redhat-developer · openshift-merge-bot · Dec 11, 2025 · Dec 11, 2025 · Dec 11, 2025 · Dec 11, 2025
diff --git a/.github/workflows/pr-1.8.yaml b/.github/workflows/pr-1.8.yaml
@@ -0,0 +1,202 @@
+# Copyright Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: PR
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - release-1.7
+      - release-1.8
+
+env:
+  TURBO_SCM_BASE: ${{ github.event.pull_request.base.sha }}
+  TURBO_SCM_HEAD: ${{ github.sha }}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check-commit-author:
+    # This job is used to check if the commit author is an active member of the rhdh team.
+    # It is used to determine if the PR should be run with the internal or external environment.
+    # The job is run on the main branch to ensure that the action is not tampered with.
+    runs-on: ubuntu-latest
+    outputs:
+      is_active_team_member: ${{ steps.team-check.outputs.is_active_member }}
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        with:
+          app-id: ${{ secrets.RHDH_GITHUB_APP_ID }}
+          private-key: ${{ secrets.RHDH_GITHUB_APP_PRIVATE_KEY }}
+      - name: Checkout main branch for secure version of check-author action
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 1
+          ref: main  # Always use main branch for security-critical action
+          persist-credentials: false
+      - name: Check if commit author is an active member of the team
+        id: team-check
+        uses: ./.github/actions/check-author
+        with:
+          author: ${{ github.actor }}
+          organization: redhat-developer
+          team: rhdh
+          gh_token: ${{ steps.app-token.outputs.token }}
+          whitelisted_authors: '["openshift-cherrypick-robot"]'
+
+  authorize:
+    # The 'external' environment is configured with the maintainers team as required reviewers.
+    # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
+    # Use 'internal' environment if the author is in the team OR if it's an internal PR (not from a fork)
+    # see list of approvers in OWNERS file
+    environment:
+      ${{ (needs.check-commit-author.outputs.is_active_team_member == 'true' || github.event.pull_request.head.repo.full_name == github.repository) && 'internal' || 'external' }}
+    runs-on: ubuntu-latest
+    needs: check-commit-author
+    steps:
+      - name: Check if internal PR
+        id: check
+        run: |
+          if [[ "${{ needs.check-commit-author.outputs.is_active_team_member }}" == "true" ]]; then
+            echo "✓ Commit author is in rhdh team - using internal environment"
+          elif [[ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then
+            echo "✓ Internal PR (not from fork) - using internal environment"
+          else
+            echo "✓ External PR from fork from non-rhdh team member - using external environment for security"
+          fi
+  build:
+    name: Build with Node.js ${{ matrix.node-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [22]
+    needs: authorize
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Check Image and Relevant Changes
+        id: check-image
+        uses: ./.github/actions/check-image-and-changes
+
+      - name: Setup Node.js
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Setup local Turbo cache
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        uses: dtinth/setup-github-actions-caching-for-turbo@cc723b4600e40a6b8815b65701d8614b91e2669e # v1
+
+      - name: Use app-config.example.yaml
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: rm app-config.yaml && mv app-config.example.yaml app-config.yaml
+
+      - name: Install dependencies
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        uses: backstage/actions/yarn-install@b3c1841fd69e1658ac631afafd0fb140a2309024 # v0.6.17
+        with:
+          cache-prefix: ${{ runner.os }}-v${{ matrix.node-version }}
+
+      - name: Build packages
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: yarn run build --continue --affected
+
+  test:
+    name: Test with Node.js ${{ matrix.node-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [22]
+    needs: authorize
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Check Image and Relevant Changes
+        id: check-image
+        uses: ./.github/actions/check-image-and-changes
+
+      - name: Setup Node.js
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Setup local Turbo cache
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        uses: dtinth/setup-github-actions-caching-for-turbo@cc723b4600e40a6b8815b65701d8614b91e2669e # v1
+
+      - name: Use app-config.example.yaml
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: rm app-config.yaml && mv app-config.example.yaml app-config.yaml
+
+      - name: Install dependencies
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        uses: backstage/actions/yarn-install@b3c1841fd69e1658ac631afafd0fb140a2309024 # v0.6.17
+        with:
+          cache-prefix: ${{ runner.os }}-v${{ matrix.node-version }}
+
+      - name: Run prettier
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: yarn prettier:check --continue --affected
+
+      - name: Run lint
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: yarn run lint:check --continue --affected
+
+      - name: Run monorepo tools
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: yarn run monorepo:check
+
+      - name: Regenerate dockerfiles
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: |
+          yarn run build:dockerfile; if [[ $(git diff --name-only | grep Dockerfile || true) != "" ]]; then \
+            echo "ERROR: Workspace is dirty! Must run 'yarn build:dockerfile' and commit changes!"; exit 1; \
+          fi
+
+      - name: Run tests
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: yarn run test --continue --affected
+
+      - name: Change directory to dynamic-plugins
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: cd ./dynamic-plugins
+
+      - name: Install dynamic plugin dependencies
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: yarn install
+
+      - name: Test the dynamic plugin wrappers
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: yarn test --continue --affected
+
+      - name: Export the dynamic plugin wrappers
+        if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
+        run: yarn export-dynamic --continue --affected
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -18,8 +18,9 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened, ready_for_review]
     branches:
-    - main
-    - release-1.[0-9]+
+      - main
+      - release-1.9
+      - release-1.1[0-9]
 
 env:
   TURBO_SCM_BASE: ${{ github.event.pull_request.base.sha }}
@@ -165,6 +166,7 @@ jobs:
       - name: Install Python dependencies
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
         run: pip install -r python/requirements-dev.in -r python/requirements-build.in -r python/requirements.txt
+
       - name: Run prettier
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
         run: yarn prettier:check --continue --affected
@@ -187,9 +189,11 @@ jobs:
       - name: Run tests
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
         run: yarn run test --continue --affected
+
       - name: Run Python tests
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
         run: pytest docker/test_install-dynamic-plugins.py -v
+
       - name: Change directory to dynamic-plugins
         if: ${{ steps.check-image.outputs.is_skipped != 'true' }}
         run: cd ./dynamic-plugins