Add get-weaviate-branch and pull-weaviate-code actions#13
Conversation
Add two new reusable GitHub Actions: - get-weaviate-branch: Resolves a Weaviate Docker tag to the exact git commit hash and branch from weaviate/weaviate. Handles all tag variants (release, preview, branch+hash, semver+hash, nightly, latest) by reverse-engineering the tag format from ci/push_docker.sh. Always returns a full 40-char commit SHA. - pull-weaviate-code: Clones weaviate/weaviate at the commit matching a given Docker tag. Uses shallow fetch for efficiency, validates the target directory doesn't already exist, and supports custom clone paths. Both actions use env-based git config (GIT_CONFIG_COUNT) for authentication to avoid token leakage in URLs or error messages. Includes comprehensive test workflows covering all tag patterns, directory conflict detection, and custom directory support. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Orca Security Scan Summary
| Status | Check | Issues by priority | |
|---|---|---|---|
| Infrastructure as Code | View in Orca | ||
| SAST | View in Orca | ||
| Secrets | View in Orca | ||
| Vulnerabilities | View in Orca |
There was a problem hiding this comment.
Pull request overview
Adds two GitHub composite actions to resolve Weaviate Docker tags to upstream source and to clone the matching weaviate/weaviate commit, along with CI workflows to validate common tag patterns.
Changes:
- Introduces
get-weaviate-branchto resolve a Weaviate Docker tag into a full 40-char commit SHA (and best-guess branch). - Introduces
pull-weaviate-codeto shallow-cloneweaviate/weaviateat the resolved commit into a chosen directory. - Adds CI workflows to test both actions across representative tag formats and scenarios (release, branch+hash, nightly, directory conflicts).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
.github/workflows/pull-weaviate-code-test.yml |
Adds workflow coverage for cloning behavior and directory conflict handling. |
.github/workflows/get-weaviate-branch-test.yml |
Adds workflow coverage for tag parsing/resolution across multiple tag shapes. |
.github/actions/pull-weaviate-code/action.yml |
Implements the composite action that clones weaviate/weaviate at the resolved commit. |
.github/actions/get-weaviate-branch/action.yml |
Implements tag → commit/branch resolution logic using git ls-remote + GitHub API. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
b983a44 to
a14b3cf
Compare
- Clear any Authorization header left by actions/checkout in global gitconfig before setting our own via env-based config. This fixes "Duplicate header: Authorization" errors (HTTP 400). - Replace fake commit hashes in tests with real Docker tags from Docker Hub (6175eab, 305c7dc, 519f0dc, 01c9f49) whose commits are verified to exist in weaviate/weaviate. - Remove arm64 test that used a non-existent tag format (main-HASH never has .arm64 suffix); replace with real arm64 tag test. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
a14b3cf to
3460c39
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Add empty guards for latest_tag/commit in the 'latest' tag path - Add empty commit check before API resolution (step 6) - Add explicit error on curl failure when resolving short hashes - Switch Authorization header from 'token' to 'Bearer' for fine-grained token compat - Fix major.minor extraction for RC tags (1.36.0-rc.0 → 1.36, not 1.36.0-rc) - Fix RC tag test expectation back to stable/v1.36 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Use jq to parse GitHub API JSON response instead of sed regex Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if [[ "${COMMIT}" != *"305c7dc"* ]]; then | ||
| echo "Expected commit to contain 305c7dc, got=${COMMIT}" | ||
| exit 1 |
There was a problem hiding this comment.
This assertion uses substring matching (*305c7dc*) which can theoretically false-pass. For a strict short->full SHA resolution test, assert the resolved 40-char SHA begins with the short hash (first 7 chars equal 305c7dc).
| if [[ "${COMMIT}" != *"305c7dc"* ]]; then | ||
| echo "Expected commit to contain 305c7dc, got=${COMMIT}" | ||
| exit 1 |
There was a problem hiding this comment.
This check uses *305c7dc* (substring). For a correct short-SHA resolution test, assert the full SHA starts with the short hash (e.g., ${COMMIT:0:7} equals 305c7dc).
| if [[ "${COMMIT}" != *"6175eab"* ]]; then | ||
| echo "Expected commit to contain 6175eab, got=${COMMIT}" | ||
| exit 1 |
There was a problem hiding this comment.
This uses substring matching (*6175eab*) which can false-pass. Prefer asserting the resolved 40-char SHA starts with the short hash (first 7 chars equal 6175eab).
| if [[ "${COMMIT}" != *"01c9f49"* ]]; then | ||
| echo "Expected commit to contain 01c9f49, got=${COMMIT}" | ||
| exit 1 |
There was a problem hiding this comment.
This assertion checks for *01c9f49* anywhere in the SHA. To make the test precise, assert the resolved full SHA starts with 01c9f49 (or compare directly to the commit output if you want an exact match).
| if [[ "${COMMIT}" != *"519f0dc"* ]]; then | ||
| echo "Expected commit to contain 519f0dc, got=${COMMIT}" |
There was a problem hiding this comment.
This uses substring matching (*519f0dc*). For a strict check that the short SHA was expanded correctly, assert the resolved 40-char SHA begins with 519f0dc (first 7 chars), not just contains it.
| if [[ "${COMMIT}" != *"519f0dc"* ]]; then | |
| echo "Expected commit to contain 519f0dc, got=${COMMIT}" | |
| if [[ "${COMMIT}" != 519f0dc* ]]; then | |
| echo "Expected commit to start with 519f0dc, got=${COMMIT}" |
| if [[ "${COMMIT}" != *"6175eab"* ]]; then | ||
| echo "Expected commit to contain 6175eab, got=${COMMIT}" |
There was a problem hiding this comment.
This assertion checks if the full SHA contains 6175eab as a substring. For correctness, assert the resolved SHA starts with the short hash (e.g., first 7 chars equal 6175eab).
| if [[ "${COMMIT}" != *"6175eab"* ]]; then | |
| echo "Expected commit to contain 6175eab, got=${COMMIT}" | |
| if [[ "${COMMIT:0:7}" != "6175eab" ]]; then | |
| echo "Expected commit to start with 6175eab, got=${COMMIT}" |
| # Verify HEAD contains the short hash | ||
| cd "${{ steps.pull.outputs.weaviate_path }}" | ||
| HEAD_SHA=$(git rev-parse HEAD) | ||
| if [[ "${HEAD_SHA}" != *"01c9f49"* ]]; then | ||
| echo "HEAD (${HEAD_SHA}) does not contain expected short hash 01c9f49" |
There was a problem hiding this comment.
The verification only checks that HEAD contains the short hash string. This can false-pass if the checked-out SHA happens to include that substring outside the prefix. Compare HEAD_SHA directly to the action's resolved commit output (full 40-char SHA) to assert the clone is exactly at the expected commit.
| # Verify HEAD contains the short hash | |
| cd "${{ steps.pull.outputs.weaviate_path }}" | |
| HEAD_SHA=$(git rev-parse HEAD) | |
| if [[ "${HEAD_SHA}" != *"01c9f49"* ]]; then | |
| echo "HEAD (${HEAD_SHA}) does not contain expected short hash 01c9f49" | |
| # Verify HEAD matches the resolved commit SHA | |
| cd "${{ steps.pull.outputs.weaviate_path }}" | |
| HEAD_SHA=$(git rev-parse HEAD) | |
| if [ "${HEAD_SHA}" != "${{ steps.pull.outputs.commit }}" ]; then | |
| echo "HEAD (${HEAD_SHA}) does not match expected commit ${{ steps.pull.outputs.commit }}" |
| if [[ "${COMMIT}" != *"6175eab"* ]]; then | ||
| echo "Expected commit to contain 6175eab, got=${COMMIT}" |
There was a problem hiding this comment.
This assertion checks whether the resolved full SHA merely contains the 7-char short hash. To validate the short->full resolution correctly, check that the full SHA starts with the short hash (e.g., first 7 chars equal 6175eab) rather than substring matching.
| if [[ "${COMMIT}" != *"6175eab"* ]]; then | |
| echo "Expected commit to contain 6175eab, got=${COMMIT}" | |
| if [[ "${COMMIT}" != 6175eab* ]]; then | |
| echo "Expected commit to start with short hash 6175eab, got=${COMMIT}" |
Summary
get-weaviate-branch: Resolves any Weaviate Docker tag to the exact git commit (full 40-char SHA) and branch from
weaviate/weaviate. Reverse-engineers the tag format fromci/push_docker.shto handle all variants: official releases (1.36.6), RC tags (1.36.0-rc.0), semver+hash (1.34.19-6175eab.amd64), preview/PR builds, branch builds (main-01c9f49,stable-v1.34-519f0dc), and special tags (nightly,latest).pull-weaviate-code: Clones
weaviate/weaviateat the commit matching a given Docker tag. Usesget-weaviate-branchto resolve the tag, then performs a shallowgit fetch --depth=1for efficiency. Validates the target path doesn't already exist and supports custom clone directories.Both actions rely on the weaviate repo being public — git operations need no authentication. The
gh_tokeninput is optional and only used for the GitHub API call that resolves short commit hashes (improves rate limits from 60 to 5000 req/hr).Test plan
get-weaviate-branch-test.yml— 11 jobs covering all tag patterns using real Docker Hub tags (semver+hash+arch, semver+hash, semver-dev+hash, preview, main branch, stable branch, official release, RC, nightly, latest, arm64 suffix)pull-weaviate-code-test.yml— 5 jobs covering release clone, branch+hash clone, custom directory, directory conflict detection, and nightly clone🤖 Generated with Claude Code