[CAT-2931] feat: add distributed lock and should-run-integration-tests actions#7
Merged
Conversation
Adds lock/acquire and lock/release composite actions that use a git branch in onfido/ci-lock as a cross-repository mutex. Creating a git ref is atomic, making this a reliable distributed lock mechanism. - lock/acquire: creates a branch to claim lock, polls with timeout - lock/release: deletes the branch to free lock Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Determines whether integration tests should run based on the event type. Returns result=true for pull_request, release, workflow_dispatch, schedule events, and for push events from merged fork PRs (where secrets weren't available pre-merge). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
782693f to
44dcff1
Compare
Replace github-token with GitHub App credentials (app-id, app-private-key, app-installation-id) for generating short-lived tokens via actions/create-github-app-token@v1. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
471e383 to
ea57e82
Compare
After acquiring the lock, push an empty commit with metadata (repo name and run URL). When waiting for a held lock, display who holds it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Prevents a timed-out workflow from accidentally releasing another workflow's lock by checking the commit message for the current run ID. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
47039e4 to
8154a80
Compare
sanchapereira
approved these changes
Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds two new composite actions to prevent SDK integration tests from running in parallel across repositories and to centralise the logic for when tests should run.
New actions
lock/acquire&lock/releaseA distributed lock mechanism using a git branch in a dedicated lock repository (onfido/ci-lock) as an atomic mutex.
locks/<lock-name>— git ref creation is atomic, so only one workflow succeeds. Others poll until the lock is released or timeout (default: 30 min, polling every 30s).if: always()to prevent stale locks.actions/create-github-app-token@v2— short-lived, auto-rotating tokens scoped to the lock repo.should-run-integration-testsDetermines whether integration tests should run based on the workflow event:
pull_request(internal branch)pull_request(fork)push(merge from fork PR)push(internal merge/direct)pull_request)release/workflow_dispatch/scheduleUsage
Setup requirements
ci-lockrepositoryONFIDO_CI_LOCK_APP_IDandONFIDO_CI_LOCK_PRIVATE_KEYRelated PRs