ci(e2e): allow fork PR runs via 'safe to test' label#55
Merged
GitHub blocks secrets on workflows triggered by pull_request from a fork, which made the existing e2e-tests-saas job fail with empty tokens for every fork PR (e.g. #54). Updates:

- Skip e2e-tests-saas on fork pull_request events to avoid the misleading red X. Internal PRs continue to run E2E unchanged.
- Add a pull_request_target trigger gated on the 'safe to test' label so a maintainer can opt-in a fork PR to run E2E with secrets after reviewing the diff. Workflow checks out the PR head SHA explicitly with persist-credentials disabled.
- Auto-remove the 'safe to test' label on synchronize so new commits require fresh maintainer approval before E2E runs again with secrets.
- Add 'safe to test' to the PR Label Check allowlist so the labeled PR doesn't fail the label-check job.

Co-authored-by: Cursor <cursoragent@cursor.com>
alenon (Contributor) approved these changes on May 7, 2026

Summary

GitHub blocks repository secrets on workflows triggered by `pull_request` from a fork. As a result, the SaaS E2E job in `e2e-tests.yml` was running on every fork PR with empty `--jfrog.url`, `--jfrog.adminToken`, `--jfrog.evidenceToken`, `--jfrog.projectToken`, and `--jfrog.projectKey`, and exiting with `ERROR: Project token is required for Evidence Project CLI.` (e.g. #54, run 25363481561).

This PR introduces an opt-in, label-gated path for fork PRs:

- Skips `e2e-tests-saas` on fork `pull_request` events. Removes the misleading red X. Internal PRs continue to run unchanged.
- Adds a `pull_request_target` trigger gated on a `safe to test` label. A maintainer applies the label only after reviewing the fork's diff; the job then checks out the PR head SHA (`persist-credentials: false`) and runs E2E.
- Auto-removes the `safe to test` label on `synchronize`. New commits force a maintainer to re-review and re-apply the label before E2E runs again.
- Adds `safe to test` to the PR Label Check allowlist so the labeled PR doesn't fail `pr-labels.yml`.

Notes

- `pull_request_target` runs the workflow file from the base ref (so the gate cannot be bypassed by editing the workflow inside a PR). The label is the trust boundary: review the fork's full diff (`go.mod`, `go.sum`, scripts, tests) before applying `safe to test`. Treat applying the label as a code-execution approval.
- The `synchronize` step ensures new commits don't get a free re-run with the previously granted trust.

Operating the flow after merge

1. Create the `safe to test` label on the repo (`gh label create "safe to test" --repo jfrog/jfrog-cli-evidence --color B60205 --description "Trusted reviewer approves running SaaS E2E on this PR"`).
2. After reviewing a fork PR's diff, apply the label: `gh pr edit <num> --add-label "safe to test"`.
3. An `E2E Tests on SaaS Environment` run will appear on the PR, checked out at the PR head SHA, with all `secrets.*` populated.

Test plan

- Fork PR without the label: `e2e-tests-saas` is skipped (fork `pull_request`); no behavior change for internal PRs.
- Apply the `safe to test` label.
- An `E2E Tests on SaaS Environment` run starts that checks out commit `0df2f83…` and runs past the token initialization (i.e. real test results, not the "Project token is required" error).
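The pattern the PR describes (skip the secret-bearing job on fork `pull_request`, run it under `pull_request_target` only when a maintainer has applied `safe to test`, pin the checkout to the reviewed head SHA, and revoke the label on `synchronize`) is shown below as an added illustration. This is not the PR's own `e2e-tests.yml`: the job names, action version tags, `permissions` block, secret names, the `go test` invocation and path, and the use of `actions/github-script` to remove the label are all assumptions for the example.

```yaml
# Added example of the label-gated fork-PR pattern; not the project's workflow.
name: E2E Tests on SaaS Environment

on:
  pull_request:            # internal PRs: secrets are available, run normally
  pull_request_target:     # fork PRs: workflow file is taken from the base ref,
    types: [labeled, synchronize]   # so a PR cannot edit its way past the gate

# pull_request_target gets a write-capable GITHUB_TOKEN by default; keep it
# to the minimum the jobs need (assumed scopes).
permissions:
  contents: read
  pull-requests: write     # needed to remove the label on synchronize

jobs:
  # Any new push revokes the earlier approval so each commit needs fresh review.
  revoke-approval:
    if: github.event_name == 'pull_request_target' && github.event.action == 'synchronize'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.removeLabel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              name: 'safe to test',
            }).catch(e => { if (e.status !== 404) throw e; }); // label may already be gone

  e2e-tests-saas:
    # Internal PRs run on the plain pull_request event; fork PRs run only when
    # a maintainer has just applied 'safe to test' (the labeled event).
    if: >-
      (github.event_name == 'pull_request'
        && github.event.pull_request.head.repo.full_name == github.repository)
      || (github.event_name == 'pull_request_target'
        && github.event.pull_request.head.repo.full_name != github.repository
        && github.event.action == 'labeled'
        && github.event.label.name == 'safe to test')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Explicit head SHA: the default ref for pull_request_target is the
          # base branch, and a SHA pins the run to the commit that was reviewed
          # even if the fork pushes again while the job is running.
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false   # don't leave the token in .git/config
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Run SaaS E2E
        env:                            # secret names are assumed
          JFROG_URL: ${{ secrets.JFROG_URL }}
          JFROG_ADMIN_TOKEN: ${{ secrets.JFROG_ADMIN_TOKEN }}
          JFROG_EVIDENCE_TOKEN: ${{ secrets.JFROG_EVIDENCE_TOKEN }}
          JFROG_PROJECT_TOKEN: ${{ secrets.JFROG_PROJECT_TOKEN }}
          JFROG_PROJECT_KEY: ${{ secrets.JFROG_PROJECT_KEY }}
        run: >-
          go test ./e2e/... -v -args
          --jfrog.url="$JFROG_URL"
          --jfrog.adminToken="$JFROG_ADMIN_TOKEN"
          --jfrog.evidenceToken="$JFROG_EVIDENCE_TOKEN"
          --jfrog.projectToken="$JFROG_PROJECT_TOKEN"
          --jfrog.projectKey="$JFROG_PROJECT_KEY"
```

Two checks worth making when adopting this shape: the `labeled` condition must compare `github.event.label.name`, not merely test that the label is present on the PR, otherwise any later label addition re-runs the job under old trust; and a `synchronize` does not cancel an in-flight `labeled` run, which is acceptable only because the checkout is pinned to `head.sha` rather than the moving PR ref.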