adding github workflow to check dspa integration test workflow

[nsingla]

The issue resolved by this Pull Request:

Resolves #<issue_number>

Description of your changes:

Testing instructions

Checklist

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

• Chores
  • Enforced stable branch protection: merges to stable are blocked until corresponding upstream integration tests pass.
  • PRs to stable now show a status check reflecting upstream test outcomes and provide a link to the upstream run.
  • New automated PR comment on open explains stable merge requirements and how status determines merge eligibility.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds a GitHub Actions workflow .github/workflows/stable-branch-gate.yml that gates merges to the stable branch by querying an upstream repository's stable-merge-check.yml workflow runs, setting a commit status on the PR head SHA, and posting guidance comments on PR open events.

Changes

Cohort / File(s)

Summary

Stable branch gate workflow \.github/workflows/stable-branch-gate.yml``

New workflow with two jobs: check-remote-workflow-status queries the upstream repo for stable-merge-check.yml runs mapped from the PR head branch (maps main→master), determines success/failure and emits outputs; it then creates a commit status stable-branch-gate/remote-integration-tests. provide-instructions posts a PR comment when a PR to stable is opened explaining protection and upstream test requirements.

Sequence Diagram

sequenceDiagram
    actor Dev as Developer
    participant GH as GitHub
    participant Gate as stable-branch-gate.yml
    participant Up as Upstream Repo

    Dev->>GH: Open / update PR targeting `stable`
    GH->>Gate: Trigger workflow (PR events)

    rect rgb(210,230,250)
    Note over Gate,Up: check-remote-workflow-status
    Gate->>Up: Query `stable-merge-check.yml` runs for mapped branch
    Up-->>Gate: Return workflow runs
    Gate->>Gate: Filter completed & successful runs
    Gate-->>GH: Emit outputs (status, message, workflow_url)
    end

    rect rgb(230,240,220)
    Note over Gate,GH: set status check
    Gate->>GH: Create commit status on PR head SHA (context: stable-branch-gate/remote-integration-tests)
    GH-->>Gate: Acknowledge status
    end

    rect rgb(250,235,220)
    Note over Gate,GH: provide-instructions (on PR open)
    Gate->>GH: Post PR comment with branch protection & upstream test instructions
    GH-->>Gate: Comment posted
    end

    GH-->>Dev: Show status check and PR comment

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Areas to review:
  • Upstream workflow query and branch-name mapping logic (main → master)
  • Permission scopes and token usage for creating commit statuses and reading upstream runs
  • Correctness of filtering for completed/successful runs and error handling messages/URLs
  • PR comment content and triggering conditions (only on PR open to stable)

Poem

🐰 I hopped to guard the stable gate,
I checked the upstream tests for fate,
A status set, a note placed neat,
So merges wait till checks complete. 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a GitHub workflow to validate DSPA integration test outcomes before merging to stable.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

.github/workflows/stable-branch-gate.yml (3)

81-81: Fix indentation inconsistency.

Line 81 has irregular indentation with extra leading spaces that may cause parsing issues.

                } else {
                  console.log('❌ No workflow runs found for this branch');
                  core.setOutput('status', 'failure');
                  core.setOutput('message', 'No remote integration test runs found for this branch');
-                    core.setOutput('workflow_url', `https://github.com/${remoteOwner}/${remoteRepo}/actions/workflows/stable-merge-check.yml`);
+                  core.setOutput('workflow_url', `https://github.com/${remoteOwner}/${remoteRepo}/actions/workflows/stable-merge-check.yml`);
                }

---

25-89: Add error recovery or timeout handling for remote API calls.

The remote workflow status check can fail silently or hang if the API is slow or unresponsive. Consider adding a timeout or retry mechanism to ensure the workflow doesn't get stuck waiting for the remote repository.

You could add request timeouts or retry logic using GitHub's API client options, or add a step timeout at the job level:

  check-remote-workflow-status:
    name: Check Remote Integration Tests
    runs-on: ubuntu-latest
+   timeout-minutes: 5

    # Only run on PRs targeting stable branch
    if: github.event.pull_request.base.ref == 'stable'

---

96-114: Ensure workflow step always completes even on API failures.

The "Set status check" step (lines 91–114) does not have error handling. If the check-remote step fails or outputs are malformed, this step may not execute or may produce unexpected behavior. Consider adding explicit error handling to ensure a status check is always set on the commit.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 324ddef and 87cf646.

📒 Files selected for processing (1)

• .github/workflows/stable-branch-gate.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: unittest
• GitHub Check: functest

🔇 Additional comments (2)

.github/workflows/stable-branch-gate.yml (2)

117-119: Verify provide-instructions job runs on all relevant PR events.

The job only runs when github.event.action == 'opened'. This means contributors who push updates (synchronize) or reopen the PR won't see the instructions again. Consider whether this is intentional or if the job should run on other events (e.g., synchronize, reopened) as well.

---

145-150: Critical: Incomplete script syntax.

The createComment call is missing its closing statement. Line 150 ends mid-function call, which will cause a syntax error when the workflow runs.

            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: prNumber,
              body: comment
-           });
+           });
+          `

Ensure the entire script block is closed with a backtick after the }); line.

Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify cross-repo API access and workflow_id parameter.

The workflow queries the remote repository's workflow runs using the default GITHUB_TOKEN. However, there are two potential concerns:

1. Workflow ID format (line 48): The workflow_id parameter is set to 'stable-merge-check.yml'. Verify this is the correct format—GitHub API expects either the workflow file name or numeric ID. If the remote repository has branch protections or is private, this request may fail.

2. Token permissions: The GITHUB_TOKEN generated in this repository may lack permissions to access workflow runs in the remote opendatahub-io/data-science-pipelines repository, especially if that repository restricts API access or has organization policies.

Please verify:

• The remote repository's workflow file name matches stable-merge-check.yml
• The GITHUB_TOKEN has sufficient permissions to query the remote repository's workflow runs (test with a manual workflow run or confirm the remote repo is public and API access is permitted)

---

🌐 Web query:

GitHub Actions API workflow_id parameter format and cross-repository workflow access permissions

💡 Result:

Short answer

• workflow_id accepts either the numeric workflow ID or the workflow file name (string, e.g. main.yml). [1]
• Permissions: the token you use must have rights on the target repository. The repo's GITHUB_TOKEN is an installation token limited to the repository where the workflow runs and its permissions are scoped; it can be used to create workflow_dispatch/repository_dispatch in the same repo but cannot be used to dispatch into a different repo. To trigger a workflow in another repository you must use a token with repo/Actions write permissions (for example a PAT or a GitHub App installation token with the appropriate repo Actions permissions). [2][3]

Sources

1. GitHub REST API — Workflows (shows workflow_id may be the numeric ID or file name). [1]
2. About GITHUB_TOKEN / token permissions (GITHUB_TOKEN is an installation token limited to the repository; behavior for dispatch events). [2]
3. Guidance / marketplace action docs (dispatching to a remote repo requires a token with repo/write permissions such as a PAT or GitHub App token). [3]

---

---

🏁 Script executed:

#!/bin/bash
# Examine the full stable-branch-gate.yml workflow to see how github context is initialized
# and whether a custom token is being passed
cat .github/workflows/stable-branch-gate.yml

Length of output: 6511

---

GitHub token lacks permissions to access remote repository workflow runs—will cause runtime failure.

The workflow uses the default GITHUB_TOKEN (line 17: github-token: ${{ secrets.GITHUB_TOKEN }}) to query workflow runs in the remote opendatahub-io/data-science-pipelines repository (lines 44-51). However, the default GITHUB_TOKEN is scoped to the repository where the workflow runs and cannot access other repositories. The listWorkflowRuns() call will fail at runtime.

Required fix: Replace the default token with a token that has cross-repository access permissions:

• Use a Personal Access Token (PAT) with repo and actions:read permissions, OR
• Use a GitHub App installation token with appropriate Actions read permissions

Store the token securely (as secrets.CROSS_REPO_TOKEN or similar) and update line 17 to: github-token: ${{ secrets.CROSS_REPO_TOKEN }}

Note: The workflow_id: 'stable-merge-check.yml' format (line 48) is correct; the API accepts both workflow file names and numeric IDs.

🤖 Prompt for AI Agents

.github/workflows/stable-branch-gate.yml lines 40-51: the workflow uses the
repository-scoped GITHUB_TOKEN to call github.rest.actions.listWorkflowRuns on
opendatahub-io/data-science-pipelines which will fail due to insufficient
cross-repo permissions; replace the default token with a secret that holds a
cross-repo-capable token (e.g., a PAT with repo + actions:read or a GitHub App
installation token) by adding that secret (e.g., secrets.CROSS_REPO_TOKEN) and
updating the workflow input that supplies github-token to use that secret
instead of GITHUB_TOKEN; ensure the secret is created and has the necessary
permissions before running the workflow.

[HumairAK]

the default branch in dspo is main whereas in dsp it's master wouldn't this break?

[nsingla]

good catch, I will make that change

[HumairAK]

sorry this will be stable, which is what we want I think

[HumairAK]

don't we also want to confirm that the head ref is main? otherwise this workflow will fail right?

[nsingla]

For hot fixes or cherry picks, the head ref will not be main, so I think we should run this check for all prs to stable branch

[HumairAK]

I might have missed it, but if the check upon PR open fails, can we retrigger it after having it opened?

[nsingla]

the check actually should not fail if the remote branch exists, I can add a polling wait for the remote workflow to either fail/pass though if the branch exists

[HumairAK]

correct me if I'm wrong but, in this scenario:

• I create a PR from main -> stable in dspo
• this is triggered, the workflow then checks workflows in dsp that are also running for a similar pr that target dsp main
• if it doesn't find any runs, or if any runs failed, it fails the check

Suppose I re-run the DSP CI on the DSP pr from master -> stable, and I want to retrigger this check on the DSPO master, how would I do that?

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from humairak. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

.github/workflows/stable-branch-gate.yml (1)

29-29: [DUPLICATE] GITHUB_TOKEN lacks cross-repository permissions—will cause runtime failure.

This critical issue was flagged in the prior review and remains unresolved. Line 29 uses the default secrets.GITHUB_TOKEN, which is scoped to the current repository only. The API call at line 49 (github.rest.actions.listWorkflowRuns()) targeting the remote opendatahub-io/data-science-pipelines repository will fail at runtime with insufficient permissions.

Required fix: Create a secret (e.g., secrets.CROSS_REPO_TOKEN) with a Personal Access Token (PAT) or GitHub App token that has repo and actions:read permissions for the remote repository, then update line 29 to use that secret:

          github-token: ${{ secrets.CROSS_REPO_TOKEN }}

Verify the secret is configured in the repository settings before the workflow runs.

Also applies to: 49-55

🧹 Nitpick comments (1)

.github/workflows/stable-branch-gate.yml (1)

22-22: [OPTIONAL] Consolidate duplicated branch conditions.

Both the check-remote-workflow-status (line 22) and provide-instructions (line 123) jobs check the identical condition github.event.pull_request.base.ref == 'stable'. Consider moving this check to the workflow-level if or consolidating into a shared condition to reduce duplication:

jobs:
  check-remote-workflow-status:
    if: github.event.pull_request.base.ref == 'stable'
    ...
  provide-instructions:
    if: github.event.pull_request.base.ref == 'stable' && github.event.action == 'opened'
    ...

This is minor, but the stable check is repeated unnecessarily.

Also applies to: 123-123

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 87cf646 and dda67d4.

📒 Files selected for processing (1)

• .github/workflows/stable-branch-gate.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: functest
• GitHub Check: unittest

🔇 Additional comments (1)

.github/workflows/stable-branch-gate.yml (1)

1-14: LGTM.

The workflow trigger and permission scopes are appropriate for gating stable branch merges.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix misleading log message.

Line 57 logs headRef but the code actually queries remoteBranch (which may differ when headRef is 'main'). Update the log to reflect what was actually queried:

-            console.log(`Found ${workflows.total_count} workflow runs for branch ${headRef}`);
+            console.log(`Found ${workflows.total_count} workflow runs for branch ${remoteBranch}`);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	console.log(`Found ${workflows.total_count} workflow runs for branch ${headRef}`);
	console.log(`Found ${workflows.total_count} workflow runs for branch ${remoteBranch}`);

🤖 Prompt for AI Agents

.github/workflows/stable-branch-gate.yml around line 57: the log prints headRef
but the workflow query used remoteBranch, causing a misleading message when
headRef differs (e.g., 'main'). Change the log to reference the actual variable
used in the query (remoteBranch) and include both values if helpful (e.g.,
remoteBranch and headRef) so the message accurately reflects which branch was
queried.

[HumairAK]

I think I'm a bit confused, so stable-merge-check.yml runs on a pull request to stable in DSP, but doesn't the above code search runs on the stable branch (i.e. if we ran this check post-merge on stable)? would that work?