ci: add upstream folder change check #3431
Pull request overview
This PR adds a GitHub Actions workflow to detect and warn about changes to upstream folders in pull requests. The workflow triggers on pull requests that modify files in any **/upstream/** path and outputs a warning if such changes are detected.
Changes:
- Added `.github/workflows/check_upstream_changes.yaml` workflow that detects modifications to upstream folder structures
- Added test string "Test123" to `applications/volumes-web-app/upstream/base/cluster-role-binding.yaml`
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/check_upstream_changes.yaml | New workflow to detect upstream folder changes and emit warnings |
| applications/volumes-web-app/upstream/base/cluster-role-binding.yaml | Unintended test content added |
Branch force-pushed from b5a84ca to a3cb231
I think relying on #3464 is easier and faster, but please reopen if needed.
@juliusvonkohout: Closed this PR.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@christian-heusel I think we should aim to use PR checks rather than hoping the review agent detects it (and how could it know what the "true" upstream state is, as you would need to check it by checking out the upstream). I know this PR will need a lot of rebasing, but I am going to reopen so we can track. /reopen
@thesuperzapper: Reopened this PR.
Details: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Branch force-pushed from a3cb231 to 1a4938c
This PR must be updated to not use pull_request_target. In its current form, it is a critical supply chain risk. /hold
Nothing about this problem requires anything but the remote branch, and a trigger on only specific paths for PRs. What we are checking is if the upstream folder is literally the exact one referenced in some control file (probably called
Adds a `pull_request_target` workflow that triggers whenever a pull
request touches files under any `upstream/` folder.
The workflow:
- Applies the
  - `upstream-changed` label to the pull request if there are changed files
  - `hold/do-not-merge` label to the pull request for outside contributors
- Posts a pull request review with a GitHub markdown alert warning with
  - "Request changes" for pull requests opened from forks by non-organization members
  - "Comment" otherwise (GitHub does not allow the repository token to submit REQUEST_CHANGES reviews on pull requests from within the same repository)
Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Christian Heusel <christian@heusel.eu>
Branch force-pushed from 1a4938c to 5c5eed7
@thesuperzapper I have now dropped the code path that would potentially handle untrusted input (the filenames), I think you can unhold the PR. I'll work on a separate approach for this topic as we discussed via PM, however until then this is what I can offer 🤗
There is no reason why this check needs to be done using pull request target, and it is not safe to do so. We must not merge this PR until a new approach is taken.
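The trigger change the hold asks for, as an added example (not this PR's workflow and not code from the kubeflow/manifests repository): the `pull_request_target` form the reviewers object to, beside a `pull_request` replacement that needs nothing but the PR's own ref and a path filter. The workflow name, job name and annotation text are assumptions.

```yaml
name: Check upstream folder changes

# Weak form, the one the review thread objects to: pull_request_target runs
# on the base branch with a write-capable GITHUB_TOKEN and repository secrets,
# so any step that consumes PR-controlled data (checked-out files, file names)
# lets a fork PR steer a privileged job.
#
# on:
#   pull_request_target:
#     paths: ["**/upstream/**"]

# Corrected form: pull_request runs in the PR's own context. A fork PR gets a
# read-only token and no secrets, so the job can only observe and report.
on:
  pull_request:
    paths:
      - "**/upstream/**"

permissions:
  contents: read

jobs:
  upstream-changed:
    runs-on: ubuntu-latest
    env:
      # Commit SHAs are plain hex, so interpolating them into a script is safe.
      BASE_SHA: ${{ github.event.pull_request.base.sha }}
      HEAD_SHA: ${{ github.event.pull_request.head.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the merge-base diff below resolves

      - name: Warn on files changed under any upstream/ folder
        run: |
          # Three-dot diff: only changes the PR introduces relative to the merge base.
          changed="$(git diff --name-only "$BASE_SHA...$HEAD_SHA" \
                     | grep -E '(^|/)upstream/' || true)"
          if [ -z "$changed" ]; then
            echo "No upstream/ files changed."
            exit 0
          fi
          printf '%s\n' "$changed" | while IFS= read -r f; do
            # Annotations show in the Files tab; no write token is required.
            echo "::warning file=$f::vendored upstream content changed by hand; use the sync process instead."
          done
          # Fail the check so the change cannot be merged unnoticed.
          exit 1
```

Labels and "Request changes" reviews, as described in the commit message, need a write token that a fork PR does not receive under `pull_request`; if they are wanted, apply them from a separate `workflow_run` job that treats this job's output as untrusted data.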
Pull Request Template for Kubeflow Manifests
✏️ Summary of Changes
See christian-heusel/community-distribution-playground#3 (review) for a test of this new GitHub Action 🤗
📦 Dependencies
`upstream-changed` label
🐛 Related Issues
none
✅ Contributor Checklist