ci(github): split default CI and label-triggered optional checks#1100

Merged
muddlebee merged 3 commits into Tracer-Cloud:main from muddlebee:ci/pr-label-triggered-windows-k8s
Apr 30, 2026

Conversation

@muddlebee (Collaborator) commented Apr 30, 2026

Trigger flow for reviewers

  1. Open PR as usual: default CI runs only when relevant code paths change.
  2. Add ci:windows label: CI Labels workflow runs Windows jobs.
  3. Add ci:k8s label: CI Labels workflow runs k8s job.
  4. Remove labels when done; unlabeled events re-evaluate optional jobs.

- Subscribe pull_request to labeled/unlabeled so adding ci:windows re-runs CI
- Drop paths filter on pull_request so label-only events are not skipped
- Add matrix-prep job: Windows matrix on push to main or when PR has ci:windows
- Gate test-kubernetes on PR with ci:k8s label (or k8s in title)
greptile-apps Bot (Contributor) commented Apr 30, 2026

Greptile Summary

This PR subscribes the pull_request event to labeled/unlabeled activity types, adds a matrix-prep job that includes windows-latest when the ci:windows label is present, and gates test-kubernetes on the ci:k8s label in addition to the existing title-match logic. The overall approach is sound, but the matrix-prep shell script inlines label names via ${{ join(...) }} directly into the script body — a shell-injection risk that should be addressed by passing the value through env: instead.

  • P1 — shell injection: .github/workflows/ci.yml line 43 — label names interpolated directly into a run script; backtick/$() payloads in label names would execute as commands.

Confidence Score: 3/5

Hold for the shell-injection fix before merging — the label-name interpolation is an exploitable security pattern.

One P1 security finding: label names are interpolated directly into a run shell script via ${{ join(...) }}. Any collaborator with label-create/triage access could craft a label name with backticks or $() to execute arbitrary code in the CI runner. This is a well-documented GitHub Actions hardening failure and should be fixed before merge.

.github/workflows/ci.yml — specifically the matrix-prep step that inlines label names into the shell script body.

Security Review

  • Shell injection in matrix-prep (.github/workflows/ci.yml, line 43): ${{ join(github.event.pull_request.labels.*.name, ',') }} is inlined directly into a run shell script. GitHub label names allow arbitrary characters including backticks and $(), which the shell evaluates when they appear inside a double-quoted string. Any collaborator with triage access who can add a label could exploit this. Fix: pass the value through an env: key so the shell treats it as data, not code.

Important Files Changed

Filename Overview
.github/workflows/ci.yml Adds labeled/unlabeled PR triggers, a matrix-prep job for label-driven Windows matrix, and ci:k8s label support — but the label-name interpolation in the shell script is a shell-injection risk (P1).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Event] --> B{Event Type?}
    B -->|push to main| C[matrix-prep: ubuntu + windows]
    B -->|pull_request labeled/unlabeled/opened/sync/reopened| D{ci:windows label?}
    D -->|yes| E[matrix-prep: ubuntu + windows]
    D -->|no| F[matrix-prep: ubuntu only]

    C & E & F --> G[quality job]
    C & E & F --> H[typecheck job]

    G & H --> I[test job]
    G & H --> J{k8s trigger?}

    J -->|push OR title contains k8s/kubernetes OR ci:k8s label| K[test-kubernetes]
    J -->|none match| L[skip test-kubernetes]

    I -->|push to main only| M[test-thorough]

Reviews (1): Last reviewed commit: "ci(github): run PR CI on label events; c..."
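The pattern Greptile flags above, as an added example that is neither the project's ci.yml nor the bot's output: a shell script that reproduces what happens when the joined label list is pasted into a run: body by ${{ join(...) }}, next to the env:-based form the review asks for, and a label-driven matrix computation written the hardened way. The label string, the variable PR_LABELS and the function names (vulnerable_labels, safe_labels, matrix_for_labels) are constructed for this illustration; the injected payload is deliberately harmless so the difference can be observed safely.

```shell
#!/bin/sh
# Added example, not the project's workflow: reproduces the shell-injection
# pattern flagged in review and the env:-based fix. LABEL_LIST, PR_LABELS and
# the three functions are hypothetical names chosen for the illustration.

# Constructed label list, joined with ',' the way join(labels.*.name, ',')
# would emit it. One label *name* carries a harmless command substitution.
LABEL_LIST='ci:windows,$(echo INJECTED)'

# Vulnerable: ${{ join(...) }} is substituted into the script text *before*
# the shell starts, so the payload ends up inside a double-quoted string and
# the shell expands it. Build the script as text and run it, as the runner does.
vulnerable_labels() {
  script="LABELS=\"$1\"; printf '%s' \"\$LABELS\""
  sh -c "$script"
}

# Hardened: the value is passed through env: and the script references the
# variable. A variable's contents are never re-parsed, so $(...) stays literal.
safe_labels() {
  PR_LABELS="$1" sh -c 'printf "%s" "$PR_LABELS"'
}

# Label-driven matrix for a hardened matrix-prep step: read the joined label
# list from the environment, match the *exact* label name (comma-anchored, so
# a label such as ci:windows-extra does not count), emit a JSON matrix.
matrix_for_labels() {
  labels="$1"
  os='"ubuntu-latest"'
  case ",$labels," in
    *",ci:windows,"*) os="$os,\"windows-latest\"" ;;
  esac
  printf '{"os":[%s]}' "$os"
}

printf 'inlined : %s\n' "$(vulnerable_labels "$LABEL_LIST")"  # payload executed
printf 'env     : %s\n' "$(safe_labels "$LABEL_LIST")"        # payload stays text
printf 'matrix  : %s\n' "$(matrix_for_labels "$LABEL_LIST")"
```

In the workflow itself the hardened form is an `env:` entry on the step, such as `PR_LABELS: ${{ join(github.event.pull_request.labels.*.name, ',') }}`, with the `run:` script reading `"$PR_LABELS"`. For a plain presence check the decision can stay out of the shell altogether via `if: contains(github.event.pull_request.labels.*.name, 'ci:windows')`, which removes the problem rather than containing it. The env: route is not a sanitiser: the label name still reaches the job, but as data the shell never parses. Since the dedicated CI Labels workflow this PR settled on also runs on labeled events, any label name it forwards into a script should follow the same rule.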

Push to main stays Ubuntu-only; no Windows on merge without a label (N/A on push).
- restore path-scoped pull_request trigger for default CI workflow

- keep default matrix ubuntu-only in main CI workflow

- add dedicated CI Labels workflow for ci:windows and ci:k8s

- run optional windows and k8s jobs only when matching labels are present
@muddlebee changed the title from "ci(github): trigger PR CI on label events (ci:windows, ci:k8s)" to "ci(github): split default CI and label-triggered optional checks" Apr 30, 2026
@muddlebee merged commit b79e437 into Tracer-Cloud:main Apr 30, 2026
14 of 15 checks passed
@github-actions (Contributor) commented:

🌮 @muddlebee's PR: showed up unannounced, improved everything, left zero bugs. Just like a perfect taco. 🌮


👋 Join us on Discord - OpenSRE : hang out, contribute, or hunt for features and issues. Everyone's welcome.

gitsofaryan pushed a commit to gitsofaryan/opensre that referenced this pull request May 3, 2026
* ci(github): run PR CI on label events; ci:windows and ci:k8s

- Subscribe pull_request to labeled/unlabeled so adding ci:windows re-runs CI
- Drop paths filter on pull_request so label-only events are not skipped
- Add matrix-prep job: Windows matrix on push to main or when PR has ci:windows
- Gate test-kubernetes on PR with ci:k8s label (or k8s in title)

* ci(github): run Windows matrix only when PR has ci:windows

Push to main stays Ubuntu-only; no Windows on merge without a label (N/A on push).

* ci(github): split label-triggered checks workflow

- restore path-scoped pull_request trigger for default CI workflow

- keep default matrix ubuntu-only in main CI workflow

- add dedicated CI Labels workflow for ci:windows and ci:k8s

- run optional windows and k8s jobs only when matching labels are present