From 49659dd40fe5d6f68cfc5e991f0e4b89ff34b35d Mon Sep 17 00:00:00 2001 
From: ehl-jf Date: Thu, 4 Jun 2026 16:03:47 +0200 Subject: [PATCH] JGC-499 - Replace 'safe to test' label with single build-gate environment approval Introduce build-gate.yml orchestrator: a single `build-gate` environment deployment approval (skipped on push/dispatch) releases frogbot and all integration-test suites for fork/PR runs. Convert frogbot and the 25 test workflows to reusable (workflow_call) workflows invoked behind the gate, drop the per-workflow 'safe to test' label conditions, and delete removeLabel.yml. Add a build-gate-success aggregator job that needs all suites, so branch protection can require a single stable check instead of matrix-expanded suite contexts. --- .github/workflows/accessTests.yml | 10 +- .github/workflows/artifactoryTests.yml | 10 +- .github/workflows/build-gate.yml | 183 ++++++++++++++++++ .github/workflows/conanTests.yml | 9 +- .github/workflows/distributionTests.yml | 10 +- .github/workflows/dockerTests.yml | 10 +- .github/workflows/evidenceTests.yml | 9 +- .../workflows/frogbot-scan-pull-request.yml | 10 +- .github/workflows/ghostFrogTests.yml | 10 +- .github/workflows/goTests.yml | 13 +- .github/workflows/gradleTests.yml | 10 +- .github/workflows/helmTests.yml | 10 +- .github/workflows/huggingfaceTests.yml | 10 +- .github/workflows/lifecycleTests.yml | 10 +- .github/workflows/mavenTests.yml | 10 +- .github/workflows/nixTests.yml | 9 +- .github/workflows/npmTests.yml | 10 +- .github/workflows/nugetTests.yml | 10 +- .github/workflows/oidcTests.yml | 10 +- .github/workflows/pluginsTests.yml | 10 +- .github/workflows/pnpmTests.yml | 9 +- .github/workflows/podmanTests.yml | 10 +- .github/workflows/poetryTests.yml | 11 +- .github/workflows/pythonTests.yml | 10 +- .github/workflows/removeLabel.yml | 18 -- .github/workflows/scriptTests.yml | 11 +- .github/workflows/transferTests.yml | 11 +- .github/workflows/uvTests.yml | 10 +- 28 files changed, 218 insertions(+), 245 deletions(-) create mode 100644 .github/workflows/build-gate.yml 
delete mode 100644 .github/workflows/removeLabel.yml diff --git a/.github/workflows/accessTests.yml b/.github/workflows/accessTests.yml index 3f00d95d7..62f9ec488 100644 --- a/.github/workflows/accessTests.yml +++ b/.github/workflows/accessTests.yml @@ -1,5 +1,6 @@ name: Access Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,14 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -31,7 +24,6 @@ permissions: jobs: Access-Tests: name: Access tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/artifactoryTests.yml b/.github/workflows/artifactoryTests.yml index 62e701bf5..fcb9ad60b 100644 --- a/.github/workflows/artifactoryTests.yml +++ b/.github/workflows/artifactoryTests.yml @@ -1,5 +1,6 @@ name: Artifactory Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,14 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -28,7 +21,6 @@ concurrency: jobs: Artifactory-Tests: name: ${{ matrix.suite }} ${{ matrix.os.name }} - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/build-gate.yml b/.github/workflows/build-gate.yml new file mode 100644 index 000000000..b287aae73 --- /dev/null 
+++ b/.github/workflows/build-gate.yml 
@@ -0,0 +1,183 @@
+name: Build Gate
+# Single approval gate for fork/PR runs: a maintainer approves the `build-gate`
+# environment deployment once, releasing frogbot and every integration-test suite.
+# Replaces the per-workflow 'safe to test' label mechanism.
+on:
+ pull_request_target:
+ types: [opened, synchronize, reopened]
+ branches:
+ - "master"
+ push:
+ branches:
+ - "master"
+ workflow_dispatch:
+
+# Ensures that only the latest commit is running for each PR at a time.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ pull-requests: write
+ contents: read
+
+jobs:
+ # The single approval point. `build-gate` carries the Required-reviewers rule.
+ # Trusted push & manual dispatch skip approval (empty environment name = no gate).
+ gate:
+ name: Approval gate
+ runs-on: ubuntu-latest
+ environment: ${{ github.event_name == 'pull_request_target' && 'build-gate' || '' }}
+ steps:
+ - run: echo "Approved — releasing frogbot and integration suites."
+
+ # ---- Suites (each fans out behind the single gate) ----------------------
+ frogbot:
+ needs: gate
+ uses: ./.github/workflows/frogbot-scan-pull-request.yml
+ secrets: inherit
+
+ access:
+ needs: gate
+ uses: ./.github/workflows/accessTests.yml
+ secrets: inherit
+ artifactory:
+ needs: gate
+ uses: ./.github/workflows/artifactoryTests.yml
+ secrets: inherit
+ conan:
+ needs: gate
+ uses: ./.github/workflows/conanTests.yml
+ secrets: inherit
+ distribution:
+ needs: gate
+ uses: ./.github/workflows/distributionTests.yml
+ secrets: inherit
+ docker:
+ needs: gate
+ uses: ./.github/workflows/dockerTests.yml
+ secrets: inherit
+ evidence:
+ needs: gate
+ uses: ./.github/workflows/evidenceTests.yml
+ secrets: inherit
+ ghost-frog:
+ needs: gate
+ uses: ./.github/workflows/ghostFrogTests.yml
+ secrets: inherit
+ go:
+ needs: gate
+ uses: ./.github/workflows/goTests.yml
+ secrets: inherit
+ gradle:
+ needs: gate
+ uses: ./.github/workflows/gradleTests.yml
+ secrets: inherit
+ helm:
+ needs: gate
+ uses: ./.github/workflows/helmTests.yml
+ secrets: inherit
+ huggingface:
+ needs: gate
+ uses: ./.github/workflows/huggingfaceTests.yml
+ secrets: inherit
+ lifecycle:
+ needs: gate
+ uses: ./.github/workflows/lifecycleTests.yml
+ secrets: inherit
+ maven:
+ needs: gate
+ uses: ./.github/workflows/mavenTests.yml
+ secrets: inherit
+ nix:
+ needs: gate
+ uses: ./.github/workflows/nixTests.yml
+ secrets: inherit
+ npm:
+ needs: gate
+ uses: ./.github/workflows/npmTests.yml
+ secrets: inherit
+ nuget:
+ needs: gate
+ uses: ./.github/workflows/nugetTests.yml
+ secrets: inherit
+ oidc:
+ needs: gate
+ uses: ./.github/workflows/oidcTests.yml
+ secrets: inherit
+ plugins:
+ needs: gate
+ uses: ./.github/workflows/pluginsTests.yml
+ secrets: inherit
+ pnpm:
+ needs: gate
+ uses: ./.github/workflows/pnpmTests.yml
+ secrets: inherit
+ podman:
+ needs: gate
+ uses: ./.github/workflows/podmanTests.yml
+ secrets: inherit
+ poetry:
+ needs: gate
+ uses:
./.github/workflows/poetryTests.yml + secrets: inherit + python: + needs: gate + uses: ./.github/workflows/pythonTests.yml + secrets: inherit + script: + needs: gate + uses: ./.github/workflows/scriptTests.yml + secrets: inherit + transfer: + needs: gate + uses: ./.github/workflows/transferTests.yml + secrets: inherit + uv: + needs: gate + uses: ./.github/workflows/uvTests.yml + secrets: inherit + + # Single, stable required status check. Point branch protection at + # "Build Gate / build-gate-success" instead of the matrix-expanded suite checks. + # Recover a failed suite with "Re-run failed jobs" (re-runs the suite + this job, + # not the approval gate) — no re-approval and no new commit needed. + build-gate-success: + name: build-gate-success + if: always() + needs: + - frogbot + - access + - artifactory + - conan + - distribution + - docker + - evidence + - ghost-frog + - go + - gradle + - helm + - huggingface + - lifecycle + - maven + - nix + - npm + - nuget + - oidc + - plugins + - pnpm + - podman + - poetry + - python + - script + - transfer + - uv + runs-on: ubuntu-latest + steps: + - name: Verify no suite failed or was cancelled + run: | + if ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}; then + echo "::error::One or more suites failed or were cancelled." + exit 1 + fi + echo "All suites succeeded (skipped suites are allowed)." diff --git a/.github/workflows/conanTests.yml b/.github/workflows/conanTests.yml index 0a08b9417..452d0b7b7 100644 --- a/.github/workflows/conanTests.yml +++ b/.github/workflows/conanTests.yml @@ -1,5 +1,6 @@ name: Conan Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,13 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - pull_request_target: - types: [labeled] - branches: - - "master" concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} 
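Review bot: `build-gate-success` does not list `gate` in its `needs`, so when the `build-gate` deployment is rejected or the gate job fails, every suite is `skipped`, this `always()` job still runs, and the check that branch protection is meant to require goes green although nothing was tested. Add `- gate` to `needs` and fail unless it succeeded, for example `if ${{ needs.gate.result != 'success' || contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}; then`. The workflow-level `pull-requests: write` also applies to every suite called with `secrets: inherit` under `pull_request_target`; setting `permissions:` with `pull-requests: write` only on the `frogbot` job and leaving `contents: read` as the workflow default keeps the token read-only for jobs that build PR code. The suites' checkout steps are outside this diff, so it is worth confirming they pin `github.event.pull_request.head.sha`, since the approval and the "Re-run failed jobs" path in the comment only vouch for the commit that triggered the run.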
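Review bot: The top-level `concurrency` block left as context in this file still keys on `${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}`, and under `workflow_call` the `github` context belongs to the caller, so this suite, the other converted suites and build-gate.yml itself would all resolve to the same group. As far as I can tell that makes the called workflows cancel or block one another (build-gate.yml sets `cancel-in-progress: true` on that group) instead of running in parallel. Give each reusable workflow its own literal prefix, e.g. `group: conan-tests-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}`, or drop the block here and keep concurrency only in build-gate.yml. The identical expression is visible as context in nixTests.yml, pnpmTests.yml, scriptTests.yml and transferTests.yml, and the remaining suites keep a `concurrency:` block whose body is outside their hunks.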
@@ -26,7 +20,6 @@ concurrency: jobs: Conan-Tests: name: Conan tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/distributionTests.yml b/.github/workflows/distributionTests.yml index d621d51fb..64f335bc1 100644 --- a/.github/workflows/distributionTests.yml +++ b/.github/workflows/distributionTests.yml @@ -1,14 +1,7 @@ name: Distribution Tests on: + workflow_call: workflow_dispatch: - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -17,7 +10,6 @@ concurrency: jobs: Distribution-Tests: name: Distribution tests (${{ matrix.os }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/dockerTests.yml b/.github/workflows/dockerTests.yml index e1d5056b4..761589f4f 100644 --- a/.github/workflows/dockerTests.yml +++ b/.github/workflows/dockerTests.yml @@ -1,14 +1,7 @@ name: Docker Tests on: + workflow_call: workflow_dispatch: - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -17,7 +10,6 @@ concurrency: jobs: Docker-tests: name: Docker tests (${{ matrix.os.name }}, containerd-snapshotter=${{ !matrix.disable-containerd-snapshotter }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: 
diff --git a/.github/workflows/evidenceTests.yml b/.github/workflows/evidenceTests.yml index c62460a9e..3fca11723 100644 --- a/.github/workflows/evidenceTests.yml +++ b/.github/workflows/evidenceTests.yml @@ -1,14 +1,7 @@ name: Evidence Tests on: + workflow_call: workflow_dispatch: - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: diff --git a/.github/workflows/frogbot-scan-pull-request.yml b/.github/workflows/frogbot-scan-pull-request.yml index f63c54743..c1ffd341f 100644 --- a/.github/workflows/frogbot-scan-pull-request.yml +++ b/.github/workflows/frogbot-scan-pull-request.yml @@ -1,9 +1,10 @@ name: "Frogbot Scan Pull Request" +# Reusable: invoked by build-gate.yml behind the `build-gate` approval. +# Also runnable standalone via workflow_dispatch. The approval gate now lives in the +# orchestrator, so this workflow no longer declares its own environment. on: - pull_request_target: - types: [opened, synchronize] - branches: - - "master" + workflow_call: + workflow_dispatch: permissions: pull-requests: write contents: read @@ -11,7 +12,6 @@ jobs: scan-pull-request: if: ${{ github.actor != 'dependabot[bot]' }} runs-on: ubuntu-latest - environment: frogbot steps: - name: Checkout the repository uses: actions/checkout@v6 diff --git a/.github/workflows/ghostFrogTests.yml b/.github/workflows/ghostFrogTests.yml index 89bde4ea7..607a87274 100644 --- a/.github/workflows/ghostFrogTests.yml +++ b/.github/workflows/ghostFrogTests.yml @@ -1,15 +1,7 @@ name: Ghost Frog Tests on: + workflow_call: workflow_dispatch: - push: - branches: - - "master" - - "ghost-frog" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: 
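Review bot: Removing `environment: frogbot` from `scan-pull-request` changes which secrets the job can read: `secrets: inherit` forwards the caller's repository and organization secrets, while environment secrets are only exposed to a job that names that environment. If the Frogbot credentials are stored in the `frogbot` environment (the steps that use them are outside this hunk), they will be empty after this change and need to move to repository level. The job also keeps only the dependabot guard, so build-gate.yml now calls it on `push` to master and on `workflow_dispatch`, where there is presumably no pull request to scan; `if: ${{ github.event_name == 'pull_request_target' && github.actor != 'dependabot[bot]' }}` would limit it to PR runs and leave the job `skipped` elsewhere, though it would also skip the standalone dispatch run the new header comment mentions.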
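Review bot: The removed `push` trigger also covered the `ghost-frog` branch, and build-gate.yml only triggers on pushes to `master`, so pushes to `ghost-frog` no longer run this suite. If that coverage is still wanted, add `- "ghost-frog"` to the `push` branches in build-gate.yml (which would run every suite for that branch) or keep a branch-specific `push` trigger in this file. If the drop is intentional, the commit description should say so, since it currently mentions only the label replacement.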
diff --git a/.github/workflows/goTests.yml b/.github/workflows/goTests.yml index b9a9f91fd..5bcb445dd 100644 --- a/.github/workflows/goTests.yml +++ b/.github/workflows/goTests.yml @@ -1,14 +1,10 @@ name: Go Tests +# Reusable suite: invoked by build-gate.yml behind the `build-gate` approval. +# Also runnable standalone via workflow_dispatch. Approval/label gating now lives in the +# orchestrator, not here. on: + workflow_call: workflow_dispatch: - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -18,7 +14,6 @@ jobs: GO-tests: # Go modules doesn't allow passing credentials to a private registry using an HTTP URL. Therefore, the Go tests run against a remote Artifactory server. name: Go tests (${{ matrix.os }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/gradleTests.yml b/.github/workflows/gradleTests.yml index e895fe093..5d8d32aeb 100644 --- a/.github/workflows/gradleTests.yml +++ b/.github/workflows/gradleTests.yml @@ -1,5 +1,6 @@ name: Gradle Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,14 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -28,7 +21,6 @@ concurrency: jobs: Gradle-Tests: name: ${{ matrix.os.name }}-gradle-${{ matrix.gradle-version }} - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: 
diff --git a/.github/workflows/helmTests.yml b/.github/workflows/helmTests.yml index 82c1b78eb..3801232ed 100644 --- a/.github/workflows/helmTests.yml +++ b/.github/workflows/helmTests.yml @@ -1,5 +1,6 @@ name: Helm Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,14 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -31,7 +24,6 @@ permissions: jobs: Helm-Tests: name: Helm tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/huggingfaceTests.yml b/.github/workflows/huggingfaceTests.yml index bcfb77225..84c7dd8aa 100644 --- a/.github/workflows/huggingfaceTests.yml +++ b/.github/workflows/huggingfaceTests.yml @@ -1,5 +1,6 @@ name: HuggingFace Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,14 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -31,7 +24,6 @@ permissions: jobs: HuggingFace-Tests: name: HuggingFace tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/lifecycleTests.yml b/.github/workflows/lifecycleTests.yml index c6568308c..68b934a9e 100644 --- a/.github/workflows/lifecycleTests.yml +++ b/.github/workflows/lifecycleTests.yml 
@@ -2,6 +2,7 @@ name: Lifecycle Tests env: JFROG_CLI_LOG_LEVEL: DEBUG on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -14,14 +15,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -30,7 +23,6 @@ concurrency: jobs: Lifecycle-Tests: name: Lifecycle tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/mavenTests.yml b/.github/workflows/mavenTests.yml index d209f163f..f6114e9e2 100644 --- a/.github/workflows/mavenTests.yml +++ b/.github/workflows/mavenTests.yml @@ -1,5 +1,6 @@ name: Maven Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,14 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -28,7 +21,6 @@ concurrency: jobs: Maven-Tests: name: Maven tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/nixTests.yml b/.github/workflows/nixTests.yml index 52b3909d8..78e91af47 100644 --- a/.github/workflows/nixTests.yml +++ b/.github/workflows/nixTests.yml @@ -1,5 +1,6 @@ name: Nix Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: 
@@ -12,13 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - pull_request_target: - types: [labeled] - branches: - - "master" concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} @@ -26,7 +20,6 @@ concurrency: jobs: Nix-Tests: name: Nix tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/npmTests.yml b/.github/workflows/npmTests.yml index dc8811ed4..025816028 100644 --- a/.github/workflows/npmTests.yml +++ b/.github/workflows/npmTests.yml @@ -1,5 +1,6 @@ name: npm Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,14 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -28,7 +21,6 @@ concurrency: jobs: npm-Tests: name: npm tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/nugetTests.yml b/.github/workflows/nugetTests.yml index 415471340..3fcff9e37 100644 --- a/.github/workflows/nugetTests.yml +++ b/.github/workflows/nugetTests.yml @@ -1,6 +1,7 @@ name: NuGet Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -13,14 +14,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: 
@@ -30,7 +23,6 @@ concurrency: jobs: NuGet-Tests: name: NuGet tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/oidcTests.yml b/.github/workflows/oidcTests.yml index e0b691f28..bf48ffe15 100644 --- a/.github/workflows/oidcTests.yml +++ b/.github/workflows/oidcTests.yml @@ -2,15 +2,8 @@ # After the server has been configured the CLI will ping the server to make sure we have access name: "Config OIDC test" on: + workflow_call: workflow_dispatch: - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -26,7 +19,6 @@ permissions: contents: read jobs: config-oidc: - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/pluginsTests.yml b/.github/workflows/pluginsTests.yml index 974556b96..93e356ffb 100644 --- a/.github/workflows/pluginsTests.yml +++ b/.github/workflows/pluginsTests.yml @@ -1,5 +1,6 @@ name: Plugins Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,14 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: 
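Review bot: A called workflow cannot receive more `GITHUB_TOKEN` permissions than its caller grants, and build-gate.yml grants only `pull-requests: write` and `contents: read`. This file's `permissions` block is only partly visible (its last line, `contents: read`, is context in the second hunk); if it also requests `id-token: write` for the OIDC exchange, the call from build-gate.yml would be rejected or the token request would fail. In that case add a job-level `permissions:` with `id-token: write` and `contents: read` on the `oidc` job in build-gate.yml rather than widening the workflow default. accessTests.yml, helmTests.yml and huggingfaceTests.yml also show a `permissions:` block in their hunk headers and should be checked against the caller in the same way.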
@@ -28,7 +21,6 @@ concurrency: jobs: Plugins-Tests: name: Plugins tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/pnpmTests.yml b/.github/workflows/pnpmTests.yml index eec21b04f..b8989ccbe 100644 --- a/.github/workflows/pnpmTests.yml +++ b/.github/workflows/pnpmTests.yml @@ -1,5 +1,6 @@ name: pnpm Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,13 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - pull_request_target: - types: [labeled] - branches: - - "master" concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} @@ -27,7 +21,6 @@ concurrency: jobs: pnpm-Tests: name: "pnpm 10 tests (${{ matrix.os.name }})" - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/podmanTests.yml b/.github/workflows/podmanTests.yml index ccd50c908..9ed6b479b 100644 --- a/.github/workflows/podmanTests.yml +++ b/.github/workflows/podmanTests.yml @@ -1,14 +1,7 @@ name: Podman Tests on: + workflow_call: workflow_dispatch: - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -17,7 +10,6 @@ concurrency: jobs: Podman-tests: name: Podman tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: matrix: os: 
diff --git a/.github/workflows/poetryTests.yml b/.github/workflows/poetryTests.yml index 0568a6277..01ad86394 100644 --- a/.github/workflows/poetryTests.yml +++ b/.github/workflows/poetryTests.yml @@ -1,5 +1,6 @@ name: Poetry Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -17,15 +18,6 @@ on: type: string required: false default: "1.8.5" - push: - branches: - - "master" - # Triggers the workflow on PRs to master from any branch (including forks). - # PRs from forks require the 'safe to test' label (gated below). - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -35,7 +27,6 @@ concurrency: jobs: Poetry-Tests: name: poetry ${{ matrix.os.name }} - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/pythonTests.yml b/.github/workflows/pythonTests.yml index f40ba7523..6741df604 100644 --- a/.github/workflows/pythonTests.yml +++ b/.github/workflows/pythonTests.yml @@ -1,5 +1,6 @@ name: Python Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: @@ -12,14 +13,6 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -28,7 +21,6 @@ concurrency: jobs: Python-Tests: name: ${{ matrix.suite }} ${{ matrix.os.name }} - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/removeLabel.yml b/.github/workflows/removeLabel.yml deleted file mode 100644 index 67be7e8d3..000000000 
--- a/.github/workflows/removeLabel.yml +++ /dev/null @@ -1,18 +0,0 @@ -name: Remove Label -on: - pull_request_target: - types: [labeled] -# Ensures that only the latest commit is running for each PR at a time. -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} - cancel-in-progress: true -jobs: - Remove-Label: - if: contains(github.event.pull_request.labels.*.name, 'safe to test') - name: Remove label - runs-on: ubuntu-latest - steps: - - name: Remove 'safe to test' - uses: actions-ecosystem/action-remove-labels@v1 - with: - labels: "safe to test" diff --git a/.github/workflows/scriptTests.yml b/.github/workflows/scriptTests.yml index f27a81d8b..186b4752c 100644 --- a/.github/workflows/scriptTests.yml +++ b/.github/workflows/scriptTests.yml @@ -1,14 +1,8 @@ name: Scripts Tests on: + workflow_call: workflow_dispatch: - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" + # Ensures that only the latest commit is running for each PR at a time. concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} @@ -16,7 +10,6 @@ concurrency: jobs: Scripts-tests: name: Script tests (${{ matrix.os.name }}-${{ matrix.os.version }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') defaults: run: shell: sh diff --git a/.github/workflows/transferTests.yml b/.github/workflows/transferTests.yml index 8ffe905fc..7bf68bbf1 100644 --- a/.github/workflows/transferTests.yml +++ b/.github/workflows/transferTests.yml @@ -1,5 +1,6 @@ name: Transfer Tests on: + workflow_call: workflow_dispatch: inputs: jfrog_url: 
@@ -12,14 +13,7 @@ on: type: string required: false default: "" - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" + # Ensures that only the latest commit is running for each PR at a time. concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }} @@ -27,7 +21,6 @@ concurrency: jobs: Transfer-Artifactory-7-Tests: name: Transfer tests (${{ matrix.os.name }}) - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: diff --git a/.github/workflows/uvTests.yml b/.github/workflows/uvTests.yml index f32fc4fbf..bbb876115 100644 --- a/.github/workflows/uvTests.yml +++ b/.github/workflows/uvTests.yml @@ -1,14 +1,7 @@ name: UV Tests on: + workflow_call: workflow_dispatch: - push: - branches: - - "master" - # Triggers the workflow on PRs to master branch only. - pull_request_target: - types: [labeled] - branches: - - "master" # Ensures that only the latest commit is running for each PR at a time. concurrency: @@ -18,7 +11,6 @@ concurrency: jobs: UV-Tests: name: uv ${{ matrix.os.name }} py${{ matrix.python-version }} uv${{ matrix.uv-version }} - if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'safe to test') strategy: fail-fast: false matrix: