Better trigger for CICD runs in flutter/packages and flutter/flutter #183554
Description
In order to improve the security and resource efficiency of Flutter's CI/CD runs, we have implemented label gating to trigger testing on pull requests in flutter/flutter and flutter/packages.
Now, when a PR is opened in flutter/flutter or flutter/packages, the CICD label will need to be applied in order to trigger presubmit testing.
Warning
- CICD will not be triggered if the PR is opened with this label. The label must be added after the PR is opened.
- For subsequent commits, the label must be removed and re-added.
We recognize this is not an ideal contributor experience, and will be following up with a better solution, tracking here in this issue. Feedback is welcome.
Opportunities we have already identified to improve the ux after this initial mitigation is deployed:
- when a label is added to a PR, we know the sender - we could check the sender has the correct permissions
- flutter/cocoon auto-runs the tests for members with correct permissions
- flutter/cocoon auto-removes the label and has a pr/hash look up to validate hash to authorized CICD run
- Autorollers like engine-flutter-autoroll and flutter-pub-roller-bot will require special handling to ensure they do not get stuck