[TT-16977] fix: trigger release workflow on PR labeled event #8088

Merged
buger merged 1 commit into release-5.12 from fix/pr-labeled-trigger-release-5.12
Apr 17, 2026

@buger buger commented Apr 17, 2026

Summary

  • Add labeled to pull_request trigger types so dep-guard re-evaluates when deps-reviewed label is added.

Test plan

  • Adding deps-reviewed label triggers a new release workflow run

🤖 Generated with Claude Code

Adding deps-reviewed label after dep-guard fails didn't trigger a
new run. Add 'labeled' type so the workflow re-runs when the label
is added.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@buger buger requested a review from a team as a code owner April 17, 2026 13:54
@github-actions

🚨 Jira Linter Failed

Commit: 2b375ee
Failed at: 2026-04-17 13:55:04 UTC

The Jira linter failed to validate your PR. Please check the error details below:

🔍 Error details:
failed to validate branch and PR title rules: branch name 'fix/pr-labeled-trigger-release-5.12' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

probelabs Bot commented Apr 17, 2026

This PR updates the release.yml GitHub Actions workflow to trigger on the labeled event for pull requests. This allows the workflow, particularly the dep-guard check, to be re-evaluated when a label such as deps-reviewed is added, without requiring a new commit.

Files Changed Analysis

  • .github/workflows/release.yml: A single line was added to include labeled in the list of pull request event types that trigger the workflow.

Architecture & Impact Assessment

  • Accomplishment: Enables re-running the release workflow's checks when a PR is labeled, improving the dependency review process.
  • Technical Change: The on.pull_request.types configuration in the workflow was expanded from [opened, synchronize, reopened] to [opened, synchronize, reopened, labeled].
  • Affected Components: This change affects the CI/CD pipeline by increasing the frequency of release workflow runs. It will now execute every time a label is added to a pull request, which may have a minor impact on action runner usage.

Scope Discovery & Context Expansion

  • The change is confined to the trigger mechanism of the release.yml workflow. The direct purpose is to re-run jobs within this workflow when a label is applied. Based on the PR description, this is intended to interact with a dep-guard job that likely has logic conditioned on the presence of the deps-reviewed label.

Metadata

  • Review Effort: 1 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-04-17T13:56:20.753Z | Triggered by: pr_opened | Commit: 2b375ee

💡 TIP: You can chat with Visor using /visor ask <your question>

probelabs Bot commented Apr 17, 2026

Security Issues (1)

Severity: 🟡 Warning
Location: .github/workflows/release.yml:19
Issue: The `release.yml` workflow is now triggered whenever a label is added to a pull request (`labeled` event). This significantly widens the trigger surface for a workflow that, based on its name, may perform sensitive release operations. If this workflow has access to secrets and performs actions like publishing artifacts, it could be triggered on unreviewed code by any user with permission to add labels. This could potentially lead to unauthorized releases or execution of privileged actions from a pull request branch.
💡 Suggestion: Validate that the `release.yml` workflow does not perform any sensitive operations that should be restricted to merges on protected branches. If it does, remove the `labeled` trigger. If the workflow must run on label events for tasks like dependency checks (as suggested by the PR description), ensure the job has strict conditions to prevent unintended execution of sensitive steps. For example, add conditions to verify the actor's permissions and the specific label that was added (e.g., `if: github.event.label.name == 'deps-reviewed'`). Sensitive release workflows should ideally only be triggered on pushes to protected branches.

Architecture Issues (1)

Severity: 🟡 Warning
Location: .github/workflows/release.yml:19
Issue: The workflow is configured to trigger every time any label is added to a pull request by using the `labeled` event type. This will cause the workflow to execute for any label, leading to unnecessary workflow runs and resource consumption. The pull request description states the goal is to trigger only for the `deps-reviewed` label.
💡 Suggestion: To ensure the workflow runs only when intended, add a condition to the relevant job(s) to check for the specific label. For example:

```yaml
jobs:
  your-job-name:
    if: github.event.label.name == 'deps-reviewed'
    ...
```

Performance Issues (1)

Severity: 🟡 Warning
Location: .github/workflows/release.yml:19
Issue: The workflow is configured to trigger on every `labeled` event for a pull request. This will cause the entire workflow to run each time any label is added or removed, leading to unnecessary consumption of CI/CD resources. The pull request description mentions this is for the `deps-reviewed` label, but the current implementation triggers on all labels.
💡 Suggestion: To prevent unnecessary workflow runs, add a conditional check at the job level to ensure that jobs only run for the `labeled` event if the specific label is `deps-reviewed`. This will preserve the behavior for other event types like `opened` and `synchronize` while correctly scoping the `labeled` trigger.

Example of a job-level conditional:

jobs:
  some-job:
    if: github.event.action != 'labeled' || github.event.label.name == 'deps-reviewed'
    runs-on: ubuntu-latest
    steps:
      ...

Powered by Visor from Probelabs

Last updated: 2026-04-17T13:55:56.100Z | Triggered by: pr_opened | Commit: 2b375ee

💡 TIP: You can chat with Visor using /visor ask <your question>
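
The job-level guard from the review above, combined with a read-only token and a publish job that cannot run from a pull request, as an added example that is not part of this PR or the repository's release.yml. The job names, step bodies and the push trigger are assumptions; only the event types, the deps-reviewed label and the release-5.12 branch come from the page.

```yaml
# Hypothetical excerpt for illustration; not the project's release.yml.
name: release

on:
  push:
    branches: [release-5.12]
  pull_request:
    types: [opened, synchronize, reopened, labeled]

# Default the workflow token to read-only; a job that needs more
# must request it explicitly in its own permissions block.
permissions:
  contents: read

jobs:
  dep-guard:
    # Pull requests only. On opened/synchronize/reopened run as before;
    # on labeled run only when the label just added is deps-reviewed.
    if: >-
      github.event_name == 'pull_request' &&
      (github.event.action != 'labeled' ||
       github.event.label.name == 'deps-reviewed')
    runs-on: ubuntu-latest
    steps:
      - name: Require dependency review (stand-in for the real check)
        # github.event.label exists only on label events, so read the
        # PR's full label list; that is also populated on synchronize.
        if: ${{ !contains(github.event.pull_request.labels.*.name, 'deps-reviewed') }}
        run: |
          echo "Dependency changes need the deps-reviewed label." >&2
          exit 1

  publish:
    # Steps that use release credentials run only for pushes to the
    # release branch, never for any pull_request event, labeled included.
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - run: echo "release steps go here (placeholder)"
```

A label stays on the pull request when further commits are pushed, so a later synchronize run still sees deps-reviewed; clearing the label on new pushes is a separate control this sketch does not implement.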

@github-actions

API Changes

no api changes detected

@buger buger merged commit b893a31 into release-5.12 Apr 17, 2026
18 of 20 checks passed
@buger buger deleted the fix/pr-labeled-trigger-release-5.12 branch April 17, 2026 14:05
@probelabs probelabs Bot changed the title fix: trigger release workflow on PR labeled event [TT-16977] fix: trigger release workflow on PR labeled event Apr 17, 2026