From dae39d2245ac1f07b10c03195e09e24e3f602637 Mon Sep 17 00:00:00 2001
From: Shubhika Garg
Date: Wed, 17 Jun 2026 10:06:46 +0200
Subject: [PATCH 1/6] ci: skip ci when no mandatory ci label present on PR

- Add check-labels job that runs first on the PR events
- Fail early if none of the mandatory CI labels are present (BUILD-ONLY, documentation, 4G-LTE, 5G-NR, nrUE, CI, retrigger-ci)
- Skip detect-changes, require-maintainer-approval and trigger-jenkins when no mandatory CI label is found
- Push events are unaffected by the label check
- For labeled events, only retrigger-ci triggers the pipeline; any other label addition is skipped
Signed-off-by: Shubhika Garg
---
 .github/workflows/jenkins-dispatch.yml | 36 +++++++++++++++++++++++--
 ci-scripts/Jenkinsfile-GitHub-Container | 12 ---------
 2 files changed, 34 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/jenkins-dispatch.yml b/.github/workflows/jenkins-dispatch.yml
index 839d60c59b..86b79863d1 100644
--- a/.github/workflows/jenkins-dispatch.yml
+++ b/.github/workflows/jenkins-dispatch.yml
@@ -17,12 +17,43 @@ permissions:
 pull-requests: write
 jobs:
+ check-labels:
+ runs-on: ubuntu-24.04
+
+ if: github.event_name == 'pull_request_target'
+
+ steps:
+ - name: Check for mandatory CI label
+ run: |
+ PR_LABELS=$(echo '${{ toJson(github.event.pull_request.labels) }}' | jq -r '.[].name')
+
+ for label in \
+ "${{ vars.BUILD_ONLY_LABEL }}" \
+ "${{ vars.DOC_LABEL }}" \
+ "${{ vars.NR_LABEL }}" \
+ "${{ vars.NRUE_LABEL }}" \
+ "${{ vars.LTE_LABEL }}" \
+ "${{ vars.CI_LABEL }}" \
+ "${{ vars.RETRIGGER_CI_LABEL }}"; do
+ if echo "$PR_LABELS" | grep -qxF "$label"; then
+ exit 0
+ fi
+ done
+
+ exit 1
+
 detect-changes:
+ needs: check-labels
 runs-on: ubuntu-24.04
 if: |
- github.event.action != 'labeled' ||
- github.event.label.name == vars.RETRIGGER_CI_LABEL
+ always() && (
+ github.event_name == 'push' ||
+ needs.check-labels.result == 'success'
+ ) && (
+ github.event.action != 'labeled' ||
+ github.event.label.name == vars.RETRIGGER_CI_LABEL
+ )
 outputs:
 protected_files_changed: ${{ steps.filter.outputs.protected }}
@@ -61,6 +92,7 @@ jobs:
 trigger-jenkins:
 needs:
+ - check-labels
 - detect-changes
 - require-maintainer-approval
diff --git a/ci-scripts/Jenkinsfile-GitHub-Container b/ci-scripts/Jenkinsfile-GitHub-Container
index 65c389e9aa..8b783cd46e 100644
--- a/ci-scripts/Jenkinsfile-GitHub-Container
+++ b/ci-scripts/Jenkinsfile-GitHub-Container
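Review bot: In the `Check for mandatory CI label` step, `${{ toJson(github.event.pull_request.labels) }}` is pasted into the script between single quotes, so an apostrophe in any label name or description ends the quoting and the rest of the JSON is parsed as shell inside a `pull_request_target` job. Passing the JSON through `env:` keeps it as data. The loop also fails open: an unset `vars.*_LABEL` variable expands to `""`, and `grep -qxF ""` matches the single empty line that `echo "$PR_LABELS"` prints for a PR with no labels, so the job exits 0. Skipping empty entries before the `grep` closes that.

```yaml
      - name: Check for mandatory CI label
        env:
          PR_LABELS_JSON: ${{ toJson(github.event.pull_request.labels) }}
        run: |
          PR_LABELS=$(printf '%s' "$PR_LABELS_JSON" | jq -r '.[].name')
          # … unchanged: for label in … "${{ vars.RETRIGGER_CI_LABEL }}"; do …
            [ -n "$label" ] || continue  # unset repository variable
          # … unchanged: grep -qxF test, done, exit 1 …
```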
@@ -96,18 +96,6 @@ pipeline {
 echo '\u2705 \u001B[32mVerify Labels\u001B[0m'
 script {
 if (env.GITHUB_PR_NUMBER) {
- if (!(env.GITHUB_PR_LABELS)) {
- def gitBaseUrl = env.GIT_URL.trim().replace('.git', '')
- def message = "**CI Build:** [#${env.BUILD_NUMBER}](${BUILD_URL}) | Not performing CI due to the absence of one of the following mandatory labels:\n"
- message += "- ${gitBaseUrl}/labels/documentation (don't perform any stages)\n"
- message += "- ${gitBaseUrl}/labels/BUILD-ONLY (execute only build stages)\n"
- message += "- ${gitBaseUrl}/labels/4G-LTE (perform 4G tests)\n"
- message += "- ${gitBaseUrl}/labels/5G-NR (perform 5G tests)\n"
- message += "- ${gitBaseUrl}/labels/nrUE (perform only 5G-UE related tests including physims excluding LDPC tests)\n"
- message += "- ${gitBaseUrl}/labels/CI (perform both 4G and 5G tests)\n"
- githubPRComment comment: githubPRMessage(message)
- error('Not performing CI due to lack of mandatory labels')
- }
 if (env.GITHUB_PR_LABELS.contains('CI')) {
 do4Gtest = true
 do5Gtest = true
From 16e9aa8ae6e38f4028406a631e21b0964850d631 Mon Sep 17 00:00:00 2001
From: Shubhika Garg
Date: Wed, 17 Jun 2026 13:38:12 +0200
Subject: [PATCH 2/6] ci: Add check for unsigned commits in the PR

- Add verify-signed-commits job that runs on PR
- check-labels and all downstream jobs are skipped if signed commmit verifications fails
- Fetch all commits in the PR via GitHub API and check verification status
- Fail and print the unsigned commit SHAs if any unsigned commits are found.
Signed-off-by: Shubhika Garg
---
 .github/workflows/jenkins-dispatch.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.github/workflows/jenkins-dispatch.yml b/.github/workflows/jenkins-dispatch.yml
index 86b79863d1..4706d0306e 100644
--- a/.github/workflows/jenkins-dispatch.yml
+++ b/.github/workflows/jenkins-dispatch.yml
@@ -17,7 +17,26 @@ permissions:
 pull-requests: write
 jobs:
+ verify-signed-commits:
+ runs-on: ubuntu-24.04
+
+ if: github.event_name == 'pull_request_target'
+
+ steps:
+ - name: Check all commits are signed
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ UNSIGNED=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
+ --paginate --jq '[.[] | select(.commit.verification.verified == false) | .sha[:7]] | join(", ")')
+
+ if [ -n "$UNSIGNED" ]; then
+ echo "::error::Unsigned commits found: $UNSIGNED"
+ exit 1
+ fi
+
 check-labels:
+ needs: verify-signed-commits
 runs-on: ubuntu-24.04
 if: github.event_name == 'pull_request_target'
From 90545e6b7c03da9b4a04ecb7507349ccf8b207b2 Mon Sep 17 00:00:00 2001
From: Jaroslava Fiedlerova
Date: Wed, 17 Jun 2026 15:13:15 +0200
Subject: [PATCH 3/6] test from jfiedlerova fork

Signed-off-by: Jaroslava Fiedlerova
---
 .github/workflows/jenkins-dispatch.yml | 32 +++++++-------------------
 1 file changed, 8 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/jenkins-dispatch.yml b/.github/workflows/jenkins-dispatch.yml
index 4706d0306e..0ad5ac8994 100644
--- a/.github/workflows/jenkins-dispatch.yml
+++ b/.github/workflows/jenkins-dispatch.yml
@@ -3,10 +3,10 @@ name: Duranta Jenkins Dispatch
 on:
 pull_request_target:
 types: [opened, synchronize, reopened, labeled]
- branches: [develop]
+ branches: [ci-duranta-fixes]
 push:
 branches:
- - develop
+ - ci-duranta-fixes
 concurrency:
 group: ${{ github.event_name }}-${{ github.event.action }}-${{ github.event.pull_request.number || github.ref }}
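Review bot: The `select(.commit.verification.verified == false)` filter in `Check all commits are signed` only catches an explicit `false`, so a commit whose `verification` value is missing or null passes; `select(.commit.verification.verified != true)` rejects everything that is not positively verified. The pull-request commits endpoint returns at most 250 commits, so it is worth comparing the number of commits returned with `github.event.pull_request.commits` and failing when they differ. Keep in mind that `verified` only says GitHub could validate the signature against a key registered on some account; it does not identify a trusted author, so this job should complement the maintainer-approval gate rather than stand in for it.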
@@ -47,13 +47,10 @@ jobs:
 PR_LABELS=$(echo '${{ toJson(github.event.pull_request.labels) }}' | jq -r '.[].name')
 for label in \
- "${{ vars.BUILD_ONLY_LABEL }}" \
- "${{ vars.DOC_LABEL }}" \
- "${{ vars.NR_LABEL }}" \
- "${{ vars.NRUE_LABEL }}" \
- "${{ vars.LTE_LABEL }}" \
- "${{ vars.CI_LABEL }}" \
- "${{ vars.RETRIGGER_CI_LABEL }}"; do
+ "BUILD-ONLY" \
+ "documentation" \
+ "5G-NR" \
+ "nrUE" \
 if echo "$PR_LABELS" | grep -qxF "$label"; then
 exit 0
 fi
@@ -103,11 +100,8 @@ jobs:
 runs-on: ubuntu-24.04
- environment:
- name: ci-approval
-
 steps:
- - run: echo "Maintainer has approved the changes"
+ - run: echo "Changes to be approved"
 trigger-jenkins:
 needs:
@@ -144,17 +138,7 @@ jobs:
 if [ "$EVENT_NAME" = "pull_request_target" ]; then
 EVENT_NAME="pull_request"
 fi
-
- curl -X POST "https://${{ secrets.J_USER }}:${{ secrets.J_PASS }}@${{ secrets.J_URL }}" \
- -H "Accept: */*" \
- -H "Content-Type: application/json" \
- -H "User-Agent: GitHub-Hookshot/${{ secrets.H_AGENT }}" \
- -H "X-Github-Delivery: ${{ secrets.GITHUB_TOKEN }}" \
- -H "X-Github-Event: $EVENT_NAME" \
- -H "X-Github-Hook-Id: ${{ secrets.H_ID }}" \
- -H "X-Github-Hook-Installation-Target-Id: ${{ secrets.H_TARGET }}" \
- -H "X-Github-Hook-Installation-Target-Type: repository" \
- --data @/tmp/filtered_payload.json
+ echo '${{ toJson(github.event) }}'
 - name: Remove retrigger-ci label
 if: always() && github.event.action == 'labeled' && github.event.label.name == vars.RETRIGGER_CI_LABEL
From b9172b2e2cb44fe203f24fe6170a98d9120da2be Mon Sep 17 00:00:00 2001
From: Shubhika Garg
Date: Wed, 17 Jun 2026 15:21:41 +0200
Subject: [PATCH 4/6] Test GitHub actions CI from fork

Signed-off-by: Shubhika Garg
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 0bee583535..b925cbbfd8 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
+
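Review bot: The hard-coded list in the `for label in` loop omits `4G-LTE`, `CI` and `retrigger-ci`, which the PATCH 1/6 message lists as mandatory and which the Jenkinsfile still acts on (`env.GITHUB_PR_LABELS.contains('CI')`), so a PR carrying only one of those labels would now fail `check-labels`. The rest of the workflow still compares against `vars.RETRIGGER_CI_LABEL`, so literals here can drift from the configured names. If this is only meant for testing from a fork, it should not land as is; the same list appears again in PATCH 5/6. The step's script continues outside the hunk.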
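Review bot: Removing `environment:` / `name: ci-approval` leaves what appears to be the `require-maintainer-approval` job as a single `echo` step, so nothing in the visible lines makes it wait for a reviewer before `trigger-jenkins` runs. If the environment's protection rule was the approval gate for changes to protected files (the `protected_files_changed` output in PATCH 1/6 suggests so), those two lines should be restored before this goes beyond the test branch. The job header is outside the hunk, so the job name is inferred.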
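Review bot: `echo '${{ toJson(github.event) }}'` expands the whole event payload into the script text before bash runs, and under `pull_request_target` that payload contains fields the PR author controls (title, body, branch name), so a single quote in any of them ends the quoting in a job that runs with the `pull-requests: write` token. If the payload has to be printed for debugging, read it from the file the runner already provides, `cat "$GITHUB_EVENT_PATH"`, or pass it through `env:` and print the variable. The line also writes the full event to the job log, which anyone able to view the workflow run can read. The step this line belongs to starts outside the hunk.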

Duranta OAI

From 245fdeb1184a26c79e7cf975b728263c1c890b72 Mon Sep 17 00:00:00 2001
From: Shubhika Garg
Date: Wed, 17 Jun 2026 15:33:47 +0200
Subject: [PATCH 5/6] fix label check syntax in actions

Signed-off-by: Shubhika Garg
---
 .github/workflows/jenkins-dispatch.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/jenkins-dispatch.yml b/.github/workflows/jenkins-dispatch.yml
index 0ad5ac8994..b39189a322 100644
--- a/.github/workflows/jenkins-dispatch.yml
+++ b/.github/workflows/jenkins-dispatch.yml
@@ -50,7 +50,7 @@ jobs:
 "BUILD-ONLY" \
 "documentation" \
 "5G-NR" \
- "nrUE" \
+ "nrUE"; do
 if echo "$PR_LABELS" | grep -qxF "$label"; then
 exit 0
 fi
From 4b0c7759606d9684a0d2efd31ffe8985a3b94289 Mon Sep 17 00:00:00 2001
From: Shubhika Garg
Date: Wed, 17 Jun 2026 15:53:01 +0200
Subject: [PATCH 6/6] test sans signed commits

Signed-off-by: Shubhika Garg
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index b925cbbfd8..92ccffea79 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@
+