TEST: validate api-break-allowed escape hatch (do not merge)

[ChrisJBurns]

⚠️ DO NOT MERGE

Phase 2 enforcement validation. Pairs with #4988 (pre-enforcement) to close the loop: the same breaking change that previously only turned the check red should now block the PR, and applying api-break-allowed should unblock it.

Close this PR once the escape hatch has been demonstrated.

What changed

Same surgical change as #4988: the JSON tag on MCPGroupSpec.Description is renamed from "description" to "summary". Go field name stays, only the schema-visible key moves. task operator-generate + task operator-manifests regenerated the CRD YAML and Helm template.

Test procedure

1. Observe enforcement kicks in.

   • CRD Schema Compatibility runs, reports 2× NoFieldRemoval on mcpgroups (v1alpha1 and v1beta1).
   • Check run conclusion: failure.
   • Workflow conclusion: also failure (unlike TEST: rename mcpgroups.spec.description → summary (do not merge) #4988, there's no continue-on-error softening it).
   • mergeStateStatus: BLOCKED — the PR cannot be merged.

2. Apply the escape hatch.

   • Add the api-break-allowed label to the PR.
   • Important caveat: the workflow's pull_request trigger uses default types (opened, synchronize, reopened) — label changes don't trigger a re-run on their own. After labelling, do one of:
     • Push a new commit (e.g. git commit --allow-empty -m trigger && git push).
     • Close + reopen the PR.
     • Manually re-run the failed job from the Actions UI.
   • The workflow re-evaluates its if: guard: !contains(labels.*.name, 'api-break-allowed') is now false, so the crd-schema-check job is skipped.
   • GitHub treats a skipped required check as passing. mergeStateStatus flips to an unblocked state.

3. Close the PR without merging.

Expected signals

Stage	check conclusion	workflow conclusion	mergeStateStatus
Initial (no label)	failure	failure	BLOCKED
After label + re-trigger	skipped	skipped (or whatever the other jobs produce)	CLEAN or similar

Recommended follow-up (not this PR)

Add types: [opened, synchronize, reopened, labeled, unlabeled] to the pull_request trigger in .github/workflows/api-compat.yml. That would let the escape hatch work without the push/reopen/manual-rerun dance — applying the label alone would re-run the workflow and skip the job. Small, self-contained follow-up PR.

Type of change

• Other (test-only / CI validation)

Test plan

• task operator-generate / task operator-manifests regenerated cleanly
• Both v1alpha1 and v1beta1 CRD versions now expose spec.summary instead of spec.description
• Phase 1: CRD Schema Compatibility check fails, workflow fails, PR is BLOCKED
• Phase 2: after applying api-break-allowed and re-triggering, the job is skipped and the PR is no longer blocked by this check
• PR closed without merging

API Compatibility

• This PR does not break the v1beta1 API, OR the api-break-allowed label is applied and the migration guidance is described above.

(This is a test PR. The "break" is intentional and will be reverted by closing the PR without merging. The checkbox above is for contributor-facing PRs; this PR deliberately trips the check to validate enforcement.)

Does this introduce a user-facing change?

No. This PR will never be merged.

Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.99%. Comparing base (f9b540d) to head (44b20dc).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4992      +/-   ##
==========================================
- Coverage   69.03%   68.99%   -0.05%     
==========================================
  Files         552      552              
  Lines       72996    72996              
==========================================
- Hits        50395    50364      -31     
- Misses      19601    19632      +31     
  Partials     3000     3000              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ChrisJBurns]

Closing — test served its purpose and uncovered a real gap.

What we validated:

• Phase 2 enforcement works: the initial run failed the PR with failure / BLOCKED, unlike the advisory-mode counterpart TEST: rename mcpgroups.spec.description → summary (do not merge) #4988 which softened to success via continue-on-error.
• The api-break-allowed label's if: guard works: after an empty-commit retrigger, the job conclusion flipped to skipped and the api-compat check stopped blocking the PR.

What we uncovered:

• Applying the label alone does not re-run the workflow. GitHub's default pull_request trigger types (opened, synchronize, reopened) don't fire on label changes, and re-running the existing job from the Actions UI replays the original event payload — so the label addition is invisible to the if: guard in that context. Users had to push an empty commit (or close+reopen) to get the skip.

Follow-up opened: #4993 adds labeled and unlabeled to the trigger types, closing both the UX gap (single click to activate escape hatch) and the security gap (unlabelling re-validates, so apply-skip-unlabel-merge can't sneak past).