From 1e18b984ab73e738cc8ef11eb0c5128f1d8c7ab7 Mon Sep 17 00:00:00 2001
From: Michael Zalimeni
Date: Tue, 24 Sep 2024 10:49:51 -0400
Subject: [PATCH 1/2] ci: fix conditional skip and add safeguard

---
 .github/scripts/check_skip_ci.sh | 23 +++++++++++++++----
 .github/workflows/build.yml | 14 ++++++++---
 .../workflows/consul-dataplane-checks.yaml | 4 ++--
 .../workflows/reusable-conditional-skip.yml | 12 +++++++++-
 .github/workflows/security-scan.yml | 4 ++++
 5 files changed, 46 insertions(+), 11 deletions(-)

diff --git a/.github/scripts/check_skip_ci.sh b/.github/scripts/check_skip_ci.sh
index 0f65e46e..2396c53f 100755
--- a/.github/scripts/check_skip_ci.sh
+++ b/.github/scripts/check_skip_ci.sh
@@ -6,17 +6,30 @@ set -euo pipefail
 
 # Get the list of changed files
 # Using `git merge-base` ensures that we're always comparing against the correct branch point.
-#For example, given the commits:
+# For example, given the commits:
 #
 # A---B---C---D---W---X---Y---Z # origin/main
 # \---E---F # feature/branch
 #
-# ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD` would return commit `D`
-# `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD)..
-files_to_check=$(git diff --name-only "$(git merge-base origin/$SKIP_CHECK_BRANCH HEAD~)"...HEAD)
+# ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD~` would return commit `D` for a `pull_request` event.
+#
+# `HEAD~` means that:
+# - For `push` events to a protected branch, the merge base is the commit before HEAD (the latest commit
+#   before the push). The diff will come from the pushed changes, assuming the repo requires squash-merge.
+# - For `pull_request` events, the merge base is the last common commit between the base ref
+#   (`origin/$skip_check_branch`) and the last "real" commit on the PR branch, before the PR branch
+#   merge commit added by GH. The diff will come from the changes in the PR branch.
+skip_check_branch=${SKIP_CHECK_BRANCH:?SKIP_CHECK_BRANCH is required}
+merge_base=$(git merge-base origin/$skip_check_branch HEAD~)
+echo "merge_base: $merge_base"
+
+# `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD).
+echo "diff commits:"
+git log "$merge_base...HEAD" --oneline
+files_to_check=$(git diff --name-only $merge_base...HEAD)
 
 # Define the directories to check
-skipped_directories=("_doc/" ".changelog/")
+skipped_directories=("_doc/" ".changelog/" ".github/")
 
 # Loop through the changed files and find directories/files outside the skipped ones
 files_to_check_array=($files_to_check)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 42b38b49..e323c9c3 100644
--- a/.github/workflows/build.yml
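Review bot: Adding `.github/` to `skipped_directories` means a change that touches only workflow files or this script — including `reusable-conditional-skip.yml` and `check_skip_ci.sh` themselves — is presumably reported as skippable (the output is computed further down, outside this hunk), so the CI configuration becomes the one part of the repository that the required checks never exercise before merge, and a mistaken edit to the skip logic would be merged green by the very jobs that consume it. Consider keeping `.github/workflows/` and `.github/scripts/` out of the skip, e.g. retain `skipped_directories=("_doc/" ".changelog/")` and list only the documentation-like subpaths of `.github/` you actually want ignored. Minor consistency point: `git log "$merge_base...HEAD"` quotes the range while the next line does not; `files_to_check=$(git diff --name-only "$merge_base...HEAD")` keeps the two alike. The new `HEAD~` comment documents that the push case assumes squash merges; a multi-commit push to a protected branch would only diff the last commit, so that assumption is worth stating as a repository-settings requirement rather than a comment. The loop that consumes `files_to_check_array` continues outside the hunk.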
+++ b/.github/workflows/build.yml
@@ -1,15 +1,23 @@
 name: build
 
-# We now default to running this workflow on every push to every branch.
+# We now default to running this workflow on every pull_request push
+# in addition to protected branch push.
+#
 # This provides fast feedback when build issues occur, so they can be
-# fixed prior to being merged to the main branch.
+# fixed prior to being merged.
 #
 # If you want to opt out of this, and only run the build on certain branches
 # please refer to the documentation on branch filtering here:
 #
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore
 #
-on: [workflow_dispatch, push]
+on:
+  push:
+    branches:
+      - main
+      - release/**
+  pull_request:
+  workflow_dispatch:
 
 env:
   PKG_NAME: "consul-dataplane"
diff --git a/.github/workflows/consul-dataplane-checks.yaml b/.github/workflows/consul-dataplane-checks.yaml
index d0b59434..79d821ca 100644
--- a/.github/workflows/consul-dataplane-checks.yaml
+++ b/.github/workflows/consul-dataplane-checks.yaml
@@ -3,8 +3,8 @@ name: consul-dataplane-checks
 on:
   push:
     branches:
-      - main
-      - 'release/*.*.x'
+      - main
+      - release/**
   pull_request:
 
 jobs:
diff --git a/.github/workflows/reusable-conditional-skip.yml b/.github/workflows/reusable-conditional-skip.yml
index ef469ee9..649d9109 100644
--- a/.github/workflows/reusable-conditional-skip.yml
+++ b/.github/workflows/reusable-conditional-skip.yml
@@ -14,8 +14,18 @@ jobs:
     outputs:
       skip-ci: ${{ steps.check-changed-files.outputs.skip-ci }}
     env:
-      SKIP_CHECK_BRANCH: ${{ github.head_ref || github.ref_name }}
+      # Use the base branch for PR, or the head of the current branch for push.
+      SKIP_CHECK_BRANCH: ${{ github.base_ref || github.ref_name }} # tmp test
     steps:
+      - name: Ensure conditional check is allowed
+        if: ${{ !github.base_ref && !github.ref_protected }}
+        run: |
+          echo "Conditional skip requires a PR event with `base_ref` or `push` to a protected branch."
+          echo "github.base_ref: ${{ github.base_ref }}"
+          echo "github.ref_protected: ${{ github.ref_protected }}"
+          echo "github.ref_name: ${{ github.ref_name }}"
+          echo "Check the triggers of the calling workflow to ensure that these requirements are met."
+          exit 1
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 9bd0c638..ddcbb547 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -1,3 +1,5 @@
+# This job runs a non-blocking informational security scan on the repository.
+# For release-blocking security scans, see .release/security-scan.hcl.
 name: Security Scan
 
 on:
@@ -9,6 +11,8 @@ on:
     branches:
       - main
       - release/**
+    # paths-ignore only works for non-required checks.
+    # Jobs that are required for merge must use reusable-conditional-skip.yml.
     paths-ignore:
       - '_doc/**'
       - '.changelog/**'
From 6aa1c7ef080e0e20d6dd4ad2a6c1568b32a55408 Mon Sep 17 00:00:00 2001
From: Michael Zalimeni
Date: Tue, 24 Sep 2024 11:01:26 -0400
Subject: [PATCH 2/2] test skippable commit after non-skippable commit

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index a480bd35..bdf01d97 100644
--- a/README.md
+++ b/README.md
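Review bot: The first `echo` in the new "Ensure conditional check is allowed" step puts `base_ref` and `push` in backticks inside a double-quoted string, which bash treats as command substitution: the step prints the sentence with those two words missing and logs `base_ref: command not found` and `push: command not found` to stderr, so the very message meant to explain the failure comes out garbled — switch that line to single quotes or drop the backticks. The next three `echo` lines interpolate `${{ github.* }}` expressions straight into the script body; `github.base_ref` and `github.ref_name` are branch names, and the standard practice for any context value that ends up in a `run:` script is to map it through `env:` and expand a shell variable, so the script text is fixed when the workflow is parsed. The trailing `# tmp test` on the new `SKIP_CHECK_BRANCH` line looks like leftover debugging and presumably should go. The guard also fails any push to an unprotected branch, so the `release/**` branches that `build.yml` now triggers on will need branch protection for this job to pass — worth confirming against the repository settings.
```yaml
      - name: Ensure conditional check is allowed
        if: ${{ !github.base_ref && !github.ref_protected }}
        env:
          BASE_REF: ${{ github.base_ref }}
          REF_PROTECTED: ${{ github.ref_protected }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          echo 'Conditional skip requires a PR event with `base_ref` or `push` to a protected branch.'
          echo "github.base_ref: $BASE_REF"
          echo "github.ref_protected: $REF_PROTECTED"
          echo "github.ref_name: $REF_NAME"
          # … unchanged: closing echo and exit 1 …
```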
@@ -3,6 +3,8 @@ Consul Dataplane +Test skippable commit + Consul Dataplane is a lightweight process that manages Envoy for Consul service mesh workloads. Consul Dataplane's design removes the need to run Consul client agents. Removing Consul client