From: Patrick Donnelly Date: Thu, 14 May 2026 16:48:09 +0000 (-0400) Subject: .github/workflows/releng-audit: handle simultaneous override and fail label changes X-Git-Tag: v21.0.1~243^2~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=93ba2d61bef0951bdd074a528369fb95bb318a8c;p=ceph.git .github/workflows/releng-audit: handle simultaneous override and fail label changes And add branch debugging. Signed-off-by: Patrick Donnelly --- diff --git a/.github/workflows/releng-audit.yaml b/.github/workflows/releng-audit.yaml index 06fb30d7700..d57abad7a8a 100644 --- a/.github/workflows/releng-audit.yaml +++ b/.github/workflows/releng-audit.yaml @@ -30,15 +30,21 @@ jobs: const eventName = context.eventName; const payload = context.payload; + core.info(`[Router] Evaluating event: ${eventName}, action: ${payload.action || 'N/A'}`); + // Trigger via Comment Override if (eventName === 'issue_comment') { + core.info('[Router] Processing issue_comment event.'); if (!payload.issue.pull_request) { + core.info('[Router] Comment is not on a pull request. Skipping.'); core.setOutput('run_audit', 'false'); return; } if (payload.comment.body.trim().startsWith('/audit retest')) { + core.info('[Router] Detected /audit retest command. Triggering audit.'); core.setOutput('run_audit', 'true'); } else { + core.info('[Router] Comment is not an audit command. Skipping.'); core.setOutput('run_audit', 'false'); } return; @@ -48,10 +54,14 @@ jobs: const hasPassLabel = payload.pull_request?.labels.some(l => l.name === 'releng-audit-pass'); const hasOverrideLabel = payload.pull_request?.labels.some(l => l.name === 'releng-audit-override'); + core.info(`[Router] Current labels - Fail: ${hasFailLabel}, Pass: ${hasPassLabel}, Override: ${hasOverrideLabel}`); + // On Push: Run audit unless it's already in a failed state if (eventName === 'pull_request_target' && payload.action === 'synchronize') { + core.info('[Router] Processing synchronize event (new commits).'); // Strip the override label if present, as new commits invalidate previous approvals if (hasOverrideLabel) { + core.info('[Router] PR had override label. Removing it because of new commits.'); try { await github.rest.issues.removeLabel({ owner: context.repo.owner, @@ -66,11 +76,12 @@ jobs: body: '⚠️ **Audit Override Removed**\n\nNew commits were pushed to this PR, so the previous `releng-audit-override` has been removed. If this PR still requires an override, please request a new review and have an authorized user relabel the PR.' }); } catch (error) { - // Ignore if label is not present or failed to remove + core.info(`[Router] Failed to remove override label: ${error.message}`); } } if (hasFailLabel) { + core.info('[Router] PR is currently in a failed audit state. Halting automated checks until failure label is removed.'); core.setFailed("PR is currently in a failed audit state. Remove the releng-audit-fail label to re-run."); core.setOutput('run_audit', 'false'); return; @@ -78,6 +89,7 @@ jobs: // Strip the pass label on new commits so the PR reflects a pending state if (hasPassLabel) { + core.info('[Router] Removing pass label so PR reflects pending state.'); try { await github.rest.issues.removeLabel({ owner: context.repo.owner, @@ -86,22 +98,34 @@ jobs: name: 'releng-audit-pass' }); } catch (error) { - // Ignore if label is not present + core.info(`[Router] Failed to remove pass label: ${error.message}`); } } + core.info('[Router] Triggering audit for new commits.'); core.setOutput('run_audit', 'true'); return; } // Trigger via Label Removal if (eventName === 'pull_request_target' && payload.action === 'unlabeled') { - if (payload.label.name === 'releng-audit-fail' || payload.label.name === 'releng-audit-pass' || payload.label.name === 'releng-audit-override') { + const removedLabel = payload.label.name; + core.info(`[Router] Processing unlabeled event for label: ${removedLabel}`); + if (removedLabel === 'releng-audit-fail' || removedLabel === 'releng-audit-pass' || removedLabel === 'releng-audit-override') { if (context.actor === 'github-actions[bot]' || context.actor === 'github-actions') { + core.info(`[Router] Label ${removedLabel} removed by bot. Skipping audit trigger.`); + core.setOutput('run_audit', 'false'); + return; + } + + // If PR already has override, prevent manual unlabeling of 'fail' from triggering a fresh audit. + if (hasOverrideLabel && removedLabel === 'releng-audit-fail') { + core.info(`[Router] PR has releng-audit-override. Ignoring manual removal of releng-audit-fail to prevent race conditions.`); core.setOutput('run_audit', 'false'); return; } + core.info(`[Router] User @${context.actor} removed ${removedLabel}. Stripping other state labels and triggering fresh audit.`); try { await github.rest.issues.removeLabel({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, name: 'releng-audit-fail' }); } catch (e) {} @@ -119,11 +143,12 @@ jobs: const labelName = payload.label.name; const actor = context.actor; const isBot = actor === 'github-actions[bot]' || actor === 'github-actions'; + core.info(`[Router] Processing labeled event for label: ${labelName} by actor: ${actor}`); // 1. Strictly block humans from applying machine labels if (labelName === 'releng-audit-pass' || labelName === 'releng-audit-fail') { if (!isBot) { - core.warning(`User @${actor} cannot manually apply ${labelName}. Stripping labels and forcing audit.`); + core.warning(`[Router] User @${actor} cannot manually apply ${labelName}. Stripping labels and forcing audit.`); try { await github.rest.issues.removeLabel({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, name: 'releng-audit-fail' }); @@ -140,6 +165,7 @@ jobs: // 2. Enforce authorization for the override label if (labelName === 'releng-audit-override') { if (!isBot) { + core.info(`[Router] Validating if user @${actor} is authorized to apply override.`); let isAuthorized = false; try { const { data: permData } = await github.rest.repos.getCollaboratorPermissionLevel({ @@ -150,7 +176,9 @@ jobs: if (permData.permission === 'admin' || permData.permission === 'maintain') { isAuthorized = true; } - } catch (error) {} + } catch (error) { + core.info(`[Router] Failed to fetch repo permissions: ${error.message}`); + } if (!isAuthorized && context.repo.owner === 'ceph' && process.env.ORG_TOKEN) { try { @@ -161,10 +189,13 @@ jobs: username: actor }); isAuthorized = (teamData.state === 'active'); - } catch (error) {} + } catch (error) { + core.info(`[Router] Failed to fetch org team membership: ${error.message}`); + } } if (!isAuthorized) { + core.info(`[Router] User @${actor} NOT authorized. Removing override label.`); await github.rest.issues.removeLabel({ owner: context.repo.owner, repo: context.repo.repo, @@ -175,6 +206,7 @@ jobs: core.setOutput('run_audit', 'false'); return; } else { + core.info(`[Router] User @${actor} is authorized. Stripping fail/pass labels to visually unblock PR.`); // Authorized: Strip the failure label so the PR is visually unblocked try { await github.rest.issues.removeLabel({ @@ -193,19 +225,24 @@ jobs: }); } catch (e) {} } + } else { + core.info(`[Router] Bot applied ${labelName}. Permitted.`); } } + core.info(`[Router] Labeled event handled without triggering audit.`); core.setOutput('run_audit', 'false'); return; } // Initial PR Creation or Reopen if (eventName === 'pull_request_target' && (payload.action === 'opened' || payload.action === 'reopened')) { + core.info(`[Router] PR ${payload.action}. Triggering audit.`); core.setOutput('run_audit', 'true'); return; } + core.info('[Router] Event did not match any trigger criteria. Skipping audit.'); core.setOutput('run_audit', 'false'); audit: