feature request: restricted presubmit triggering

[BenTheElder]

Currently we can specify who is allowed to rerun periodics and postsubmits via deck, this has been immensely useful for allowing builds to be retried without opening up to abuse from the entire internet.

What we can't do currently, is have presubmits that only certain users can trigger, with the exception of restricting all presubmit triggering to community members.

For SIG Scalability it would be helpful to be able to run large scale tests occasionally, while preventing anyone else discovering this and randomly using it on their PR.

The current mitigation is to react if/when this happens and talk to the contributor, and rely heavily on needs-ok-to-test otherwise.

previously discussed in #prow, filing this for tracking

cc @serathius

https://kubernetes.slack.com/archives/CDECRSC5U/p1742851876219149

[serathius]

Thanks, cc @wojtek-t @marseel

[BenTheElder]

This might be a little tricky and prow generally lacks developer bandwidth, but I think we should preemptively track the concept, it would be useful to have.

Another thought: Maybe we should have a way to not show this in the /test list of available jobs, so it's harder to stumble across and decide to invoke.

Or we could rename it like "/test pull-kubernetes-5k-node-manual-ask-sig-scalability-for-permission" 🙃
/sig testing
/lifecycle frozen

[serathius]

Right, a third option would be to disable the job (comment out?) and only enable it when needed. That would require going through SIG-scalability review.

[BenTheElder]

That seems like a good option to keep in mind if we start to have problems, maybe in the meantime we'll use the explicit name?

The main downside to the name I think is it's long to type, but otherwise it seems less annoying than having to go re-enable the job while pretty clearly

We can actually override just the trigger+rerun regexes without renaming the job though that could be confusing.
https://docs.prow.k8s.io/docs/jobs/