bcgov · DerekRoberts · Mar 4, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026
@@ -10,6 +10,9 @@ concurrency:
 
 permissions: {}
 
+env:
+  CLEANUP_LABEL: "app=${{ github.event.repository.name }}-${{ github.event.number }}"
+
 jobs:
   schema-spy:
     name: Schema Spy
@@ -98,6 +101,56 @@ jobs:
       packages: backend frontend migrations
       tag_promote: latest
 
+  label-setup:
+    name: Label Cleanup (setup)
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Create labeled ConfigMap
+        uses: bcgov/action-oc-runner@57a28c38359c93e43edf609d35b9a3f50a070131 # v1.4.0
+        with:
+          oc_namespace: ${{ secrets.oc_namespace }}
+          oc_token: ${{ secrets.oc_token }}
+          oc_server: ${{ vars.oc_server }}
+          commands: |
+            # Create (or update) a ConfigMap labeled for label-based cleanup test
+            oc apply -f - <<EOF
+            apiVersion: v1
+            kind: ConfigMap
+            metadata:
+              name: test-label-cleanup-${{ github.event.number }}
+              labels:
+                app: ${{ github.event.repository.name }}-${{ github.event.number }}
+            data:
+              test: "true"
+            EOF
+
+  label-cleanup:
+    name: Label Cleanup (cleanup)
+    needs: [label-setup]
+    permissions:
+      packages: write
+    uses: ./.github/workflows/.pr-close.yml
+    secrets: inherit
+    with:
+      cleanup: label
+
+  label-verify:
+    name: Label Cleanup (verify)
+    needs: [label-cleanup]
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Verify labeled resources are gone
+        uses: bcgov/action-oc-runner@57a28c38359c93e43edf609d35b9a3f50a070131 # v1.4.0
+        with:
+          oc_namespace: ${{ secrets.oc_namespace }}
+          oc_token: ${{ secrets.oc_token }}
+          oc_server: ${{ vars.oc_server }}
+          commands: |
+            # Fail if any resources with the cleanup label still exist
+            oc get cm -l "app=${{ github.event.repository.name }}-${{ github.event.number }}" -o name | grep . && exit 1 || true
+
   csr-generator: # testing, will be deleted
     name: Certificate Generation
     uses: ./.github/workflows/csr-generator.yml
@@ -106,11 +159,11 @@ jobs:
       oc_token: ${{ secrets.oc_token }}
     with:
       domain: example.gov.bc.ca
-      oc_server: https://api.silver.devops.gov.bc.ca:6443
+      oc_server: ${{ vars.oc_server }}
 
   results:
     name: Results
-    needs: [builds, csr-generator, deploys, schema-spy, validate]
+    needs: [builds, csr-generator, deploys, label-verify, schema-spy, validate]
     runs-on: ubuntu-24.04
     steps:
       - if: contains(needs.*.result, 'failure')||contains(needs.*.result, 'canceled')

@@ -0,0 +1,57 @@
+# Plan: Test `.pr-close.yml` with `cleanup: label`
+
+## Problem
+
+No test coverage exists for `.pr-close.yml` using `cleanup: label`. The existing [`cleanup` job](../.github/workflows/pr-open.yml:89) in `pr-open.yml` only tests `cleanup: helm`.
+
+## Flow
+
+```mermaid
+graph TD
+    A[label-setup] -->|creates ConfigMap with label| B[label-cleanup]
+    B -->|calls .pr-close.yml with cleanup: label| C[label-verify]
+    C -->|confirms object is gone| D[results]
+```
+
+## Three new jobs in `pr-open.yml`
+
+### 1. `label-setup` — Create a sacrificial ConfigMap with the right label
+
+- Uses `bcgov/action-oc-runner` (same pinned SHA: `57a28c38359c93e43edf609d35b9a3f50a070131`)
+- Creates a ConfigMap named `test-label-cleanup-<PR#>`
+- Labels it `app=quickstart-openshift-helpers-<PR#>` — matching the default selector from `.pr-close.yml` line 145
+- Verifies it exists before proceeding (sanity check)
+- No dependencies on other jobs — runs independently
+
+### 2. `label-cleanup` — Calls `.pr-close.yml` with `cleanup: label`
+
+- `needs: [label-setup]`
+- Passes `cleanup: label` and **nothing else** for `cleanup_name` — letting it default to `github.event.repository.name` = `quickstart-openshift-helpers`
+- `target` defaults to `github.event.number` = the PR number
+- Uses `secrets: inherit` (same pattern as the existing `cleanup` job)
+- Side effects: the `remove_pvc` step will fire with its default PVC name but harmlessly echo "Not found" since that PVC won't exist. The `retags` job won't run since `packages` is empty.
+
+### 3. `label-verify` — Confirm the labeled resources are gone
+
+- `needs: [label-cleanup]`
+- Uses `bcgov/action-oc-runner` to query: `oc get all,cm,pvc,secret -l app=quickstart-openshift-helpers-<PR#>`
+- If any resources remain → `exit 1` (test fails)
+- If empty → test passes
+
+### 4. Update `results` job
+
+- Add `label-verify` to the `needs` array so it gates the final status check
+
+## What changes and what doesn't
+
+| File | Change |
+|------|--------|
+| `pr-open.yml` | Add 3 new jobs + update `results.needs` |
+| `.pr-close.yml` | **No changes** |
+
+## Key design decisions
+
+- **ConfigMap** is the simplest OpenShift object to create/verify — no ports, no images, no waiting for pods
+- **No `cleanup_name`** passed — exercises the default path which is the whole point of the test
+- **No `packages`** passed — avoids triggering the retags job, keeping the test focused on label cleanup only
+- The `label-setup` job verifies the ConfigMap can be retrieved by label before handing off (trust-but-verify)