From b8088ccc557936c769f32216d6afeab5dee7d220 Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake
Date: Tue, 19 May 2026 12:42:53 +0900
Subject: [PATCH 1/2] github: workflows: Restore ok-package-test trigger behavior
Signed-off-by: Hiroshi Hatake
---
 .github/workflows/pr-package-tests.yaml | 27 +++++++++++++++----------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/pr-package-tests.yaml b/.github/workflows/pr-package-tests.yaml
index 9fb56c8587d..dfe6df08aa4 100644
--- a/.github/workflows/pr-package-tests.yaml
+++ b/.github/workflows/pr-package-tests.yaml
@@ -1,6 +1,9 @@
 name: PR - packaging tests run on-demand via label
 on:
- pull_request:
+ # This workflow is label-gated and should be triggerable by maintainers on
+ # PRs where the default pull_request event cannot access the required
+ # repository permissions.
+ pull_request_target:
 types:
 - labeled
 - opened
@@ -11,14 +14,16 @@ on:
 # Cancel any running on push
 concurrency:
- group: ${{ github.ref }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
 cancel-in-progress: true
 jobs:
 # This job provides this metadata for the other jobs to use.
 pr-package-test-build-get-meta:
 # This is a long test to run so only on-demand for certain PRs
- if: contains(github.event.pull_request.labels.*.name, 'ok-package-test')
+ if: >-
+ contains(github.event.pull_request.labels.*.name, 'ok-package-test') &&
+ github.event.pull_request.head.repo.full_name == github.repository
 name: Get metadata to add to build
 runs-on: ubuntu-latest
 outputs:
@@ -41,8 +46,8 @@ jobs:
 - pr-package-test-build-generate-matrix
 uses: ./.github/workflows/call-build-images.yaml
 with:
- version: pr-${{ github.event.number }}
- ref: ${{ github.ref }}
+ version: pr-${{ github.event.pull_request.number }}
+ ref: ${{ github.event.pull_request.head.sha }}
 registry: ghcr.io
 username: ${{ github.actor }}
 image: ${{ github.repository }}/pr
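Review bot: The comment added above `pull_request_target:` gives the reason for the switch but not its security cost: under this trigger the run gets the base repository's secrets and token, while the jobs further down build the PR's head commit. It also reads as if fork PRs are the intended case, yet the `if:` added in the next hunk only admits PRs whose head branch lives in this repository, so the wording should say which PRs are actually meant. I would extend the comment with a line such as `# SECURITY: runs with base-repo secrets against PR head code; only same-repo PRs pass the job-level guard.` The `types:` list continues outside this hunk, so it is not visible here which later events re-run the workflow once the label is present.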
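Review bot: The same-repository check in the new `if: >-` is attached only to `pr-package-test-build-get-meta`, so every other job is protected solely by being skipped when a job in its `needs:` chain is skipped. That holds only as long as no downstream job carries an `if:` using `always()` or `!cancelled()`; if one does, code from a fork would be built with this workflow's secrets. The downstream jobs' conditions are outside this hunk, so this needs checking against the full file. I would either repeat `github.event.pull_request.head.repo.full_name == github.repository` on each build job, or add a comment here such as `# All build jobs must keep depending on this job; never add always() downstream.`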
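Review bot: Nothing in this change limits which credentials the build of `ref: ${{ github.event.pull_request.head.sha }}` can reach, although that commit is PR-authored code and the caller now runs under `pull_request_target`. The same two-line change is made in the hunks for `call-build-linux-packages.yaml`, `call-build-windows.yaml` and `call-build-macos.yaml`, and the Windows and macOS ones visibly pass `token: ${{ secrets.GITHUB_TOKEN }}`. Pinning to the SHA from the event payload rather than a branch name is the right choice, since the commit that gets built is the one the event was raised for. The called workflows are not shown; their checkout steps should be confirmed to use `persist-credentials: false`, and the token should only be handed to the publish steps, not to the build scripts.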
@@ -80,8 +85,8 @@ jobs:
 - pr-package-test-build-generate-matrix
 uses: ./.github/workflows/call-build-linux-packages.yaml
 with:
- version: pr-${{ github.event.number }}
- ref: ${{ github.ref }}
+ version: pr-${{ github.event.pull_request.number }}
+ ref: ${{ github.event.pull_request.head.sha }}
 build_matrix: ${{ needs.pr-package-test-build-generate-matrix.outputs.build-matrix }}
 unstable: ${{ needs.pr-package-test-build-get-meta.outputs.date }}
 secrets:
@@ -93,8 +98,8 @@ jobs:
 - pr-package-test-build-get-meta
 uses: ./.github/workflows/call-build-windows.yaml
 with:
- version: pr-${{ github.event.number }}
- ref: ${{ github.ref }}
+ version: pr-${{ github.event.pull_request.number }}
+ ref: ${{ github.event.pull_request.head.sha }}
 unstable: ${{ needs.pr-package-test-build-get-meta.outputs.date }}
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -105,8 +110,8 @@ jobs:
 - pr-package-test-build-get-meta
 uses: ./.github/workflows/call-build-macos.yaml
 with:
- version: pr-${{ github.event.number }}
- ref: ${{ github.ref }}
+ version: pr-${{ github.event.pull_request.number }}
+ ref: ${{ github.event.pull_request.head.sha }}
 unstable: ${{ needs.pr-package-test-build-get-meta.outputs.date }}
 secrets:
 token: ${{ secrets.GITHUB_TOKEN }}
From 0504ab5ac244a471b1d2cd6be625267f70aa6291 Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake
Date: Tue, 19 May 2026 12:55:49 +0900
Subject: [PATCH 2/2] github: workflows: Set explicit permissions
Signed-off-by: Hiroshi Hatake
---
 .github/workflows/pr-package-tests.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/pr-package-tests.yaml b/.github/workflows/pr-package-tests.yaml
index dfe6df08aa4..743e53626b7 100644
--- a/.github/workflows/pr-package-tests.yaml
+++ b/.github/workflows/pr-package-tests.yaml
@@ -44,6 +44,9 @@ jobs:
 needs:
 - pr-package-test-build-get-meta
 - pr-package-test-build-generate-matrix
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/call-build-images.yaml
 with:
 version: pr-${{ github.event.pull_request.number }}
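Review bot: The `permissions:` block is added only to the job that calls `call-build-images.yaml`, so the Linux, Windows and macOS build jobs changed in the first patch still run with whatever default token scope the repository settings or a workflow-level `permissions:` key provide. Under `pull_request_target` that default can be read/write, and those jobs build PR head code. No workflow-level key is visible in either patch; if the file has none, I would add a top-level `permissions:` with `contents: read` and keep `packages: write` scoped to this job alone. The job's `with:` block continues past the end of this hunk.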