[main][cherry-pick] Fix(ci): restrict integration tests to trusted contributors or safe-to-test label#3806
Merged
Merged
Conversation
…o-test label Gate the get-sha job in tests-integration.yml so CI runs automatically only for contributors with explicit repository write access (OWNER or COLLABORATOR). All others require a maintainer to add the "safe-to-test" label, which must be done via a labeled event — not checked by label presence — eliminating any race condition on new commits. Add remove-safe-to-test-label.yml to automatically strip the safe-to-test label when a contributor pushes new commits, so a maintainer must explicitly re-label before CI runs again on the updated code. Signed-off-by: Prem Kumar Kalle <prem.kalle@broadcom.com>
prkalle
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of the Change
This PR is cherry-pick of #3805
This PR restricts integration tests to trusted contributors or safe-to-test label
Why Is This PR Valuable?
This PR improves the security posture of the integration test CI workflow by ensuring only trusted contributors can trigger test runs against repository infrastructure. It also reduces maintainer overhead by automatically signaling(by removing the safe-to-test label) when a PR needs re-approval after new commits are pushed.
Applicable Issues
List any applicable GitHub Issues here
How Urgent Is The Change?
Fairly urget
Other Relevant Parties
Who else is affected by the change?