fix: add admin rbac for pr-preview namespace (#492)

fegmorte · web-flow · commit 1cfa49aefddd · 2026-04-02T12:17:36.000+02:00
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -17,19 +17,17 @@ on:
 
 permissions: {}
 
-# Controls concurrent workflow runs:
-# - Groups runs by PR head ref
-# - Cancels in-progress runs when new commits are pushed
+# Per-PR group + suffix: runs that should supersede each other use "ci"; unrelated
+# label events (e.g. CLA bot) use "noise" so they do not cancel an in-progress push
+# or pr-preview run. Push / synchronize / reopen always use "ci"; so do labeled
+# events that match docker-build (pr-preview-*, docker). Those now share one group
+# and cancel each other (fixing label-pr-preview vs synchronize split).
 concurrency:
   group: >-
-    build-and-test-${{ github.head_ref || github.run_id }}-${{
-      github.event.action == 'labeled' &&
-      startsWith(github.event.label.name, 'pr-preview-') &&
-      'label-pr-preview' ||
-      github.event.action == 'labeled' &&
-      github.event.label.name != 'docker' &&
-      'label-other' ||
-      'main'
+    build-and-test-${{ github.event.pull_request.number || github.run_id }}-${{
+      github.event.action != 'labeled' && 'ci' ||
+      github.event.action == 'labeled' && (startsWith(github.event.label.name, 'pr-preview-') || github.event.label.name == 'docker') && 'ci' ||
+      'noise'
     }}
   cancel-in-progress: true
 
diff --git a/.github/workflows/pr-preview-deploy.yml b/.github/workflows/pr-preview-deploy.yml
@@ -63,12 +63,12 @@ jobs:
       NAMESPACE: 'kms-ci-${{ github.actor }}-${{ inputs.pr_number }}'
       TKMS_INFRA_CHART_VERSION: '0.3.2'
       SYNC_SECRETS_CHART_VERSION: '0.2.1'
-      KMS_CORE_ENCLAVE_IMAGE_NAME: 'ghcr.io/zama-ai/kms/core-service-enclave'
-      KMS_CORE_IMAGE_NAME: 'ghcr.io/zama-ai/kms/core-service'
-      KMS_CORE_CLIENT_IMAGE_NAME: 'ghcr.io/zama-ai/kms/core-client'
+      KMS_CORE_ENCLAVE_IMAGE_NAME: 'hub.zama.org/ghcr/zama-ai/kms/core-service-enclave'
+      KMS_CORE_IMAGE_NAME: 'hub.zama.org/ghcr/zama-ai/kms/core-service'
+      KMS_CORE_CLIENT_IMAGE_NAME: 'hub.zama.org/ghcr/zama-ai/kms/core-client'
       KMS_CORE_IMAGE_TAG: ${{ inputs.image_tag }}
       KMS_CORE_CLIENT_IMAGE_TAG: ${{ inputs.image_tag }}
-      IMAGE_REPO: 'ghcr.io/zama-ai/kms'
+      IMAGE_REPO: 'hub.zama.org/ghcr/zama-ai/kms'
       TLS: 'true'
       FHE_PARAMS: 'Test'
       DEPLOYMENT_TYPE: ${{ inputs.deployment_type }}
@@ -216,6 +216,17 @@ jobs:
             kubectl create namespace "${NAMESPACE}"
           fi
 
+      # ======================================================================
+      # RBAC: Tailscale group kms-dev-access (same pattern as zws-dev k8s-access)
+      # ======================================================================
+      - name: Grant kms-dev-access RBAC on preview namespace
+        run: |
+          kubectl create rolebinding kms-dev-binding \
+            --clusterrole=admin \
+            --group=kms-dev-access \
+            -n "${NAMESPACE}" \
+            --dry-run=client -o yaml | kubectl apply -f -
+
       - name: Checkout Project KMS
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -285,7 +296,7 @@ jobs:
 
            :rocket: And launch your tests:
           \`\`\`bash
-          cargo nextest run --test ${TEST_NAME} --profile ci --no-fail-fast
+          cargo nextest run --test ${TEST_NAME} --profile ci --no-fail-fast  --features="kind_tests"
           \`\`\`
 
           You can connect to the core-client with:
