Delete the source branch after doing the backport.#14062
Conversation
📝 WalkthroughWalkthroughThis pull request adds a new cleanup step to the backport release workflow. After a successful release, the workflow now conditionally deletes the remote backport source branch on origin. The step includes safeguards: it refuses to delete branches matching the repository's default branch or the current release branch, verifies the branch still exists with the expected commit SHA, and only proceeds with deletion if those checks pass. If the branch is missing or has diverged since the release was authorized, the workflow exits without deleting, ensuring no accidental removal of important branches. 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/backport_release.yaml:
- Around line 483-494: The delete step has a TOCTOU race: git ls-remote reads
SOURCE_BRANCH tip but a concurrent push can replace it before git push origin
--delete runs; replace the unconditional delete with a lease-protected delete
that only removes refs/heads/${SOURCE_BRANCH} if it still matches SOURCE_COMMIT
by using git push with --force-with-lease against the branch ref and a delete
refspec, i.e. send a --force-with-lease for refs/heads/${SOURCE_BRANCH} keyed to
SOURCE_COMMIT and the delete refspec :refs/heads/${SOURCE_BRANCH}; ensure the
workflow checks runner git supports --force-with-lease before using it and keep
the same logging for success/failure.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: b1e33b1f-6e8a-49b4-bc4b-553478cbff15
📒 Files selected for processing (1)
.github/workflows/backport_release.yaml
| current_tip="$(git ls-remote origin "refs/heads/${SOURCE_BRANCH}" | awk '{print $1}')" | ||
| if [[ -z "${current_tip}" ]]; then | ||
| echo "Source branch '${SOURCE_BRANCH}' no longer exists on origin; nothing to delete." | ||
| exit 0 | ||
| fi | ||
| if [[ "${current_tip}" != "${SOURCE_COMMIT}" ]]; then | ||
| echo "::warning::Source branch '${SOURCE_BRANCH}' tip (${current_tip}) no longer matches released commit (${SOURCE_COMMIT}). Leaving it in place." | ||
| exit 0 | ||
| fi | ||
|
|
||
| git push origin --delete "refs/heads/${SOURCE_BRANCH}" | ||
| echo "Deleted remote branch '${SOURCE_BRANCH}'." |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify Git on runner supports lease-protected delete refspec.
set -euo pipefail
git --version
git push -h | sed -n '/--force-with-lease/,+4p'Repository: Comfy-Org/ComfyUI
Length of output: 80
Fix TOCTOU race in “Delete remote source branch”
git ls-remote checks ${SOURCE_BRANCH}’s tip, but the subsequent git push origin --delete can still delete a newly-pushed tip if a push happens between the check and the delete.
Suggested hardening
- git push origin --delete "refs/heads/${SOURCE_BRANCH}"
+ git push \
+ --force-with-lease="refs/heads/${SOURCE_BRANCH}:${SOURCE_COMMIT}" \
+ origin \
+ ":refs/heads/${SOURCE_BRANCH}"
echo "Deleted remote branch '${SOURCE_BRANCH}'."Runner Git is 2.39.5; ensure git push --help includes --force-with-lease so the lease-protected delete refspec is accepted.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| current_tip="$(git ls-remote origin "refs/heads/${SOURCE_BRANCH}" | awk '{print $1}')" | |
| if [[ -z "${current_tip}" ]]; then | |
| echo "Source branch '${SOURCE_BRANCH}' no longer exists on origin; nothing to delete." | |
| exit 0 | |
| fi | |
| if [[ "${current_tip}" != "${SOURCE_COMMIT}" ]]; then | |
| echo "::warning::Source branch '${SOURCE_BRANCH}' tip (${current_tip}) no longer matches released commit (${SOURCE_COMMIT}). Leaving it in place." | |
| exit 0 | |
| fi | |
| git push origin --delete "refs/heads/${SOURCE_BRANCH}" | |
| echo "Deleted remote branch '${SOURCE_BRANCH}'." | |
| current_tip="$(git ls-remote origin "refs/heads/${SOURCE_BRANCH}" | awk '{print $1}')" | |
| if [[ -z "${current_tip}" ]]; then | |
| echo "Source branch '${SOURCE_BRANCH}' no longer exists on origin; nothing to delete." | |
| exit 0 | |
| fi | |
| if [[ "${current_tip}" != "${SOURCE_COMMIT}" ]]; then | |
| echo "::warning::Source branch '${SOURCE_BRANCH}' tip (${current_tip}) no longer matches released commit (${SOURCE_COMMIT}). Leaving it in place." | |
| exit 0 | |
| fi | |
| git push \ | |
| --force-with-lease="refs/heads/${SOURCE_BRANCH}:${SOURCE_COMMIT}" \ | |
| origin \ | |
| ":refs/heads/${SOURCE_BRANCH}" | |
| echo "Deleted remote branch '${SOURCE_BRANCH}'." |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/backport_release.yaml around lines 483 - 494, The delete
step has a TOCTOU race: git ls-remote reads SOURCE_BRANCH tip but a concurrent
push can replace it before git push origin --delete runs; replace the
unconditional delete with a lease-protected delete that only removes
refs/heads/${SOURCE_BRANCH} if it still matches SOURCE_COMMIT by using git push
with --force-with-lease against the branch ref and a delete refspec, i.e. send a
--force-with-lease for refs/heads/${SOURCE_BRANCH} keyed to SOURCE_COMMIT and
the delete refspec :refs/heads/${SOURCE_BRANCH}; ensure the workflow checks
runner git supports --force-with-lease before using it and keep the same logging
for success/failure.
No description provided.