diff --git a/.github/workflows/benchmark-chatterbox-tts-onnx.yml b/.github/workflows/benchmark-chatterbox-tts-onnx.yml index ffd96af03a..c5449e54de 100644 --- a/.github/workflows/benchmark-chatterbox-tts-onnx.yml +++ b/.github/workflows/benchmark-chatterbox-tts-onnx.yml @@ -69,8 +69,28 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} benchmark-chatterbox: - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'release' && startsWith(github.event.release.tag_name, 'onnx-tts-v')) + if: needs.label-gate.outputs.authorised == 'true' && (github.event_name == 'workflow_dispatch' || (github.event_name == 'release' && startsWith(github.event.release.tag_name, 'onnx-tts-v'))) runs-on: macos-14-xlarge environment: release timeout-minutes: 180 @@ -508,3 +528,5 @@ jobs: fi rm -f /tmp/sa-credentials.json + needs: + - label-gate diff --git a/.github/workflows/benchmark-embed-llamacpp.yml b/.github/workflows/benchmark-embed-llamacpp.yml index 89dfa45a76..5f8c5bb33c 100644 --- a/.github/workflows/benchmark-embed-llamacpp.yml +++ b/.github/workflows/benchmark-embed-llamacpp.yml 
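Review bot: In the `Run label-gate` step of the `@@ -69,8` hunk (benchmark-chatterbox-tts-onnx.yml), `github-token: ${{ secrets.PAT_TOKEN }}` gives the action a personal access token, and the job's `permissions:` block, which scopes only the workflow's GITHUB_TOKEN, does nothing to limit what that token can do. The action's source is not in this diff; if it only reads labels or comments on the pull request, `github-token: ${{ github.token }}` would keep the gate within the declared `pull-requests: write`. If the PAT really is needed, `pull-requests: write` looks redundant and a comment such as `# PAT required: <reason, scopes>` would document the exception. The identical job is added to every workflow in this diff, so the same choice applies to each copy.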
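Review bot: In the `@@ -508,3` hunk, `needs:` / `- label-gate` is appended after the job's final `rm -f /tmp/sa-credentials.json` step, several hundred lines below the `if: needs.label-gate.outputs.authorised == 'true' && …` that relies on it. The `needs` context only exposes jobs listed under `needs:`, so the condition and the dependency have to stay in step, which is hard to check when they sit at opposite ends of the job. I would move the two lines directly above the `if:` in the job header; the trailing `needs:`/`if:` additions in the other benchmark and docs workflows of this diff have the same layout. The job body between the two hunks is outside the visible lines.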
@@ -134,6 +134,26 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} benchmark: runs-on: ai-run-linux-gpu environment: release @@ -412,4 +432,7 @@ jobs: path: | ${{ env.WORKDIR }}/benchmarks/server/server.log ${{ env.WORKDIR }}/logs/ - retention-days: 90 \ No newline at end of file + retention-days: 90 + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/benchmark-llm-llamacpp.yml b/.github/workflows/benchmark-llm-llamacpp.yml index 9ef74be39a..7fa05f4398 100644 --- a/.github/workflows/benchmark-llm-llamacpp.yml +++ b/.github/workflows/benchmark-llm-llamacpp.yml @@ -178,6 +178,26 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} benchmark: runs-on: ai-run-linux-gpu environment: release 
@@ -457,3 +477,6 @@ jobs: ${{ inputs.workdir }}/benchmarks/server/server.log ${{ inputs.workdir }}/logs/ retention-days: 90 + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/benchmark-ocr-onnx.yml b/.github/workflows/benchmark-ocr-onnx.yml index d8086813ee..e31038ae40 100644 --- a/.github/workflows/benchmark-ocr-onnx.yml +++ b/.github/workflows/benchmark-ocr-onnx.yml @@ -31,6 +31,26 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} setup: runs-on: ubuntu-latest timeout-minutes: 10 @@ -59,8 +79,10 @@ jobs: fi build: - needs: setup - if: needs.setup.outputs.qvac_needed == 'true' + needs: + - setup + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.setup.outputs.qvac_needed == 'true') runs-on: ubuntu-24.04 environment: release timeout-minutes: 120 @@ -148,11 +170,12 @@ jobs: retention-days: 1 evaluate: - needs: [setup, build] - if: | - always() && - needs.setup.result == 'success' && - (needs.build.result == 'success' || needs.build.result == 'skipped') + needs: + - setup + - build + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.setup.result == 'success' && (needs.build.result == 'success' || needs.build.result == 'skipped')) runs-on: ubuntu-24.04 environment: release timeout-minutes: 180 
diff --git a/.github/workflows/benchmark-performance-infer-llm-llamacpp.yml b/.github/workflows/benchmark-performance-infer-llm-llamacpp.yml index 6745cd2ac1..3f6c6cb4d0 100644 --- a/.github/workflows/benchmark-performance-infer-llm-llamacpp.yml +++ b/.github/workflows/benchmark-performance-infer-llm-llamacpp.yml @@ -43,6 +43,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} context: runs-on: ubuntu-latest outputs: @@ -63,7 +83,9 @@ jobs: echo "ref=$ref" >> "$GITHUB_OUTPUT" prebuild: - needs: context + needs: + - context + - label-gate permissions: contents: write packages: write @@ -75,9 +97,13 @@ jobs: repository: ${{ needs.context.outputs.repository }} ref: ${{ needs.context.outputs.ref }} + if: needs.label-gate.outputs.authorised == 'true' desktop-benchmarks: - needs: [context, prebuild] - if: ${{ inputs.run_desktop }} + needs: + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (inputs.run_desktop) permissions: contents: read packages: read @@ -92,8 +118,11 @@ jobs: qvac_perf_only: true mobile-benchmarks: - needs: [context, prebuild] - if: ${{ inputs.run_mobile }} + needs: + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (inputs.run_mobile) permissions: contents: read packages: read 
@@ -112,8 +141,12 @@ jobs: # `if: always()` lets summarize run even when one of the benchmark # jobs was skipped via the run_desktop / run_mobile toggles or # failed mid-run; we still want the partial report. - needs: [context, desktop-benchmarks, mobile-benchmarks] - if: ${{ always() && needs.context.result == 'success' }} + needs: + - context + - desktop-benchmarks + - mobile-benchmarks + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (always() && needs.context.result == 'success') runs-on: ubuntu-latest timeout-minutes: 10 permissions: diff --git a/.github/workflows/benchmark-performance-transcription-parakeet.yml b/.github/workflows/benchmark-performance-transcription-parakeet.yml index ef281e3f50..c1b0a96fd7 100644 --- a/.github/workflows/benchmark-performance-transcription-parakeet.yml +++ b/.github/workflows/benchmark-performance-transcription-parakeet.yml @@ -18,6 +18,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} context: runs-on: ubuntu-latest outputs: @@ -38,7 +58,9 @@ jobs: echo "ref=$ref" >> "$GITHUB_OUTPUT" prebuild: - needs: context + needs: + - context + - label-gate permissions: contents: write packages: write 
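Review bot: The comment kept above `needs:` in the `@@ -112,8` hunk (benchmark-performance-infer-llm-llamacpp.yml) still explains the condition as `if: always()`, but the new expression puts `needs.label-gate.outputs.authorised == 'true'` in front of it. Summarize therefore no longer runs whenever a benchmark job was skipped or failed; it is skipped outright when the gate does not authorise the run or the label-gate job itself fails. I would extend the comment with a line such as `# Gated on label-gate: skipped when the run is not authorised, so no partial report is produced then.` The job's name line and its steps are outside the hunk.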
@@ -50,8 +72,12 @@ jobs: repository: ${{ needs.context.outputs.repository }} ref: ${{ needs.context.outputs.ref }} + if: needs.label-gate.outputs.authorised == 'true' desktop-benchmarks: - needs: [context, prebuild] + needs: + - context + - prebuild + - label-gate permissions: contents: read packages: read @@ -64,9 +90,13 @@ jobs: run_integration_tests: false run_rtf_benchmarks: true + if: needs.label-gate.outputs.authorised == 'true' summarize: - needs: [context, desktop-benchmarks] - if: always() + needs: + - context + - desktop-benchmarks + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (always()) runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/benchmark-performance-transcription-whispercpp.yml b/.github/workflows/benchmark-performance-transcription-whispercpp.yml index 10a347d1bb..c26e5365dc 100644 --- a/.github/workflows/benchmark-performance-transcription-whispercpp.yml +++ b/.github/workflows/benchmark-performance-transcription-whispercpp.yml @@ -23,6 +23,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} context: runs-on: ubuntu-latest outputs: @@ -46,7 +66,9 @@ jobs: echo "include_desktop=${INPUT_INCLUDE_DESKTOP}" >> "$GITHUB_OUTPUT" prebuild: - needs: context + needs: + - context + - label-gate permissions: contents: write packages: write 
@@ -58,9 +80,13 @@ jobs: repository: ${{ needs.context.outputs.repository }} ref: ${{ needs.context.outputs.ref }} + if: needs.label-gate.outputs.authorised == 'true' desktop-benchmarks: - needs: [context, prebuild] - if: needs.context.outputs.include_desktop != 'false' + needs: + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.include_desktop != 'false') permissions: contents: read packages: read @@ -73,10 +99,12 @@ jobs: run_integration_tests: false run_rtf_benchmarks: true - summarize: - needs: [context, desktop-benchmarks] - if: always() + needs: + - context + - desktop-benchmarks + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (always()) runs-on: ubuntu-latest permissions: contents: read @@ -96,7 +124,6 @@ jobs: path: benchmark-artifacts/desktop merge-multiple: true - - name: Generate consolidated benchmark report run: | node scripts/perf-report/aggregate-whisper-rtf.js \ diff --git a/.github/workflows/benchmark-performance-tts-onnx.yml b/.github/workflows/benchmark-performance-tts-onnx.yml index d3fbeaf0cd..ab31c4160e 100644 --- a/.github/workflows/benchmark-performance-tts-onnx.yml +++ b/.github/workflows/benchmark-performance-tts-onnx.yml @@ -53,6 +53,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} context: runs-on: ubuntu-latest outputs: 
@@ -91,7 +111,9 @@ jobs: echo "include_desktop=${INPUT_INCLUDE_DESKTOP}" >> "$GITHUB_OUTPUT" prebuild: - needs: context + needs: + - context + - label-gate permissions: contents: write packages: write @@ -103,9 +125,13 @@ jobs: repository: ${{ needs.context.outputs.repository }} ref: ${{ needs.context.outputs.ref }} + if: needs.label-gate.outputs.authorised == 'true' desktop-benchmarks: - needs: [context, prebuild] - if: needs.context.outputs.include_desktop != 'false' + needs: + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.include_desktop != 'false') runs-on: ${{ matrix.os }} environment: release timeout-minutes: 180 @@ -532,8 +558,11 @@ jobs: if-no-files-found: ignore summarize: - needs: [context, desktop-benchmarks] - if: always() + needs: + - context + - desktop-benchmarks + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (always()) runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/benchmark-supertonic-tts-onnx.yml b/.github/workflows/benchmark-supertonic-tts-onnx.yml index f2b7f4491c..0b01660ecb 100644 --- a/.github/workflows/benchmark-supertonic-tts-onnx.yml +++ b/.github/workflows/benchmark-supertonic-tts-onnx.yml 
@@ -51,8 +51,28 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} benchmark-supertonic: - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'release' && startsWith(github.event.release.tag_name, 'onnx-tts-v')) + if: needs.label-gate.outputs.authorised == 'true' && (github.event_name == 'workflow_dispatch' || (github.event_name == 'release' && startsWith(github.event.release.tag_name, 'onnx-tts-v'))) runs-on: macos-14-xlarge environment: release timeout-minutes: 180 @@ -225,3 +245,5 @@ jobs: name: supertonic-benchmark-results-v${{ steps.version.outputs.version }} path: packages/tts-onnx/benchmarks/results/ retention-days: 30 + needs: + - label-gate diff --git a/.github/workflows/benchmark-transcription-parakeet.yml b/.github/workflows/benchmark-transcription-parakeet.yml index ca28218f84..0f607aabc2 100644 --- a/.github/workflows/benchmark-transcription-parakeet.yml +++ b/.github/workflows/benchmark-transcription-parakeet.yml 
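Review bot: `benchmark-supertonic` in the `@@ -51,8` hunk only runs for `workflow_dispatch` and `release` events, neither of which has a pull request or labels attached, yet its `if:` now also requires `needs.label-gate.outputs.authorised == 'true'`. What the label-gate action outputs for such events is not visible in this diff; anything other than 'true', including a failed gate job, makes the benchmark skip silently instead of failing. Please confirm the action's behaviour for non-PR events and state it above the job, e.g. `# Skipped (not failed) unless label-gate outputs authorised == 'true'`. `benchmark-chatterbox` in benchmark-chatterbox-tts-onnx.yml has the same condition, and the docs and on-merge workflows later in the diff, which push to main and publish packages, depend on the same answer.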
@@ -27,6 +27,26 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} generate-matrix: runs-on: ai-run-linux outputs: @@ -117,7 +137,9 @@ jobs: echo "$MATRIX" | jq . benchmark-parakeet: - needs: generate-matrix + needs: + - generate-matrix + - label-gate runs-on: ai-run-linux environment: release timeout-minutes: 1440 @@ -464,3 +486,4 @@ jobs: echo "❌ **Results file not found**" >> $GITHUB_STEP_SUMMARY fi echo "" >> $GITHUB_STEP_SUMMARY + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/benchmark-transcription-whispercpp.yml b/.github/workflows/benchmark-transcription-whispercpp.yml index 460ffe1583..9086897fc3 100644 --- a/.github/workflows/benchmark-transcription-whispercpp.yml +++ b/.github/workflows/benchmark-transcription-whispercpp.yml 
@@ -84,6 +84,26 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} generate-matrix: runs-on: ubuntu-latest outputs: @@ -228,7 +248,9 @@ jobs: echo "$MATRIX" | jq . benchmark-whispercpp: - needs: generate-matrix + needs: + - generate-matrix + - label-gate runs-on: ubuntu-latest environment: release timeout-minutes: 1440 @@ -793,3 +815,4 @@ jobs: else echo "❌ Results file not found: $RESULT_FILE" >> $GITHUB_STEP_SUMMARY fi + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/docs-post-merge-sync.yml b/.github/workflows/docs-post-merge-sync.yml index 9b6b57b7de..9f58419eb4 100644 --- a/.github/workflows/docs-post-merge-sync.yml +++ b/.github/workflows/docs-post-merge-sync.yml @@ -16,6 +16,26 @@ concurrency: cancel-in-progress: false jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} sync-docs: runs-on: ubuntu-latest permissions: 
@@ -70,3 +90,6 @@ jobs: git commit -m "chore(docs): regenerate SDK API docs [skip ci]" git remote set-url origin "https://x-access-token:${TOKEN}@github.com/${{ github.repository }}.git" git push origin main + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/docs-release-pipeline.yml b/.github/workflows/docs-release-pipeline.yml index 59e8fa83e5..bc3674c34a 100644 --- a/.github/workflows/docs-release-pipeline.yml +++ b/.github/workflows/docs-release-pipeline.yml @@ -34,9 +34,29 @@ env: DOCS_DIR: docs/website jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} generate-and-publish: runs-on: ubuntu-latest - if: ${{ !vars.DOCS_SYNC_BOT_USER || github.actor != vars.DOCS_SYNC_BOT_USER }} + if: needs.label-gate.outputs.authorised == 'true' && (!vars.DOCS_SYNC_BOT_USER || github.actor != vars.DOCS_SYNC_BOT_USER) steps: # Dual checkout to close the race window where a PR landing on `main` @@ -203,3 +223,5 @@ jobs: git config user.email "$BOT_EMAIL" git commit -m "chore(docs): release v${VERSION} (API summary + release notes) [skip ci]" git push origin main + needs: + - label-gate diff --git a/.github/workflows/on-merge-bci-whispercpp.yml b/.github/workflows/on-merge-bci-whispercpp.yml index 323dcf9216..6ead27c11a 100644 --- a/.github/workflows/on-merge-bci-whispercpp.yml +++ b/.github/workflows/on-merge-bci-whispercpp.yml 
@@ -34,6 +34,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest outputs: @@ -85,8 +105,7 @@ jobs: release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -103,12 +122,11 @@ jobs: changelog-path: packages/bci-whispercpp/CHANGELOG.md build: - needs: publish-logic + needs: + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write 
@@ -124,9 +142,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true outputs: published_version: ${{ steps.capture_version.outputs.published_version }} @@ -194,12 +210,13 @@ jobs: fi publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) outputs: published_version: ${{ steps.capture_version.outputs.published_version }} runs-on: ubuntu-latest @@ -298,8 +315,10 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-bci-whispercpp.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') secrets: inherit with: repository: ${{ github.repository }} 
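Review bot: `publish-gpr` in the `@@ -124,9` hunk (on-merge-bci-whispercpp.yml) keeps `needs: [build, publish-logic]` and its `if:` is only reflowed onto one line, so unlike `build`, `publish-npm` and the integration-test jobs in this file it carries no `needs.label-gate.outputs.authorised == 'true'` check. It is presumably still skipped when the gated `build` job is skipped, but only through the implicit success() check; adding a status function such as `!cancelled()` later, as `publish-npm` already has, would let it run without the gate. on-merge-diffusion-cpp.yml gates its `publish-gpr` explicitly, and doing the same here (`- label-gate` under `needs:` and `needs.label-gate.outputs.authorised == 'true' && (…)` in the `if:`) keeps the two files consistent. `release-merge-guard` in the `@@ -85,8` hunk of this file and in on-merge-decoder-audio.yml is likewise only reflowed, while the diffusion-cpp and embed-llamacpp versions are gated.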
@@ -308,8 +327,10 @@ jobs: mobile-integration-tests: uses: ./.github/workflows/integration-mobile-test-bci-whispercpp.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') permissions: contents: read packages: read diff --git a/.github/workflows/on-merge-decoder-audio.yml b/.github/workflows/on-merge-decoder-audio.yml index 91789373d7..fbe178bca9 100644 --- a/.github/workflows/on-merge-decoder-audio.yml +++ b/.github/workflows/on-merge-decoder-audio.yml @@ -33,6 +33,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest outputs: @@ -91,8 +111,7 @@ jobs: release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 
@@ -109,12 +128,11 @@ jobs: changelog-path: packages/decoder-audio/CHANGELOG.md run-integration-tests: - needs: publish-logic - if: | - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') uses: ./.github/workflows/integration-test-decoder-audio.yml secrets: inherit with: @@ -123,17 +141,16 @@ jobs: workdir: "packages/decoder-audio" mobile-integration-tests: - needs: publish-logic + needs: + - publish-logic + - label-gate permissions: contents: read packages: read pull-requests: write id-token: write - if: | - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + if: |- + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') uses: ./.github/workflows/integration-mobile-test-decoder-audio.yml secrets: inherit with: 
@@ -142,11 +159,13 @@ jobs: workdir: "packages/decoder-audio" publish-gpr: - needs: [publish-logic, run-integration-tests, mobile-integration-tests] - if: | - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - run-integration-tests + - mobile-integration-tests + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -168,11 +187,14 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard, run-integration-tests, mobile-integration-tests] - if: | - !cancelled() && - needs.publish-logic.outputs.publish_release == 'true' && - needs.release-merge-guard.result == 'success' + needs: + - publish-logic + - release-merge-guard + - run-integration-tests + - mobile-integration-tests + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.publish-logic.outputs.publish_release == 'true' && needs.release-merge-guard.result == 'success') runs-on: ubuntu-latest environment: npm outputs: diff --git a/.github/workflows/on-merge-diffusion-cpp.yml b/.github/workflows/on-merge-diffusion-cpp.yml index 923f7ad287..d113d8c197 100644 --- a/.github/workflows/on-merge-diffusion-cpp.yml +++ b/.github/workflows/on-merge-diffusion-cpp.yml 
@@ -41,6 +41,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest environment: release @@ -90,11 +110,13 @@ jobs: echo "publish_tmp=$publish_tmp" >> "$GITHUB_OUTPUT" echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -111,14 +133,15 @@ jobs: package-json-path: packages/diffusion-cpp/package.json changelog-path: packages/diffusion-cpp/CHANGELOG.md - # Build prebuilds (build + merge only, no publishing) + # Build prebuilds (build + merge only, no publishing) + needs: + - label-gate build: - needs: publish-logic + needs: + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write @@ -131,11 +154,12 @@ jobs: # Publish to GitHub Package Registry (GPR) for non-release branches publish-gpr: - needs: [build, publish-logic] + needs: + - build + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') continue-on-error: true runs-on: ubuntu-latest environment: release 
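Review bot: In the `@@ -111,14` hunk (on-merge-diffusion-cpp.yml) the `# Build prebuilds (build + merge only, no publishing)` comment is re-indented and now sits immediately above the `needs:` / `- label-gate` appended to `release-merge-guard`, not directly above `build:`. Indentation is not recoverable from this view, but as ordered the comment reads as describing the guard's dependency instead of the build job. I would keep the comment on the line directly above `build:` and move the guard's `needs:` next to its `if:` in the preceding hunk. The guard's steps start outside this hunk.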
@@ -179,12 +203,13 @@ jobs: # Publish to NPM for release branches publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -239,9 +264,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml diff --git a/.github/workflows/on-merge-embed-llamacpp.yml b/.github/workflows/on-merge-embed-llamacpp.yml index 80cd8fee79..3466e6c292 100644 --- a/.github/workflows/on-merge-embed-llamacpp.yml +++ b/.github/workflows/on-merge-embed-llamacpp.yml 
@@ -34,6 +34,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest environment: release @@ -83,11 +103,13 @@ jobs: echo "publish_tmp=$publish_tmp" >> "$GITHUB_OUTPUT" echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -104,14 +126,15 @@ jobs: package-json-path: packages/embed-llamacpp/package.json changelog-path: packages/embed-llamacpp/CHANGELOG.md - # Build prebuilds (build + merge only, no publishing) + # Build prebuilds (build + merge only, no publishing) + needs: + - label-gate build: - needs: publish-logic + needs: + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write @@ -124,11 +147,12 @@ jobs: # Publish to GitHub Package Registry (GPR) for non-release branches publish-gpr: - needs: [build, publish-logic] + needs: + - build + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') continue-on-error: true runs-on: ubuntu-latest environment: release 
@@ -160,12 +184,13 @@ jobs: # Publish to NPM for release branches publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -206,9 +231,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml diff --git a/.github/workflows/on-merge-llm-llamacpp.yml b/.github/workflows/on-merge-llm-llamacpp.yml index cb5f0a3abf..182521bb31 100644 --- a/.github/workflows/on-merge-llm-llamacpp.yml +++ b/.github/workflows/on-merge-llm-llamacpp.yml 
@@ -40,8 +40,27 @@ permissions: packages: read id-token: write - jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest environment: release @@ -91,11 +110,13 @@ jobs: echo "publish_tmp=$publish_tmp" >> "$GITHUB_OUTPUT" echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -112,14 +133,15 @@ jobs: package-json-path: packages/llm-llamacpp/package.json changelog-path: packages/llm-llamacpp/CHANGELOG.md - # Build prebuilds (build + merge only, no publishing) + # Build prebuilds (build + merge only, no publishing) + needs: + - label-gate build: - needs: publish-logic + needs: + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write @@ -132,11 +154,12 @@ jobs: # Publish to GitHub Package Registry (GPR) for non-release branches publish-gpr: - needs: [build, publish-logic] + needs: + - build + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') continue-on-error: true runs-on: ubuntu-latest environment: release 
@@ -180,12 +203,13 @@ jobs: # Publish to NPM for release branches publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -240,9 +264,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml diff --git a/.github/workflows/on-merge-ocr-onnx.yml b/.github/workflows/on-merge-ocr-onnx.yml index 048b08ecfb..7a099c8b33 100644 --- a/.github/workflows/on-merge-ocr-onnx.yml +++ b/.github/workflows/on-merge-ocr-onnx.yml 
@@ -37,6 +37,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest environment: release @@ -86,11 +106,13 @@ jobs: echo "publish_tmp=$publish_tmp" >> "$GITHUB_OUTPUT" echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -107,19 +129,15 @@ jobs: package-json-path: packages/ocr-onnx/package.json changelog-path: packages/ocr-onnx/CHANGELOG.md + needs: + - label-gate build: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - ( - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' || - ( - needs.publish-logic.outputs.publish_release == 'true' && - needs.release-merge-guard.result == 'success' - ) - ) + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && ( needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' || ( needs.publish-logic.outputs.publish_release == 'true' && needs.release-merge-guard.result == 'success' ) )) permissions: contents: write packages: write @@ -131,9 +149,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} 
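Review bot: `publish-gpr` in this workflow keeps `needs: [build, publish-logic]` and gets no `needs.label-gate.outputs.authorised == 'true'` term, whereas the same job in the earlier workflows is gated explicitly. It is still skipped when `build` is skipped, but only because its `if:` contains no status function, so the implicit success check applies; adding `!cancelled()` or `always()` later would let it publish without authorisation. Adding `- label-gate` to `needs` and prefixing the condition with `needs.label-gate.outputs.authorised == 'true' &&` makes the gate explicit. The `publish-gpr` hunks in the onnx, transcription-parakeet, transcription-whispercpp, translation-nmtcpp and tts-ggml workflows have the same gap.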
@@ -165,12 +181,13 @@ jobs: name-suffix: "-mono" publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) continue-on-error: false outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} @@ -254,8 +271,10 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-ocr-onnx.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') secrets: inherit with: repository: ${{ github.repository }} diff --git a/.github/workflows/on-merge-onnx.yml b/.github/workflows/on-merge-onnx.yml index 2f228f04b0..03b6724e60 100644 --- a/.github/workflows/on-merge-onnx.yml +++ b/.github/workflows/on-merge-onnx.yml 
@@ -37,6 +37,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest environment: release @@ -86,11 +106,13 @@ jobs: echo "publish_tmp=$publish_tmp" >> "$GITHUB_OUTPUT" echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -107,13 +129,14 @@ jobs: package-json-path: packages/onnx/package.json changelog-path: packages/onnx/CHANGELOG.md + needs: + - label-gate build: - needs: publish-logic + needs: + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write @@ -125,9 +148,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} 
@@ -159,12 +180,13 @@ jobs: name-suffix: "-mono" publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} runs-on: ubuntu-latest @@ -207,9 +229,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release-onnx.yml diff --git a/.github/workflows/on-merge-transcription-parakeet.yml b/.github/workflows/on-merge-transcription-parakeet.yml index 2e8ae4b782..960393eaaa 100644 --- a/.github/workflows/on-merge-transcription-parakeet.yml +++ b/.github/workflows/on-merge-transcription-parakeet.yml 
@@ -34,6 +34,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest environment: release @@ -83,11 +103,13 @@ jobs: echo "publish_tmp=$publish_tmp" >> "$GITHUB_OUTPUT" echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -104,14 +126,15 @@ jobs: package-json-path: packages/transcription-parakeet/package.json changelog-path: packages/transcription-parakeet/CHANGELOG.md - # Build prebuilds (build + merge only, no publishing) + # Build prebuilds (build + merge only, no publishing) + needs: + - label-gate build: - needs: publish-logic + needs: + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write @@ -128,9 +151,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true runs-on: ubuntu-latest outputs: 
@@ -188,12 +209,13 @@ jobs: # Publish to NPM for release branches publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -244,9 +266,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -284,8 +304,10 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-transcription-parakeet.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') secrets: inherit with: repository: ${{ github.repository }} @@ -293,8 +315,10 @@ jobs: mobile-integration-tests: uses: ./.github/workflows/integration-mobile-test-transcription-parakeet.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') permissions: contents: read packages: read 
diff --git a/.github/workflows/on-merge-transcription-whispercpp.yml b/.github/workflows/on-merge-transcription-whispercpp.yml index 2815cadf56..93bb3fd169 100644 --- a/.github/workflows/on-merge-transcription-whispercpp.yml +++ b/.github/workflows/on-merge-transcription-whispercpp.yml @@ -34,6 +34,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest outputs: @@ -85,8 +105,7 @@ jobs: release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 
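Review bot: In this workflow the `release-merge-guard` hunk only reflows the `if:` and adds no label-gate term, and no hunk adds `needs: label-gate` to `publish-logic`, so both jobs run before authorisation while `build` and `publish-npm` wait for it. In the visible context neither job has an `environment:` key, which may be why they were left out, but `release-merge-guard` still checks out the repository. If the gate is meant to cover every job, add `needs: [label-gate]` and `needs.label-gate.outputs.authorised == 'true' &&` to both, as the other on-merge workflows do. If the omission is deliberate, a comment saying so would help. The rest of `publish-logic` lies outside the hunks shown.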
@@ -103,12 +122,11 @@ jobs: changelog-path: packages/transcription-whispercpp/CHANGELOG.md build: - needs: publish-logic + needs: + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write @@ -124,9 +142,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true outputs: published_version: ${{ steps.capture_version.outputs.published_version }} @@ -194,12 +210,13 @@ jobs: fi publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) outputs: published_version: ${{ steps.capture_version.outputs.published_version }} runs-on: ubuntu-latest 
@@ -297,8 +314,10 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-transcription-whispercpp.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') secrets: inherit with: repository: ${{ github.repository }} @@ -307,8 +326,10 @@ jobs: mobile-integration-tests: uses: ./.github/workflows/integration-mobile-test-transcription-whispercpp.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') permissions: contents: read packages: read @@ -323,8 +344,10 @@ jobs: name: Trigger Benchmark (Whispercpp) runs-on: ubuntu-latest environment: release - needs: post-build-gate - if: "!cancelled() && needs.post-build-gate.outputs.should_run_tests == 'true'" + needs: + - post-build-gate + - label-gate + if: "needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.post-build-gate.outputs.should_run_tests == 'true')" steps: - name: Trigger benchmark workflow env: diff --git a/.github/workflows/on-merge-translation-nmtcpp.yml b/.github/workflows/on-merge-translation-nmtcpp.yml index 7d89f3e150..064238d935 100644 --- a/.github/workflows/on-merge-translation-nmtcpp.yml +++ b/.github/workflows/on-merge-translation-nmtcpp.yml 
@@ -36,6 +36,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest environment: release @@ -85,11 +105,13 @@ jobs: echo "publish_tmp=$publish_tmp" >> "$GITHUB_OUTPUT" echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -106,19 +128,15 @@ jobs: package-json-path: packages/translation-nmtcpp/package.json changelog-path: packages/translation-nmtcpp/CHANGELOG.md + needs: + - label-gate build: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - ( - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' || - ( - needs.publish-logic.outputs.publish_release == 'true' && - needs.release-merge-guard.result == 'success' - ) - ) + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && ( needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' || ( needs.publish-logic.outputs.publish_release == 'true' && needs.release-merge-guard.result == 'success' ) )) permissions: contents: write packages: write @@ -130,9 +148,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} 
@@ -164,12 +180,13 @@ jobs: name-suffix: "-mono" publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) continue-on-error: false outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} @@ -251,8 +268,10 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-translation-nmtcpp.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') secrets: inherit with: repository: ${{ github.repository }} diff --git a/.github/workflows/on-merge-tts-ggml.yml b/.github/workflows/on-merge-tts-ggml.yml index 1fc636a64c..2ad874e771 100644 --- a/.github/workflows/on-merge-tts-ggml.yml +++ b/.github/workflows/on-merge-tts-ggml.yml 
@@ -34,6 +34,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest environment: release @@ -83,11 +103,13 @@ jobs: echo "publish_tmp=$publish_tmp" >> "$GITHUB_OUTPUT" echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -104,13 +126,14 @@ jobs: package-json-path: packages/tts-ggml/package.json changelog-path: packages/tts-ggml/CHANGELOG.md + needs: + - label-gate build: - needs: publish-logic + needs: + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write @@ -126,9 +149,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' continue-on-error: true runs-on: ubuntu-latest outputs: @@ -185,12 +206,13 @@ jobs: fi publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: 
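Review bot: `build` gets the gate in the first hunk here, but `publish-gpr` in the next hunk keeps `needs: [build, publish-logic]` and an `if:` without the gate, so it is protected only because a skipped `build` skips its dependants. That holds as long as its `if:` contains no status function; adding `always()` or `!cancelled()` later would remove the protection from what looks like a publishing job without any visible change to the gate. I would make it explicit with `needs: [build, publish-logic, label-gate]` and a leading `needs.label-gate.outputs.authorised == 'true' &&` in front of the existing clauses, which then need parentheses around the `||` chain. `publish-release` is in the same position behind `publish-npm`, and on-merge-tts-onnx.yml has the same pair of jobs.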
@@ -240,9 +262,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -280,8 +300,10 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-tts-ggml.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') secrets: inherit with: repository: ${{ github.repository }} @@ -289,8 +311,10 @@ jobs: mobile-integration-tests: uses: ./.github/workflows/integration-mobile-test-tts-ggml.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') permissions: contents: read packages: read diff --git a/.github/workflows/on-merge-tts-onnx.yml b/.github/workflows/on-merge-tts-onnx.yml index 5fa3ed2bdd..4a6024e694 100644 --- a/.github/workflows/on-merge-tts-onnx.yml +++ b/.github/workflows/on-merge-tts-onnx.yml 
@@ -34,6 +34,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} publish-logic: runs-on: ubuntu-latest environment: release @@ -83,11 +103,13 @@ jobs: echo "publish_tmp=$publish_tmp" >> "$GITHUB_OUTPUT" echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + needs.label-gate.outputs.authorised == 'true' && ((github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-')) runs-on: ubuntu-latest environment: release steps: 
@@ -104,13 +126,14 @@ jobs: package-json-path: packages/tts-onnx/package.json changelog-path: packages/tts-onnx/CHANGELOG.md + needs: + - label-gate build: - needs: publish-logic + needs: + - publish-logic + - label-gate if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_release == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_release == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true') permissions: contents: write packages: write @@ -126,9 +149,7 @@ jobs: publish-gpr: needs: [build, publish-logic] if: >- - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true' + needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_tmp == 'true' outputs: published_version: ${{ steps.publish.outputs.npm_published_version }} runs-on: ubuntu-latest 
@@ -158,12 +179,13 @@ jobs: name-suffix: "-mono" publish-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - !cancelled() && - needs.build.result == 'success' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (!cancelled() && needs.build.result == 'success' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) outputs: published_version: ${{ steps.capture_version.outputs.published_version }} runs-on: ubuntu-latest @@ -217,9 +239,7 @@ jobs: publish-release: needs: [publish-npm] if: >- - !cancelled() && - needs.publish-npm.result == 'success' && - needs.publish-npm.outputs.published_version != '' + !cancelled() && needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -257,8 +277,10 @@ jobs: packages: read id-token: write uses: ./.github/workflows/integration-test-tts-onnx.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') secrets: inherit with: repository: ${{ github.repository }} @@ -267,8 +289,10 @@ jobs: mobile-integration-tests: uses: ./.github/workflows/integration-mobile-test-tts-onnx.yml - needs: post-build-gate - if: needs.post-build-gate.outputs.should_run_tests == 'true' + needs: + - post-build-gate + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.post-build-gate.outputs.should_run_tests == 'true') permissions: contents: read packages: read 
diff --git a/.github/workflows/on-pr-bci-whispercpp.yml b/.github/workflows/on-pr-bci-whispercpp.yml index 5f304d0c04..3298774dbc 100644 --- a/.github/workflows/on-pr-bci-whispercpp.yml +++ b/.github/workflows/on-pr-bci-whispercpp.yml @@ -54,6 +54,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -133,8 +153,11 @@ jobs: echo " workdir=$workdir" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - context + - label-gate runs-on: ubuntu-latest steps: - name: Checkout code @@ -151,8 +174,11 @@ jobs: workdir: ${{ needs.context.outputs.workdir }} cpp-lint: - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: 
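Review bot: The `label-gate` checkout pins `ref` to the default branch and restricts the checkout to `.github/actions/label-gate`, but nothing in the job says why, and the protection only holds if the workflow file itself is also taken from the base branch. The `on:` block is outside these hunks, so the trigger cannot be confirmed from here; under a plain `pull_request` trigger the job definitions, including the new `if:` clauses, would come from the pull request's own merge commit. I would add a comment above the checkout step such as `# load the gate action from the default branch so a PR cannot change its own authorisation check` and state the trigger assumption next to it. The jobs below now require both `needs.authorize.outputs.allowed` and `needs.label-gate.outputs.authorised`; a one-line comment on how the two checks differ would also help.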
@@ -168,8 +194,11 @@ jobs: pull-requests: write actions: read id-token: write - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/cpp-test-coverage-bci-whispercpp.yml secrets: inherit with: @@ -182,8 +211,11 @@ jobs: packages: write pull-requests: write id-token: write - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/prebuilds-bci-whispercpp.yml secrets: inherit with: @@ -195,8 +227,12 @@ jobs: contents: read packages: read id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/integration-test-bci-whispercpp.yml secrets: inherit with: @@ -210,8 +246,12 @@ jobs: packages: read pull-requests: write id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/integration-mobile-test-bci-whispercpp.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-close-bci-whispercpp.yml b/.github/workflows/on-pr-close-bci-whispercpp.yml index f1113a8e34..bd78843ca3 100644 --- a/.github/workflows/on-pr-close-bci-whispercpp.yml +++ b/.github/workflows/on-pr-close-bci-whispercpp.yml 
@@ -32,15 +32,33 @@ on: default: true run-name: >- - Delete NPM Versions (bci-whispercpp) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (bci-whispercpp) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context: runs-on: ubuntu-latest continue-on-error: true @@ -64,3 +82,6 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages || 'bci-whispercpp' }} dry-run: ${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/on-pr-close-decoder-audio.yml b/.github/workflows/on-pr-close-decoder-audio.yml index 91a695a0c3..9d12845c97 100644 --- a/.github/workflows/on-pr-close-decoder-audio.yml +++ b/.github/workflows/on-pr-close-decoder-audio.yml 
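Review bot: In the second hunk, the job that owns these `with:` inputs is skipped whenever the gate returns anything other than `'true'`, and nothing records what happens to the pull request's published versions in that case. The run name suggests this job deletes NPM versions on PR close, and the expressions show it handles `pull_request` events; for pull requests from forks `secrets.PAT_TOKEN` is not available, so the gate step would receive an empty token there. How the action behaves with an empty token is not visible here, so this should be confirmed. If skipping is intended, a comment beside the condition would make that clear, e.g. `# skipped when label-gate denies; TODO confirm who removes leftover versions`. The other on-pr-close-* workflows in this change have the same hunk.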
@@ -32,15 +32,33 @@ on: default: true run-name: >- - Delete NPM Versions (decoder-audio) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (decoder-audio) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context: runs-on: ubuntu-latest continue-on-error: true @@ -64,3 +82,6 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages || 'decoder-audio' }} dry-run: ${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/on-pr-close-diffusion-cpp.yml b/.github/workflows/on-pr-close-diffusion-cpp.yml index 7aa9a622fe..7346c7339f 100644 --- a/.github/workflows/on-pr-close-diffusion-cpp.yml +++ b/.github/workflows/on-pr-close-diffusion-cpp.yml 
@@ -36,6 +36,27 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context-trigger: runs-on: ubuntu-latest continue-on-error: true @@ -59,4 +80,6 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages }} dry-run: ${{ inputs.dry-run || true }} - + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/on-pr-close-embed-llamacpp.yml b/.github/workflows/on-pr-close-embed-llamacpp.yml index 85d1983c7c..df9cfa3b9d 100644 --- a/.github/workflows/on-pr-close-embed-llamacpp.yml +++ b/.github/workflows/on-pr-close-embed-llamacpp.yml 
@@ -31,15 +31,32 @@ on: default: true run-name: >- - Delete NPM Versions - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} print-context: runs-on: ubuntu-latest continue-on-error: true @@ -65,3 +82,6 @@ jobs: # PR-close runs default to dry-run=true for safety; manual runs respect the UI toggle (true/false) dry-run: ${{ github.event_name == 'pull_request' && true || inputs.dry-run }} secrets: inherit + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/on-pr-close-llm-llamacpp.yml b/.github/workflows/on-pr-close-llm-llamacpp.yml index 39ca32b1ef..58890cbee8 100644 --- a/.github/workflows/on-pr-close-llm-llamacpp.yml +++ b/.github/workflows/on-pr-close-llm-llamacpp.yml 
@@ -34,8 +34,29 @@ run-name: Delete NPM Versions (llm-llamacpp) ${{ inputs.version }} ${{ inputs.pr permissions: contents: read - + jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context-trigger: runs-on: ubuntu-latest continue-on-error: true @@ -59,3 +80,6 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages }} dry-run: ${{ inputs.dry-run || true }} + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/on-pr-close-ocr-onnx.yml b/.github/workflows/on-pr-close-ocr-onnx.yml index 5a9c25a8d7..02f4f742cc 100644 --- a/.github/workflows/on-pr-close-ocr-onnx.yml +++ b/.github/workflows/on-pr-close-ocr-onnx.yml 
@@ -32,8 +32,29 @@ run-name: Delete NPM Versions ${{ inputs.version }} ${{ inputs.pr-number }} ${{ permissions: contents: read - + jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context: runs-on: ubuntu-latest continue-on-error: true @@ -56,4 +77,6 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages }} dry-run: ${{ inputs.dry-run || true }} - + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/on-pr-close-onnx.yml b/.github/workflows/on-pr-close-onnx.yml index b570b358e9..bf9d70e360 100644 --- a/.github/workflows/on-pr-close-onnx.yml +++ b/.github/workflows/on-pr-close-onnx.yml @@ -34,6 +34,27 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context: runs-on: ubuntu-latest continue-on-error: true 
@@ -56,3 +77,6 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages }} dry-run: ${{ inputs.dry-run || true }} + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/on-pr-close-transcription-parakeet.yml b/.github/workflows/on-pr-close-transcription-parakeet.yml index 3692e7ab8d..c318f770e6 100644 --- a/.github/workflows/on-pr-close-transcription-parakeet.yml +++ b/.github/workflows/on-pr-close-transcription-parakeet.yml @@ -32,15 +32,33 @@ on: default: true run-name: >- - Delete NPM Versions (parakeet) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (parakeet) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context: runs-on: ubuntu-latest continue-on-error: true @@ -64,3 +82,6 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages || 'transcription-parakeet' }} dry-run: ${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' 
diff --git a/.github/workflows/on-pr-close-transcription-whispercpp.yml b/.github/workflows/on-pr-close-transcription-whispercpp.yml index c2412bda33..e80c8fd204 100644 --- a/.github/workflows/on-pr-close-transcription-whispercpp.yml +++ b/.github/workflows/on-pr-close-transcription-whispercpp.yml @@ -32,15 +32,33 @@ on: default: true run-name: >- - Delete NPM Versions (whispercpp) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (whispercpp) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context: runs-on: ubuntu-latest continue-on-error: true @@ -64,4 +82,7 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages || 'transcription-whispercpp' }} dry-run: ${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/on-pr-close-tts-ggml.yml b/.github/workflows/on-pr-close-tts-ggml.yml index 8ee487a25c..1098f37536 100644 --- a/.github/workflows/on-pr-close-tts-ggml.yml 
+++ b/.github/workflows/on-pr-close-tts-ggml.yml @@ -32,15 +32,33 @@ on: default: true run-name: >- - Delete NPM Versions (tts-ggml) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (tts-ggml) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context: runs-on: ubuntu-latest continue-on-error: true @@ -64,3 +82,6 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages || 'tts-ggml' }} dry-run: ${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/on-pr-close-tts-onnx.yml b/.github/workflows/on-pr-close-tts-onnx.yml index 3a89e04f75..98e9db88f0 100644 --- a/.github/workflows/on-pr-close-tts-onnx.yml +++ b/.github/workflows/on-pr-close-tts-onnx.yml 
@@ -32,15 +32,33 @@ on: default: true run-name: >- - Delete NPM Versions (onnx-tts) - v=${{ inputs.version }} - pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} - dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + Delete NPM Versions (onnx-tts) v=${{ inputs.version }} pr=${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr-number }} dry=${{ github.event_name == 'pull_request' && true || inputs.dry-run }} permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} + print-context: runs-on: ubuntu-latest continue-on-error: true @@ -64,3 +82,6 @@ jobs: pattern: ${{ inputs.pattern }} packages: ${{ inputs.packages || 'tts-onnx' }} dry-run: ${{ github.event_name == 'pull_request' && true || inputs.dry-run }} + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/on-pr-decoder-audio.yml b/.github/workflows/on-pr-decoder-audio.yml index e09e628814..c08bfc7f01 100644 --- a/.github/workflows/on-pr-decoder-audio.yml +++ b/.github/workflows/on-pr-decoder-audio.yml 
@@ -54,6 +54,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -133,8 +153,11 @@ jobs: echo " workdir=$workdir" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - context + - label-gate runs-on: ubuntu-latest steps: - name: Checkout code @@ -151,8 +174,10 @@ jobs: workdir: ${{ needs.context.outputs.workdir }} run-integration-tests: - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') permissions: contents: read packages: read @@ -170,8 +195,10 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/integration-mobile-test-decoder-audio.yml secrets: inherit with: 
diff --git a/.github/workflows/on-pr-diffusion-cpp.yml b/.github/workflows/on-pr-diffusion-cpp.yml index d788bb9dbf..3442aa826a 100644 --- a/.github/workflows/on-pr-diffusion-cpp.yml +++ b/.github/workflows/on-pr-diffusion-cpp.yml @@ -29,6 +29,26 @@ env: PKG_DIR: packages/diffusion-cpp jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -46,8 +66,10 @@ jobs: github-token: ${{ github.token }} sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: authorize + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - label-gate runs-on: ubuntu-latest steps: - name: Checkout code @@ -64,8 +86,11 @@ jobs: workdir: packages/diffusion-cpp cpp-tests: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, sanity-checks] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - sanity-checks + - label-gate uses: ./.github/workflows/cpp-tests-diffusion.yml secrets: inherit with: 
@@ -74,9 +99,11 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} cpp-lint: - if: needs.authorize.outputs.allowed == 'true' + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/cpp-lint.yaml - needs: authorize + needs: + - authorize + - label-gate secrets: inherit with: sha: ${{ github.event.pull_request.base.sha }} @@ -112,8 +139,11 @@ jobs: workdir: packages/diffusion-cpp prebuild: - needs: [authorize, sanity-checks] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - sanity-checks + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') permissions: contents: write packages: write @@ -126,8 +156,11 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} run-integration-tests: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, prebuild] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - prebuild + - label-gate permissions: contents: read packages: read @@ -144,8 +177,11 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, prebuild] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - prebuild + - label-gate uses: ./.github/workflows/integration-mobile-test-diffusion-cpp.yml secrets: inherit with: @@ -153,17 +189,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} merge-guard: - needs: - [ - authorize, - run-integration-tests, - run-mobile-integration-tests, - sanity-checks, - prebuild, - cpp-tests, - cpp-lint, - ts-checks, - ] + needs: [authorize, run-integration-tests, run-mobile-integration-tests, sanity-checks, prebuild, cpp-tests, cpp-lint, ts-checks] if: always() uses: ./.github/workflows/public-pr.yml permissions: 
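Review bot: The gate added to `run-integration-tests` authorises the triggering event, but the context line at the top of this hunk still passes `ref: ${{ github.event.pull_request.head.ref }}` to the job above it. That job starts outside the hunk and is presumably `prebuild`, which holds `contents: write` and `packages: write`. A branch name is resolved when the job checks out, not when the label was reviewed, so the code that runs under `secrets: inherit` can differ from the code that was approved. Passing `ref: ${{ github.event.pull_request.head.sha }}` would pin the run to the commit of the triggering event. Whether label-gate already withdraws approval on new pushes is not visible here; if it does, a comment saying so would be enough.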
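Review bot: `merge-guard` was only reflowed onto one line; its `needs` list does not include `label-gate` and it still runs under `if: always()`. When the gate is not authorised the gated jobs in that list are skipped, so the guard's verdict depends on how public-pr.yml treats skipped jobs, which is not visible in this diff. If skipped counts as passing, an unauthorised PR could show a green guard with no tests having run. Adding `- label-gate` to `needs` and failing the guard when `needs.label-gate.outputs.authorised != 'true'` would close that gap. The merge-guard hunks in on-pr-llm-llamacpp.yml and on-pr-translation-nmtcpp.yml, and `aggregate-performance-report` in on-pr-tts-onnx.yml, are in the same position.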
diff --git a/.github/workflows/on-pr-embed-llamacpp.yml b/.github/workflows/on-pr-embed-llamacpp.yml index 1cf5243698..42a96277e1 100644 --- a/.github/workflows/on-pr-embed-llamacpp.yml +++ b/.github/workflows/on-pr-embed-llamacpp.yml @@ -24,6 +24,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -56,8 +76,11 @@ jobs: run: 'echo "Verified qvac-fabric version: ${{ steps.lockstep.outputs.version }}"' sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, verify-fabric-lockstep] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - verify-fabric-lockstep + - label-gate runs-on: ubuntu-latest steps: - name: Checkout code @@ -74,8 +97,10 @@ jobs: workdir: packages/embed-llamacpp cpp-lint: - if: needs.authorize.outputs.allowed == 'true' - needs: authorize + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - label-gate uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: 
@@ -88,8 +113,11 @@ jobs: contents: read packages: read pull-requests: write - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, sanity-checks] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - sanity-checks + - label-gate uses: ./.github/workflows/cpp-tests-embed.yml secrets: inherit with: @@ -131,8 +159,11 @@ jobs: packages: write pull-requests: write id-token: write - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, sanity-checks] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - sanity-checks + - label-gate uses: ./.github/workflows/prebuilds-embed-llamacpp.yml secrets: inherit with: @@ -140,8 +171,11 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} integration-tests: - needs: [authorize, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') permissions: contents: read packages: read @@ -158,8 +192,11 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, prebuild] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - prebuild + - label-gate uses: ./.github/workflows/integration-mobile-test-embed-llamacpp.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-llm-llamacpp.yml b/.github/workflows/on-pr-llm-llamacpp.yml index dbe8f9fabb..5b131fb2b3 100644 --- a/.github/workflows/on-pr-llm-llamacpp.yml +++ b/.github/workflows/on-pr-llm-llamacpp.yml @@ -16,7 +16,6 @@ on: - "packages/llm-llamacpp/**" - ".github/workflows/*llamacpp-llm*.yml" workflow_dispatch: - workflow_call: permissions: 
@@ -29,6 +28,26 @@ env: PKG_DIR: packages/llm-llamacpp jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -61,8 +80,11 @@ jobs: run: 'echo "Verified qvac-fabric version: ${{ steps.lockstep.outputs.version }}"' sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, verify-fabric-lockstep] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - verify-fabric-lockstep + - label-gate runs-on: ubuntu-latest steps: - name: Checkout code @@ -79,8 +101,11 @@ jobs: workdir: packages/llm-llamacpp cpp-tests: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, sanity-checks] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - sanity-checks + - label-gate uses: ./.github/workflows/cpp-tests-llm.yml secrets: inherit with: @@ -89,9 +114,11 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} cpp-lint: - if: needs.authorize.outputs.allowed == 'true' + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/cpp-lint.yaml - needs: authorize + needs: + - authorize + - label-gate secrets: inherit with: sha: ${{ github.event.pull_request.base.sha }} 
@@ -128,8 +155,11 @@ jobs: workdir: packages/llm-llamacpp prebuild: - needs: [authorize, sanity-checks] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - sanity-checks + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') permissions: contents: write packages: write @@ -142,8 +172,11 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} run-integration-tests: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, prebuild] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - prebuild + - label-gate permissions: contents: read packages: read @@ -160,8 +193,11 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, prebuild] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - prebuild + - label-gate uses: ./.github/workflows/integration-mobile-test-llm-llamacpp.yml secrets: inherit with: @@ -403,18 +439,7 @@ jobs: echo "" >> $GITHUB_STEP_SUMMARY merge-guard: - needs: - [ - authorize, - verify-fabric-lockstep, - run-integration-tests, - run-mobile-integration-tests, - sanity-checks, - prebuild, - cpp-tests, - cpp-lint, - ts-checks, - ] + needs: [authorize, verify-fabric-lockstep, run-integration-tests, run-mobile-integration-tests, sanity-checks, prebuild, cpp-tests, cpp-lint, ts-checks] if: always() uses: ./.github/workflows/public-pr.yml with: diff --git a/.github/workflows/on-pr-ocr-onnx.yml b/.github/workflows/on-pr-ocr-onnx.yml index 00975b09fb..3b84ecf8ff 100644 --- a/.github/workflows/on-pr-ocr-onnx.yml +++ b/.github/workflows/on-pr-ocr-onnx.yml 
@@ -25,6 +25,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -62,11 +82,12 @@ jobs: - ".github/workflows/*ocr*.yml" sanity-checks: - needs: [authorize, changes] - if: | - (needs.changes.outputs.pkg == 'true' && - needs.authorize.outputs.allowed == 'true') || - github.event_name == 'workflow_dispatch' + needs: + - authorize + - changes + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true' && needs.authorize.outputs.allowed == 'true') || github.event_name == 'workflow_dispatch') runs-on: ubuntu-22.04 env: VCPKG_BINARY_SOURCES: "clear;files,${{ github.workspace }}/packages/ocr-onnx/vcpkg/cache,readwrite" @@ -157,8 +178,11 @@ jobs: fi cpp-lint: - needs: [authorize, changes] - if: needs.authorize.outputs.allowed == 'true' || github.event_name == 'workflow_dispatch' + needs: + - authorize + - changes + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: 
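Review bot: The new `sanity-checks` condition keeps a block scalar (`if: |-`) but collapses the whole expression onto one very long line with three levels of parentheses, which is harder to audit than the multi-line form it replaces. Since this expression is now the authorisation check, I would keep one clause per line: `needs.label-gate.outputs.authorised == 'true' &&` on the first line and the original grouped clauses, unchanged, below it. The same applies to the `prebuild` and integration-test conditions later in this file and to the `if: |-` blocks in on-pr-onnx.yml and on-pr-translation-nmtcpp.yml.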
@@ -172,13 +196,12 @@ jobs: pull-requests: write packages: write id-token: write - needs: [authorize, changes] - if: | - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && - ( - github.event_name == 'workflow_dispatch' || - needs.authorize.outputs.allowed == 'true' - ) + needs: + - authorize + - changes + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && ( github.event_name == 'workflow_dispatch' || needs.authorize.outputs.allowed == 'true' )) uses: ./.github/workflows/prebuilds-ocr-onnx.yml secrets: inherit with: @@ -190,13 +213,13 @@ jobs: contents: read packages: read id-token: write - needs: [authorize, changes, prebuild] - if: | - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && - ( - github.event_name == 'workflow_dispatch' || - needs.authorize.outputs.allowed == 'true' - ) + needs: + - authorize + - changes + - prebuild + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && ( github.event_name == 'workflow_dispatch' || needs.authorize.outputs.allowed == 'true' )) uses: ./.github/workflows/integration-test-ocr-onnx.yml secrets: inherit with: 
@@ -209,13 +232,13 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - needs: [authorize, changes, prebuild] - if: | - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && - ( - github.event_name == 'workflow_dispatch' || - needs.authorize.outputs.allowed == 'true' - ) + needs: + - authorize + - changes + - prebuild + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') && ( github.event_name == 'workflow_dispatch' || needs.authorize.outputs.allowed == 'true' )) uses: ./.github/workflows/integration-mobile-test-ocr-onnx.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-onnx.yml b/.github/workflows/on-pr-onnx.yml index a6e4de0968..35f8cbaba4 100644 --- a/.github/workflows/on-pr-onnx.yml +++ b/.github/workflows/on-pr-onnx.yml @@ -25,6 +25,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: 
@@ -62,11 +82,12 @@ jobs: - ".github/workflows/*onnx*.yml" sanity-checks: - needs: [authorize, changes] - if: | - (needs.changes.outputs.pkg == 'true' && - needs.authorize.outputs.allowed == 'true') || - github.event_name == 'workflow_dispatch' + needs: + - authorize + - changes + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true' && needs.authorize.outputs.allowed == 'true') || github.event_name == 'workflow_dispatch') runs-on: ubuntu-22.04 permissions: contents: read @@ -154,8 +175,11 @@ jobs: fi cpp-lint: - needs: [authorize, changes] - if: needs.authorize.outputs.allowed == 'true' || github.event_name == 'workflow_dispatch' + needs: + - authorize + - changes + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -169,13 +193,12 @@ jobs: packages: write pull-requests: write id-token: write - needs: [authorize, changes] - if: | - (needs.changes.outputs.pkg == 'true') && - ( - github.event_name == 'workflow_dispatch' || - needs.authorize.outputs.allowed == 'true' - ) + needs: + - authorize + - changes + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && ((needs.changes.outputs.pkg == 'true') && ( github.event_name == 'workflow_dispatch' || needs.authorize.outputs.allowed == 'true' )) uses: ./.github/workflows/prebuilds-onnx.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-test-sdk.yml b/.github/workflows/on-pr-test-sdk.yml index 1035b520de..713fe484ef 100644 --- a/.github/workflows/on-pr-test-sdk.yml +++ b/.github/workflows/on-pr-test-sdk.yml 
@@ -26,6 +26,26 @@ permissions: packages: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} resolve-config: runs-on: ubuntu-latest outputs: @@ -75,8 +95,10 @@ jobs: fi run-tests: - needs: resolve-config - if: needs.resolve-config.outputs.should-run == 'true' + needs: + - resolve-config + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.resolve-config.outputs.should-run == 'true') uses: ./.github/workflows/test-sdk.yml with: targets: all diff --git a/.github/workflows/on-pr-transcription-parakeet.yml b/.github/workflows/on-pr-transcription-parakeet.yml index e3104df735..b67a162438 100644 --- a/.github/workflows/on-pr-transcription-parakeet.yml +++ b/.github/workflows/on-pr-transcription-parakeet.yml @@ -45,6 +45,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: 
@@ -118,8 +138,11 @@ jobs: echo " run_verify=$run_verify" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - context + - label-gate runs-on: ubuntu-latest steps: - name: Checkout code @@ -136,8 +159,10 @@ jobs: workdir: ${{ github.workspace }}/packages/transcription-parakeet cpp-lint: - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -153,8 +178,10 @@ jobs: pull-requests: write id-token: write actions: read - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-test-coverage-transcription-parakeet.yml secrets: inherit with: @@ -167,8 +194,10 @@ jobs: packages: write pull-requests: write id-token: write - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/prebuilds-transcription-parakeet.yml secrets: inherit with: 
@@ -180,8 +209,11 @@ jobs: contents: read packages: read id-token: write - needs: [context, prebuild] - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/integration-test-transcription-parakeet.yml secrets: inherit with: @@ -194,8 +226,11 @@ jobs: packages: read pull-requests: write id-token: write - needs: [context, prebuild] - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/integration-mobile-test-transcription-parakeet.yml secrets: inherit with: @@ -203,8 +238,12 @@ jobs: ref: ${{ needs.context.outputs.ref }} combine-unified-performance-report: - needs: [context, run-integration-tests, run-mobile-integration-tests] - if: always() && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') + needs: + - context + - run-integration-tests + - run-mobile-integration-tests + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (always() && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch')) runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/on-pr-transcription-whispercpp.yml b/.github/workflows/on-pr-transcription-whispercpp.yml index 110c432d59..0e49c4242e 100644 --- a/.github/workflows/on-pr-transcription-whispercpp.yml +++ b/.github/workflows/on-pr-transcription-whispercpp.yml 
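Review bot: In `combine-unified-performance-report` the `always()` call is now nested inside `needs.label-gate.outputs.authorised == 'true' && (...)`, and why that still fails closed is not obvious on reading. As far as GitHub's documented behaviour goes, a status function anywhere in the expression removes the implicit `success()` check, so the job still runs after failed test jobs. A failed or skipped gate leaves the output empty and the comparison false. A comment would record this: `# always(): report even if tests fail; an empty label-gate output (gate failed or skipped) keeps this job skipped`. The translation-nmtcpp jobs later in this diff use the same shape.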
@@ -54,6 +54,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -133,8 +153,11 @@ jobs: echo " workdir=$workdir" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - context + - label-gate runs-on: ubuntu-latest steps: - name: Checkout code @@ -151,8 +174,11 @@ jobs: workdir: ${{ needs.context.outputs.workdir }} cpp-lint: - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -168,8 +194,11 @@ jobs: pull-requests: write actions: read id-token: write - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/cpp-test-coverage-transcription-whispercpp.yml secrets: inherit with: 
@@ -182,8 +211,11 @@ jobs: packages: write pull-requests: write id-token: write - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/prebuilds-transcription-whispercpp.yml secrets: inherit with: @@ -195,8 +227,12 @@ jobs: contents: read packages: read id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/integration-test-transcription-whispercpp.yml secrets: inherit with: @@ -210,8 +246,12 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/integration-mobile-test-transcription-whispercpp.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-translation-nmtcpp.yml b/.github/workflows/on-pr-translation-nmtcpp.yml index 6a870dc6a1..a00be5b001 100644 --- a/.github/workflows/on-pr-translation-nmtcpp.yml +++ b/.github/workflows/on-pr-translation-nmtcpp.yml 
@@ -27,6 +27,26 @@ env: PKG_DIR: packages/translation-nmtcpp jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -73,8 +93,12 @@ jobs: run: 'echo "Verified qvac-fabric version: ${{ steps.lockstep.outputs.version }}"' sanity-checks: - needs: [authorize, changes, verify-fabric-lockstep] - if: always() && ((needs.changes.outputs.pkg == 'true' && needs.authorize.outputs.allowed == 'true') || github.event_name == 'workflow_dispatch') + needs: + - authorize + - changes + - verify-fabric-lockstep + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (always() && ((needs.changes.outputs.pkg == 'true' && needs.authorize.outputs.allowed == 'true') || github.event_name == 'workflow_dispatch')) runs-on: ubuntu-latest steps: - name: Checkout code @@ -113,11 +137,13 @@ jobs: run: npm run test:dts cpp-lint: - needs: [authorize, changes, sanity-checks] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') + needs: + - authorize + - changes + - sanity-checks + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch')) uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: 
@@ -126,16 +152,18 @@ jobs: workdir: packages/translation-nmtcpp cpp-tests: - needs: [authorize, changes, sanity-checks] + needs: + - authorize + - changes + - sanity-checks + - label-gate permissions: contents: read packages: read pull-requests: write id-token: write - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch')) uses: ./.github/workflows/reusable-cpp-tests-translation-nmtcpp.yml secrets: inherit with: @@ -148,11 +176,13 @@ jobs: packages: write pull-requests: write id-token: write - needs: [authorize, changes, sanity-checks] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') + needs: + - authorize + - changes + - sanity-checks + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch')) uses: ./.github/workflows/prebuilds-translation-nmtcpp.yml secrets: inherit with: @@ -160,11 +190,14 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} run-integration-tests: - needs: [authorize, changes, sanity-checks, prebuild] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') + needs: + - authorize + - changes + - sanity-checks + - prebuild + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch')) permissions: contents: read packages: read 
@@ -181,11 +214,14 @@ jobs: packages: read pull-requests: write # Allow commenting on PRs id-token: write - needs: [authorize, changes, sanity-checks, prebuild] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') + needs: + - authorize + - changes + - sanity-checks + - prebuild + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch')) uses: ./.github/workflows/integration-mobile-test-translation-nmtcpp.yml secrets: inherit with: @@ -193,19 +229,7 @@ jobs: ref: ${{ github.event.pull_request.head.ref }} merge-guard: - needs: - [ - authorize, - changes, - verify-fabric-lockstep, - sanity-checks, - ts-checks, - cpp-lint, - cpp-tests, - prebuild, - run-integration-tests, - run-mobile-integration-tests, - ] + needs: [authorize, changes, verify-fabric-lockstep, sanity-checks, ts-checks, cpp-lint, cpp-tests, prebuild, run-integration-tests, run-mobile-integration-tests] if: always() && (needs.changes.outputs.pkg == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/public-pr.yml with: diff --git a/.github/workflows/on-pr-tts-ggml.yml b/.github/workflows/on-pr-tts-ggml.yml index 25dda7deab..a6b2616fc7 100644 --- a/.github/workflows/on-pr-tts-ggml.yml +++ b/.github/workflows/on-pr-tts-ggml.yml 
@@ -45,6 +45,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -118,8 +138,11 @@ jobs: echo " run_verify=$run_verify" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - context + - label-gate runs-on: ubuntu-latest steps: - name: Checkout code @@ -136,8 +159,10 @@ jobs: workdir: ${{ github.workspace }}/packages/tts-ggml cpp-lint: - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -158,8 +183,10 @@ jobs: pull-requests: write id-token: write actions: read - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/cpp-test-coverage-tts-ggml.yml secrets: inherit with: 
@@ -172,8 +199,10 @@ jobs: packages: write pull-requests: write id-token: write - needs: context - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/prebuilds-tts-ggml.yml secrets: inherit with: @@ -185,8 +214,11 @@ jobs: contents: read packages: read id-token: write - needs: [context, prebuild] - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/integration-test-tts-ggml.yml secrets: inherit with: @@ -199,8 +231,11 @@ jobs: packages: read pull-requests: write id-token: write - needs: [context, prebuild] - if: needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch' + needs: + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.context.outputs.run_verify == 'true' || github.event_name == 'workflow_dispatch') uses: ./.github/workflows/integration-mobile-test-tts-ggml.yml secrets: inherit with: diff --git a/.github/workflows/on-pr-tts-onnx.yml b/.github/workflows/on-pr-tts-onnx.yml index 76ff417c4d..e66a125eb0 100644 --- a/.github/workflows/on-pr-tts-onnx.yml +++ b/.github/workflows/on-pr-tts-onnx.yml 
@@ -68,6 +68,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -157,8 +177,11 @@ jobs: echo " tts_integration_profile=$tts_integration_profile" sanity-checks: - if: needs.authorize.outputs.allowed == 'true' - needs: [authorize, context] + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') + needs: + - authorize + - context + - label-gate runs-on: ubuntu-latest steps: - name: Checkout code @@ -175,8 +198,11 @@ jobs: workdir: ${{ needs.context.outputs.workdir }} cpp-lint: - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/cpp-lint.yaml secrets: inherit with: @@ -192,8 +218,11 @@ jobs: pull-requests: write id-token: write actions: read - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/cpp-test-coverage-tts-onnx.yml secrets: inherit with: 
@@ -207,8 +236,11 @@ jobs: packages: write pull-requests: write id-token: write - needs: [authorize, context] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/prebuilds-tts-onnx.yml secrets: inherit with: @@ -221,8 +253,12 @@ jobs: contents: read packages: read id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/integration-test-tts-onnx.yml secrets: inherit with: @@ -238,8 +274,12 @@ jobs: packages: read pull-requests: write id-token: write - needs: [authorize, context, prebuild] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - context + - prebuild + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') uses: ./.github/workflows/integration-mobile-test-tts-onnx.yml secrets: inherit with: @@ -248,13 +288,7 @@ jobs: workdir: ${{ needs.context.outputs.workdir }} aggregate-performance-report: - needs: - [ - authorize, - context, - run-integration-tests, - run-mobile-integration-tests, - ] + needs: [authorize, context, run-integration-tests, run-mobile-integration-tests] if: always() && needs.authorize.outputs.allowed == 'true' && github.event_name != 'pull_request_target' runs-on: ubuntu-latest permissions: 
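Review bot: `aggregate-performance-report` is only reflowed in the last hunk here, so its condition stays `always() && needs.authorize.outputs.allowed == 'true' && github.event_name != 'pull_request_target'` and `label-gate` is not in its `needs`. Because of `always()`, it is not skipped when the gated jobs it depends on are skipped, so it still runs when label-gate denies; `merge-guard` in the following hunk (`if: always()`) is in the same position. If that is unintended, add `label-gate` to `needs` and prefix the condition with `needs.label-gate.outputs.authorised == 'true' &&`; if it is deliberate, a one-line comment saying so would help. Both job bodies lie outside the hunks, so what they execute cannot be judged from here.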
@@ -327,17 +361,7 @@ jobs: if-no-files-found: ignore merge-guard: - needs: - [ - authorize, - sanity-checks, - cpp-lint, - cpp-tests-coverage, - prebuild, - run-integration-tests, - run-mobile-integration-tests, - aggregate-performance-report, - ] + needs: [authorize, sanity-checks, cpp-lint, cpp-tests-coverage, prebuild, run-integration-tests, run-mobile-integration-tests, aggregate-performance-report] if: always() uses: ./.github/workflows/public-pr.yml with: diff --git a/.github/workflows/on-publish-benchmark-translation-nmtcpp.yml b/.github/workflows/on-publish-benchmark-translation-nmtcpp.yml index 4f92b7c8df..981d0ffc13 100644 --- a/.github/workflows/on-publish-benchmark-translation-nmtcpp.yml +++ b/.github/workflows/on-publish-benchmark-translation-nmtcpp.yml @@ -25,6 +25,26 @@ permissions: id-token: write jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} prepare: runs-on: ubuntu-latest environment: release @@ -55,12 +75,17 @@ jobs: echo "pairs=$pairs" >> $GITHUB_OUTPUT echo "🎯 Released Bergamot model pairs: $pairs" + needs: + - label-gate + if: needs.label-gate.outputs.authorised == 'true' benchmark-bergamot: permissions: contents: read packages: read id-token: write - needs: prepare + needs: + - prepare + - label-gate uses: ./.github/workflows/benchmark-translation-nmtcpp.yml secrets: inherit with: 
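Review bot: The new `needs:` and `if:` keys for `prepare` are appended after the job's last step (below the `echo "🎯 Released Bergamot model pairs: $pairs"` line), and the `if:` for `benchmark-bergamot` lands after its `with:` block in the following hunk, so the authorisation condition sits at the far end of each job instead of beside `runs-on`/`uses`. The workflow parses the same either way, but a gate separated from the job header by the whole step list is easy to overlook or drop in a later edit. Placing `needs: [label-gate]` and `if: needs.label-gate.outputs.authorised == 'true'` directly under `prepare:` would match how the gate is placed in the on-pr workflows. The same trailing placement appears in `smoke-test` and in the `dispatch` jobs of the repository-dispatch and trigger-docs workflows.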
@@ -75,6 +100,7 @@ jobs: use_batch: false hyperparams: 'fast' + if: needs.label-gate.outputs.authorised == 'true' summary: needs: [prepare, benchmark-bergamot] runs-on: ubuntu-latest diff --git a/.github/workflows/pr-models-validation-registry-server.yml b/.github/workflows/pr-models-validation-registry-server.yml index 928a586145..e91cd36485 100644 --- a/.github/workflows/pr-models-validation-registry-server.yml +++ b/.github/workflows/pr-models-validation-registry-server.yml @@ -25,6 +25,26 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: 
@@ -185,13 +205,13 @@ jobs: run: npm install && npm run lint && npm run test:unit sync-staging: - needs: [detect-changes, validate-json, test] - if: | - always() && - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - needs.detect-changes.outputs.models_changed == 'true' && - needs.validate-json.result == 'success' && - (needs.test.result == 'success' || needs.test.result == 'skipped') + needs: + - detect-changes + - validate-json + - test + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && needs.detect-changes.outputs.models_changed == 'true' && needs.validate-json.result == 'success' && (needs.test.result == 'success' || needs.test.result == 'skipped')) runs-on: ubuntu-latest environment: release env: @@ -239,7 +259,9 @@ jobs: timeout-minutes: 30 smoke-test: - needs: sync-staging + needs: + - sync-staging + - label-gate runs-on: ubuntu-latest env: QVAC_REGISTRY_CORE_KEY: ${{ secrets.QVAC_REGISTRY_CORE_KEY }} @@ -276,3 +298,4 @@ jobs: shell: bash run: node scripts/smoke-test-client.js --file=./data/models.prod.json timeout-minutes: 5 + if: needs.label-gate.outputs.authorised == 'true' diff --git a/.github/workflows/publish-registry-server.yml b/.github/workflows/publish-registry-server.yml index c4838759a0..df731626a4 100644 --- a/.github/workflows/publish-registry-server.yml +++ b/.github/workflows/publish-registry-server.yml 
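Review bot: The `if:` for `sync-staging` was a multi-line block with one clause per line and is now a single very long line under `if: |-`, which makes the gate and the `always()` nested inside it hard to read in review. Keeping one clause per line under a folded scalar, i.e. `if: >-` with `needs.label-gate.outputs.authorised == 'true' &&` on its own line followed by the original clauses, is the same expression and keeps later diffs per-clause. The same collapse is applied to the `publish-schema-*`, `lint-and-test` and `publish-client-*` conditions in publish-registry-server.yml, to `publish-npm` in publish-sdk.yml and to `publish-release-npm` in the infer-base and langdetect-text-cld2 workflows.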
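Review bot: `smoke-test` and `sync-staging` only run for `push` or `workflow_dispatch` (sync-staging's condition requires it, and smoke-test needs sync-staging), so the added `needs.label-gate.outputs.authorised == 'true'` depends on what the label-gate action outputs when there is no pull request to read labels from. That action is not part of this diff: if it reports `true` for every non-PR event the gate adds no check here, and if it reports anything else these jobs are skipped rather than failed, which is easy to miss. A comment next to the condition, e.g. `# label-gate must output authorised=true on push/workflow_dispatch or this job is skipped`, together with a test of the action on a push event, would pin the intended behaviour.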
@@ -35,6 +35,26 @@ env: NAME_SUFFIX: "-mono" jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -54,8 +74,7 @@ jobs: release-merge-guard-schema: name: Release Merge Guard (Schema) if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-qvac-registry-schema') + github.event_name == 'push' && startsWith(github.ref_name, 'release-qvac-registry-schema') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -74,8 +93,7 @@ jobs: release-merge-guard-client: name: Release Merge Guard (Client) if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-qvac-registry-client') + github.event_name == 'push' && startsWith(github.ref_name, 'release-qvac-registry-client') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -92,10 +110,12 @@ jobs: changelog-path: packages/registry-server/client/CHANGELOG.md detect-changes: - needs: [authorize] + needs: + - authorize + - label-gate runs-on: ubuntu-latest environment: release - if: needs.authorize.outputs.allowed == 'true' + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') outputs: schema_changed: ${{ steps.filter.outputs.schema }} client_changed: ${{ steps.filter.outputs.client }} 
@@ -207,13 +227,13 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-schema-gpr: - needs: [authorize, detect-changes, publish-logic] - if: | - needs.authorize.outputs.allowed == 'true' && - needs.detect-changes.outputs.schema_changed == 'true' && - (needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true') + needs: + - authorize + - detect-changes + - publish-logic + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true' && needs.detect-changes.outputs.schema_changed == 'true' && (needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_tmp == 'true')) runs-on: ubuntu-latest environment: release permissions: @@ -244,13 +264,14 @@ jobs: name-suffix: ${{ env.NAME_SUFFIX }} publish-schema-npm: - needs: [authorize, detect-changes, publish-logic, release-merge-guard-schema] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - needs.detect-changes.outputs.schema_changed == 'true' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard-schema.result == 'success' || needs.release-merge-guard-schema.result == 'skipped') + needs: + - authorize + - detect-changes + - publish-logic + - release-merge-guard-schema + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && needs.detect-changes.outputs.schema_changed == 'true' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard-schema.result == 'success' || needs.release-merge-guard-schema.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: 
@@ -317,10 +338,12 @@ jobs: workdir: "packages/registry-server/shared" lint-and-test: - needs: [authorize, detect-changes] - if: | - needs.authorize.outputs.allowed == 'true' && - needs.detect-changes.outputs.client_changed == 'true' + needs: + - authorize + - detect-changes + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true' && needs.detect-changes.outputs.client_changed == 'true') permissions: contents: read packages: read @@ -386,13 +409,14 @@ jobs: run: npm run typecheck publish-client-gpr: - needs: [authorize, detect-changes, publish-logic, lint-and-test] - if: | - needs.authorize.outputs.allowed == 'true' && - needs.detect-changes.outputs.client_changed == 'true' && - (needs.publish-logic.outputs.publish_feature == 'true' || - needs.publish-logic.outputs.publish_main == 'true' || - needs.publish-logic.outputs.publish_tmp == 'true') + needs: + - authorize + - detect-changes + - publish-logic + - lint-and-test + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true' && needs.detect-changes.outputs.client_changed == 'true' && (needs.publish-logic.outputs.publish_feature == 'true' || needs.publish-logic.outputs.publish_main == 'true' || needs.publish-logic.outputs.publish_tmp == 'true')) runs-on: ubuntu-latest environment: release permissions: 
@@ -425,13 +449,15 @@ jobs: name-suffix: ${{ env.NAME_SUFFIX }} publish-client-npm: - needs: [authorize, detect-changes, publish-logic, lint-and-test, release-merge-guard-client] - if: | - always() && - needs.authorize.outputs.allowed == 'true' && - needs.detect-changes.outputs.client_changed == 'true' && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard-client.result == 'success' || needs.release-merge-guard-client.result == 'skipped') + needs: + - authorize + - detect-changes + - publish-logic + - lint-and-test + - release-merge-guard-client + - label-gate + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.authorize.outputs.allowed == 'true' && needs.detect-changes.outputs.client_changed == 'true' && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard-client.result == 'success' || needs.release-merge-guard-client.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -486,4 +512,4 @@ jobs: release_name: "QVAC Registry Client" published_version: ${{ needs.publish-client-npm.outputs.published_version }} prev_sha: ${{ github.event.before }} - workdir: "packages/registry-server/client" \ No newline at end of file + workdir: "packages/registry-server/client" diff --git a/.github/workflows/publish-sdk.yml b/.github/workflows/publish-sdk.yml index 9cdf3b2690..61624bcfef 100644 --- a/.github/workflows/publish-sdk.yml +++ b/.github/workflows/publish-sdk.yml 
@@ -43,6 +43,26 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} authorize: runs-on: ubuntu-latest permissions: @@ -62,8 +82,7 @@ jobs: release-merge-guard: name: Release Merge Guard if: >- - (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && - startsWith(github.ref_name, 'release-') + (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -80,8 +99,10 @@ jobs: changelog-path: packages/sdk/CHANGELOG.md build: - needs: [authorize] - if: needs.authorize.outputs.allowed == 'true' + needs: + - authorize + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.authorize.outputs.allowed == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -216,7 +237,7 @@ jobs: name: dist path: ${{ env.WORKDIR }}/dist/ retention-days: 1 - + - name: Determine version and tag id: version working-directory: ${{ env.WORKDIR }} @@ -245,7 +266,6 @@ jobs: tag: ${{ steps.version.outputs.tag }} branch: ${{ steps.version.outputs.branch }} - publish-logic: runs-on: ubuntu-latest outputs: 
@@ -355,10 +375,13 @@ jobs: publish-npm: name: Publish to NPM - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -397,7 +420,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-npm] - if: needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' + if: needs.publish-npm.result == 'success' && needs.publish-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -406,4 +429,4 @@ jobs: release_name: "QVAC SDK" published_version: ${{ needs.publish-npm.outputs.published_version }} prev_sha: ${{ github.event.before }} - workdir: "packages/sdk" \ No newline at end of file + workdir: "packages/sdk" diff --git a/.github/workflows/repository-dispatch-bci-whispercpp.yml b/.github/workflows/repository-dispatch-bci-whispercpp.yml index da5ad34be5..5f2935bbab 100644 --- a/.github/workflows/repository-dispatch-bci-whispercpp.yml +++ b/.github/workflows/repository-dispatch-bci-whispercpp.yml 
@@ -13,8 +13,28 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} dispatch: - if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' + if: needs.label-gate.outputs.authorised == 'true' && (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main') runs-on: ubuntu-latest environment: release steps: @@ -67,3 +87,5 @@ jobs: event-type: readme-changed client-payload: > {"repo_url":"https://github.com/${{ github.repository }}","workdir":"${{ env.WORKDIR }}"} + needs: + - label-gate diff --git a/.github/workflows/repository-dispatch-sdk.yml b/.github/workflows/repository-dispatch-sdk.yml index 8fedf1a974..f9bd8c37c1 100644 --- a/.github/workflows/repository-dispatch-sdk.yml +++ b/.github/workflows/repository-dispatch-sdk.yml 
@@ -13,8 +13,28 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} dispatch: - if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' + if: needs.label-gate.outputs.authorised == 'true' && (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main') runs-on: ubuntu-latest environment: release steps: @@ -70,3 +90,5 @@ jobs: event-type: readme-changed client-payload: > {"repo_url":"https://github.com/${{ github.repository }}","workdir":"${{ env.WORKDIR }}"} + needs: + - label-gate diff --git a/.github/workflows/repository-dispatch-transcription-whispercpp.yml b/.github/workflows/repository-dispatch-transcription-whispercpp.yml index dcdc2a085e..a032f414ec 100644 --- a/.github/workflows/repository-dispatch-transcription-whispercpp.yml +++ b/.github/workflows/repository-dispatch-transcription-whispercpp.yml 
@@ -13,8 +13,28 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} dispatch: - if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' + if: needs.label-gate.outputs.authorised == 'true' && (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main') runs-on: ubuntu-latest environment: release steps: @@ -69,3 +89,5 @@ jobs: event-type: readme-changed client-payload: > {"repo_url":"https://github.com/${{ github.repository }}","workdir":"${{ env.WORKDIR }}"} + needs: + - label-gate diff --git a/.github/workflows/trigger-docs-sdk.yml b/.github/workflows/trigger-docs-sdk.yml index 82aa0d0925..5f1cc41252 100644 --- a/.github/workflows/trigger-docs-sdk.yml +++ b/.github/workflows/trigger-docs-sdk.yml 
@@ -13,8 +13,28 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} dispatch: - if: github.event.pull_request.merged == true && (github.event.pull_request.base.ref == 'main' || startsWith(github.event.pull_request.base.ref, 'release-')) + if: needs.label-gate.outputs.authorised == 'true' && (github.event.pull_request.merged == true && (github.event.pull_request.base.ref == 'main' || startsWith(github.event.pull_request.base.ref, 'release-'))) runs-on: ubuntu-latest environment: release steps: @@ -48,3 +68,5 @@ jobs: event-type: readme-changed client-payload: > {"repo_url":"https://github.com/${{ github.repository }}"} + needs: + - label-gate diff --git a/.github/workflows/trigger-docs-translation-nmtcpp.yml b/.github/workflows/trigger-docs-translation-nmtcpp.yml index 30192352d1..0352f0e9b5 100644 --- a/.github/workflows/trigger-docs-translation-nmtcpp.yml +++ b/.github/workflows/trigger-docs-translation-nmtcpp.yml 
@@ -13,8 +13,28 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} dispatch: - if: github.event.pull_request.merged == true && (github.event.pull_request.base.ref == 'main' || startsWith(github.event.pull_request.base.ref, 'release-')) + if: needs.label-gate.outputs.authorised == 'true' && (github.event.pull_request.merged == true && (github.event.pull_request.base.ref == 'main' || startsWith(github.event.pull_request.base.ref, 'release-'))) runs-on: ubuntu-latest environment: release steps: @@ -47,3 +67,5 @@ jobs: event-type: readme-changed client-payload: > {"repo_url":"https://github.com/${{ github.repository }}"} + needs: + - label-gate diff --git a/.github/workflows/trigger-reusable-diagnostics.yml b/.github/workflows/trigger-reusable-diagnostics.yml index 2d24d3806c..0d55d84587 100644 --- a/.github/workflows/trigger-reusable-diagnostics.yml +++ b/.github/workflows/trigger-reusable-diagnostics.yml 
@@ -17,11 +17,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -86,8 +105,10 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -108,12 +129,15 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate permissions: contents: write packages: write id-token: write - if: needs.publish-logic.outputs.publish_release == 'true' + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_release == 'true') uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: 
@@ -123,7 +147,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -135,8 +159,10 @@ jobs: workdir: "packages/diagnostics" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -157,8 +183,10 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: diff --git a/.github/workflows/trigger-reusable-infer-base.yml b/.github/workflows/trigger-reusable-infer-base.yml index 112c960324..7f29e7e9b3 100644 --- a/.github/workflows/trigger-reusable-infer-base.yml +++ b/.github/workflows/trigger-reusable-infer-base.yml 
@@ -27,11 +27,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +115,10 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +139,16 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +158,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +170,10 @@ jobs: workdir: "packages/infer-base" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +194,10 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-langdetect-text-cld2.yml b/.github/workflows/trigger-reusable-langdetect-text-cld2.yml index 933873bd56..d0418b5423 100644 --- a/.github/workflows/trigger-reusable-langdetect-text-cld2.yml +++ b/.github/workflows/trigger-reusable-langdetect-text-cld2.yml @@ -33,8 +33,28 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} test: - if: github.event_name == 'pull_request' + if: needs.label-gate.outputs.authorised == 'true' && (github.event_name == 'pull_request') runs-on: ubuntu-latest environment: release steps: @@ -67,11 +87,12 @@ jobs: repo: context.repo.repo, body: `${status} Tests completed for langdetect-text-cld2` }) + needs: + - label-gate release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -136,8 +157,10 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: 
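Review bot: The `test` job is gated on `github.event_name == 'pull_request'`, and for `pull_request` runs that come from a fork GitHub does not expose repository secrets, so `secrets.PAT_TOKEN` passed to label-gate is empty there and, by default, the `pull-requests: write` permission is reduced to read. How the action reacts to an empty token is not visible in this diff; presumably the gate cannot authorise, and `test` is then skipped with no explanation on the PR. If fork contributions are expected, state the outcome in a comment on the job, for example `# fork PRs: no PAT_TOKEN, gate does not authorise, tests are skipped`, or have the action fail with a clear message when the token is missing.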
@@ -158,15 +181,16 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -174,8 +198,10 @@ jobs: caller_event_name: ${{ github.event_name }} publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -196,8 +222,10 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -215,4 +243,4 @@ jobs: npm-token: ${{ secrets.NPM_TOKEN }} tag: ${{ needs.publish-logic.outputs.gpr_tag }} workdir: packages/langdetect-text-cld2 - name-suffix: "-mono" + name-suffix: "-mono" diff --git a/.github/workflows/trigger-reusable-langdetect-text.yml b/.github/workflows/trigger-reusable-langdetect-text.yml index 1c5644ecfe..0aa2139a20 100644 --- a/.github/workflows/trigger-reusable-langdetect-text.yml +++ b/.github/workflows/trigger-reusable-langdetect-text.yml 
@@ -27,11 +27,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +115,10 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: 
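Review bot: This `label-gate` job is a 20-line copy of the one added to the other workflows in the diff, including the pinned `actions/checkout` SHA and the token wiring. For an authorisation check that is a maintenance risk: a later fix to the gate has to land in every copy, and one missed file leaves a publish path on the old logic. The repository already calls reusable workflows (`uses: ./.github/workflows/public-reusable-npm.yml`), so the gate could live in one `workflow_call` workflow that exposes `authorised` as an output. Each caller would then be reduced to a `uses:` line plus the secret it passes.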
@@ -118,15 +139,16 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +158,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +170,10 @@ jobs: workdir: "packages/langdetect-text" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +194,10 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-cli.yml b/.github/workflows/trigger-reusable-lib-cli.yml index 668318b00e..0488f161cf 100644 --- a/.github/workflows/trigger-reusable-lib-cli.yml +++ b/.github/workflows/trigger-reusable-lib-cli.yml @@ -33,11 +33,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -128,8 +147,11 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: [build, publish-logic] - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - build + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: 
@@ -159,10 +181,13 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [build, publish-logic, release-merge-guard] + needs: + - build + - publish-logic + - release-merge-guard + - label-gate if: >- - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) runs-on: ubuntu-latest environment: npm outputs: @@ -212,8 +237,11 @@ jobs: workdir: "packages/cli" publish-feature-gpr: - needs: [build, publish-logic] - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - build + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -243,8 +271,11 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: [build, publish-logic] - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - build + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: diff --git a/.github/workflows/trigger-reusable-lib-dl-base.yml b/.github/workflows/trigger-reusable-lib-dl-base.yml index a71d0b6105..975baad8bc 100644 --- a/.github/workflows/trigger-reusable-lib-dl-base.yml +++ b/.github/workflows/trigger-reusable-lib-dl-base.yml 
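Review bot: The rewritten `if:` of `publish-release-npm` still accepts `needs.release-merge-guard.result == 'skipped'`, but unlike the sibling workflows this expression contains no status function. The implicit `success()` therefore applies, and the job is skipped whenever one of its `needs` was skipped, which makes that alternative unreachable. If publishing with a skipped guard is intended here, the condition needs an explicit status function such as `!cancelled()` together with `needs.build.result == 'success'` and `needs.label-gate.result == 'success'`. If it is not intended, dropping the `'skipped'` alternative would make the expression say what it does. Whether the guard can be skipped on a release publish depends on `publish-logic`, which is outside the hunk.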
@@ -27,11 +27,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +115,10 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +139,16 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +158,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +170,10 @@ jobs: workdir: "packages/dl-base" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +194,10 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-dl-filesystem.yml b/.github/workflows/trigger-reusable-lib-dl-filesystem.yml index ad921021f5..2e262070fd 100644 --- a/.github/workflows/trigger-reusable-lib-dl-filesystem.yml +++ b/.github/workflows/trigger-reusable-lib-dl-filesystem.yml @@ -27,11 +27,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +115,10 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +139,16 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +158,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +170,10 @@ jobs: workdir: "packages/dl-filesystem" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +194,10 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-error.yml b/.github/workflows/trigger-reusable-lib-error.yml index 018129044d..161f18243f 100644 --- a/.github/workflows/trigger-reusable-lib-error.yml +++ b/.github/workflows/trigger-reusable-lib-error.yml @@ -27,11 +27,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +115,10 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +139,16 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +158,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +170,10 @@ jobs: workdir: "packages/error" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +194,10 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-hyperdrive.yml b/.github/workflows/trigger-reusable-lib-hyperdrive.yml index d1a2cd8c67..3920b652ff 100644 --- a/.github/workflows/trigger-reusable-lib-hyperdrive.yml +++ b/.github/workflows/trigger-reusable-lib-hyperdrive.yml @@ -27,11 +27,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +115,10 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +139,16 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +158,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +170,10 @@ jobs: workdir: "packages/dl-hyperdrive" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +194,10 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-logging.yml b/.github/workflows/trigger-reusable-lib-logging.yml index 23ac1deb96..0e64bbf36d 100644 --- a/.github/workflows/trigger-reusable-lib-logging.yml +++ b/.github/workflows/trigger-reusable-lib-logging.yml @@ -27,11 +27,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +115,10 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +139,16 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +158,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +170,10 @@ jobs: workdir: "packages/logging" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +194,10 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: 
diff --git a/.github/workflows/trigger-reusable-lib-rag.yml b/.github/workflows/trigger-reusable-lib-rag.yml index 24d4979788..b427951682 100644 --- a/.github/workflows/trigger-reusable-lib-rag.yml +++ b/.github/workflows/trigger-reusable-lib-rag.yml @@ -27,11 +27,30 @@ permissions: contents: read jobs: + label-gate: + name: Authorise (label-gate) + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + outputs: + authorised: ${{ steps.gate.outputs.authorised }} + steps: + - name: Checkout (label-gate action only) + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 + with: + ref: ${{ github.event.repository.default_branch }} + sparse-checkout: .github/actions/label-gate + sparse-checkout-cone-mode: false + - name: Run label-gate + id: gate + uses: ./.github/actions/label-gate + with: + github-token: ${{ secrets.PAT_TOKEN }} release-merge-guard: name: Release Merge Guard if: >- - github.event_name == 'push' && - startsWith(github.ref_name, 'release-') + github.event_name == 'push' && startsWith(github.ref_name, 'release-') runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 @@ -96,8 +115,10 @@ jobs: echo "gpr_tag=$gpr_tag" >> "$GITHUB_OUTPUT" publish-main-gpr-dev: - needs: publish-logic - if: needs.publish-logic.outputs.publish_main == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_main == 'true') runs-on: ubuntu-latest environment: release permissions: 
@@ -118,15 +139,16 @@ jobs: name-suffix: "-mono" publish-release-npm: - needs: [publish-logic, release-merge-guard] + needs: + - publish-logic + - release-merge-guard + - label-gate permissions: contents: write packages: write id-token: write - if: | - always() && - needs.publish-logic.outputs.publish_release == 'true' && - (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped') + if: |- + needs.label-gate.outputs.authorised == 'true' && (always() && needs.publish-logic.outputs.publish_release == 'true' && (needs.release-merge-guard.result == 'success' || needs.release-merge-guard.result == 'skipped')) uses: ./.github/workflows/public-reusable-npm.yml secrets: inherit with: @@ -136,7 +158,7 @@ jobs: # Create GitHub release only for actual releases (after NPM publish) publish-release: needs: [publish-release-npm] - if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' + if: needs.publish-release-npm.result == 'success' && needs.publish-release-npm.outputs.published_version != '' permissions: contents: write uses: ./.github/workflows/create-github-release.yml @@ -148,8 +170,10 @@ jobs: workdir: "packages/rag" publish-feature-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_feature == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_feature == 'true') runs-on: ubuntu-latest environment: release permissions: @@ -170,8 +194,10 @@ jobs: name-suffix: "-mono" publish-tmp-gpr: - needs: publish-logic - if: needs.publish-logic.outputs.publish_tmp == 'true' + needs: + - publish-logic + - label-gate + if: needs.label-gate.outputs.authorised == 'true' && (needs.publish-logic.outputs.publish_tmp == 'true') runs-on: ubuntu-latest environment: release permissions: