From cb245fd7d22ca19565cf85d8c2422c53f750c220 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Wed, 10 Jun 2026 14:10:55 -0700 Subject: [PATCH 1/2] chore: retire Mergify-replaceable reusable workflows (T8937) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Deletes 5 reusable workflows + labeler.yml now that the consumer fleet has been swept (Phase C + the Phase B straggler/LTS sweeps). Functionality preserved by central Mergify rules per spec ยง4a (base-branch labeling), ยง4b (author-assign), and the existing rules in vyos/mergify. Deleted: - .github/workflows/add-pr-labels.yml - .github/workflows/add-rebase-label.yml - .github/workflows/assign-author.yml - .github/workflows/check-pr-message.yml - .github/workflows/label-backport.yml - .github/labeler.yml (no remaining consumer) Preserved: - check-pr-conflict.yml โ€” final probe found 2 live consumers (vyos/vyos-documentation current + heads/rolling); deletion deferred. - check-pr-merge-conflict.yml (T8934 committed-marker case Mergify cannot replicate). - check-stale.yml (PR + issue stale stays in GHA per spec ยง2 deferred). - All lint/scan/CLA/build/trigger workflows + get-token composite. Advances: T8937 ๐Ÿค– Generated by [robots](https://vyos.io) --- .github/labeler.yml | 12 ----- .github/workflows/add-pr-labels.yml | 30 ----------- .github/workflows/add-rebase-label.yml | 33 ------------ .github/workflows/assign-author.yml | 22 -------- .github/workflows/check-pr-message.yml | 70 -------------------------- .github/workflows/label-backport.yml | 31 ------------ 6 files changed, 198 deletions(-) delete mode 100644 .github/labeler.yml delete mode 100644 .github/workflows/add-pr-labels.yml delete mode 100644 .github/workflows/add-rebase-label.yml delete mode 100644 .github/workflows/assign-author.yml delete mode 100644 .github/workflows/check-pr-message.yml delete mode 100644 .github/workflows/label-backport.yml 
diff --git a/.github/labeler.yml b/.github/labeler.yml
deleted file mode 100644
index 697f6f7..0000000
--- a/.github/labeler.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-equuleus:
- - any:
- - base-branch: 'equuleus'
-rolling:
- - any:
- - base-branch: 'rolling'
-circinus:
- - any:
- - base-branch: 'circinus'
-sagitta:
- - any:
- - base-branch: 'sagitta'
diff --git a/.github/workflows/add-pr-labels.yml b/.github/workflows/add-pr-labels.yml
deleted file mode 100644
index 6b93986..0000000
--- a/.github/workflows/add-pr-labels.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-name: Add pull request labels
-
-on:
- workflow_call:
-
-jobs:
- add-pr-label:
- name: Add PR Labels
- runs-on: ubuntu-latest
- permissions:
- contents: read
- pull-requests: write
- steps:
- - name: Bullfrog Secure Runner
- continue-on-error: true
- uses: bullfrogsec/bullfrog@v0.8.4
- with:
- egress-policy: audit
-
- - name: Checkout reusable actions repo
- uses: actions/checkout@v6
- with:
- repository: vyos/.github
- ref: production
- path: reusable-actions
- - uses: actions/labeler@v6
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- configuration-path: ./reusable-actions/.github/labeler.yml
diff --git a/.github/workflows/add-rebase-label.yml b/.github/workflows/add-rebase-label.yml
deleted file mode 100644
index c3bf146..0000000
--- a/.github/workflows/add-rebase-label.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: Add rebase label if the branch is > 50 commits behind
-
-on:
- workflow_call:
-
-jobs:
- add-rebase-label:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- pull-requests: write
- steps:
- - name: Checkout
- uses: actions/checkout@v6
- with:
- ref: ${{ github.event.pull_request.head.sha }}
- fetch-depth: 0
-
- - name: Bullfrog Secure Runner
- continue-on-error: true
- uses: bullfrogsec/bullfrog@v0.8.4
- with:
- egress-policy: audit
-
- - name: Set custom variables
- id: vars
- run: |
- echo "behind_by=$(git log --oneline origin/${{ github.base_ref }} ^${{ github.event.pull_request.head.sha }} | wc -l)" >> $GITHUB_OUTPUT
- - name: Add rebase label if needed
- if: ${{ steps.vars.outputs.behind_by > 50 }}
- uses: actions-ecosystem/action-add-labels@v1
- with:
- labels: rebase
\ No newline at end of file
diff --git a/.github/workflows/assign-author.yml b/.github/workflows/assign-author.yml
deleted file mode 100644
index 5d255da..0000000
--- a/.github/workflows/assign-author.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: "PR Triage"
-on:
- workflow_call:
-
-jobs:
- # https://github.com/marketplace/actions/auto-author-assign
- assign-author:
- runs-on: ubuntu-latest
- permissions:
- pull-requests: write
- contents: read
- steps:
- - name: Bullfrog Secure Runner
- continue-on-error: true
- uses: bullfrogsec/bullfrog@v0.8.4
- with:
- egress-policy: audit
-
- - name: "Assign Author to PR"
- uses: toshimaru/auto-author-assign@v1.6.2
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/check-pr-message.yml b/.github/workflows/check-pr-message.yml
deleted file mode 100644
index 2036424..0000000
--- a/.github/workflows/check-pr-message.yml
+++ /dev/null
@@ -1,70 +0,0 @@
----
- name: Check pull request message format
-
- on:
- workflow_call:
-
- jobs:
- check-pr-title:
- name: Check pull request title
- runs-on: ubuntu-latest
- permissions:
- pull-requests: write
- contents: read
- steps:
- - uses: actions/checkout@v6
- timeout-minutes: 2
-
- - name: Checkout reusable actions repo
- uses: actions/checkout@v6
- with:
- repository: vyos/.github
- ref: production
- path: reusable-actions
-
- - name: Check the PR title
- timeout-minutes: 2
- env:
- GH_TOKEN: ${{ github.token }}
- run: |
- source_pr_title=$(gh pr view "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" --json title -q .title)
- if echo "$source_pr_title" | grep -Pq '^(([a-zA-Z0-9\-_.]+:\s)?)T\d+:\s+[^\s]+.*'; then
- echo "PR title '$source_pr_title' is valid."
- echo "error_message=No issues in PR Title / Commit Title" >> $GITHUB_ENV
- else
- echo "PR title '$source_pr_title' does not match the required format!"
- echo "error_message=PR title does not match the required format" >> $GITHUB_ENV
- echo "Valid title example: T99999: make IPsec secure"
- exit 1
- fi
-
- - name: Check commit messages
- timeout-minutes: 2
- env:
- GH_TOKEN: ${{ github.token }}
- run: |
- # Fetch commit messages
- commits=$(gh pr view "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" --json commits -q '.commits[].messageHeadline')
- # Iterate over each commit message
- echo "$commits" | while IFS= read -r commit_message; do
- if echo "$commit_message" | grep -Pq '^(([a-zA-Z0-9\-_.]+:\s)?)T\d+:\s+[^\s]+.*'; then
- echo "Commit message '$commit_message' is valid."
- else
- echo "Commit message '$commit_message' does not match the required format!"
- echo "error_message=PR title does not match the required format" >> $GITHUB_ENV
- echo "Valid commit message example: T99999: make IPsec secure"
- exit 1
- fi
- done
- echo "All commit messages are valid."
- echo "error_message=No issues in PR Title / Commit Title" >> $GITHUB_ENV
-
- - name: Add PR comment
- if: always()
- uses: mshick/add-pr-comment@v2
- with:
- message: |-
- ${{ env.error_message == 'No issues in PR Title / Commit Title' && '๐Ÿ‘' || 'โŒ' }}
- ${{ env.error_message }}
- message-id: "TITLE_COMMIT_VALIDATION"
- allow-repeats: false
\ No newline at end of file
diff --git a/.github/workflows/label-backport.yml b/.github/workflows/label-backport.yml
deleted file mode 100644
index 234756f..0000000
--- a/.github/workflows/label-backport.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: Label backport
-
-on:
- workflow_call:
-
-jobs:
- mergifyio_backport:
- runs-on: ubuntu-latest
- permissions:
- pull-requests: write
- contents: read
- steps:
- - uses: actions/checkout@v6
-
- - name: Bullfrog Secure Runner
- continue-on-error: true
- uses: bullfrogsec/bullfrog@v0.8.4
- with:
- egress-policy: audit
-
- - uses: actions-ecosystem/action-regex-match@v2
- id: regex-match
- with:
- text: ${{ github.event.comment.body }}
- regex: '@[Mm][Ee][Rr][Gg][Ii][Ff][Yy][Ii][Oo] backport '
-
- - uses: actions-ecosystem/action-add-labels@v1
- if: ${{ steps.regex-match.outputs.match != '' }}
- with:
- github_token: ${{ secrets.GITHUB_TOKEN }}
- labels: backport
From 06fb6bb7e1da73e1edd4258f5435e3830abe56e6 Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Wed, 10 Jun 2026 14:20:58 -0700 Subject: [PATCH 2/2] docs: update AGENTS.md for retired reusables (T8937 adversarial-review findings) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Advances: T8937 ๐Ÿค– Generated by [robots](https://vyos.io) --- AGENTS.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/AGENTS.md b/AGENTS.md
index 282d8b5..923c54d 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -26,7 +26,7 @@ python scripts/transclude-template
 ## Repository layout
-- `.github/workflows/` โ€” reusable workflows: PR labels (`add-pr-labels`, `add-rebase-label`, `label-backport`, `assign-author`, `check-stale`), PR validation (`check-pr-message`, `check-pr-conflict`, `check-pr-merge-conflict`), linting (`lint-doc`, `lint-j2`, `lint-with-ruff`, `lint-with-darker-ruff`, `check-unused-imports`, `check-typos`), security (`codeql-analysis`), CLA (`cla-check`), package rebuilds (`trigger-rebuild-repo-package`, `trigger-and-wait-rebuild-repo-package`), mirror (`pr-mirror-repo-sync`).
+- `.github/workflows/` โ€” reusable workflows: staleness (`check-stale`), PR validation (`check-pr-conflict`, `check-pr-merge-conflict`), linting (`lint-doc`, `lint-j2`, `lint-with-ruff`, `lint-with-darker-ruff`, `check-unused-imports`, `check-typos`), security (`codeql-analysis`), CLA (`cla-check`), package rebuilds (`trigger-rebuild-repo-package`, `trigger-and-wait-rebuild-repo-package`), mirror (`pr-mirror-repo-sync`). PR labeling, author-assign, and title/commit-format checks moved to central Mergify rules in `vyos/mergify` (T8937 retirement).
 - `.github/doc-linter.py` โ€” RST/TXT linter (RFC 5737/3849 IPs, โ‰ค80-char lines, `.. stop_vyoslinter` toggles).
 - `.github/.typos.toml` โ€” default `typos` config; excludes `smoketest/**`, `mibs/**`.
 - `scripts/` โ€” helpers (Python + shell).
@@ -39,8 +39,8 @@ This repo is the canonical workflow library for both orgs. Consumers reference w
 ## Conventions
-- Commit / PR title format: `component: T12345: description`. Phorge task ID at https://vyos.dev mandatory. Enforced by `check-pr-message.yml` on the PR title and every commit.
-- This repo's own default branch is `production` (renamed from `current` in rollout 1c). Release-train branch model (in consumer repos, mapped by `add-pr-labels.yml`): `rolling` (renamed from `current`), `circinus` (1.5 LTS), `sagitta` (1.4 LTS), `equuleus` (1.3 LTS).
+- Commit / PR title format: `component: T12345: description`. Phorge task ID at https://vyos.dev mandatory. Enforced by Mergify merge protections (per-product-repo `invalid-task-id` rule + central `invalid-title`/`invalid-body`, T8966).
+- This repo's own default branch is `production` (renamed from `current` in rollout 1c). Release-train branch model (in consumer repos, labeled by central Mergify base-branch rules): `rolling` (renamed from `current`), `circinus` (1.5 LTS), `sagitta` (1.4 LTS), `equuleus` (1.3 LTS).
 - Backports: `@Mergifyio backport ` (built-in Mergify command). The mirror pipeline injects these from `bp/` source labels.
 - Workflows here must be reusable (`workflow_call`); avoid adding non-reusable workflows unless necessary (the only current exception is `cla-check.yml`, which uses `pull_request_target`).
 - Most jobs include a `bullfrogsec/bullfrog@v0.8.4` egress-audit step (non-fatal).