From 908f4d093dff1525085c3d1bee74664bf6b66c88 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka <mnasiadka@gmail.com>
Date: Tue, 12 Aug 2025 16:11:16 +0200
Subject: [PATCH] Introduce check-review pipeline

In order to have secrets available in jobs under review, until we
eliminate the need for these secrets, we need to have a pipeline
that has post-review enabled.

That means they will run only after a review vote.
---
 zuul.d/pipelines.yaml | 56 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/zuul.d/pipelines.yaml b/zuul.d/pipelines.yaml
index f7499f3..0bbb774 100644
--- a/zuul.d/pipelines.yaml
+++ b/zuul.d/pipelines.yaml
@@ -53,6 +53,62 @@
         check: cancelled
         comment: false
 
+- pipeline:
+    name: check-review
+    description: |
+      Newly uploaded patchsets enter this pipeline after getting an
+      initial review to allow for secrets usage.
+    manager: independent
+    post-review: true
+    trigger:
+      github:
+        # Run this pipeline on new/changed pull requests
+        - event: pull_request
+          action:
+            - opened
+            - changed
+            - reopened
+        # Run in response to a pull request comment "recheck"
+        - event: pull_request
+          action: comment
+          comment: (?i)^\s*recheck\s*$
+        # When using the checks API to report results, failed runs
+        # will have a "re-run" button which emits this event.
+        - event: check_run
+          action: rerequested
+          check: .*/check:.*
+    start:
+      github:
+        check: 'in_progress'
+        comment: false
+        # It is recommended to use the checks API for consistency with
+        # other common CI tools that integrate with Github.  Results
+        # will appear on the "checks" tab of PR and changes.  There is
+        # generally no need to have Zuul leave comments when using the
+        # checks API.
+        #
+        # The older status API appears inline with the PR and can be
+        # enabled by uncommenting the "status:" in the various
+        # sections below.  You should choose one or the other
+        # depending on project preferences.
+        #
+        #status: 'pending'
+        #comment: false
+    success:
+      github:
+        check: 'success'
+        comment: false
+        #status: 'success'
+    failure:
+      github:
+        check: 'failure'
+        comment: false
+        #status: 'failure'
+    dequeue:
+      github:
+        check: cancelled
+        comment: false
+
 - pipeline:
     name: gate
     description: |