Merge branch 'main' into distributed-tracing

Author: zakisk

.github/scripts/check-pr-permissions.js

@@ -26,36 +26,6 @@ module.exports = async ({ github, context, core }) => {
   core.info(`📋 Repository: ${repoOwner}/${repoName}`);
   core.info(`🏢 Target organization: ${targetOrg}`);
 
-  // Security: On non-labeled events (opened, reopened, synchronize),
-  // remove the ok-to-test label if present. This prevents an external
-  // contributor from pushing malicious code after a maintainer approved via label.
-  if (context.payload.action !== "labeled") {
-    const currentLabels = context.payload.pull_request.labels.map(
-      (l) => l.name,
-    );
-    if (currentLabels.includes("ok-to-test")) {
-      core.info(
-        `🔒 Removing ok-to-test label due to '${context.payload.action}' event — re-approval required.`,
-      );
-      try {
-        await github.rest.issues.removeLabel({
-          owner: repoOwner,
-          repo: repoName,
-          issue_number: context.payload.pull_request.number,
-          name: "ok-to-test",
-        });
-        core.info(`   Label removed successfully.`);
-      } catch (err) {
-        // 404 is expected when multiple matrix jobs race to remove the same label
-        if (err.status === 404) {
-          core.info(`   Label already removed (likely by another matrix job).`);
-        } else {
-          core.warning(`   Failed to remove ok-to-test label: ${err.message}`);
-        }
-      }
-    }
-  }
-
   // Condition 1: Check if the user is a trusted bot.
   const trustedBots = ["dependabot[bot]", "renovate[bot]"];
   core.info(`🤖 Checking if @${actor} is a trusted bot...`);
@@ -207,8 +177,24 @@ module.exports = async ({ github, context, core }) => {
     context.payload.label.name === "ok-to-test"
   ) {
     core.info(
-      `✅ Condition met: ok-to-test label applied by @${context.actor}. Proceeding with tests.`,
+      `✅ Condition met: ok-to-test label applied by @${context.actor}. Removing label and proceeding with tests.`,
     );
+    try {
+      await github.rest.issues.removeLabel({
+        owner: repoOwner,
+        repo: repoName,
+        issue_number: context.payload.pull_request.number,
+        name: "ok-to-test",
+      });
+      core.info(`   ok-to-test label removed successfully.`);
+    } catch (err) {
+      // 404 is expected when multiple matrix jobs race to remove the same label
+      if (err.status !== 404) {
+        core.setFailed(`   Failed to remove ok-to-test label: ${err.message}`);
+        return;
+      }
+      core.info(`   Label already removed (likely by another matrix job).`);
+    }
     return;
   }
 

.github/workflows/e2e.yaml

@@ -25,6 +25,7 @@ on:
       - ".github/workflows/**"
       - "test/testdata/**"
       - "vendor/**"
+      - ".github/scripts/**"
 
 jobs:
   e2e-tests:

test/github_pullrequest_retest_test.go

@@ -7,11 +7,13 @@ import (
 	"fmt"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/google/go-github/v84/github"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/keys"
 	tgithub "github.com/openshift-pipelines/pipelines-as-code/test/pkg/github"
 	twait "github.com/openshift-pipelines/pipelines-as-code/test/pkg/wait"
+	tektonv1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	"gotest.tools/v3/assert"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -98,21 +100,21 @@ func TestGithubGHEPullRequestGitopsCommentCancel(t *testing.T) {
 		&github.IssueComment{Body: github.Ptr("/cancel pr-gitops-comment")})
 	assert.NilError(t, err)
 
-	waitOpts = twait.Opts{
+	cancelWaitOpts := twait.Opts{
 		RepoName:        g.TargetNamespace,
 		Namespace:       g.TargetNamespace,
-		MinNumberStatus: 3,
-		PollTimeout:     twait.DefaultTimeout,
+		MinNumberStatus: 1,
+		PollTimeout:     90 * time.Second,
 		TargetSHA:       g.SHA,
 	}
-	g.Cnx.Clients.Log.Info("Waiting for Repository to be updated")
-	_, err = twait.UntilRepositoryUpdated(ctx, g.Cnx.Clients, waitOpts)
+
+	g.Cnx.Clients.Log.Info("Waiting for PipelineRun to be cancelled")
+	err = twait.UntilPipelineRunHasReason(ctx, g.Cnx.Clients, tektonv1.PipelineRunReasonCancelled, cancelWaitOpts)
 	assert.NilError(t, err)
 
-	g.Cnx.Clients.Log.Infof("Check if we have the repository set as succeeded")
-	repo, err := g.Cnx.Clients.PipelineAsCode.PipelinesascodeV1alpha1().Repositories(g.TargetNamespace).Get(ctx, g.TargetNamespace, metav1.GetOptions{})
+	g.Cnx.Clients.Log.Info("Waiting for Repository status to reflect cancellation")
+	_, err = twait.UntilRepositoryHasStatusReason(ctx, g.Cnx.Clients, cancelWaitOpts, tektonv1.PipelineRunReasonCancelled.String())
 	assert.NilError(t, err)
-	assert.Equal(t, repo.Status[len(repo.Status)-1].Conditions[0].Status, corev1.ConditionFalse)
 
 	pruns, err = g.Cnx.Clients.Tekton.TektonV1().PipelineRuns(g.TargetNamespace).List(ctx, metav1.ListOptions{
 		LabelSelector: fmt.Sprintf("%s=%s", keys.SHA, g.SHA),