Fix: GitHub CI workflow selects dev when building prod branch (#5428, #6823)

.dockerignore

@@ -2,6 +2,7 @@
 !Makefile
 !common.mk
 !requirements*.txt
+!environment
 !bin/keys/docker-apt-keyring.pgp
 # FIXME: Remove fips_enabled
 #        https://github.com/DataBiosphere/azul/issues/6675

.github/workflows/ci.yml

@@ -24,13 +24,14 @@ jobs:
 
       - name: 'Run unit tests and other checks'
         run: |
-          source environment
-          _link dev
-          _refresh
-
+          source environment  # load global defaults
           make virtualenv
           source .venv/bin/activate
           make requirements
+          deployment=$(python scripts/check_branch.py --print)
+          _link $deployment
+          _refresh
+
 
           make environment.boot
 

Dockerfile

@@ -64,15 +64,15 @@ RUN --mount=type=bind,source=fips_enabled,target=${azul_proc_sys_crypto}/fips_en
 #
 RUN mkdir /build
 WORKDIR /build
-ENV project_root=/build
 
 # Install Azul dependencies
 #
 ARG PIP_DISABLE_PIP_VERSION_CHECK
 ENV PIP_DISABLE_PIP_VERSION_CHECK=${PIP_DISABLE_PIP_VERSION_CHECK}
-COPY requirements*.txt common.mk Makefile ./
+COPY environment requirements*.txt common.mk Makefile ./
 ARG make_target
-RUN make virtualenv \
+RUN source environment \
+    && make virtualenv \
     && source .venv/bin/activate \
     && make $make_target \
     && rm requirements*.txt common.mk Makefile

requirements.all.txt

@@ -10,7 +10,7 @@ blinker==1.9.0
 boto3==1.36.5
 boto3-stubs-lite==1.36.5
 botocore==1.36.5
-botocore-stubs==1.36.11
+botocore-stubs==1.36.12
 brotli==1.1.0
 cachetools==5.5.1
 certifi==2025.1.31
@@ -80,7 +80,7 @@ mypy-boto3-dynamodb==1.36.0
 mypy-boto3-ec2==1.36.8
 mypy-boto3-ecr==1.36.10
 mypy-boto3-es==1.36.0
-mypy-boto3-iam==1.36.0
+mypy-boto3-iam==1.36.13
 mypy-boto3-kms==1.36.0
 mypy-boto3-lambda==1.36.0
 mypy-boto3-s3==1.36.9

requirements.dev.trans.txt

@@ -1,6 +1,6 @@
 blessed==1.20.0
 blinker==1.9.0
-botocore-stubs==1.36.11
+botocore-stubs==1.36.12
 brotli==1.1.0
 click==8.1.8
 colorama==0.4.6
@@ -30,7 +30,7 @@ mypy-boto3-dynamodb==1.36.0
 mypy-boto3-ec2==1.36.8
 mypy-boto3-ecr==1.36.10
 mypy-boto3-es==1.36.0
-mypy-boto3-iam==1.36.0
+mypy-boto3-iam==1.36.13
 mypy-boto3-kms==1.36.0
 mypy-boto3-lambda==1.36.0
 mypy-boto3-s3==1.36.9

scripts/check_branch.py

@@ -1,7 +1,6 @@
 import os
 import sys
 from typing import (
-    Optional,
     Sequence,
 )
 
@@ -16,17 +15,17 @@
 """
 
 
-def default_deployment(branch: Optional[str]) -> Optional[str]:
+def default_deployment(branch: str | None) -> str | None:
     deployments = config.shared_deployments_for_branch(branch)
     return None if deployments is None else deployments[0].name
 
 
 class BranchDeploymentMismatch(Exception):
 
     def __init__(self,
-                 branch: Optional[str],
+                 branch: str | None,
                  deployment: config.Deployment,
-                 allowed: Optional[Sequence[config.Deployment]]
+                 allowed: Sequence[config.Deployment] | None
                  ) -> None:
         branch = 'Detached head' if branch is None else f'Branch {branch!r}'
         if allowed is None:
@@ -37,29 +36,56 @@ def __init__(self,
                          f'only {allowed}personal deployments.')
 
 
-def check_branch(branch: Optional[str], deployment: str) -> None:
+def check_branch(branch: str | None, deployment: str) -> None:
     deployment = config.Deployment(deployment)
     if deployment.is_shared:
         deployments = config.shared_deployments_for_branch(branch)
         if deployments is None or deployment not in deployments:
             raise BranchDeploymentMismatch(branch, deployment, deployments)
 
 
-def gitlab_branch() -> Optional[str]:
+def target_branch() -> str | None:
     """
-    Return the current branch if we're on GitLab, else `None`
-    """
-    # Gitlab checks out a specific commit which results in a detached HEAD
-    # (no active branch). Extract the branch name from the runner environment.
-    return os.environ.get('CI_COMMIT_REF_NAME')
-
-
-def local_branch() -> Optional[str]:
-    """
-    Return `None` if detached head, else the current branch
+    In a local clone, this method returns the name of the branch currently
+    checked out or ``None``, if no branch is checked out (detached HEAD). On
+    GitHub and GitLab this returns the name of either the branch currently being
+    built or, if the build is for a feature branch involving a pull request, the
+    base branch of that feature branch.
     """
+    # The comments on the environment variable names below are taken from
+    #
+    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables
+    #
+    # and
+    #
+    # https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
+    #
+    for variable in [
+        # The name of the base ref or target branch of the pull request in a
+        # workflow run. This is only set when the event that triggers a workflow
+        # run is either pull_request or pull_request_target. For example, main.
+        #
+        'GITHUB_BASE_REF',
+
+        # The short ref name of the branch or tag that triggered the workflow
+        # run. This value matches the branch or tag name shown on GitHub. For
+        # example, feature-branch-1. For pull requests, the format is
+        # <pr_number>/merge.
+        #
+        'GITHUB_REF_NAME',
+
+        # The branch or tag name for which project is built.
+        #
+        'CI_COMMIT_REF_NAME',
+    ]:
+        try:
+            branch = os.environ[variable]
+        except KeyError:
+            pass
+        else:
+            return branch
     repo = git.Repo(config.project_root)
-    return None if repo.head.is_detached else repo.active_branch.name
+    return None if repo.head.is_detached else repo.head.reference.name
 
 
 def main(argv):
@@ -71,7 +97,7 @@ def main(argv):
                         help='Print the deployment matching the current branch or exit '
                              'with non-zero status code if no such deployment exists.')
     args = parser.parse_args(argv)
-    branch = gitlab_branch() or local_branch()
+    branch = target_branch()
     if args.print:
         deployment = default_deployment(branch)
         if deployment is None:

test/test_check_branch.py

@@ -1,9 +1,12 @@
 import json
 import os
 from unittest.mock import (
+    PropertyMock,
     patch,
 )
 
+import git
+
 from azul.modules import (
     load_script,
 )
@@ -14,7 +17,7 @@
 
 class TestCheckBranch(AzulUnitTestCase):
 
-    def test(self):
+    def test_check_branch(self):
         script = load_script('check_branch')
         check_branch = script.check_branch
 
@@ -70,3 +73,78 @@ def expect_exception(branch, deployment, message):
                              'prod',
                              "Branch 'feature/foo' cannot be deployed to 'prod', "
                              "only one of {'sandbox'} or personal deployments.")
+
+    def test_target_branch(self):
+        script = load_script('check_branch')
+
+        develop, prod = 'develop', 'prod'
+        feature, merge = 'issues/foo/1234-bar', '2345/merge'
+        cases = [
+            (
+                'Local build',
+                feature,
+                {},
+                feature
+            ),
+            (
+                'Local build with detached head',
+                None,
+                {},
+                None
+            ),
+            (
+                'GitHub building develop',
+                develop,
+                {'GITHUB_REF_NAME': develop},
+                develop
+            ),
+            (
+                'GitHub building prod',
+                prod,
+                {'GITHUB_REF_NAME': prod},
+                prod
+            ),
+            (
+                'GitHub PR against develop',
+                merge,
+                {
+                    'GITHUB_REF_NAME': merge,
+                    'GITHUB_HEAD_REF': feature,
+                    'GITHUB_BASE_REF': develop
+                },
+                develop
+            ),
+            (
+                'GitHub PR against prod',
+                merge,
+                {
+                    'GITHUB_REF_NAME': merge,
+                    'GITHUB_HEAD_REF': feature,
+                    'GITHUB_BASE_REF': prod
+                },
+                prod
+            ),
+            (
+                'Sandbox build on GitLab',
+                None,
+                {'CI_COMMIT_REF_NAME': feature},
+                feature
+            ),
+            (
+                'Non-sandbox build on GitLab',
+                None,
+                {'CI_COMMIT_REF_NAME': develop},
+                develop
+            ),
+        ]
+        variables = {v for case in cases for v in case[2]}
+        for sub_test, current_branch, new_env, target_branch in cases:
+            with self.subTest(sub_test):
+                with patch.object(git.Repo, 'head', new_callable=PropertyMock) as head:
+                    head.return_value.is_detached = current_branch is None
+                    head.return_value.reference.name = current_branch
+                    with patch.dict(os.environ) as env:
+                        for variable in variables:
+                            env.pop(variable, None)
+                        env.update(new_env)
+                        self.assertEqual(target_branch, script.target_branch())