open-telemetry
diff --git a/‎.github/labeler.yml‎
Lines changed: 0 additions & 11 deletions b/‎.github/labeler.yml‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎.github/workflows/build-pull-request.yml‎
Lines changed: 67 additions & 18 deletions b/‎.github/workflows/build-pull-request.yml‎
Lines changed: 67 additions & 18 deletions
diff --git a/‎.github/workflows/label.yml‎
Lines changed: 0 additions & 20 deletions b/‎.github/workflows/label.yml‎
Lines changed: 0 additions & 20 deletions
diff --git a/‎.github/workflows/test-on-comment.yml‎
Lines changed: 152 additions & 0 deletions b/‎.github/workflows/test-on-comment.yml‎
Lines changed: 152 additions & 0 deletions
@@ -6,32 +6,81 @@ on:
       - opened
       - synchronize
       - reopened
-      - labeled
+  # Triggered by `.github/workflows/test-on-comment.yml` to enable optional
+  # tests (openj9, windows, or to force-run native) on a specific PR. The
+  # comment workflow validates the commenter's association before dispatching.
+  workflow_dispatch:
+    inputs:
+      pr-number:
+        description: "PR number to build"
+        type: string
+        required: true
+      run-native-tests:
+        description: "Force-enable native tests"
+        type: boolean
+        default: false
+      run-openj9-tests:
+        description: "Enable openj9 tests"
+        type: boolean
+        default: false
+      run-windows-smoke-tests:
+        description: "Enable windows smoke tests"
+        type: boolean
+        default: false
 
 concurrency:
-  group: build-pull-request-${{ github.event.pull_request.number }}
+  # Per-PR group across both event types so a new push or a new
+  # workflow_dispatch from a /test command supersedes any in-progress build.
+  group: build-pull-request-${{ github.event.pull_request.number || inputs.pr-number }}
   cancel-in-progress: true
 
 permissions:
   contents: read
 
 jobs:
+  # Detect whether native tests should run based on the PR's changed file
+  # paths (formerly handled by `.github/labeler.yml`'s `test native` rule).
+  # Runs for both pull_request and workflow_dispatch events so that a
+  # `/test openj9` (or similar) dispatched build still auto-runs native
+  # tests if the PR's diff warrants them.
+  resolve-native:
+    runs-on: ubuntu-latest
+    outputs:
+      run-native-tests: ${{ steps.filter.outputs.native }}
+    steps:
+      - name: Detect native-relevant changes
+        id: filter
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number || inputs.pr-number }}
+        run: |
+          files=$(
+            gh api --paginate "/repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/files" \
+              --jq '.[].filename'
+          )
+          include='^instrumentation/logback/logback-appender-1\.0/library/'
+          include+='|^instrumentation/jdbc/library/'
+          include+='|^instrumentation/spring/'
+          include+='|^smoke-tests-otel-starter/'
+          include+='|^dependencyManagement/build\.gradle\.kts$'
+          include+='|^settings\.gradle\.kts$'
+          exclude='^instrumentation/spring/.+/javaagent/'
+          if grep -Eq "$include" <<<"$files" && ! grep -Eq "$exclude" <<<"$files"; then
+            echo "native=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "native=false" >> "$GITHUB_OUTPUT"
+          fi
+
   build:
-    # On `labeled` events, only proceed when the added label affects what we
-    # build. All other event types (opened, synchronize, reopened) always
-    # proceed.
-    if: |
-      github.event.action != 'labeled' ||
-      github.event.label.name == 'test native' ||
-      github.event.label.name == 'test openj9' ||
-      github.event.label.name == 'test windows'
+    needs: [resolve-native]
     uses: ./.github/workflows/reusable-pr-build.yml
     with:
-      # it's rare for only the openj9 tests, openj9 smoke variants, the windows
-      # smoke tests, or the native tests to break, so they are gated by labels.
-      # `test native` is applied automatically by .github/labeler.yml when the
-      # PR diff touches native-relevant paths; `test openj9` and `test windows`
-      # are applied manually.
-      skip-native-tests: ${{ !contains(github.event.pull_request.labels.*.name, 'test native') }}
-      skip-openj9-tests: ${{ !contains(github.event.pull_request.labels.*.name, 'test openj9') }}
-      skip-windows-smoke-tests: ${{ !contains(github.event.pull_request.labels.*.name, 'test windows') }}
+      # Native tests run when either:
+      # * a /test native comment dispatched this build (run-native-tests=true), or
+      # * the changed paths match the legacy `test native` glob (resolve-native).
+      skip-native-tests: ${{ !(inputs.run-native-tests || needs.resolve-native.outputs.run-native-tests == 'true') }}
+      # openj9 / windows tests are opt-in via /test openj9 or /test windows
+      # comments handled by `.github/workflows/test-on-comment.yml`.
+      skip-openj9-tests: ${{ !inputs.run-openj9-tests }}
+      skip-windows-smoke-tests: ${{ !inputs.run-windows-smoke-tests }}
+
@@ -0,0 +1,152 @@
+name: Test on comment
+
+# Lets a maintainer enable optional tests on a PR by commenting one of:
+#
+#   /test native    -- force-run native tests (also auto-detected from paths)
+#   /test openj9    -- run the openj9 test variants
+#   /test windows   -- run the windows smoke tests
+#
+# Multiple words can be combined, e.g. `/test openj9 windows`.
+#
+# Replaces the previous label-driven design (`test native` / `test openj9` /
+# `test windows` labels). Labels were removed because adding a label fires a
+# `pull_request labeled` event, which entered the build's per-PR concurrency
+# group BEFORE the job-level `if:` filter ran, cancelling the in-progress
+# real build whenever any non-test label was added (see PR #18441).
+#
+# Comment commands sidestep that entirely: this workflow lives in its own
+# `issue_comment` event scope and dispatches `build-pull-request.yml` via
+# `workflow_dispatch` against the PR's head branch, so its check_runs
+# surface in the PR Checks tab and supersede prior runs in the same per-PR
+# concurrency group (just like a fresh push would).
+
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  contents: read
+
+jobs:
+  dispatch:
+    # Only run on PR comments containing a /test command from a maintainer.
+    if: |
+      github.event.issue.pull_request != null &&
+      startsWith(github.event.comment.body, '/test ') &&
+      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write       # to dispatch build-pull-request.yml
+      pull-requests: write # to react to the comment
+    steps:
+      - name: Acknowledge comment with eyes reaction
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api -X POST -H "Accept: application/vnd.github+json" \
+            "/repos/${GITHUB_REPOSITORY}/issues/comments/${{ github.event.comment.id }}/reactions" \
+            -f content=eyes
+
+      - name: Parse /test command
+        id: parse
+        env:
+          BODY: ${{ github.event.comment.body }}
+        run: |
+          set -euo pipefail
+          # Drop the leading "/test " then split remaining words.
+          rest="${BODY#'/test '}"
+          # Keep only the first line; ignore anything after a newline.
+          rest="${rest%%$'\n'*}"
+          run_native=false
+          run_openj9=false
+          run_windows=false
+          for word in $rest; do
+            case "$word" in
+              native) run_native=true ;;
+              openj9) run_openj9=true ;;
+              windows) run_windows=true ;;
+            esac
+          done
+          if ! $run_native && ! $run_openj9 && ! $run_windows; then
+            echo "Refusing to dispatch: no recognized test variants in /test command." >&2
+            echo "valid=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "valid=true" >> "$GITHUB_OUTPUT"
+            echo "run-native=$run_native" >> "$GITHUB_OUTPUT"
+            echo "run-openj9=$run_openj9" >> "$GITHUB_OUTPUT"
+            echo "run-windows=$run_windows" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Resolve PR head ref
+        if: steps.parse.outputs.valid == 'true'
+        id: pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          # We need the head branch name for `gh workflow run --ref`
+          # (workflow_dispatch only accepts branches/tags, not SHAs).
+          IFS=$'\t' read -r head_ref head_repo < <(
+            gh api "/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.issue.number }}" \
+              --jq '[.head.ref, .head.repo.full_name] | @tsv'
+          )
+          if [[ "$head_repo" != "$GITHUB_REPOSITORY" ]]; then
+            echo "Refusing to dispatch: PR is from a fork ($head_repo); /test commands are not supported for fork PRs." >&2
+            echo "supported=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "supported=true" >> "$GITHUB_OUTPUT"
+            echo "head-ref=$head_ref" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Dispatch build-pull-request.yml
+        if: steps.parse.outputs.valid == 'true' && steps.pr.outputs.supported == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Pass templated values through env so attacker-controlled branch
+          # names (e.g. containing $, `, ") cannot escape the shell command.
+          HEAD_REF: ${{ steps.pr.outputs.head-ref }}
+          PR_NUMBER: ${{ github.event.issue.number }}
+          RUN_NATIVE: ${{ steps.parse.outputs.run-native }}
+          RUN_OPENJ9: ${{ steps.parse.outputs.run-openj9 }}
+          RUN_WINDOWS: ${{ steps.parse.outputs.run-windows }}
+        run: |
+          set -euo pipefail
+          # Dispatch against the PR's head branch so the resulting check_runs
+          # attach to the PR's HEAD commit and surface in the PR's Checks
+          # tab. The workflow file used is the one at that ref; this is the
+          # same trust model as the regular `pull_request` trigger.
+          gh workflow run build-pull-request.yml \
+            --ref "$HEAD_REF" \
+            -f pr-number="$PR_NUMBER" \
+            -f run-native-tests="$RUN_NATIVE" \
+            -f run-openj9-tests="$RUN_OPENJ9" \
+            -f run-windows-smoke-tests="$RUN_WINDOWS"
+
+      - name: React with rocket on success
+        if: steps.parse.outputs.valid == 'true' && steps.pr.outputs.supported == 'true' && success()
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api -X POST -H "Accept: application/vnd.github+json" \
+            "/repos/${GITHUB_REPOSITORY}/issues/comments/${{ github.event.comment.id }}/reactions" \
+            -f content=rocket
+
+      - name: Comment back when PR is from a fork
+        if: steps.parse.outputs.valid == 'true' && steps.pr.outputs.supported == 'false'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BODY: |
+            @${{ github.event.comment.user.login }} `/test` commands aren't supported for PRs from forks.
+
+            A maintainer can pull the branch into this repo and re-run the command, or push an empty commit to retrigger the build with the requested tests.
+        run: |
+          gh pr comment "${{ github.event.issue.number }}" --body "$BODY"
+
+      - name: React with confused on parse failure
+        if: steps.parse.outputs.valid != 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api -X POST -H "Accept: application/vnd.github+json" \
+            "/repos/${GITHUB_REPOSITORY}/issues/comments/${{ github.event.comment.id }}/reactions" \
+            -f content=confused