zhangning21 commented on code in PR #19075:
URL: https://github.com/apache/nuttx/pull/19075#discussion_r3385651204
##########
.github/workflows/build.yml:
##########
@@ -45,9 +45,12 @@ jobs:
- name: Determine Target Branches
id: gittargets
shell: bash
+ env:
+ PR_BODY: ${{ github.event.pull_request.body }}
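Review bot: On the added `PR_BODY: ${{ github.event.pull_request.body }}` line, the value is contributor-controlled text and the script that consumes it lies outside this hunk. Passing it through `env:` keeps it out of the script source, but that only holds if the script reads it as a double-quoted `"$PR_BODY"`, never repeats the `${{ ... }}` expression inline, and validates whatever it extracts before using it to choose a target branch in the `gittargets` step. A short comment above `env:` stating why the body is passed this way would help keep later edits from reverting to inline interpolation.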
Review Comment:
Purpose
nuttx and nuttx-apps are built together in CI, and for a normal PR the
Fetch-Source job always checks out the master of the other repo. The main
problem this solves is cross-repo PR interdependency: when one feature must
change both repos, each PR's CI fails because the other repo's master doesn't
yet contain the matching change — today the only workaround is to force-merge
one side with CI skipped, which risks breaking master. The same mechanism also
covers the case where a PR depends on another PR in the same repo. The author
declares this in the PR body, e.g. depends-on: [apache/nuttx-apps/pull/XXX],
and CI builds the combined code. It's fully opt-in — without a depends-on line,
CI behaves exactly as today.
Now to your specific questions:

1. Yes, the author specifies the dependency in the PR body.

2. "If the author edits the dependency in the body, is it rechecked?"
If the author edits only the PR body, it is not rechecked immediately.
This follows the current workflow behavior: the existing `pull_request` trigger
does not run CI for PR description edits, only for normal CI-triggering events
such as new commits. The dependency will be re-read on the next CI run.

3. "Isn't a PR Label better than parsing untrusted body text?"
Labels would be more controlled, but they are not very practical here
because external contributors usually cannot apply labels to upstream PRs, and
dependency values are dynamic PR numbers rather than fixed categories. Using
the PR body lets the contributor declare the dependency directly, while the
workflow still validates it with a strict allowlist and numeric PR ID.

4. "Do other projects parse dependencies from the PR body, and are they
OK with the untrusted input?"
Yes. A similar approach is used by Zuul CI for cross-project
dependencies. Zuul supports a `Depends-On:` directive, and for GitHub-based
projects it is placed in the pull request description:
https://zuul-ci.org/docs/zuul/latest/gating.html#cross-project-dependencies
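The "strict allowlist and numeric PR ID" validation mentioned in the comment above, as an added example that is not the PR's script and not part of the comment: a POSIX shell function that parses a `depends-on:` line from the untrusted body passed in as a quoted variable. The function name, the two-repository allowlist, the 7-digit cap, the output format and the sample bodies are assumptions.

```shell
#!/bin/sh
# Added example (not the PR's script). Assumed: function name, the two-repo
# allowlist, the 7-digit cap and the "<repo> <number>" output format.

# parse_depends_on BODY -> prints "<owner>/<repo> <pr-number>" per dependency.
# Status 0: no directive, or every entry valid. Status 1: directive rejected.
parse_depends_on() {
    # The body is data only: always quoted, never eval'd or sourced.
    line=$(printf '%s\n' "$1" | tr -d '\r' | grep '^depends-on:' | head -n 1)
    [ -n "$line" ] || return 0      # opt-in: no directive, nothing to do

    # The whole line must be "depends-on: [ ... ]" with nothing trailing.
    list=$(printf '%s\n' "$line" |
        sed -n -E 's/^depends-on:[[:space:]]*\[([^]]*)\][[:space:]]*$/\1/p')
    [ -n "$list" ] || return 1

    out=''
    while IFS= read -r entry; do
        # Trim surrounding whitespace only; inner whitespace stays and fails.
        entry=$(printf '%s\n' "$entry" |
            sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        repo=${entry%/pull/*}
        num=${entry##*/pull/}
        # Allowlist by exact match against fixed strings.
        case $repo in
            apache/nuttx|apache/nuttx-apps) ;;
            *) return 1 ;;
        esac
        # PR id: decimal digits only, no leading zero, bounded length.
        case $num in
            ''|0*|*[!0-9]*) return 1 ;;
        esac
        [ "${#num}" -le 7 ] || return 1
        out="${out}${repo} ${num}
"
    done <<EOF
$(printf '%s\n' "$list" | tr ',' '\n')
EOF
    printf '%s' "$out"
}

# Constructed PR bodies: one well-formed, one carrying shell metacharacters.
GOOD_BODY='Fix driver
depends-on: [apache/nuttx-apps/pull/1234, apache/nuttx/pull/77]'
BAD_BODY='depends-on: [apache/nuttx-apps/pull/1$(id)]'

parse_depends_on "$GOOD_BODY"
parse_depends_on "$BAD_BODY" || echo "rejected: dependency line failed validation"
```

Nothing is printed until every entry has passed, so a partially valid list never reaches a later checkout step.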