workflows: fix allowlist update race (#866)

.github/workflows/update_allowlist.yml

@@ -0,0 +1,167 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# Replaces the former pair `update_actions.yml` (composite -> actions.yml)
+# and `update_composite_action.yml` (actions.yml -> composite). Those ran
+# in separate concurrency groups and could race when both files changed in
+# overlapping pushes, silently overwriting one direction's edit. This
+# single workflow always runs both directions in order, so neither edit
+# is lost regardless of which file triggered the run. See #866.
+name: Update Allowlist
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - "actions.yml"
+      - ".github/actions/for-dependabot-triggered-reviews/action.yml"
+  pull_request:
+    paths:
+      - ".github/workflows/update_allowlist.yml"
+      - ".github/actions/for-dependabot-triggered-reviews/action.yml"
+      - "actions.yml"
+      - "gateway/*"
+
+permissions:
+  contents: read
+
+# Single group across both inputs so no two updates touch the allowlist
+# files in parallel. Don't cancel — every queued run must finish so we
+# don't drop a dependabot bump or a manual actions.yml edit.
+concurrency:
+  group: "${{ github.ref }}-update-allowlist"
+  cancel-in-progress: false
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: true
+          token: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} # zizmor: ignore[secrets-outside-env]
+          # On push/dispatch, check out the current tip of main rather
+          # than the trigger SHA. A queued run that started on an older
+          # SHA would otherwise regenerate from stale inputs and either
+          # undo the prior run's commit or fail to push.
+          ref: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && 'main' || '' }}
+
+      - name: Print token details
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN }} # zizmor: ignore[secrets-outside-env]
+        run: |
+          echo "::group::Token details"
+          echo "Token user and permissions:"
+          gh api /user --jq '"Login: \(.login)\nName: \(.name)\nEmail: \(.email)"'
+          echo ""
+          echo "Token expiration:"
+          gh api /installation/token --jq '.expires_at' 2>/dev/null || echo "Token expiration not available (likely a PAT, not an installation token)"
+          echo ""
+          echo "Token scopes:"
+          curl -sS -H "Authorization: token ${GH_TOKEN}" -I https://api.github.com/ 2>/dev/null | grep -i 'x-oauth-scopes' || echo "No OAuth scopes header (fine-grained or app token)"
+          echo "::endgroup::"
+
+      - run: pipx install uv
+
+      - name: Sync composite action, actions.yml, and approved_patterns.yml
+        run: |
+          uv run python << 'PYEOF'
+          import sys
+          sys.path.append("./gateway/")
+
+          import gateway as g
+
+          composite = ".github/actions/for-dependabot-triggered-reviews/action.yml"
+          actions = "actions.yml"
+          patterns = "approved_patterns.yml"
+
+          # Always run both directions. The previous two-workflow split
+          # raced on overlapping pushes; running both here means the
+          # outcome is the same regardless of which file triggered us.
+          #
+          # 1. Pull any new refs from the composite (e.g. dependabot
+          #    bumps) into actions.yml. Additive: existing entries stay
+          #    and get their expiry refreshed.
+          g.update_actions(composite, actions)
+
+          # 2. Regenerate the composite from the (now-merged)
+          #    actions.yml so a manual actions.yml edit is reflected.
+          g.update_workflow(composite, actions)
+
+          # 3. Regenerate the approved patterns from actions.yml.
+          g.update_patterns(patterns, actions)
+          PYEOF
+
+      - name: Commit and push changes
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          GH_TOKEN: ${{ secrets.ALLOWLIST_WORKFLOW_TOKEN || github.token }} # zizmor: ignore[secrets-outside-env]
+        run: |
+          AUTHOR_NAME=$(gh api /user --jq '.login' 2>/dev/null || echo "asfgit")
+          AUTHOR_EMAIL=$(gh api /user --jq '.email // "\(.login)@users.noreply.github.com"' 2>/dev/null || echo "asfgit@users.noreply.github.com")
+          git config --local user.name "${AUTHOR_NAME}"
+          git config --local user.email "${AUTHOR_EMAIL}"
+
+          composite=".github/actions/for-dependabot-triggered-reviews/action.yml"
+          if git diff --quiet -- actions.yml approved_patterns.yml "${composite}"; then
+            echo "No changes"
+            exit 0
+          fi
+
+          git add -f actions.yml approved_patterns.yml "${composite}"
+          git commit \
+            -m "Sync actions.yml, composite action, and approved_patterns.yml" \
+            -m "Generated by .github/workflows/update_allowlist.yml"
+
+          # If a concurrent push (e.g. remove_expired.yml) advanced main
+          # while we were computing, rebase and retry. The sync script is
+          # idempotent so re-running on the rebased tree is safe.
+          for attempt in 1 2 3; do
+            if git push origin HEAD:main; then
+              exit 0
+            fi
+            echo "Push rejected on attempt ${attempt}; rebasing and re-running sync"
+            git fetch origin main
+            git reset --hard origin/main
+            uv run python << 'PYEOF'
+          import sys
+          sys.path.append("./gateway/")
+          import gateway as g
+          composite = ".github/actions/for-dependabot-triggered-reviews/action.yml"
+          actions = "actions.yml"
+          patterns = "approved_patterns.yml"
+          g.update_actions(composite, actions)
+          g.update_workflow(composite, actions)
+          g.update_patterns(patterns, actions)
+          PYEOF
+            if git diff --quiet -- actions.yml approved_patterns.yml "${composite}"; then
+              echo "Already in sync after rebase; nothing to push"
+              exit 0
+            fi
+            git add -f actions.yml approved_patterns.yml "${composite}"
+            git commit \
+              -m "Sync actions.yml, composite action, and approved_patterns.yml" \
+              -m "Generated by .github/workflows/update_allowlist.yml"
+          done
+          echo "Failed to push after 3 attempts"
+          exit 1