JGC-499 - Replace 'safe to test' label with single build-gate environment approval#3535
Open
ehl-jf wants to merge 1 commit into
Conversation
…ment approval Introduce build-gate.yml orchestrator: a single `build-gate` environment deployment approval (skipped on push/dispatch) releases frogbot and all integration-test suites for fork/PR runs. Convert frogbot and the 25 test workflows to reusable (workflow_call) workflows invoked behind the gate, drop the per-workflow 'safe to test' label conditions, and delete removeLabel.yml. Add a build-gate-success aggregator job that needs all suites, so branch protection can require a single stable check instead of matrix-expanded suite contexts.
Summary
Replaces the per-workflow `safe to test` label gate with a single `build-gate` GitHub Environment deployment approval. A maintainer approves once per fork/PR run, and that single approval releases frogbot and all integration-test suites. Trusted `push` to `master` and manual `workflow_dispatch` runs skip the approval entirely.
What changed
- `build-gate.yml` orchestrator (name: Build Gate)
  - Triggers: `pull_request_target [opened, synchronize, reopened]`, `push` to `master`, `workflow_dispatch`.
  - `gate` job carries `environment: ${{ github.event_name == 'pull_request_target' && 'build-gate' || '' }}` — only fork/PR runs hit the environment and wait for approval; `push`/`workflow_dispatch` resolve to an empty environment (no gate).
  - Suite jobs (`frogbot` + `go` + 24 others), each `needs: gate` + `uses: ./.github/workflows/<suite>.yml` + `secrets: inherit`.
  - `build-gate-success` aggregator job (`needs:` all suites, `if: always()`) that fails if any suite failed/was cancelled — see required-checks note below.
- Reusable workflows (`frogbot-scan-pull-request.yml` + 25 `*Tests.yml`)
  - `on:` → `workflow_call:` + `workflow_dispatch:` (dropped `push` and `pull_request_target: [labeled]`).
  - Dropped the `safe to test` job conditions.
  - `workflow_dispatch` inputs preserved (incl. poetry's `poetry_version`); `env:`/`permissions:` blocks intact.
  - `frogbot` no longer declares its own `environment: frogbot` — the gate now lives in the orchestrator.
  - `evidenceTests` and `ghostFrogTests` keep their existing `if: false` (independently disabled).
- Deleted `removeLabel.yml` — the label mechanism it served is gone.
Security model
- Approval is taken on `gate`, before any job checks out PR head code or touches secrets.
- Under `pull_request_target`, local `uses:` reusable workflows resolve from the base ref, so a PR cannot alter the gate or workflow logic — only the executed test/product code, which is exactly what the approval covers.
Recovering a failed run
Use "Re-run failed jobs": it re-runs the failed suite(s) and `build-gate-success` (reusing already-passed suites) while not re-running `gate`, so no re-approval and no new commit are needed — the single required check flips green on the same SHA. ("Re-run all jobs" re-runs `gate` and re-triggers approval.)
1. Create the `build-gate` Environment (Settings → Environments) with Required reviewers = the maintainer team.
2. Verify frogbot secrets are repo/org-level, not scoped to the old `frogbot` environment. frogbot no longer declares an environment and receives secrets via `secrets: inherit` (which passes repo/org secrets, not environment secrets). If `FROGBOT_URL`, `FROGBOT_ACCESS_TOKEN`, `JF_SMTP_*` were stored as `frogbot`-environment secrets, move them to repo/org level (or onto `build-gate`).
3. Repoint branch-protection required status checks to the single aggregator: `Build Gate / build-gate-success`. Remove the stale old per-workflow contexts. The aggregator is the only check that needs to be required — it transitively gates every suite, is matrix-independent (won't break when a suite's matrix changes), and stays pending until the approval gate is released.
4. (Optional cleanup) Delete the `safe to test` label and retire the now-unused `frogbot` environment.
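The orchestrator shape described in the PR, written out as an added illustration (this is not the PR's own `build-gate.yml`, which this page does not show): the `gate` job carrying the environment expression, two of the suite jobs called as reusable workflows behind it, the `build-gate-success` aggregator, and the `on:` header of one called suite. The `goTests.yml` file name, the runner labels, the step bodies, and the decision to treat `skipped` suites as a failure are assumptions of the example, not statements about the PR.

```yaml
# --- .github/workflows/build-gate.yml (illustrative orchestrator) ---
name: Build Gate

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
  push:
    branches: [master]
  workflow_dispatch:

jobs:
  gate:
    runs-on: ubuntu-latest            # runner label assumed
    # Fork/PR runs resolve to the 'build-gate' environment and block on its
    # required reviewers; push and workflow_dispatch resolve to '' (no gate).
    environment: ${{ github.event_name == 'pull_request_target' && 'build-gate' || '' }}
    steps:
      - run: echo "gate released for ${{ github.event_name }}"

  # Suite jobs: each waits on the gate and is a local reusable workflow, so its
  # definition comes from the base ref, not from the PR head.
  frogbot:
    needs: gate
    uses: ./.github/workflows/frogbot-scan-pull-request.yml
    secrets: inherit

  go:
    needs: gate
    uses: ./.github/workflows/goTests.yml   # file name assumed
    secrets: inherit

  build-gate-success:
    # always() makes this job run even when the gate or a suite failed, so
    # branch protection sees a red check rather than a missing one.
    if: always()
    needs: [gate, frogbot, go]              # list every suite job here
    runs-on: ubuntu-latest
    steps:
      - name: Fail unless every needed job succeeded
        # needs.*.result is an object filter over all needed jobs. 'skipped' is
        # included on purpose (assumption of this example): if the gate is
        # rejected, the suites are skipped, and without this clause the
        # aggregator would go green on an unapproved PR.
        if: >-
          contains(needs.*.result, 'failure') ||
          contains(needs.*.result, 'cancelled') ||
          contains(needs.*.result, 'skipped')
        run: |
          echo "::error::at least one gated job did not succeed"
          echo '${{ toJSON(needs) }}'
          exit 1
      - run: echo "all suites passed"

---
# --- .github/workflows/goTests.yml (illustrative called suite) ---
name: Go Tests

on:
  workflow_call:
  workflow_dispatch:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the base ref by default; the suite
          # must name the PR head explicitly to test the contributed code.
          # On push/dispatch there is no pull_request, so fall back to the SHA.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
      - uses: actions/setup-go@v5
      - run: go test ./...
```

Two points worth checking against the real files when reviewing: the required status check name is `<workflow name> / <job id>`, so it must be `Build Gate / build-gate-success` exactly as the PR states; and because the called workflows see the caller's `github` context, each suite's checkout is where PR head code first enters the run, which is why the approval on `gate` has to precede every `needs: gate` job rather than live inside a suite.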