diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9f612c59d78..cfc150faf93 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,6 +46,8 @@ jobs:
 validate-source:
 name: Validate source code changes
 runs-on: cncf-ubuntu-8-32-x86
+ permissions:
+ pull-requests: read # For hack/ci/pr-should-include-tests to query PR labels.
 env:
 # Base commit of this PR; used by the Makefile and the helper scripts to
 # compute the commit range (git merge-base $DEST_BRANCH HEAD).
@@ -126,8 +128,9 @@ jobs:
 run: make swagger
 
 - name: Check that the PR includes tests
- # The 'No New Tests' label lets maintainers override this check.
- if: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'No New Tests') }}
+ env:
+ # For hack/ci/pr-should-include-tests to query PR labels.
+ GITHUB_TOKEN: ${{ github.token }}
 run: make tests-included
 
 - name: Validate renovate config
@@ -154,9 +157,8 @@ jobs:
 # limit enforced by hack/ci/make-and-check-size.sh.
 if: ${{ github.event_name == 'pull_request' }}
 env:
- # The 'bloat_approved' label lets a repo admin override the binary
- # size growth check in hack/ci/make-and-check-size.sh.
- BLOAT_APPROVED: ${{ contains(github.event.pull_request.labels.*.name, 'bloat_approved') }}
+ # For hack/ci/make-and-check-size.sh to query PR labels.
+ GITHUB_TOKEN: ${{ github.token }}
 run: |
 # git rebase rewrites commits, so it needs a committer identity.
 git config user.name "CI"
diff --git a/hack/ci/make-and-check-size.sh b/hack/ci/make-and-check-size.sh
index 1c31bf47620..8dde0ae9696 100755
--- a/hack/ci/make-and-check-size.sh
+++ b/hack/ci/make-and-check-size.sh
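Review bot: The new job-level `permissions:` block lists only `pull-requests: read`, and an explicit block sets every scope it does not name to none, so if any step of validate-source checks out the repository with the job token (the step list is outside this hunk) it also needs `contents: read`. The token is only consumed by the two label lookups added in the later hunks of this file, so scoping it this narrowly is sound. The inline comment would read better above the key, `# For hack/ci/pr-should-include-tests to query PR labels.` on its own line over `pull-requests: read`, which also keeps the line within 80 columns.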
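Review bot: Removing the `if:` from the 'Check that the PR includes tests' step drops the `github.event_name == 'pull_request'` guard together with the label expression, so `make tests-included` now also runs on non-PR events, while the size-check step in the next hunk keeps `if: ${{ github.event_name == 'pull_request' }}`. pr-should-include-tests only consults the label when `PR_NUMBER` is non-empty, so outside a pull request the override can never apply; presumably PR_NUMBER comes from the job env, which is not visible here. If running on every event is not intended, keep `if: ${{ github.event_name == 'pull_request' }}` on the step alongside the new `env:`.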
@@ -53,9 +53,21 @@ function bloat_approved() {
 # requiring a MAX_BIN_GROWTH=nnn statement in github comments.
 local actual_growth="$1"
 
- # The validate-source GitHub Actions workflow sets BLOAT_APPROVED=true when
- # the PR carries the '$OVERRIDE_LABEL' label.
- [[ "$BLOAT_APPROVED" == "true" ]]
+ local var
+ for var in PR_NUMBER GITHUB_TOKEN GITHUB_REPOSITORY; do
+ if [[ -z "${!var}" ]]; then
+ echo "$ME: cannot query github: \$$var is undefined" >&2
+ return 1
+ fi
+ done
+
+ labels=$(curl --fail -s \
+ -H "Authorization: bearer $GITHUB_TOKEN" \
+ -H "Accept: application/vnd.github+json" \
+ "https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/$PR_NUMBER" |
+ jq -r '.labels[].name')
+
+ grep -F -x -q "$OVERRIDE_LABEL" <<< "$labels"
 }
 
 # ACTUAL CODE BEGINS HERE
diff --git a/hack/ci/pr-should-include-tests b/hack/ci/pr-should-include-tests
index 75f55b14755..ad9568098e2 100755
--- a/hack/ci/pr-should-include-tests
+++ b/hack/ci/pr-should-include-tests
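Review bot: `labels` is assigned without `local` inside bloat_approved(), unlike `var` a few lines above, so the query result leaks into the script's global scope; declare it with `local labels` (the function's opening line is outside this hunk). The lookup also runs curl with `-s`, which hides the reason when the API call fails (bad token, rate limit, wrong repo); since `--fail` then yields an empty label list and the function merely reports "not approved", use `curl --fail -sS` so the error reaches the job log. The same curl/jq block is copied verbatim into pr-should-include-tests in the next hunk, where the same `-sS` change applies and where `return 1` sits outside any function, so on a missing variable bash prints an error and carries on unless `set -e` is in effect; `exit 1` is what is meant there.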
@@ -46,9 +46,30 @@ if [[ -z "$filtered_changes" ]]; then
 exit 0
 fi
 
-# This PR touches non-test files but adds no tests. Fail loudly.
-# The '$OVERRIDE_LABEL' label can be used to override this check; that is
-# handled by the CI workflow, not here.
+# This PR touches non-test files but adds no tests. Only allow it if the
+# '$OVERRIDE_LABEL' github label is set.
+if [[ -n "$PR_NUMBER" ]]; then
+ for var in GITHUB_TOKEN GITHUB_REPOSITORY; do
+ if [[ -z "${!var}" ]]; then
+ echo "$ME: cannot query github: \$$var is undefined" >&2
+ return 1
+ fi
+ done
+
+ labels=$(curl --fail -s \
+ -H "Authorization: bearer $GITHUB_TOKEN" \
+ -H "Accept: application/vnd.github+json" \
+ "https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/$PR_NUMBER" |
+ jq -r '.labels[].name')
+
+ if grep -F -x -q "$OVERRIDE_LABEL" <<< "$labels"; then
+ echo "$ME: \"$OVERRIDE_LABEL\" label found, ignoring test requirements"
+ exit 0
+ fi
+fi
+
+# This PR touches non-test files but adds no tests, and
+# the '$OVERRIDE_LABEL' is not set. Fail loudly.
 cat <