fix: prevent stale ci-passed labels (#13095)

* fix: prevent stale ci-passed labels

- remove stale ci-passed labels immediately on synchronize and reopened
- re-add ci-passed only after a successful CI Check on a label-eligible PR
- guard against race condition where an older workflow_run could re-add
  the label after a new push by comparing head SHAs
- check whether ci-passed label exists before removal to avoid silently
  swallowing real API errors
- add issues: write permission required by the Labels API
- remove artifact handoff from ci-checks.yml; derive PR metadata directly
  from workflow_run

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>

* fix: handle ci-passed label eligibility transitions

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>

* fix: guard label triggers to avoid wasted CI runner minutes

Promote label eligibility checks from step-level to job-level conditions
so ineligible PRs are 'skipped' instead of 'success', preventing wasted
downstream workflow_run triggers. Guard 'unlabeled' events to only react
to eligibility-relevant label changes (needs-ok-to-test removal in
ci-checks, ok-to-test removal in add-ci-passed-label), avoiding the
50-min polling loop restart on unrelated label changes like size/L or
lgtm.

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>

* fix: add symmetric guard for labeled events in CI check workflow

Skip the polling loop when unrelated labels (size/L, lgtm, etc.) are
added to an eligible PR. Only the 'ok-to-test' label addition can
change eligibility, mirroring the existing 'unlabeled' guard.

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>

---------

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>

Author: jsonmp-k8

.github/workflows/add-ci-passed-label.yml

@@ -1,88 +1,116 @@
-# This workflow adds the 'ci-passed' label to a pull request once the 'CI Check' workflow completes successfully.
-# Resets the 'ci-passed' label status when a pull request is synchronized or reopened, 
-# indicating that changes have been pushed and CI needs to rerun.
+# This workflow removes a stale 'ci-passed' label whenever a PR is updated
+# or its eligibility labels change, then adds it back only after the
+# 'CI Check' workflow completes successfully for a label-eligible PR.
 name: Add CI Passed Label
 
 on:
+  pull_request_target:
+    types:
+      - synchronize
+      - reopened
+      - labeled
+      - unlabeled
   workflow_run:
     workflows: ["CI Check"]
     types:
       - completed
 
 permissions:
   pull-requests: write
-  checks: read
-  actions: read
+  issues: write
 
 jobs:
   fetch_data:
-    name: Fetch workflow payload
+    name: Fetch PR eligibility
     runs-on: ubuntu-latest
     if: >
-      github.event.workflow_run.event == 'pull_request' &&
+      github.event_name == 'workflow_run' &&
       github.event.workflow_run.conclusion == 'success'
     outputs:
-      pr_number: ${{ steps.extract.outputs.pr_number }}
-      event_action: ${{ steps.extract.outputs.event_action }}
+      pr_number: ${{ steps.pr.outputs.pr_number }}
+      eligible: ${{ steps.pr.outputs.eligible }}
     steps:
-      - name: 'Download artifact'
+      - name: Check PR label eligibility
+        id: pr
         uses: actions/github-script@v8
         with:
           script: |
-            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+            const workflowEvent = context.payload.workflow_run.event;
+            if (workflowEvent !== "pull_request" && workflowEvent !== "pull_request_target") {
+              core.info(`Skipping workflow_run event ${workflowEvent}`);
+              core.setOutput("eligible", "false");
+              return;
+            }
+
+            const headRepositoryOwner = context.payload.workflow_run.head_repository?.owner?.login;
+            const headBranch = context.payload.workflow_run.head_branch;
+            const runHeadSha = context.payload.workflow_run.head_sha;
+            if (!headRepositoryOwner || !headBranch || !runHeadSha) {
+              core.info("workflow_run is missing head repository, branch, or SHA metadata.");
+              core.setOutput("eligible", "false");
+              return;
+            }
+
+            const { data: pullRequests } = await github.rest.pulls.list({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              run_id: ${{github.event.workflow_run.id}},
-            });
-            const matchArtifact = artifacts.data.artifacts.find((artifact) => {
-              return artifact.name === "pr";
+              state: "open",
+              head: `${headRepositoryOwner}:${headBranch}`,
             });
 
-            if (!matchArtifact) {
-              throw new Error(
-                `Required artifact "pr" was not found for workflow run ID ${{github.event.workflow_run.id}}. ` +
-                "It may have expired or failed to upload. Ensure the CI workflow uploads a 'pr' artifact."
+            const pullRequest = pullRequests.find((candidate) => candidate.head.sha === runHeadSha);
+            if (!pullRequest) {
+              core.info(
+                `No open pull request matched ${headRepositoryOwner}:${headBranch} at ${runHeadSha}.`
               );
+              core.setOutput("eligible", "false");
+              return;
             }
 
-            const download = await github.rest.actions.downloadArtifact({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              artifact_id: matchArtifact.id,
-              archive_format: 'zip',
-            });
-            const fs = require('fs');
-            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+            const labels = new Set(pullRequest.labels.map((label) => label.name));
+            const eligible = labels.has("ok-to-test") && !labels.has("needs-ok-to-test");
 
-      - name: Unzip artifact
-        run: unzip pr.zip
+            core.info(`PR #${pullRequest.number} labels: ${Array.from(labels).join(", ")}`);
+            core.setOutput("pr_number", String(pullRequest.number));
+            core.setOutput("eligible", eligible ? "true" : "false");
 
-      - name: Extract PR information
-        id: extract
-        run: |
-          pr_number=$(cat ./pr_number)
-          event_action=$(cat ./event_action)
-          echo "pr_number=${pr_number}" >> "$GITHUB_OUTPUT"
-          echo "event_action=${event_action}" >> "$GITHUB_OUTPUT"
-          
   reset_ci_passed_label:
-    name: Reset 'ci-passed' label on PR Synchronization
+    name: Reset stale 'ci-passed' label
     runs-on: ubuntu-latest
-    needs: fetch_data
+    # Only run on pull_request_target events that can actually affect ci-passed:
+    #   - synchronize/reopened: new commits invalidate previous CI results
+    #   - labeled with 'needs-ok-to-test': PR became ineligible
+    #   - unlabeled with 'ok-to-test': PR became ineligible
+    # This avoids spinning up a runner for unrelated label changes.
+    if: >
+      github.event_name == 'pull_request_target' &&
+      (
+        github.event.action == 'synchronize' ||
+        github.event.action == 'reopened' ||
+        (github.event.action == 'labeled' && github.event.label.name == 'needs-ok-to-test') ||
+        (github.event.action == 'unlabeled' && github.event.label.name == 'ok-to-test')
+      )
     steps:
-      - name: Check and reset label
+      - name: Remove existing 'ci-passed' label
         run: |
-          if [[ "${{ needs.fetch_data.outputs.event_action }}" == "synchronize" || "${{ needs.fetch_data.outputs.event_action }}" == "reopened" ]]; then
-            echo "Resetting 'ci-passed' label as changes were pushed (event: ${{ needs.fetch_data.outputs.event_action }})."
-            gh pr edit ${{ needs.fetch_data.outputs.pr_number }} --remove-label "ci-passed" --repo "$GITHUB_REPOSITORY" || echo "Label not present"
+          pr_number=${{ github.event.pull_request.number }}
+          echo "Checking for stale 'ci-passed' label on PR #${pr_number} after ${{ github.event.action }}"
+          labels=$(gh pr view "${pr_number}" --repo "$GITHUB_REPOSITORY" --json labels --jq '.labels[].name')
+
+          if echo "${labels}" | grep -qx 'ci-passed'; then
+            echo "Removing stale 'ci-passed' label from PR #${pr_number}"
+            gh pr edit "${pr_number}" --remove-label "ci-passed" --repo "$GITHUB_REPOSITORY"
+          else
+            echo "Label 'ci-passed' not present on PR #${pr_number}; nothing to remove."
           fi
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   add_ci_passed_label:
     name: Add 'ci-passed' label
-    runs-on: ubuntu-latest    
-    needs: [fetch_data, reset_ci_passed_label]
+    runs-on: ubuntu-latest
+    needs: fetch_data
+    if: needs.fetch_data.outputs.eligible == 'true'
     steps:
       - name: Add 'ci-passed' label
         run: |

.github/workflows/ci-checks.yml

@@ -1,33 +1,28 @@
-# This workflow checks if all CI checks have passed by polling every 5 minutes for a total of 8 attempts.
+# This workflow checks if all CI checks have passed by polling every 5 minutes.
 name: CI Check
 
 on:
   pull_request_target:
-    types: [opened, synchronize, reopened, labeled]
+    types: [opened, synchronize, reopened, labeled, unlabeled]
 
 jobs:
   check_ci_status:
     runs-on: ubuntu-latest
+    # Only run for eligible PRs: must have 'ok-to-test' and not 'needs-ok-to-test'.
+    # For 'labeled' events, only react when 'ok-to-test' is added.
+    # For 'unlabeled' events, only react when 'needs-ok-to-test' is removed.
+    # These are the only label changes that can change eligibility, avoiding
+    # restarting the 50-min polling loop on unrelated labels like 'size/L' or 'lgtm'.
+    # Using a job-level condition so ineligible PRs are 'skipped' rather than 'success',
+    # which prevents a wasted downstream workflow_run trigger.
+    if: >
+      (github.event.action != 'labeled' || github.event.label.name == 'ok-to-test') &&
+      (github.event.action != 'unlabeled' || github.event.label.name == 'needs-ok-to-test') &&
+      contains(github.event.pull_request.labels.*.name, 'ok-to-test') &&
+      !contains(github.event.pull_request.labels.*.name, 'needs-ok-to-test')
     permissions:
       checks: read
     steps:
-      - name: Check out the repository
-        uses: actions/checkout@v6
-
-      - name: Check for 'needs-ok-to-test' and 'ok-to-test' labels
-        id: label_check
-        run: |
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'needs-ok-to-test') }}" == "true" ]]; then
-            echo "Label 'needs-ok-to-test' found. Skipping the workflow."
-            exit 0
-          fi
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}" == "true" ]]; then
-            echo "Label 'ok-to-test' found. Continuing the workflow."
-          else
-            echo "Label 'ok-to-test' not found. Skipping the workflow."
-            exit 0
-          fi
-
       - name: Check if all CI checks passed
         uses: wechuli/allcheckspassed@0b68b3b7d92e595bcbdea0c860d05605720cf479
         with:
@@ -41,13 +36,3 @@ jobs:
           checks_exclude: '^Cleanup artifacts$,^Upload results$,^Agent$,^Prepare$'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Save PR payload
-        shell: bash
-        run: |
-          mkdir -p ./pr
-          echo ${{ github.event.pull_request.number }} >> ./pr/pr_number          
-          echo ${{ github.event.action }} >> ./pr/event_action
-      - uses: actions/upload-artifact@v7
-        with:
-          name: pr
-          path: pr/