Skip to content

fix: cancel running CI workflow before re-triggering and allow trusted GitHub Apps #26461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
keithwillcode merged 6 commits into from
Jan 5, 2026
Merged

fix: cancel running CI workflow before re-triggering and allow trusted GitHub Apps #26461

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
e3e2eec
fix: cancel running CI workflow before re-triggering and allow truste…
devin-ai-integration[bot] Jan 5, 2026
1889831
fix: remove hardcoded bot allowlist, keep only cancel-and-rerun impro…
devin-ai-integration[bot] Jan 5, 2026
0d33e90
fix: add app_id verification for trusted GitHub Apps (Graphite)
devin-ai-integration[bot] Jan 5, 2026
caf0771
fix: simplify trusted bot check to use sender type, login, and instal…
devin-ai-integration[bot] Jan 5, 2026
69f9389
chore: remove unnecessary comments
devin-ai-integration[bot] Jan 5, 2026
f933ad1
Merge branch 'main' into devin/cancel-running-ci-before-rerun-1767620830
keithwillcode Jan 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 64 additions & 14 deletions .github/workflows/run-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,21 +19,32 @@ jobs:
with:
script: |
const adder = context.payload.sender.login;
const senderType = context.payload.sender.type;
const pr = context.payload.pull_request;
const installation = context.payload.installation;

// Verify label adder has write access
const { data: perm } = await github.rest.repos.getCollaboratorPermissionLevel({
owner: context.repo.owner,
repo: context.repo.repo,
username: adder,
});
const trustedBotLogins = ['graphite-app[bot]'];
let isAuthorized = false;

if (!['admin', 'maintain', 'write'].includes(perm.permission)) {
core.setFailed(`${adder} does not have write access`);
return;
if (senderType === 'Bot' && installation && trustedBotLogins.includes(adder)) {
console.log(`Label added by trusted GitHub App: ${adder}`);
isAuthorized = true;
}

console.log(`Label added by ${adder} (${perm.permission})`);
if (!isAuthorized) {
const { data: perm } = await github.rest.repos.getCollaboratorPermissionLevel({
owner: context.repo.owner,
repo: context.repo.repo,
username: adder,
});

if (!['admin', 'maintain', 'write'].includes(perm.permission)) {
core.setFailed(`${adder} does not have write access`);
return;
}

console.log(`Label added by ${adder} (${perm.permission})`);
}

// Find the latest pr.yml run for this PR's head SHA
const { data: runs } = await github.rest.actions.listWorkflowRuns({
Expand All @@ -56,13 +67,52 @@ jobs:

const latestRun = matchingRuns[0];

// Check if workflow is still running - can't re-run in-progress workflows
// If workflow is still running, cancel it first then re-run
if (latestRun.status === 'in_progress' || latestRun.status === 'queued') {
core.setFailed(`Workflow is still running (status: ${latestRun.status}). Wait for it to complete or cancel it first.`);
return;
console.log(`Workflow is running (status: ${latestRun.status}). Cancelling it first...`);

await github.rest.actions.cancelWorkflowRun({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: latestRun.id,
});

// Wait for the workflow to be cancelled (poll with timeout)
const maxWaitTime = 60000; // 60 seconds
const pollInterval = 2000; // 2 seconds
const startTime = Date.now();

while (Date.now() - startTime < maxWaitTime) {
await new Promise(resolve => setTimeout(resolve, pollInterval));

const { data: updatedRun } = await github.rest.actions.getWorkflowRun({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: latestRun.id,
});

if (updatedRun.status === 'completed') {
console.log(`Workflow cancelled successfully (conclusion: ${updatedRun.conclusion})`);
break;
}

console.log(`Waiting for workflow to cancel... (status: ${updatedRun.status})`);
}

// Check final status
const { data: finalRun } = await github.rest.actions.getWorkflowRun({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: latestRun.id,
});

if (finalRun.status !== 'completed') {
core.setFailed(`Timed out waiting for workflow to cancel (status: ${finalRun.status})`);
return;
}
}

console.log(`Re-running workflow ${latestRun.id} (was: ${latestRun.conclusion})`);
console.log(`Re-running workflow ${latestRun.id} (was: ${latestRun.conclusion || latestRun.status})`);

// Re-run preserves original context (PR, SHA, etc.)
await github.rest.actions.reRunWorkflow({
Expand Down
Loading