o11y update #251
| name: PR Environment Labels | |
| # Known limitation: labels are computed at PR-event time and are NOT | |
| # refreshed when the base branch (main) changes. Any structural change | |
| # to main that alters the dependency graph between files and overlays can | |
| # make labels on open PRs stale until the next push to those PRs. | |
| # | |
| # Examples: | |
| # - A new production cluster overlay is added to main that references | |
| # a component modified by an already-open PR. | |
| # - A kustomization in main gains a new resource/helmChart/generator | |
| # that pulls in a directory the PR modifies. | |
| # - An ApplicationSet in main changes its source path, shifting which | |
| # files map to which environment. | |
| # - An overlay is removed from main, but open PRs still carry its label. | |
| # | |
| # In practice this is rare — it requires the dependency structure to | |
| # change in main while an open PR touches the affected component, and | |
| # the PR to merge without any subsequent push. | |
| on: | |
| pull_request_target: | |
| types: [opened, synchronize, reopened] | |
| jobs: | |
| label: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| contents: read | |
| steps: | |
| # Check out the BASE branch (trusted code) so we never execute fork code. | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: infra-tools/go.mod | |
| # Build the detector binary from the trusted base branch before | |
| # switching to the PR head. This ensures a malicious fork cannot | |
| # inject code that runs with the elevated GITHUB_TOKEN. | |
| - name: Build detector (from base branch) | |
| working-directory: infra-tools | |
| run: go build -o bin/env-detector ./cmd/env-detector | |
| # Fetch the GitHub-synthesized merge commit (main + PR merged) so the | |
| # tool analyses the post-merge state. This ensures overlay builds | |
| # reflect what will actually be deployed after the PR lands, and the | |
| # two-point diff against origin/main shows only the PR's own changes. | |
| - name: Checkout PR merge ref | |
| run: | | |
| git fetch origin pull/${{ github.event.pull_request.number }}/merge:pr-merge | |
| git checkout pr-merge | |
| - name: Detect and label | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| working-directory: infra-tools | |
| run: | | |
| ./bin/env-detector \ | |
| --repo-root=.. \ | |
| --base-ref=origin/${{ github.event.pull_request.base.ref }} \ | |
| --pr-number=${{ github.event.pull_request.number }} \ | |
| --github-token=$GITHUB_TOKEN \ | |
| --repo=${{ github.repository }} \ | |
| --log-file=../debug.log | |
| - name: Upload debug log | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: debug-log | |
| path: debug.log |
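Review bot: The trusted detector built in "Build detector (from base branch)" is written to `infra-tools/bin/env-detector` inside the working tree, and "Checkout PR merge ref" then switches that same tree to PR-controlled content before "Detect and label" executes the binary with a `pull-requests: write` token; if `infra-tools/bin/` is ignored by git (not visible on this page), `git checkout pr-merge` would replace the path with a tracked file of the same name from the PR without an error, which undoes the isolation the comments on the build step promise. Building to a location outside the checkout removes the dependence on `.gitignore` state: `run: go build -o "$RUNNER_TEMP/env-detector" ./cmd/env-detector` in the build step and `"$RUNNER_TEMP/env-detector" \` as the first line of the detect step. For the same reason, prefer pinning `actions/checkout`, `actions/setup-go` and `actions/upload-artifact` to commit SHAs rather than moving tags in a workflow that runs with a write-scoped token, and, if the tool supports reading it from the environment, pass `GITHUB_TOKEN` via `env` rather than `--github-token=$GITHUB_TOKEN` so it does not appear in the process argument list. The build-step comment should also state this invariant explicitly, e.g. `# The binary must live outside the working tree: the later checkout of the PR merge ref must not be able to replace it.`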