From 99462d0fdc171e1cc43e3d191a751f9c7c60668e Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Tue, 3 Mar 2026 15:16:54 -0800 Subject: [PATCH 1/9] test: add label cleanup coverage to pr-open workflow --- .github/workflows/pr-open.yml | 53 ++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index cb2463d..3bc2cc3 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml 
@@ -98,6 +98,57 @@ jobs: packages: backend frontend migrations tag_promote: latest + label-setup: + name: Label Cleanup (setup) + runs-on: ubuntu-24.04 + timeout-minutes: 5 + steps: + - name: Create labeled ConfigMap + uses: bcgov/action-oc-runner@57a28c38359c93e43edf609d35b9a3f50a070131 # v1.4.0 + with: + oc_namespace: ${{ secrets.oc_namespace }} + oc_token: ${{ secrets.oc_token }} + oc_server: ${{ secrets.oc_server || 'https://api.silver.devops.gov.bc.ca:6443' }} + commands: | + # Create a ConfigMap labeled for label-based cleanup test + label="app=${{ github.event.repository.name }}-${{ github.event.number }}" + oc create configmap test-label-cleanup-${{ github.event.number }} --from-literal=test=true + oc label configmap test-label-cleanup-${{ github.event.number }} ${label} + + # Verify it exists by label before handing off + oc get configmap -l ${label} + + label-cleanup: + name: Label Cleanup (cleanup) + needs: [label-setup] + uses: ./.github/workflows/.pr-close.yml + secrets: inherit + with: + cleanup: label + + label-verify: + name: Label Cleanup (verify) + needs: [label-cleanup] + runs-on: ubuntu-24.04 + timeout-minutes: 5 + steps: + - name: Verify labeled resources are gone + uses: bcgov/action-oc-runner@57a28c38359c93e43edf609d35b9a3f50a070131 # v1.4.0 + with: + oc_namespace: ${{ secrets.oc_namespace }} + oc_token: ${{ secrets.oc_token }} + oc_server: ${{ secrets.oc_server || 'https://api.silver.devops.gov.bc.ca:6443' }} + commands: | + # Confirm all labeled resources were removed + label="app=${{ github.event.repository.name }}-${{ github.event.number }}" + remaining=$(oc get all,cm,pvc,secret -l ${label} -o name 2>/dev/null || true) + if [ -n "${remaining}" ]; then + echo "ERROR: Resources with label ${label} still exist:" + echo "${remaining}" + exit 1 + fi + echo "All resources with label ${label} have been cleaned up." + csr-generator: # testing, will be deleted name: Certificate Generation uses: ./.github/workflows/csr-generator.yml 
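Review bot: The selector this test relies on, `app=<repository name>-<PR number>`, is not specific to the test fixture, and `label-cleanup` is ordered only by `needs: [label-setup]`, so it can run alongside the other jobs of the same run. If `.pr-close.yml` deletes everything matching that selector (not visible in this hunk), any other object in the namespace carrying the same label for this PR would be removed together with the ConfigMap. If that is intended, say so above `label-cleanup`, for example `# Deletes every object labelled app=<repo>-<pr> in the namespace, not only the test ConfigMap`. Otherwise confirm that nothing else is expected to carry that label while the run is in progress.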
@@ -110,7 +161,7 @@ jobs: results: name: Results - needs: [builds, csr-generator, deploys, schema-spy, validate] + needs: [builds, csr-generator, deploys, label-verify, schema-spy, validate] runs-on: ubuntu-24.04 steps: - if: contains(needs.*.result, 'failure')||contains(needs.*.result, 'canceled') From bfaf50b09a6459a5728b26695b462fc7bd7d958a Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Tue, 3 Mar 2026 15:20:58 -0800 Subject: [PATCH 2/9] fix: grant packages:write to label-cleanup job calling reusable workflow --- .github/workflows/pr-open.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 3bc2cc3..2cbe733 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -121,6 +121,8 @@ jobs: label-cleanup: name: Label Cleanup (cleanup) needs: [label-setup] + permissions: + packages: write uses: ./.github/workflows/.pr-close.yml secrets: inherit with: From 167a5f15cb2cb0f6b74730f1367c96c60c36c9a2 Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Tue, 3 Mar 2026 15:22:13 -0800 Subject: [PATCH 3/9] fix: address Copilot review feedback on label cleanup test jobs --- .github/workflows/pr-open.yml | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 2cbe733..48462b0 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml 
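Review bot: `results` now lists only `label-verify` from the new chain, so a failure in `label-setup` or `label-cleanup` reaches it as a `skipped` result on `label-verify` rather than as a `failure`, and the visible step condition tests only for `failure` and `canceled`. Listing the whole chain keeps the gate meaningful: `needs: [builds, csr-generator, deploys, label-cleanup, label-setup, label-verify, schema-spy, validate]`. Separately, on the unchanged condition line, GitHub reports that result as `cancelled`, so the literal `'canceled'` will not match. Any job-level `if:` on `results` is outside the hunk.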
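Review bot: The `packages: write` grant added to `label-cleanup` carries no comment explaining why a job that passes only `cleanup: label` needs write access to packages. It is presumably there because the caller has to grant at least what the jobs declared inside `.pr-close.yml` request, which is not visible here. A one-line comment would stop a later least-privilege pass from removing or widening it blindly, e.g. `# required by job permissions declared in .pr-close.yml; this call passes no packages input`.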
@@ -111,9 +111,11 @@ jobs: oc_server: ${{ secrets.oc_server || 'https://api.silver.devops.gov.bc.ca:6443' }} commands: | # Create a ConfigMap labeled for label-based cleanup test + # Delete first so reruns don't fail with AlreadyExists label="app=${{ github.event.repository.name }}-${{ github.event.number }}" + oc delete configmap test-label-cleanup-${{ github.event.number }} --ignore-not-found oc create configmap test-label-cleanup-${{ github.event.number }} --from-literal=test=true - oc label configmap test-label-cleanup-${{ github.event.number }} ${label} + oc label --overwrite configmap test-label-cleanup-${{ github.event.number }} ${label} # Verify it exists by label before handing off oc get configmap -l ${label} @@ -141,15 +143,26 @@ jobs: oc_token: ${{ secrets.oc_token }} oc_server: ${{ secrets.oc_server || 'https://api.silver.devops.gov.bc.ca:6443' }} commands: | - # Confirm all labeled resources were removed + # Confirm all labeled resources were removed, with a short wait for async deletes label="app=${{ github.event.repository.name }}-${{ github.event.number }}" - remaining=$(oc get all,cm,pvc,secret -l ${label} -o name 2>/dev/null || true) - if [ -n "${remaining}" ]; then - echo "ERROR: Resources with label ${label} still exist:" + max_wait=60 + interval=5 + end_time=$((SECONDS + max_wait)) + while true; do + remaining=$(oc get all,cm,pvc,secret -l "${label}" -o name) + if [ -z "${remaining}" ]; then + echo "All resources with label ${label} have been cleaned up." + break + fi + if [ "${SECONDS}" -ge "${end_time}" ]; then + echo "ERROR: Resources with label ${label} still exist after ${max_wait}s:" + echo "${remaining}" + exit 1 + fi + echo "Resources still exist, rechecking in ${interval}s..." echo "${remaining}" - exit 1 - fi - echo "All resources with label ${label} have been cleaned up." + sleep "${interval}" + done csr-generator: # testing, will be deleted name: Certificate Generation 
From 26f45a55a8202706c1b946984a77f154974007f0 Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Tue, 3 Mar 2026 15:33:32 -0800 Subject: [PATCH 4/9] fix: remove retry loop in label-verify, oc delete is synchronous --- .github/workflows/pr-open.yml | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 48462b0..1033da8 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -143,26 +143,16 @@ jobs: oc_token: ${{ secrets.oc_token }} oc_server: ${{ secrets.oc_server || 'https://api.silver.devops.gov.bc.ca:6443' }} commands: | - # Confirm all labeled resources were removed, with a short wait for async deletes + # Confirm all labeled resources were removed + # oc delete is synchronous; if anything remains, cleanup failed label="app=${{ github.event.repository.name }}-${{ github.event.number }}" - max_wait=60 - interval=5 - end_time=$((SECONDS + max_wait)) - while true; do - remaining=$(oc get all,cm,pvc,secret -l "${label}" -o name) - if [ -z "${remaining}" ]; then - echo "All resources with label ${label} have been cleaned up." - break - fi - if [ "${SECONDS}" -ge "${end_time}" ]; then - echo "ERROR: Resources with label ${label} still exist after ${max_wait}s:" - echo "${remaining}" - exit 1 - fi - echo "Resources still exist, rechecking in ${interval}s..." + remaining=$(oc get all,cm,pvc,secret -l "${label}" -o name) + if [ -n "${remaining}" ]; then + echo "ERROR: Resources with label ${label} still exist after cleanup:" echo "${remaining}" - sleep "${interval}" - done + exit 1 + fi + echo "All resources with label ${label} have been cleaned up." csr-generator: # testing, will be deleted name: Certificate Generation From 2bec21954069321472f957dd3496563cfcc97ecb Mon Sep 17 00:00:00 2001 
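Review bot: The new comment `oc delete is synchronous; if anything remains, cleanup failed` claims more than `oc delete` guarantees. By default the command waits for the objects it deletes directly, while their dependents are removed by background cascading deletion and can still be listed for a short time afterwards. That is harmless for the ConfigMap fixture, but this check lists `all,cm,pvc,secret`, so with the retry loop gone a lingering pod or replica set that carries the label would fail the job. Suggest rewording to `# oc delete waits for the objects it names; dependents are garbage-collected in the background`, and checking which flags `.pr-close.yml` passes, which is not visible here.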
From: Derek Roberts Date: Tue, 3 Mar 2026 15:42:55 -0800 Subject: [PATCH 5/9] fix: remove no-op oc get from label-setup --- .github/workflows/pr-open.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 1033da8..7cfc22a 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -117,9 +117,6 @@ jobs: oc create configmap test-label-cleanup-${{ github.event.number }} --from-literal=test=true oc label --overwrite configmap test-label-cleanup-${{ github.event.number }} ${label} - # Verify it exists by label before handing off - oc get configmap -l ${label} - label-cleanup: name: Label Cleanup (cleanup) needs: [label-setup] From 496b8c1445f650cb64baa8c21ef940a7f20b3fe7 Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Tue, 3 Mar 2026 15:47:38 -0800 Subject: [PATCH 6/9] fix: simplify label-verify check and add env var for cleanup label --- .github/workflows/pr-open.yml | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 7cfc22a..685ce1b 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -10,6 +10,9 @@ concurrency: permissions: {} +env: + CLEANUP_LABEL: "app=${{ github.event.repository.name }}-${{ github.event.number }}" + jobs: schema-spy: name: Schema Spy @@ -102,6 +105,8 @@ jobs: name: Label Cleanup (setup) runs-on: ubuntu-24.04 timeout-minutes: 5 + env: + CLEANUP_LABEL: app=${{ github.event.repository.name }}-${{ github.event.number }} steps: - name: Create labeled ConfigMap uses: bcgov/action-oc-runner@57a28c38359c93e43edf609d35b9a3f50a070131 # v1.4.0 
@@ -112,10 +117,9 @@ jobs: commands: | # Create a ConfigMap labeled for label-based cleanup test # Delete first so reruns don't fail with AlreadyExists - label="app=${{ github.event.repository.name }}-${{ github.event.number }}" oc delete configmap test-label-cleanup-${{ github.event.number }} --ignore-not-found oc create configmap test-label-cleanup-${{ github.event.number }} --from-literal=test=true - oc label --overwrite configmap test-label-cleanup-${{ github.event.number }} ${label} + oc label --overwrite configmap test-label-cleanup-${{ github.event.number }} ${{ env.CLEANUP_LABEL }} label-cleanup: name: Label Cleanup (cleanup) @@ -132,6 +136,8 @@ jobs: needs: [label-cleanup] runs-on: ubuntu-24.04 timeout-minutes: 5 + env: + CLEANUP_LABEL: app=${{ github.event.repository.name }}-${{ github.event.number }} steps: - name: Verify labeled resources are gone uses: bcgov/action-oc-runner@57a28c38359c93e43edf609d35b9a3f50a070131 # v1.4.0 @@ -140,16 +146,8 @@ jobs: oc_token: ${{ secrets.oc_token }} oc_server: ${{ secrets.oc_server || 'https://api.silver.devops.gov.bc.ca:6443' }} commands: | - # Confirm all labeled resources were removed - # oc delete is synchronous; if anything remains, cleanup failed - label="app=${{ github.event.repository.name }}-${{ github.event.number }}" - remaining=$(oc get all,cm,pvc,secret -l "${label}" -o name) - if [ -n "${remaining}" ]; then - echo "ERROR: Resources with label ${label} still exist after cleanup:" - echo "${remaining}" - exit 1 - fi - echo "All resources with label ${label} have been cleaned up." + # Fail if any resources with the cleanup label still exist + oc get all,cm,pvc,secret -l "${{ env.CLEANUP_LABEL }}" -o name | grep . && exit 1 || true csr-generator: # testing, will be deleted name: Certificate Generation From 028c49658ccdbdb6be833354e32f822be7bb5666 Mon Sep 17 00:00:00 2001 
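Review bot: The one-line check `oc get ... -o name | grep . && exit 1 || true` in `label-verify` succeeds whenever `oc get` itself fails, because an empty stdout makes `grep .` return non-zero and the trailing `|| true` then turns that into success, with or without `pipefail`. An expired token, an unreachable API server or a resource type the token may not list would therefore be reported as a completed cleanup. Keep the query's exit status separate from the emptiness test: `remaining=$(oc get all,cm,pvc,secret -l "${{ env.CLEANUP_LABEL }}" -o name) || exit 1` followed by `[ -z "${remaining}" ] || { echo "${remaining}"; exit 1; }`. The next patch in the series keeps the same pattern in its `oc get cm` line.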
From: Derek Roberts Date: Tue, 3 Mar 2026 15:49:55 -0800 Subject: [PATCH 7/9] Fix oc_server --- .github/workflows/pr-open.yml | 8 ++--- plans/label-cleanup-test.md | 57 +++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 4 deletions(-) create mode 100644 plans/label-cleanup-test.md diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 685ce1b..70040c3 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -113,7 +113,7 @@ jobs: with: oc_namespace: ${{ secrets.oc_namespace }} oc_token: ${{ secrets.oc_token }} - oc_server: ${{ secrets.oc_server || 'https://api.silver.devops.gov.bc.ca:6443' }} + oc_server: ${{ vars.oc_server }} commands: | # Create a ConfigMap labeled for label-based cleanup test # Delete first so reruns don't fail with AlreadyExists @@ -144,10 +144,10 @@ jobs: with: oc_namespace: ${{ secrets.oc_namespace }} oc_token: ${{ secrets.oc_token }} - oc_server: ${{ secrets.oc_server || 'https://api.silver.devops.gov.bc.ca:6443' }} + oc_server: ${{ vars.oc_server }} commands: | # Fail if any resources with the cleanup label still exist - oc get all,cm,pvc,secret -l "${{ env.CLEANUP_LABEL }}" -o name | grep . && exit 1 || true + oc get cm -l "${{ env.CLEANUP_LABEL }}" -o name | grep . && exit 1 || true csr-generator: # testing, will be deleted name: Certificate Generation @@ -157,7 +157,7 @@ jobs: oc_token: ${{ secrets.oc_token }} with: domain: example.gov.bc.ca - oc_server: https://api.silver.devops.gov.bc.ca:6443 + oc_server: ${{ vars.oc_server }} results: name: Results diff --git a/plans/label-cleanup-test.md b/plans/label-cleanup-test.md new file mode 100644 index 0000000..a550e1b --- /dev/null +++ b/plans/label-cleanup-test.md 
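Review bot: The verify step is narrowed from `oc get all,cm,pvc,secret` to `oc get cm` in a commit titled "Fix oc_server", and nothing in the workflow records why. The plan file added by this same commit still describes the query as `oc get all,cm,pvc,secret`. If the narrowing is deliberate because the fixture is a ConfigMap, state it next to the command, e.g. `# Only ConfigMaps are checked: the fixture created by label-setup is a ConfigMap`, and bring the plan in line. Separately, `vars.oc_server` now has no fallback in any of the three places it is used, so an undefined repository variable evaluates to an empty `oc_server`.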
@@ -0,0 +1,57 @@ +# Plan: Test `.pr-close.yml` with `cleanup: label` + +## Problem + +No test coverage exists for `.pr-close.yml` using `cleanup: label`. The existing [`cleanup` job](../.github/workflows/pr-open.yml:89) in `pr-open.yml` only tests `cleanup: helm`. + +## Flow + +```mermaid +graph TD + A[label-setup] -->|creates ConfigMap with label| B[label-cleanup] + B -->|calls .pr-close.yml with cleanup: label| C[label-verify] + C -->|confirms object is gone| D[results] +``` + +## Three new jobs in `pr-open.yml` + +### 1. `label-setup` — Create a sacrificial ConfigMap with the right label + +- Uses `bcgov/action-oc-runner` (same pinned SHA: `57a28c38359c93e43edf609d35b9a3f50a070131`) +- Creates a ConfigMap named `test-label-cleanup-` +- Labels it `app=quickstart-openshift-helpers-` — matching the default selector from `.pr-close.yml` line 145 +- Verifies it exists before proceeding (sanity check) +- No dependencies on other jobs — runs independently + +### 2. `label-cleanup` — Calls `.pr-close.yml` with `cleanup: label` + +- `needs: [label-setup]` +- Passes `cleanup: label` and **nothing else** for `cleanup_name` — letting it default to `github.event.repository.name` = `quickstart-openshift-helpers` +- `target` defaults to `github.event.number` = the PR number +- Uses `secrets: inherit` (same pattern as the existing `cleanup` job) +- Side effects: the `remove_pvc` step will fire with its default PVC name but harmlessly echo "Not found" since that PVC won't exist. The `retags` job won't run since `packages` is empty. + +### 3. `label-verify` — Confirm the labeled resources are gone + +- `needs: [label-cleanup]` +- Uses `bcgov/action-oc-runner` to query: `oc get all,cm,pvc,secret -l app=quickstart-openshift-helpers-` +- If any resources remain → `exit 1` (test fails) +- If empty → test passes + +### 4. 
Update `results` job + +- Add `label-verify` to the `needs` array so it gates the final status check + +## What changes and what doesn't + +| File | Change | +|------|--------| +| `pr-open.yml` | Add 3 new jobs + update `results.needs` | +| `.pr-close.yml` | **No changes** | + +## Key design decisions + +- **ConfigMap** is the simplest OpenShift object to create/verify — no ports, no images, no waiting for pods +- **No `cleanup_name`** passed — exercises the default path which is the whole point of the test +- **No `packages`** passed — avoids triggering the retags job, keeping the test focused on label cleanup only +- The `label-setup` job verifies the ConfigMap can be retrieved by label before handing off (trust-but-verify) From 607cb289d522c614366086bdc041ed4794542136 Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Tue, 3 Mar 2026 15:56:24 -0800 Subject: [PATCH 8/9] Drop extra envars --- .github/workflows/pr-open.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 70040c3..c61f228 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -105,8 +105,6 @@ jobs: name: Label Cleanup (setup) runs-on: ubuntu-24.04 timeout-minutes: 5 - env: - CLEANUP_LABEL: app=${{ github.event.repository.name }}-${{ github.event.number }} steps: - name: Create labeled ConfigMap uses: bcgov/action-oc-runner@57a28c38359c93e43edf609d35b9a3f50a070131 # v1.4.0 @@ -136,8 +134,6 @@ jobs: needs: [label-cleanup] runs-on: ubuntu-24.04 timeout-minutes: 5 - env: - CLEANUP_LABEL: app=${{ github.event.repository.name }}-${{ github.event.number }} steps: - name: Verify labeled resources are gone uses: bcgov/action-oc-runner@57a28c38359c93e43edf609d35b9a3f50a070131 # v1.4.0 From ee0352751906b9d2139e44ad1315eb6d2a625547 Mon Sep 17 00:00:00 2001 
From: Derek Roberts Date: Tue, 3 Mar 2026 15:58:18 -0800 Subject: [PATCH 9/9] fix: use oc apply for idempotent ConfigMap creation, fix dangling env var ref --- .github/workflows/pr-open.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index c61f228..72c6d97 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -113,11 +113,17 @@ jobs: oc_token: ${{ secrets.oc_token }} oc_server: ${{ vars.oc_server }} commands: | - # Create a ConfigMap labeled for label-based cleanup test - # Delete first so reruns don't fail with AlreadyExists - oc delete configmap test-label-cleanup-${{ github.event.number }} --ignore-not-found - oc create configmap test-label-cleanup-${{ github.event.number }} --from-literal=test=true - oc label --overwrite configmap test-label-cleanup-${{ github.event.number }} ${{ env.CLEANUP_LABEL }} + # Create (or update) a ConfigMap labeled for label-based cleanup test + oc apply -f - <