feat: add hotfix auto-tagging and template generation workflows#8131
Pull request overview
Adds automation to support hotfix workflows for official/** release branches by generating scriptless-template overrides and auto-creating hotfix tags.
Changes:
- Introduces hack/hotfix-generate.sh to detect changed parts/linux/cloud-init/artifacts/** files and inject matching write_files blocks into parts/linux/cloud-init/nodecustomdata.yml’s EnableScriptlessCSECmd section.
- Adds a GitHub Actions workflow to run the generator, run make generate, and commit/push the updated template + snapshot testdata.
- Adds a GitHub Actions workflow to auto-tag hotfix releases on official/** branches.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| hack/hotfix-generate.sh | New generator script that maps changed artifacts to cloudInitData variable keys and injects the corresponding write_files blocks into the scriptless template section. |
| .github/workflows/hotfix-generate.yml | Workflow to run the generator on PRs/label events, run make generate, and commit/push generated updates. |
| .github/workflows/hotfix-autotag.yml | Workflow to create/push incrementing v0.<date>.<patch> tags for official/** branches. |
…tialization scripts
Uses the same GitHub App token pattern as tidy.yaml to produce verified/signed commits that satisfy branch protection rules. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Uses go-version-file to match the repo's pinned Go version. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replaces git commit + git push with GitHub Git Data API calls (create tree → create commit → update ref). This produces a single atomic commit that is automatically signed/verified by GitHub, satisfying branch protection requirements. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…roving script output
| - name: Commit changes via API | ||
| env: | ||
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | ||
| run: | | ||
| FILE="parts/linux/cloud-init/nodecustomdata.yml" | ||
| if git diff --quiet "$FILE"; then | ||
| echo "No template changes needed." | ||
| exit 0 | ||
| fi | ||
| CONTENT=$(base64 -w 0 "$FILE") | ||
| SHA=$(gh api "repos/${{ github.repository }}/contents/${FILE}?ref=${{ github.head_ref }}" --jq '.sha') | ||
| gh api "repos/${{ github.repository }}/contents/${FILE}" \ | ||
| -X PUT \ | ||
| -f message="chore: auto-generate hotfix template entries" \ | ||
| -f content="$CONTENT" \ | ||
| -f branch="${{ github.head_ref }}" \ | ||
| -f sha="$SHA" |
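Review bot: `${{ github.head_ref }}` is expanded into the script text on both `gh api` lines (the `?ref=` query and `-f branch=`) before the shell parses it, and the head branch name of a PR is chosen by whoever opened the PR. In a step that exports the app token as GH_TOKEN, that value should not be spliced into a shell command. Pass it through the step's `env:` block instead, for example `HEAD_REF: ${{ github.head_ref }}`, and use "$HEAD_REF" in the script so the branch name is only ever handled as data. Doing the same for `${{ github.repository }}` keeps the step consistent.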
The commit-via-API step can fail with a 409/sha mismatch if multiple runs update the PR branch around the same time (e.g., rapid pushes triggering synchronize, plus a labeled run). Consider adding a concurrency group keyed by PR (and cancel-in-progress: true) and/or adding a small retry that refetches the latest file SHA before the PUT to make the workflow resilient to concurrent runs.
| @@ -0,0 +1,89 @@ | |||
| name: Hotfix Template Update | |||
| # This workflow is for temporary use and will deprecate once we move to the | |||
The header comment says the workflow "will deprecate"; grammatically this should be "will be deprecated" (or "will be removed") to avoid ambiguity about whether the workflow deprecates something else or is itself being deprecated.
| # This workflow is for temporary use and will deprecate once we move to the | |
| # This workflow is for temporary use and will be deprecated once we move to the |
What this PR does / why we need it:
Add hotfix auto-tagging and template generation workflows.
Developer per-hotfix effort:
main.
Tried to separate from production code because this is only for script hotfix PR generation, and probably won't last too long once we get aks-node-controller hotfix available.
Which issue(s) this PR fixes:
Fixes #