ci: add dependency guard backfill label trigger (#87866)

RomneyDa · web-flow · commit 5a6472718da9 · 2026-05-28T20:26:32.000-07:00
diff --git a/.github/workflows/dependency-guard.yml b/.github/workflows/dependency-guard.yml
@@ -2,7 +2,7 @@ name: Dependency Guard
 
 on:
   pull_request_target: # zizmor: ignore[dangerous-triggers] checks trusted base script only; never checks out PR head
-    types: [opened, reopened, synchronize, ready_for_review]
+    types: [opened, reopened, synchronize, ready_for_review, labeled]
 
 permissions:
   contents: read
@@ -15,7 +15,7 @@ concurrency:
 
 jobs:
   dependency-guard:
-    if: ${{ !github.event.pull_request.draft }}
+    if: ${{ !github.event.pull_request.draft && (github.event.action != 'labeled' || github.event.label.name == 'dependency-guard-backfill') }}
     runs-on: ubuntu-24.04
     timeout-minutes: 5
     steps:
diff --git a/test/scripts/dependency-guard-workflow.test.ts b/test/scripts/dependency-guard-workflow.test.ts
@@ -13,13 +13,19 @@ type WorkflowStep = {
 };
 
 type WorkflowJob = {
+  if?: string;
   name?: string;
   steps?: WorkflowStep[];
 };
 
 type Workflow = {
   jobs?: Record<string, WorkflowJob>;
   name?: string;
+  on?: {
+    pull_request_target?: {
+      types?: string[];
+    };
+  };
   permissions?: Record<string, string>;
 };
 
@@ -36,6 +42,21 @@ describe("dependency guard workflow", () => {
     expect(parsed.jobs?.["dependency-guard"]?.name).toBeUndefined();
   });
 
+  it("allows one temporary label trigger for required-check backfill", () => {
+    const parsed = readWorkflow();
+    const job = parsed.jobs?.["dependency-guard"];
+
+    expect(parsed.on?.pull_request_target?.types).toEqual([
+      "opened",
+      "reopened",
+      "synchronize",
+      "ready_for_review",
+      "labeled",
+    ]);
+    expect(job?.if).toContain("github.event.action != 'labeled'");
+    expect(job?.if).toContain("github.event.label.name == 'dependency-guard-backfill'");
+  });
+
   it("uses a metadata-only pull_request_target workflow with minimal write permissions", () => {
     const workflow = readFileSync(WORKFLOW, "utf8");
     const parsed = readWorkflow();
