feat: Add check_approvals

.github/workflows/build-dev.yaml

@@ -11,70 +11,96 @@
     paths-ignore:
       - '.github/**'
 jobs:
+  check_approvals:
+    runs-on: ubuntu-latest
+    # Run this job only if the following conditions are met:
+    # 1. The pull request has the 'integration-test' label.
+    # 2. The event is either:
+    #   a. A 'pull_request' event where the base and head repositories are the same (internal PR).
+    #   b. A 'pull_request_target' event where the base and head repositories are different (external PR).
+    if: ${{ contains(github.event.pull_request.labels.*.name, 'integration-test') &&
+      (( github.event_name == 'pull_request' && github.event.pull_request.base.repo.clone_url == github.event.pull_request.head.repo.clone_url) ||
+      (github.event_name == 'pull_request_target' && github.event.pull_request.base.repo.clone_url != github.event.pull_request.head.repo.clone_url )) }}
+    outputs:
+      # Output the approval status for pull_request_target events, otherwise default to 'true'
+      check_approvals: ${{ github.event_name == 'pull_request_target' && steps.check_approvals.outputs.check_approvals || 'true' }}
+      # Output whether the PR is external
+      external_pr: ${{ github.event.pull_request.base.repo.clone_url != github.event.pull_request.head.repo.clone_url }}
+    steps:
+      - name: Check integration test allowance status
+        # Only run this step for pull_request_target events
+        if: ${{ github.event_name == 'pull_request_target' }}
+        id: check_approvals
+        # Use an external action to check if the PR has the necessary approvals
+        uses: nutanix-cloud-native/action-check-approvals@v1
+
   build-container:
+    if: ${{ (github.event_name == 'pull_request' && needs.check_approvals.outputs.external_pr == 'false') || (github.event_name == 'pull_request_target' && needs.check_approvals.outputs.external_pr == 'true' && needs.check_approvals.outputs.check_approvals == 'true') }}
+    needs: check_approvals
     runs-on: ubuntu-latest
     env:
       EXPORT_RESULT: true
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           ref: "${{ github.event.pull_request.head.sha }}"
 
       - name: Install devbox
         uses: jetify-com/[email protected]
         with:
           enable-cache: "true"
 
       - uses: actions/cache@v4
         with:
           path: |
             ~/.cache/golangci-lint
             ~/.cache/go-build
             ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
 
       - name: Test build
         run: devbox run -- make build
 
       - name: Run unit tests
         run: devbox run -- make unit-test
 
       # gocov-xml expects things to be properly placed under go path.
       # GHA clones into /home/runner/work/repository so we create
       # the directory under the right path and link it
       - run: mkdir -p /home/runner/go/src/github.com/nutanix-cloud-native/ && ln -s /home/runner/work/cloud-provider-nutanix/cloud-provider-nutanix /home/runner/go/src/github.com/nutanix-cloud-native
 
       - name: Run coverage report
         run: devbox run -- make coverage
 
       - name: Codecov
         uses: codecov/[email protected]
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:
           file: ./coverage.xml  # Replace with the path to your coverage report
           fail_ci_if_error: true
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/[email protected]
         env:
           TRIVY_DB_REPOSITORY: "ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db"
         with:
           scan-type: "fs"
           ignore-unfixed: true
           format: "table"
           exit-code: "1"
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
   e2e:
     strategy:
       matrix:
         e2e-labels:
           - "capx"
       fail-fast: false
+    needs: check_approvals
     uses: ./.github/workflows/e2e.yaml
     with:
       e2e-labels: ${{ matrix.e2e-labels }}