Merge branch 'master' into add-subpath-support

vmridul · web-flow · commit 57864e4eb86d · 2025-12-19T22:58:25.000+05:30
diff --git a/.github/workflows/ok-to-test-ci.yml b/.github/workflows/ok-to-test-ci.yml
@@ -0,0 +1,54 @@
+name: Execute CI on PRs with ok-to-test label
+
+# This workflow executes CI for fork PRs that have the 'ok-to-test' label.
+# Once labeled, all subsequent commits will have their CI runs auto-approved.
+
+on:
+  pull_request_target:
+    types: [labeled, synchronize]
+
+permissions:
+  actions: write
+  contents: read
+  pull-requests: read
+
+jobs:
+  auto-approve:
+    runs-on: ubuntu-latest
+    # Only run for fork PRs with ok-to-test label
+    if: >
+      github.event.pull_request.head.repo.full_name != github.repository &&
+      contains(join(github.event.pull_request.labels.*.name, ','), 'ok-to-test')
+    steps:
+      - name: Approve pending workflow runs
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          echo "Looking for workflow runs requiring approval for SHA: $PR_SHA"
+
+          # Wait a moment for workflow runs to be created
+          sleep 5
+
+          # Get all workflow runs for this commit that need approval
+          runs=$(curl -s -H "Authorization: Bearer $GH_TOKEN" \
+            -H "Accept: application/vnd.github.v3+json" \
+            "https://api.github.com/repos/${{ github.repository }}/actions/runs?head_sha=$PR_SHA" | \
+            jq -r '.workflow_runs[] | select(.status == "action_required") | .id')
+
+          if [[ -z "$runs" ]]; then
+            echo "No workflow runs found requiring approval."
+            exit 0
+          fi
+
+          echo "Found workflow runs requiring approval: $runs"
+
+          # Approve each workflow run
+          for run_id in $runs; do
+            echo "Approving workflow run: $run_id"
+            curl -X POST -H "Authorization: Bearer $GH_TOKEN" \
+              -H "Accept: application/vnd.github.v3+json" \
+              "https://api.github.com/repos/${{ github.repository }}/actions/runs/$run_id/approve"
+          done
+
+          echo "All pending runs approved."
diff --git a/.github/workflows/ok-to-test-label.yml b/.github/workflows/ok-to-test-label.yml
@@ -0,0 +1,59 @@
+name: /ok-to-test -> label
+
+# When a maintainer comments /ok-to-test, this adds the 'ok-to-test' label.
+# The ok-to-test-ci.yml workflow then automatically executes CI for labeled PRs.
+
+# Please note, the google-oss-prow bot also converts /ok-to-test comments to
+# labels. As a result, this is technically redundant, but I'm adding it in case
+# we decide to move away from prow.
+
+on:
+  issue_comment:
+    types:
+      - created
+
+permissions: read-all
+
+jobs:
+  # Notify non-members that they cannot use privileged commands
+  unauthorized:
+    runs-on: ubuntu-latest
+    if: >-
+      contains(github.event.comment.body, '/ok-to-test') &&
+      !(github.event.comment.author_association == 'MEMBER' ||
+        github.event.comment.author_association == 'OWNER')
+    permissions:
+      issues: write
+    steps:
+      - name: Notify commenter of insufficient permissions
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MESSAGE: |
+            🚫 This command cannot be processed. Only organization members or owners can use `/ok-to-test`.
+            Once a maintainer applies the `ok-to-test` label, CI will run automatically on all future commits.
+        run: |
+          gh issue comment "${{ github.event.issue.number }}" --repo "${{ github.repository }}" --body "${MESSAGE}"
+
+  # Add ok-to-test label when a maintainer comments /ok-to-test
+  ok-to-test:
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.issue.pull_request &&
+      contains(github.event.comment.body, '/ok-to-test') &&
+      (github.event.comment.author_association == 'MEMBER' ||
+        github.event.comment.author_association == 'OWNER')
+    permissions:
+      pull-requests: write
+      issues: write
+    steps:
+      - name: Add ok-to-test label
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr edit "${{ github.event.issue.number }}" \
+            --repo "${{ github.repository }}" \
+            --add-label "ok-to-test"
+
+          gh issue comment "${{ github.event.issue.number }}" \
+            --repo "${{ github.repository }}" \
+            --body "✅ Added \`ok-to-test\` label. CI will now run automatically on all commits to this PR."
diff --git a/.github/workflows/pr-commands.yml b/.github/workflows/pr-commands.yml
diff --git a/manifests/kustomize/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/deployment.yaml b/manifests/kustomize/env/cert-manager/platform-agnostic-multi-user-k8s-native/patches/deployment.yaml
@@ -10,7 +10,6 @@ spec:
           ports:
           - containerPort: 8443
             name: webhook
-          image: domain.local/apiserver:local
           command:
             - "/bin/apiserver"
           args:
