Skip to content

add gating check to tests to ensure/recheck that pr submitter is auth…#463

Closed
acornett21 wants to merge 1 commit into
redhat-openshift-ecosystem:ci/latestfrom
acornett21:update_operator_test_gha
Closed

add gating check to tests to ensure/recheck that pr submitter is auth…#463
acornett21 wants to merge 1 commit into
redhat-openshift-ecosystem:ci/latestfrom
acornett21:update_operator_test_gha

Conversation

@acornett21

Copy link
Copy Markdown

Implement workflow authorization gating and secret scoping:

Changes:

  1. Authorization gating: Test jobs now only run for authorized contributors (listed in operator ci.yaml reviewers)
  2. Secret scoping: Moved IIB_INPUT_REGISTRY_TOKEN from workflow-level to individual test jobs, limiting exposure

…orized

Signed-off-by: Adam D. Cornett <adc@redhat.com>
@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

This PR has changes outside of operators directory. Maintainers have to approve it.

test-kiwi:
name: "kiwi / Full operator test"
needs: pr-check
if: needs.pr-check.outputs.opp_test_ready == '1' && (needs.pr-check.outputs.opp_op_delete == '0' || needs.pr-check.outputs.opp_is_new_operatror == '1' || needs.pr-check.outputs.opp_recreate == '1' ) && needs.pr-check.outputs.opp_ci_yaml_only == '0'

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem with this is that the tests are simply skipped (not failed) if the authorized-changes label is not set. This just marks the operator as validated (even though no validation ran). Some bigger rework will be needed for proper gating. See this testing PR I ran with update of the CI based on your PR.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BorekZnovustvoritel Thanks for testing this, it was on my todo today, since I just learned last week how the testing works here. However, since this doesn't work, and since you all updated the jira to work on this. I'll close this PR and let you all take care of this.

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 5, 2026
@openshift-ci

openshift-ci Bot commented Jun 5, 2026

Copy link
Copy Markdown

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@acornett21 acornett21 closed this Jun 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants