diff --git a/.github/workflows/crd-validation.yml b/.github/workflows/crd-validation.yml
index f43e4b7d89..8eb8991ce0 100644
--- a/.github/workflows/crd-validation.yml
+++ b/.github/workflows/crd-validation.yml
@@ -2,10 +2,11 @@ name: CRD Validation
 on:
 pull_request:
- types: [opened, edited, synchronize, reopened]
+ types: [opened, edited, synchronize, reopened, labeled, unlabeled]
 permissions:
 contents: read
+ pull-requests: write
 jobs:
 crd-validation:
@@ -28,7 +29,17 @@ jobs:
 run: |
 go install sigs.k8s.io/crdify@latest
+ - name: Reset Validation Approval
+ if: github.event.action == 'synchronize' && contains(github.event.pull_request.labels.*.name, 'ack-breaking-changes')
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh pr edit ${{ github.event.pull_request.number }} --remove-label "ack-breaking-changes"
+ echo "⚠️ Removed 'ack-breaking-changes' label due to new changes. Re-approval required."
+
 - name: Run CRD Validation Check
+ env:
+ ALLOW_BREAKING: ${{ contains(github.event.pull_request.labels.*.name, 'ack-breaking-changes') && github.event.action != 'synchronize' }}
 run: |
 git fetch origin ${{ github.base_ref }}:upstream_base
 BASE_SHA=$(git rev-parse upstream_base)
@@ -37,15 +48,21 @@ jobs:
 for crd in config/crd/bases/*.yaml; do
 if ! crdify "git://${BASE_SHA}?path=$crd" "git://HEAD?path=$crd"; then
 echo "❌ Incompatible change detected in $crd"
- ((FAILED++))
+ FAILED=$((FAILED + 1))
 else
 echo "✅ $crd is valid"
 fi
 done
 if [ "$FAILED" -gt 0 ]; then
- echo "::error::Validation failed! Found $FAILED incompatible CRD change(s)."
- exit 1
+ if [[ "$ALLOW_BREAKING" == "true" ]]; then
+ echo "⚠️ Validation failed with $FAILED incompatible change(s), but allowed via 'ack-breaking-changes' label."
+ exit 0
+ else
+ echo "❌ error: Validation failed! Found $FAILED incompatible CRD change(s)."
+ echo "⚠️ notice: To allow these changes, a reviewer must add the 'ack-breaking-changes' label to the PR."
+ exit 1
+ fi
 fi
 echo "All CRDs are compatible."
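Review bot: The new `pull-requests: write` grant is placed at workflow level, so the whole `crd-validation` job gets a token that can modify pull requests, although only the label-reset step in the next hunk needs it. That same job runs `go install sigs.k8s.io/crdify@latest` (context in the next hunk), which puts an unpinned tool install next to a write-capable token. Consider keeping the workflow at `contents: read` and declaring `pull-requests: write` under the `permissions:` of a small separate job that does nothing but reset the label. A comment beside `types:` saying that `labeled` and `unlabeled` exist so the check re-evaluates when the acknowledgement label changes would also help the next maintainer.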
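Review bot: `ALLOW_BREAKING` trusts the label list in the event payload for every action except `synchronize`, so the gate is only sound if the reset step really removed the label after new commits. On pull requests from forks the `GITHUB_TOKEN` is normally read-only, so `gh pr edit --remove-label` would fail there, the label would stay, and a later `edited` or `reopened` run would evaluate the stale label against commits nobody acknowledged. A fail-closed form honours the label only in the run that its application triggers: `ALLOW_BREAKING: ${{ github.event.action == 'labeled' && github.event.label.name == 'ack-breaking-changes' }}`. That costs a re-label after a later `edited` run, but the approval can no longer go stale. The validation step's `run:` script continues past this hunk.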
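Review bot: The override branch ends in `exit 0` with only a log line, and the failure branch drops the `::error::` workflow command, so neither outcome appears as an annotation on the pull request. Keeping `echo "::error::Validation failed! Found $FAILED incompatible CRD change(s)."` and emitting `echo "::warning::$FAILED incompatible CRD change(s) allowed via 'ack-breaking-changes'"` before `exit 0` leaves a visible record of every acknowledged break. `if ! crdify …` counts any non-zero exit as an incompatibility, so with the label set a tool error would presumably be waved through as well; it is worth checking whether crdify's exit codes let the script tell the two apart. The message says a reviewer must add the label, but nothing visible in this diff verifies who applied it. The script starts before this hunk, so the initialisation of `FAILED` is not visible here.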