fix: reuse existing secret-key on startup; add upstream sync workflow #39
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,81 @@ | ||||||||||||||
| name: Sync Upstream and Release | ||||||||||||||
|
|
||||||||||||||
| on: | ||||||||||||||
| schedule: | ||||||||||||||
| # Check for upstream changes daily at 00:00 UTC | ||||||||||||||
| - cron: '0 0 * * *' | ||||||||||||||
| workflow_dispatch: | ||||||||||||||
| inputs: | ||||||||||||||
| force_release: | ||||||||||||||
| description: 'Force a release even if no upstream changes' | ||||||||||||||
| required: false | ||||||||||||||
| default: 'false' | ||||||||||||||
| type: choice | ||||||||||||||
| options: | ||||||||||||||
| - 'false' | ||||||||||||||
| - 'true' | ||||||||||||||
|
|
||||||||||||||
| env: | ||||||||||||||
| UPSTREAM_REPO: https://github.com/router-for-me/EasyCLI.git | ||||||||||||||
| UPSTREAM_BRANCH: main | ||||||||||||||
|
|
||||||||||||||
| jobs: | ||||||||||||||
| sync: | ||||||||||||||
| name: Sync Upstream | ||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||
| steps: | ||||||||||||||
| - name: Checkout | ||||||||||||||
| uses: actions/checkout@v4 | ||||||||||||||
| with: | ||||||||||||||
| fetch-depth: 0 | ||||||||||||||
| token: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||
|
|
||||||||||||||
| - name: Configure Git | ||||||||||||||
| run: | | ||||||||||||||
| git config user.name "github-actions[bot]" | ||||||||||||||
| git config user.email "github-actions[bot]@users.noreply.github.com" | ||||||||||||||
|
|
||||||||||||||
| - name: Add upstream remote | ||||||||||||||
| run: | | ||||||||||||||
| git remote add upstream ${{ env.UPSTREAM_REPO }} || true | ||||||||||||||
| git fetch upstream ${{ env.UPSTREAM_BRANCH }} | ||||||||||||||
|
|
||||||||||||||
| - name: Check for upstream changes | ||||||||||||||
| id: check | ||||||||||||||
| run: | | ||||||||||||||
| LOCAL_SHA=$(git rev-parse HEAD) | ||||||||||||||
| UPSTREAM_SHA=$(git rev-parse upstream/${{ env.UPSTREAM_BRANCH }}) | ||||||||||||||
|
|
||||||||||||||
| if [ "$LOCAL_SHA" = "$UPSTREAM_SHA" ] && [ "${{ github.event.inputs.force_release }}" != "true" ]; then | ||||||||||||||
| echo "No upstream changes detected." | ||||||||||||||
| echo "has_changes=false" >> "$GITHUB_OUTPUT" | ||||||||||||||
| else | ||||||||||||||
| echo "Upstream changes detected or force release requested." | ||||||||||||||
| echo "has_changes=true" >> "$GITHUB_OUTPUT" | ||||||||||||||
| fi | ||||||||||||||
|
Comment on lines
+46
to
+55
|
||||||||||||||
|
|
||||||||||||||
| - name: Merge upstream changes | ||||||||||||||
| if: steps.check.outputs.has_changes == 'true' | ||||||||||||||
| run: | | ||||||||||||||
| git merge upstream/${{ env.UPSTREAM_BRANCH }} --no-edit --allow-unrelated-histories || { | ||||||||||||||
| echo "::warning::Merge conflict detected. Resolving by keeping our changes." | ||||||||||||||
| git checkout --ours . | ||||||||||||||
| git add . | ||||||||||||||
| git commit -m "Merge upstream (conflicts resolved by keeping local)" | ||||||||||||||
|
Comment on lines
+61
to
+64
|
||||||||||||||
| echo "::warning::Merge conflict detected. Resolving by keeping our changes." | |
| git checkout --ours . | |
| git add . | |
| git commit -m "Merge upstream (conflicts resolved by keeping local)" | |
| echo "::error::Merge conflict detected while syncing with upstream. Please resolve manually." | |
| exit 1 |
Copilot
AI
Apr 1, 2026
Pushing merged changes directly to origin HEAD on a schedule can fail on protected default branches and makes it easy to publish unreviewed upstream merges. Consider pushing the merge result to a dedicated bot branch and opening/updating a PR instead, then tagging only after that PR is merged.
Copilot
AI
Apr 1, 2026
The tag name `v${DATE}-sync-${SHORT_SHA}` can collide if the workflow is re-run for the same commit/day (e.g., a manual re-run after a transient failure), causing `git tag`/`git push` to fail. Consider checking for an existing tag before creating it, or including `${{ github.run_id }}`/`${{ github.run_number }}` in the tag to guarantee uniqueness.
| TAG="v${DATE}-sync-${SHORT_SHA}" | |
| TAG="v${DATE}-sync-${SHORT_SHA}-${GITHUB_RUN_ID}" |
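Review bot: In the "Check for upstream changes" step, `${{ github.event.inputs.force_release }}` is expanded into the script text before the shell runs, so the value is parsed as shell source rather than compared as data. The input is declared as a `choice` of 'false'/'true', which limits what the dispatch form offers, but the usual hardening is to pass it through the step environment: add `env:` with `FORCE_RELEASE: ${{ github.event.inputs.force_release }}` on the step and test `[ "$FORCE_RELEASE" != "true" ]`. The `${{ env.UPSTREAM_REPO }}` and `${{ env.UPSTREAM_BRANCH }}` uses in the fetch, rev-parse and merge steps can be read as `"$UPSTREAM_REPO"` and `"$UPSTREAM_BRANCH"` directly, quoted. The page shows only part of the 81-line workflow, so the push and tag steps are not covered here.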
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1128,8 +1128,14 @@ fn start_cliproxyapi(app: tauri::AppHandle) -> Result<serde_json::Value, String> | |
| eprintln!("[PORT_CLEANUP] Warning: {}", e); | ||
| } | ||
|
|
||
| // Generate random password for local mode | ||
| let password = generate_random_password(); | ||
| // Reuse existing secret-key from config if present, otherwise generate a new one | ||
| let existing_key = conf | ||
| .get("remote-management") | ||
| .and_then(|v| v.get("secret-key")) | ||
| .and_then(|v| v.as_str()) | ||
| .filter(|s| !s.trim().is_empty()) | ||
| .map(|s| s.to_string()); | ||
| let password = existing_key.unwrap_or_else(|| generate_random_password()); | ||
bighamx marked this conversation as resolved.
Outdated
|
||
|
|
||
| // Store the password for keep-alive authentication | ||
| *CLI_PROXY_PASSWORD.lock() = Some(password.clone()); | ||
|
Comment on lines
1139
to
1143
|
||
|
|
@@ -1258,8 +1264,14 @@ fn restart_cliproxyapi(app: tauri::AppHandle) -> Result<(), String> { | |
| eprintln!("[PORT_CLEANUP] Warning: {}", e); | ||
| } | ||
|
|
||
| // Generate random password for local mode | ||
| let password = generate_random_password(); | ||
| // Reuse existing secret-key from config if present, otherwise generate a new one | ||
| let existing_key = conf | ||
| .get("remote-management") | ||
| .and_then(|v| v.get("secret-key")) | ||
| .and_then(|v| v.as_str()) | ||
| .filter(|s| !s.trim().is_empty()) | ||
| .map(|s| s.to_string()); | ||
| let password = existing_key.unwrap_or_else(|| generate_random_password()); | ||
bighamx marked this conversation as resolved.
Outdated
|
||
|
|
||
| // Store the password for keep-alive authentication | ||
| *CLI_PROXY_PASSWORD.lock() = Some(password.clone()); | ||
|
|
||
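Review bot: The key read from `remote-management.secret-key` is accepted after only a non-blank check, in both the start_cliproxyapi and restart_cliproxyapi hunks, so whatever the config file holds (a short hand-typed value, or a value stored in some form other than the plaintext, which is not visible here) becomes the long-lived credential kept in CLI_PROXY_PASSWORD, where the previous code used a fresh random one per launch. I would move the duplicated lookup into one helper shared by both functions and document the trust assumption on it, e.g. `/// Returns the configured management key unchanged, or a freshly generated one when it is absent or blank; the key is no longer rotated on start.` If the proxy ever rewrites that field in hashed form, reuse should be skipped for such values; that needs confirming against the proxy's config handling. Both function bodies continue outside the hunks shown.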
This workflow pushes commits and tags back to the repository using `GITHUB_TOKEN`, but it doesn't declare explicit token permissions. To make scheduled/manual runs reliable across org/repo settings, add `permissions: contents: write` (and any other required scopes) at the workflow or job level.