Add a sanity check for backups

The check makes sure that the backup contains the latest PR information (based on title and PR number).
2025-04-17 10:37:22 +03:00 · 2025-03-24 10:30:39 +01:00 · 2025-03-24 10:30:39 +01:00 · ab468e33af
commit ab468e33af
parent 5f7c2a617f
1 changed files with 28 additions and 4 deletions
--- a/.github/workflows/backup.yml
+++ b/.github/workflows/backup.yml
@ -22,27 +22,50 @@ jobs:
          sudo apt-get -y install restic
      - name: Trigger backup export
        run: |
+          # needed for sanity check
+          NUMBER=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            repos/$REPO/pulls --jq '.[0].number')
+          TITLE=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            repos/$REPO/pulls --jq '.[0].title')
          ID=$(gh api --method POST /orgs/MariaDB/migrations \
            --raw-field "repositories[]=$REPO" \
            --field lock_repositories=false \
            --field exclude_git_data=true --jq '.id')
          # define some ENV vars needed below
+          echo "LATEST_PR_NUMBER=$NUMBER" >>$GITHUB_ENV
+          echo "LATEST_PR_TITLE=$TITLE" >>$GITHUB_ENV
          echo "EXPORT_ID=$ID" >>$GITHUB_ENV
-          echo "REPO_NAME=${{ github.event.repository.name }}" >> $GITHUB_ENV
+          echo "REPO_NAME=${{ github.event.repository.name }}" >>$GITHUB_ENV
      - name: Wait until backup is finished
        run: |
          while true; do
-            STATE=$(gh api --method GET "/orgs/MariaDB/migrations/$EXPORT_ID" --jq '.state')
+            STATE=$(gh api --method GET "/orgs/MariaDB/migrations/$EXPORT_ID" \
+              --jq '.state')
            [[ $STATE == "exported" ]] && break
            sleep 10
          done
      - name: Download backup
        run: |
-          ARCHIVE_URL=$(gh api --method GET "/orgs/MariaDB/migrations/$EXPORT_ID" --jq '.archive_url')
+          ARCHIVE_URL=$(gh api --method GET "/orgs/MariaDB/migrations/$EXPORT_ID" \
+            --jq '.archive_url')
          curl -L -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer $GH_TOKEN" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            -o "archive.tgz" "$ARCHIVE_URL"
+      - name: Sanity check
+        run: |
+          # Make sure that we have the latest PR information
+          # title and corresponding number (from URL)
+          zgrep -a -B3 "$LATEST_PR_TITLE" archive.tgz |
+            grep "\"url\":" |
+            grep -q "https://github.com/$REPO/pull/$LATEST_PR_NUMBER" || {
+            echo "Latest PR not found in archive.tgz"
+            exit 1
+          }
      - name: Save backup (restic)
        run: |
          export RESTIC_REPOSITORY=$RESTIC_REPOSITORY_URL/$REPO_NAME
@ -50,6 +73,7 @@ jobs:
          if ! restic cat config >/dev/null 2>&1; then
            restic init
          fi
-          restic backup --host gh-runner --stdin --stdin-filename archive.tgz <./archive.tgz
+          restic backup --host gh-runner --stdin \
+            --stdin-filename archive.tgz <./archive.tgz
          restic forget --prune --keep-within 6m
          restic check