Comment PR test-build rebase command on each PR #8

Merged
Mondrethos merged 2 commits from feat/pr-rebase-hint into main 2026-06-18 09:03:21 +00:00
Mondrethos commented 2026-06-18 08:44:38 +00:00 (Migrated from github.com)

Summary

Adds .github/workflows/pr-rebase-hint.yml — posts a comment when a PR is opened with the exact rebase command for that PR's signed test image:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/<owner>/monolith:pr-<number>-<image-version>

Details

  • Signed ref. Same-repo PR builds have SIGNING_SECRET, so their images are cosign-signed (verified pr-7-44 against cosign.pub). The comment uses ostree-image-signed:, matching the README; anyone testing is already on monolith and has the policy installed.
  • Version from the recipe. image-version is read from recipes/recipe.yml (currently 44) so the tag stays correct across Fedora bumps.
  • One comment. The pr-N-<version> tag is constant for the PR's lifetime, so it posts once on opened/reopened instead of on every push.
  • Least privilege. Top-level permissions: {}; the job takes only contents: read and pull-requests: write.

Scope

Targets the current same-repo PR flow. Fork PRs (read-only token, unsigned image) are intentionally out of scope until outside contributions start.

Self-demo

This PR should get the comment on itself once the workflow runs.
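A workflow sketch with the properties listed under Details, added here as an illustration; it is not the repository's pr-rebase-hint.yml. It assumes `image-version` is a top-level integer key in `recipes/recipe.yml` and that `gh` is available on the runner; the step names, the fork guard and the digits-only validation are choices of this example.

```yaml
# Added sketch, not the project's own workflow file.
name: pr-rebase-hint (sketch)

on:
  pull_request:
    types: [opened, reopened]   # tag is constant per PR, so no "synchronize"

permissions: {}                 # nothing granted at workflow level

jobs:
  hint:
    # Assumption of this sketch: skip fork PRs (read-only token, unsigned image).
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: read            # read recipes/recipe.yml
      pull-requests: write      # post the comment
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is not left in .git/config

      - name: Read and validate image-version
        id: ver
        run: |
          # Assumes a top-level "image-version: 44" style line in the recipe.
          v="$(sed -n 's/^image-version:[[:space:]]*//p' recipes/recipe.yml \
               | head -n1 | tr -d "\"' ")"
          # The recipe is PR-controlled content: accept digits only.
          case "$v" in
            ''|*[!0-9]*) echo "unexpected image-version" >&2; exit 1 ;;
          esac
          echo "version=$v" >> "$GITHUB_OUTPUT"

      - name: Post the rebase command
        env:                    # pass context through env, never inline in the script
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          OWNER: ${{ github.repository_owner }}
          PR: ${{ github.event.pull_request.number }}
          VERSION: ${{ steps.ver.outputs.version }}
        run: |
          owner="$(printf '%s' "$OWNER" | tr '[:upper:]' '[:lower:]')"   # ghcr paths are lowercase
          ref="ghcr.io/${owner}/monolith:pr-${PR}-${VERSION}"
          gh pr comment "$PR" --repo "$REPO" \
            --body "rpm-ostree rebase ostree-image-signed:docker://${ref}"
```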

github-actions[bot] commented 2026-06-18 08:44:48 +00:00 (Migrated from github.com)

🧪 Test this PR on a real install

Each successful build of this PR publishes a signed test image to ghcr.io/mondrethos/monolith:pr-8-44. From an existing monolith install (which already has the signing policy), rebase onto it:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/mondrethos/monolith:pr-8-44
systemctl reboot

The tag is rebuilt on every new commit here, so rpm-ostree upgrade pulls the latest build. When you're done testing, return to the released image:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/mondrethos/monolith:latest

The test tag stops updating once this PR is merged or closed.
