fix: make GS Scorecard label-triggered but required for merging to main (#468)

mkolasinski-splunk · web-flow · commit e93a2686121f · 2026-02-25T09:17:48.000+01:00
## Summary - GSSA now only executes when the `execute_gs_scorecard` label is applied (no longer auto-runs on PRs to main) - For PRs targeting `main`, GSSA must have completed (pass or fail) before the PR can merge -- if skipped, `pre-publish` blocks with a clear error annotation and step summary message - Push to `main` continues to auto-run GSSA - Push to `develop`/`release/*`, schedule, and dispatch no longer run GSSA ## Changes ### `setup-workflow` job - Removed `execute_gs_scorecard` from `TESTS_TO_CONSIDER_FOR_EXECUTION` (no longer auto-enabled by branch/event logic) - Added explicit GSSA control after the `esac`: enables only when label is present (any PR) or on push to main ### `pre-publish` job - Added `run-gs-scorecard` to the `needs` list - Added a check: if the event is a PR to `main` and GSSA result is `skipped`, outputs `::error::` annotation, writes to `$GITHUB_STEP_SUMMARY`, and sets `run-publish=false` - Modified the existing jq filter to exclude `run-gs-scorecard` via `del(.["run-gs-scorecard"])` so GSSA failure doesn't block other checks ## Test results Tested on [splunk/splunk-add-on-for-ibm-websphere-application-server PR #388](splunk/splunk-add-on-for-ibm-websphere-application-server#388): | Test | Workflow Run | Result | |---|---|---| | PR to main **without** label — GSSA should be skipped, pre-publish should block | [Run #22358328636](https://github.com/splunk/splunk-add-on-for-ibm-websphere-application-server/actions/runs/22358328636) | PASS — GSSA skipped, pre-publish set `run-publish=false` with error annotation | | PR to main **with** `execute_gs_scorecard` label — GSSA should run, pre-publish should proceed | [Run #22370270246](https://github.com/splunk/splunk-add-on-for-ibm-websphere-application-server/actions/runs/22370270246) | PASS — GSSA ran (failed), pre-publish succeeded (result ignored) | JIRA: [ADDON-85652](https://splunk.atlassian.net/browse/ADDON-85652)
diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml
@@ -256,10 +256,6 @@ jobs:
               echo "spl2::true"
             fi
 
-            # GS Scorecard is always available
-            TESTS_TO_CONSIDER_FOR_EXECUTION+=("execute_gs_scorecard")
-            echo "gs_scorecard::true"
-
             found_unit_test=false
             for test_name in "${TESTS_TO_CONSIDER_FOR_EXECUTION[@]}"; do
               if [[ "$test_name" == "execute_unit" ]]; then
@@ -328,6 +324,14 @@ jobs:
               echo "No tests were labeled for execution!"
               ;;
             esac
+
+            # GS Scorecard: runs when label is present (any PR) or on push to main
+            # Required (must not be skipped) for merging PRs to main -- enforced in pre-publish
+            if [[ "${{ github.event_name }}" == "pull_request" ]] && [[ "$labels" =~ execute_gs_scorecard ]]; then
+              EXECUTION_FLAGS["execute_gs_scorecard"]="true"
+            elif [[ "${{ github.event_name }}" == "push" ]] && [[ "${{ github.ref_name }}" == "main" ]]; then
+              EXECUTION_FLAGS["execute_gs_scorecard"]="true"
+            fi
           fi
           echo "Tests to be executed:"
           for test_type in "${TESTSET[@]}"; do
@@ -2917,6 +2921,7 @@ jobs:
       - run-ucc-modinput-tests
       - run-ui-tests
       - validate-pr-title
+      - run-gs-scorecard
     runs-on: ubuntu-latest
     env:
       NEEDS: ${{ toJson(needs) }}
@@ -2925,7 +2930,19 @@ jobs:
         id: check
         shell: bash
         run: |
-          RUN_PUBLISH=$(echo "$NEEDS" | jq ".[] |  select(  ( .result != \"skipped\" ) and .result != \"success\" ) | length == 0")
+          # GS Scorecard: must have run for PRs to main (result doesn't matter, but skipped = blocked)
+          GS_RESULT=$(echo "$NEEDS" | jq -r '.["run-gs-scorecard"].result')
+          if [[ "${{ github.event_name }}" == "pull_request" ]] && [[ "${{ github.base_ref }}" == "main" ]] && [[ "$GS_RESULT" == "skipped" ]]; then
+            echo "::error::GS Scorecard is required for PRs to main. Add the 'execute_gs_scorecard' label and re-run the workflow."
+            echo "## GS Scorecard Required" >> "$GITHUB_STEP_SUMMARY"
+            echo "Add the \`execute_gs_scorecard\` label to this PR and re-run the workflow. GS Scorecard must complete before merging to main (result does not need to pass)." >> "$GITHUB_STEP_SUMMARY"
+            echo "run-publish=false" >> "$GITHUB_OUTPUT"
+            echo "Publish conditions are not met."
+            exit 1
+          fi
+
+          # Exclude run-gs-scorecard from the general check since it has its own handling above
+          RUN_PUBLISH=$(echo "$NEEDS" | jq 'del(.["run-gs-scorecard"]) | .[] | select((.result != "skipped") and .result != "success") | length == 0')
           if [[ "$RUN_PUBLISH" != *'false'* ]] && [[ "${{ needs.check-docs-changes.outputs.docs-only }}" == 'false' ]]
           then
               echo "run-publish=true" >> "$GITHUB_OUTPUT"
