Try to trigger CI automatically for PRs created by the xDS protobuf update #6715

Open

jrhee17 wants to merge 5 commits into line:main from jrhee17:cleanup/xds-proto-token

Conversation


@jrhee17 jrhee17 commented Apr 8, 2026

Motivation:

The xds-apply-updates.yml workflow creates PRs using the default GITHUB_TOKEN via peter-evans/create-pull-request. Apparently CI is not run for events created with GITHUB_TOKEN, so the automatically created xDS protobuf update PRs never get CI runs.

Sample: jrhee17#45

Modifications:

  • Use ARMERIAN_PAT instead of the default GITHUB_TOKEN in the peter-evans/create-pull-request step of xds-apply-updates.yml.
  • Add secrets: inherit to xds-sync-apis.yml so that ARMERIAN_PAT is available to the called workflow.
  • Misc) Calling update-sha.sh locally got me rate-limited. Added a way to add auth token headers.

Result:

  • PRs created by the xDS protobuf update workflow will now trigger CI automatically.

@jrhee17 jrhee17 added this to the 1.39.0 milestone Apr 8, 2026
@jrhee17 jrhee17 added the cleanup label Apr 8, 2026

coderabbitai bot commented Apr 8, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds explicit PAT use for PR creation, forwards caller workflow secrets into a reusable workflow (secrets: inherit), implements a github_curl() helper for authenticated GitHub requests with HTTP-error handling and ensures resolved Envoy SHAs are non-empty, and disables xtrace in one update script.

Changes

Cohort / File(s) | Summary

Workflows: PR creation | .github/workflows/xds-apply-updates.yml
Adds token: ${{ secrets.ARMERIAN_PAT }} to the peter-evans/create-pull-request@v7 step to use an explicit PAT for PR creation.

Workflows: reusable workflow secrets | .github/workflows/xds-sync-apis.yml
Passes caller workflow secrets into the reusable workflow with secrets: inherit.

Update script: authenticated GitHub API & error handling | xds-api/tools/update-sha.sh
Adds github_curl() to use GITHUB_TOKEN when present, captures HTTP status/body, prints body on 2xx, emits errors (HTTP code + body) and fails on non-2xx; uses it for tag lookup and raw file download; validates resolved ENVOY SHA is non-empty and exits on failure.

Update script: disable xtrace | xds-api/tools/update-api.sh, xds-api/tools/update-sha.sh
Comments out set -o xtrace (changed to #set -o xtrace) to disable shell xtrace output during execution.

Sequence Diagram(s)

sequenceDiagram
    participant Runner as Actions Runner
    participant Workflow as GitHub Workflow
    participant Script as update-sha.sh
    participant GitHub as GitHub API
    participant Raw as Repository (raw file)

    Runner->>Workflow: start job
    Workflow->>Script: run update-sha.sh (env: GITHUB_TOKEN?)
    Script->>GitHub: github_curl GET /repos/.../git/ref/tags/<tag>
    GitHub-->>Script: 2xx + tag JSON or non-2xx + error
    alt success and SHA resolved
        Script->>Raw: github_curl GET raw/.../repository_locations.bzl
        Raw-->>Script: 2xx + file content
        Script->>Workflow: output resolved SHA
    else failure
        Script-->>Workflow: exit 1 with stderr (HTTP code + body)
    end
    Workflow->>GitHub: peter-evans/create-pull-request (token: ARMERIAN_PAT)
    GitHub-->>Workflow: PR created or error

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through tokens and tiny logs,
I wrapped my curls in secret clogs,
I chased the SHA and checked the line,
I nudged the PR with patient thyme,
Now scripts are calm — I nibble dots.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Title check: ✅ Passed. The pull request title directly summarizes the main objective: enabling automatic CI triggering for xDS protobuf update PRs by using an authenticated token.
Description check: ✅ Passed. The pull request description clearly explains the motivation, modifications, and expected result. It directly addresses all changes in the changeset.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/xds-sync-apis.yml:
- Line 24: Replace the broad "secrets: inherit" usage in the reusable workflow
call with an explicit secret mapping that only passes ARMERIAN_PAT to the called
workflow (the one referenced as xds-apply-updates.yml). Locate the call site
containing "secrets: inherit" and change it to supply only ARMERIAN_PAT (mapping
ARMERIAN_PAT to the caller secret) so the reusable workflow receives just that
token rather than all caller secrets.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 37ed6e22-9ac7-4ad2-842d-2864562c8bc1

📥 Commits

Reviewing files that changed from the base of the PR and between 525e983 and 845fbbc.

📒 Files selected for processing (2)
  • .github/workflows/xds-apply-updates.yml
  • .github/workflows/xds-sync-apis.yml


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@xds-api/tools/update-sha.sh`:
- Around line 13-20: The github_curl function currently runs curl while xtrace
may be enabled, risking exposure of $GITHUB_TOKEN; modify github_curl (and the
curl invocation that sets TMPFILE and HTTP_CODE) to temporarily disable xtrace
before calling curl and restore the original xtrace state after the call (save
current xtrace state, turn off tracing, run curl with
"${CURL_AUTH[@]+"${CURL_AUTH[@]}"}" and "$@", then restore tracing). Ensure this
change targets the github_curl function and does not alter other behavior like
TMPFILE cleanup or HTTP_CODE capture.
- Around line 10-15: The CI runs unauthenticated because the script relies on
GITHUB_TOKEN but the workflow step doesn’t export it; update the workflow step
that invokes update-sha.sh to pass GITHUB_TOKEN via an env: entry so the
script’s check for GITHUB_TOKEN populates CURL_AUTH, or alternatively modify the
script’s CURL_AUTH handling to accept a passed-in token variable and use
"Authorization: Bearer $GITHUB_TOKEN" when present; ensure the variable name
referenced (GITHUB_TOKEN) and the CURL_AUTH array logic remain consistent with
the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 99d20381-7806-4eb9-8402-0f7ab937d5fc

📥 Commits

Reviewing files that changed from the base of the PR and between 845fbbc and f94ea2b.

📒 Files selected for processing (1)
  • xds-api/tools/update-sha.sh


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@xds-api/tools/update-sha.sh`:
- Around line 49-53: The command substitution assigning ENVOY_VERSION from
find_envoy_sha_from_tag can cause the script to exit early under set -e /
pipefail if the pipeline inside that function fails; change the assignment to
capture the function's stdout but prevent immediate exit (for example, run
find_envoy_sha_from_tag "$1" with "|| true" or otherwise capture output into a
temp variable while preserving any non-zero exit so the subsequent empty-check
on ENVOY_VERSION still runs), keeping the existing guard that checks [[ -z
"$ENVOY_VERSION" ]] and exits with the error message; update the code around the
ENVOY_VERSION assignment (the find_envoy_sha_from_tag call and the ENVOY_VERSION
variable) so the guard block is reachable even when the internal pipeline fails.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6f2c7d11-a48c-4015-afcb-66942857821a

📥 Commits

Reviewing files that changed from the base of the PR and between f94ea2b and 3a56f93.

📒 Files selected for processing (2)
  • xds-api/tools/update-api.sh
  • xds-api/tools/update-sha.sh

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
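The script-side points from the two update-sha.sh reviews above, in one runnable file: a github_curl() that switches xtrace off around the curl call so the bearer token never reaches the trace log and restores the caller's xtrace state afterwards, capture of the HTTP status with a clean non-2xx failure, and the `|| true` guard that keeps a failed lookup from killing the script under set -e so the empty-SHA check is actually reachable. This is an added example written for this page, not the project's xds-api/tools/update-sha.sh. Function and variable names follow the review comments; the envoyproxy/envoy API URL, the GITHUB_API_BASE override, the job of fetch_tag_ref and the fixture JSON are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the project's update-sha.sh (see lead-in for assumptions).
set -euo pipefail

# Optional auth: with GITHUB_TOKEN set, CURL_AUTH carries the header; otherwise
# the array is empty and the request goes out unauthenticated (lower rate limit).
CURL_AUTH=()
if [[ -n "${GITHUB_TOKEN:-}" ]]; then
  CURL_AUTH=(-H "Authorization: Bearer $GITHUB_TOKEN")
fi

# github_curl URL [extra curl args...]
# Prints the response body on 2xx. On any other status, or a transport error
# (reported as 000), prints "HTTP <code>" plus the body to stderr and returns 1.
github_curl() {
  local url=$1; shift
  local tmpfile http_code body xtrace_was_on=0
  tmpfile=$(mktemp)
  # With xtrace on, the expanded CURL_AUTH array (token included) is echoed to
  # stderr, so remember the state, switch it off for the curl line, restore after.
  case $- in *x*) xtrace_was_on=1 ;; esac
  set +x
  # "${arr[@]+"${arr[@]}"}" expands to nothing for an empty array under set -u.
  http_code=$(curl -sS -o "$tmpfile" -w '%{http_code}' \
    "${CURL_AUTH[@]+"${CURL_AUTH[@]}"}" "$@" "$url") || http_code=000
  if (( xtrace_was_on )); then set -x; fi
  body=$(<"$tmpfile")
  rm -f "$tmpfile"
  if [[ $http_code =~ ^2[0-9][0-9]$ ]]; then
    printf '%s\n' "$body"
    return 0
  fi
  printf 'github_curl: HTTP %s for %s\n%s\n' "$http_code" "$url" "$body" >&2
  return 1
}

# sha_from_ref_json < JSON
# Extracts object.sha from a GitHub "git/ref/tags/<tag>" response without jq.
# Prints nothing when no 40-hex sha is present (e.g. a {"message":"Not Found"}
# body). Note: for an annotated tag, object.sha is the tag object, not the commit.
sha_from_ref_json() {
  sed -n 's/.*"sha"[[:space:]]*:[[:space:]]*"\([0-9a-f]\{40\}\)".*/\1/p'
}

# fetch_tag_ref TAG -> ref JSON via github_curl (API base overridable for tests).
fetch_tag_ref() {
  github_curl "${GITHUB_API_BASE:-https://api.github.com}/repos/envoyproxy/envoy/git/ref/tags/$1"
}

find_envoy_sha_from_tag() {
  fetch_tag_ref "$1" | sha_from_ref_json
}

# resolve_envoy_version TAG
# Under set -e, `version=$(cmd)` aborts the script when cmd fails, so the
# empty-check below would never run; `|| true` lets the guard do its job and
# produce a readable error instead of a silent exit.
resolve_envoy_version() {
  local tag=$1 version
  version=$(find_envoy_sha_from_tag "$tag" || true)
  if [[ -z "$version" ]]; then
    echo "resolve_envoy_version: could not resolve Envoy SHA for tag '$tag'" >&2
    return 1
  fi
  printf '%s\n' "$version"
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  # Constructed fixture shaped like the real ref response (assumption), so the
  # demo runs offline.
  fixture='{"ref":"refs/tags/v1.33.0","object":{"sha":"0123456789abcdef0123456789abcdef01234567","type":"commit"}}'
  printf 'fixture sha: %s\n' "$(sha_from_ref_json <<<"$fixture")"
  # Point the lookup at a closed local port: github_curl reports HTTP 000, the
  # guard fires, and the script keeps going instead of dying without a message.
  GITHUB_API_BASE=http://127.0.0.1:9 resolve_envoy_version v1.33.0 || echo "guard fired, exit status $?"
fi
```

Run as `GITHUB_TOKEN=... ./update-sha-example.sh` to exercise the authenticated path against the real API; without network the demo shows the failure path only. The save/restore of `$-` is the finer-grained alternative to commenting out `set -o xtrace` for the whole script: tracing stays available for everything except the one line that expands the Authorization header.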

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/xds-sync-apis.yml:
- Around line 24-25: The caller workflow is passing an undeclared secret
ARMERIAN_PAT to the reusable workflow xds-apply-updates.yml which causes
failures; either remove the secrets: ARMERIAN_PAT mapping from the caller or
declare ARMERIAN_PAT under on.workflow_call.secrets in xds-apply-updates.yml so
the reusable workflow accepts it (and ensure the called workflow actually uses
the secret if declared). Use the secret name ARMERIAN_PAT and the reusable
workflow identifier xds-apply-updates.yml to locate where to remove the mapping
or add the declaration.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ac83bfed-ea44-47b6-b007-f76c20cbba10

📥 Commits

Reviewing files that changed from the base of the PR and between 3a56f93 and 309c3d2.

📒 Files selected for processing (1)
  • .github/workflows/xds-sync-apis.yml
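The workflow-side points raised in the reviews above, combined into one added example: the caller maps only ARMERIAN_PAT instead of `secrets: inherit` (first review), the reusable workflow declares that secret under on.workflow_call.secrets so the mapping is accepted (this review), and the step that runs update-sha.sh gets GITHUB_TOKEN through `env:` so the script's CURL_AUTH check finds it (the update-sha.sh review). This is not the project's workflow; job and step names, the workflow_dispatch trigger, the checkout step, the job permissions and the branch/title inputs are assumptions. ARMERIAN_PAT, peter-evans/create-pull-request@v7 and xds-api/tools/update-sha.sh are taken from the page. The security point the split makes visible: GITHUB_TOKEN is enough for read-only API calls and already lifts the unauthenticated rate limit, so the PAT is needed for exactly one thing, opening the PR, because GitHub does not start new workflow runs for events created with GITHUB_TOKEN (to prevent recursive runs). Keep that PAT fine-grained, limited to this repository and to the permissions the action needs (for peter-evans/create-pull-request that is Contents and Pull requests read/write).

```yaml
# .github/workflows/xds-sync-apis.yml (caller) -- explicit mapping instead of
# `secrets: inherit`, so the reusable workflow receives only the one token it needs.
# Trigger and job name are assumptions for this example.
on:
  workflow_dispatch: {}
jobs:
  apply-updates:
    uses: ./.github/workflows/xds-apply-updates.yml
    secrets:
      ARMERIAN_PAT: ${{ secrets.ARMERIAN_PAT }}
---
# .github/workflows/xds-apply-updates.yml (reusable) -- the secret must be declared
# under on.workflow_call.secrets, otherwise the caller's mapping is rejected.
on:
  workflow_call:
    secrets:
      ARMERIAN_PAT:
        description: Fine-grained PAT (Contents + Pull requests write on this repo); used only to open the PR
        required: true
jobs:
  update:
    runs-on: ubuntu-latest
    # The job's own GITHUB_TOKEN only needs to read the repo for checkout and
    # API lookups; the push and the PR go over the PAT passed to the action.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Resolve Envoy SHA (assumed step; the real invocation is not shown on the page)
        # Exported explicitly: the script checks GITHUB_TOKEN to build CURL_AUTH,
        # and a workflow does not put it in the environment by itself.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./xds-api/tools/update-sha.sh
      - uses: peter-evans/create-pull-request@v7
        with:
          # A PR opened with GITHUB_TOKEN does not trigger pull_request workflows,
          # so this one step, and only this one, uses the PAT.
          token: ${{ secrets.ARMERIAN_PAT }}
          branch: xds/update-protos        # assumed
          title: Update xDS protobufs      # assumed
```

If the PAT ever needs rotating, this layout means exactly one declared input and one step reference to update, and the rest of the pipeline keeps running on the automatically scoped GITHUB_TOKEN.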

@jrhee17 jrhee17 marked this pull request as ready for review April 9, 2026 08:01