle.yml b/.github/workflows/rebuild-bundle.yml index 9120119..c189e8a 100644 --- a/.github/workflows/rebuild-bundle.yml +++ b/.github/workflows/rebuild-bundle.yml @@ -8,8 +8,7 @@ on: pull_request: types: [labeled] -permissions: - contents: write +permissions: {} concurrency: group: rebuild-bundle-${{ github.event.pull_request.number }} @@ -24,16 +23,22 @@ jobs: github.event.label.name == 'needs-bundle-rebuild' && github.event.pull_request.head.repo.full_name == github.repository runs-on: ubuntu-latest + permissions: + contents: read steps: + # A GitHub App token so the follow-up push re-triggers the PR's required + # checks; a push with the default GITHUB_TOKEN does not (loop prevention). + - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + id: app-token + with: + client-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + # Actions are pinned to a full commit SHA (org policy). - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ github.event.pull_request.head.ref }} - # Prefer a PAT/App token so the follow-up push re-triggers the PR's - # required checks (a push with the default GITHUB_TOKEN does not). Falls - # back to GITHUB_TOKEN, which still commits the fresh dist but won't - # re-run CI, so the check needs a manual nudge. - token: ${{ secrets.BUNDLE_REBUILD_TOKEN || secrets.GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9 with: