Approve GitHub Actions workflow runs on /ok-to-test #612

Merged: k8s-ci-robot merged 1 commit into kubernetes-sigs:main from cblecker:feat/approve-workflow-runs on Feb 6, 2026

cblecker commented Feb 5, 2026

Member

Summary

When /ok-to-test is issued by a trusted user and TriggerGitHubWorkflows is enabled, automatically approve any pending GitHub Actions workflow runs for the PR. This enables a unified workflow where /ok-to-test both triggers Prow jobs AND approves GitHub Actions workflows from fork PRs.

Changes

GitHub Client (pkg/github/client.go)

  • Added GetPendingApprovalActionRuns method to retrieve workflow runs with status=action_required for a PR's head SHA
  • Added ApproveGitHubWorkflowRun method to approve pending workflow runs via GitHub API
  • Updated Client interface to include both new methods

Trigger Plugin (pkg/plugins/trigger/)

  • Added approval logic in generic-comment.go that triggers on /ok-to-test when TriggerGitHubWorkflows=true
  • Added approveGitHubActionsWorkflowRuns helper function that:
    • Fetches pending workflow runs for the PR head SHA
    • Approves each run asynchronously using goroutines
    • Handles errors gracefully (403/404 logged at info level, others at error level)
    • Logs SHA used in lookup for debugging PR head sync issues
  • Updated githubClient interface in trigger.go to include new methods

Fake Client (pkg/github/fakegithub/fakegithub.go)

  • Added PendingApprovalRuns field to track pending runs by "org/repo/branch/sha"
  • Added ApprovedWorkflowRuns field to track approval attempts
  • Implemented fake versions of both new methods for testing

Tests

  • GitHub Client Tests (pkg/github/client_test.go):

    • TestGetPendingApprovalActionRuns - Verifies API calls with correct query parameters (status=action_required, event filters)
    • TestApproveGitHubWorkflowRun - Tests successful approval and error cases (201, 403, 404)
  • Trigger Plugin Tests (pkg/plugins/trigger/generic-comment_test.go):

    • TestApproveGitHubActionsWorkflowRuns - Comprehensive test covering:
      • Approval triggers on /ok-to-test with TriggerGitHubWorkflows=true
      • No approval when TriggerGitHubWorkflows=false
      • No approval on /test all or /retest
      • No approval when IgnoreOkToTest=true
      • Handles multiple pending runs ✓
      • Gracefully handles no pending runs ✓

Behavior

When approval is triggered:

  • Only on /ok-to-test command (not /test all or /retest)
  • Only when TriggerGitHubWorkflows configuration flag is enabled
  • Only for pull_request and pull_request_target triggered workflows

Error handling:

  • 403 (already approved) and 404 (run completed) errors are logged at info level as expected cases
  • Unexpected errors are logged at error level
  • Errors do not block the /ok-to-test command from proceeding

Design rationale:

  • Reuses existing TriggerGitHubWorkflows flag (semantic expansion - existing users automatically get this behavior)
  • Asynchronous approval via goroutines prevents blocking the main workflow
  • Best-effort approach ensures the core /ok-to-test functionality isn't impacted by approval failures

Testing

All tests pass:

go test ./pkg/github/... -run 'TestGetPendingApprovalActionRuns|TestApproveGitHubWorkflowRun' -v
go test ./pkg/plugins/trigger/... -run 'TestApproveGitHubActionsWorkflowRuns' -v

No regressions in existing test suites:

go test ./pkg/github/...
go test ./pkg/plugins/trigger/...
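
The approval behaviour described in the PR summary above, as an added example that is not the code merged in this PR: it approves only pending runs bound to the PR head SHA and triggered by pull_request or pull_request_target, and classifies 201, 403/404 and other statuses the way the summary describes. The Run type, the approve callback, the client-side SHA re-check and the sample SHAs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync"
)

// Run is a hypothetical stand-in for a workflow run in action_required state.
type Run struct {
	ID             int64
	HeadSHA, Event string
}

// classify maps the approval call's HTTP status to the handling the PR describes.
func classify(status int) string {
	switch status {
	case 201:
		return "approved"
	case 403, 404: // already approved / run completed: expected, info level
		return "info"
	}
	return "error" // anything else is unexpected
}

// ApprovePending approves, concurrently, only runs bound to headSHA and triggered
// by pull_request or pull_request_target; approve (assumed) returns the HTTP status.
func ApprovePending(headSHA string, runs []Run, approve func(id int64) int) []string {
	res := make([]string, len(runs)) // one slot per goroutine, so no lock needed
	var wg sync.WaitGroup
	for i, r := range runs {
		if r.HeadSHA != headSHA || (r.Event != "pull_request" && r.Event != "pull_request_target") {
			res[i] = "skipped" // other commit or trigger: left pending
			continue
		}
		wg.Add(1)
		go func(i int, id int64) {
			defer wg.Done()
			res[i] = classify(approve(id))
		}(i, r.ID)
	}
	wg.Wait()
	return res
}

func main() {
	// Constructed sample: run 2 belongs to an older commit, run 3 is a push event.
	runs := []Run{{1, "aaa111", "pull_request"}, {2, "bbb222", "pull_request"}, {3, "aaa111", "push"}}
	fmt.Println(ApprovePending("aaa111", runs, func(int64) int { return 201 }))
}
```

Outcomes are returned in the order of the input runs, so a run pushed after the trusted /ok-to-test comment shows up as skipped rather than approved.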

netlify Bot commented Feb 5, 2026

Deploy Preview for k8s-prow ready!

Name Link
🔨 Latest commit 0f2446a
🔍 Latest deploy log https://app.netlify.com/projects/k8s-prow/deploys/6984043eeaeac20008b6de46
😎 Deploy Preview https://deploy-preview-612--k8s-prow.netlify.app

@k8s-ci-robot

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cblecker

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot requested a review from cjwagner February 5, 2026 02:10
@k8s-ci-robot k8s-ci-robot added the area/plugins Issues or PRs related to prow's plugins for the hook component label Feb 5, 2026
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 5, 2026
Add automatic approval of pending GitHub Actions workflow runs when
/ok-to-test is issued by a trusted user with TriggerGitHubWorkflows enabled.

Changes:
- Add GetPendingApprovalActionRuns and ApproveGitHubWorkflowRun methods to GitHub client
- Update trigger plugin interface to include new methods
- Add approval logic in generic-comment handler for /ok-to-test command
- Implement fake client methods for testing
- Add comprehensive unit tests for all new functionality

The approval:
- Only triggers on /ok-to-test (not /test all or /retest)
- Only approves pull_request and pull_request_target triggered workflows
- Handles errors gracefully (403/404 logged at info level)
- Logs SHA for debugging PR head sync issues
- Uses goroutines for non-blocking approval

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@cblecker cblecker force-pushed the feat/approve-workflow-runs branch from 0cb79d4 to 0f2446a February 5, 2026 02:45
Prucek commented Feb 6, 2026

Member

/lgtm
Just curious, what is the current state? What/Who approves the GitHub actions?

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 6, 2026
@k8s-ci-robot k8s-ci-robot merged commit 85e3dda into kubernetes-sigs:main Feb 6, 2026
11 checks passed
@cblecker cblecker deleted the feat/approve-workflow-runs branch February 6, 2026 15:39
@stevehipwell

@cblecker would this be implemented for a net-new project by adding an entry to triggers in the plugins config file of kubernetes/test-infra? There are a couple of sigs projects where I've implemented this directly in GH Actions and would like to swap over to this implementation. Are there any side effects to be aware of?

cblecker commented Mar 4, 2026

Member Author

@stevehipwell Yup, that should be all it takes. No side effects that I've seen so far.

@stevehipwell

@cblecker for clarity, I meant what (if any) are the side effects of adding a repo to triggers not specifically the GitHub automation setting.

cblecker commented Mar 5, 2026

Member Author

@stevehipwell

@cblecker I'm just checking that by adding repos (metrics-server & external-dns) to the triggers to get the new behaviour (and replace a custom workflow), I won't introduce any new behaviour as a side effect?

cblecker commented Mar 5, 2026

Member Author

@stevehipwell No, I am not aware of any side effects. That doesn't mean you might not find any as we're all just humans working with code, but to the best of my knowledge and experience, this is pretty straightforward. If you do find anything strange, feel free to open an issue. 😄
