Skip to content

Approval-Gated CI setup for self managed repo #91

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 35 commits into from
Nov 6, 2025
Merged

Approval-Gated CI setup for self managed repo #91

merged 35 commits into from
Nov 6, 2025

Conversation

@jshiwamV
Copy link
Collaborator

@jshiwamV jshiwamV commented Oct 20, 2025
edited
Loading

Overview

Adds approval-gated testing for AWS/GCP/Azure infrastructure to prevent accidental resource provisioning and manage costs.

Key Features

  • Merge Queue Based Test CI runs.
  • Only triggers on .tf/.go files, ignores README/docs
  • Shared changes (test/utils/, kubernetes/modules/) run all clouds

New Workflows

  • test-aws.yml, test-gcp.yml, test-azure.yml

CI infra setup

  • .github/setup/ - Complete Terraform configuration for AWS/GCP/Azure infra/oidc rbac setup.

NOTE
1. the oidc setup for all the cloud providers exists in terraform files under .github/setup/ I am using s3 backend for tfstate. if you make some changes to the setup you should add the aws profile of the mz-scratch aws account.
2. AWS and Azure don’t follow principle of least privilege and the OIDC service principal has borader access for now. For azure it was mostly because I lacked permissions myself. So i will fix that in future CI enhancements.

Behavior

  1. Create PR → No tests run (saves resources)
  2. Get approval → Tests run automatically as a part of Merge Queue
  3. Push changes → Approval dismissed and Tests will run in Merge Queue After Approval.

jshiwamV added 24 commits October 20, 2025 14:10
@jshiwamV
feat(lint): add go-lint and validate
70bfbad
@jshiwamV
feat(push): remove push trigger
83cf53f
@jshiwamV
feat(fix): fix tf version
0597184
@jshiwamV
feat(fmt): fix fmt
e9bc59e
@jshiwamV
feat(idp): add aws setup tfs
bb0306f
@jshiwamV
feat(oidc): add aws oidc setup
40e3904
@jshiwamV
feat(push): make aws test workflow visible
53f9427
@jshiwamV
feat(push): make aws test workflow logs visible
d5257c3
@jshiwamV
feat(test): fix cleanup with safeLoad
6fdf26e
@jshiwamV
feat(test): fix hardcoded regions
c040b17
@jshiwamV
feat(role): add role duration to be 4 hours
0e388fb
@jshiwamV
feat(role): add role duration to be 4 hours
3fb5b45
@jshiwamV
feat(iam): max duration is 8 hours
24ab5ec
@jshiwamV
feat(fixture): fix dependencies in fixtures
9f3ba15
@jshiwamV
feat(gcp) gcp ci with SA based OIDC
f945867
@jshiwamV
feat(gcp): fix compute perms for SA
9e41000
@jshiwamV
feat(azure): az ci config
c619ed0
@jshiwamV
feat(azure): az ci config unsaved changes
9a85cda
@jshiwamV
feat(oidc): fix trigger option for test and oidc fed cred refs
eb11ea9
@jshiwamV
feat(oidc): fix envs
e9b36f0
@jshiwamV
feat(location): add under envs
eb52ddf
@jshiwamV
feat(role): use contributor role for now to make things work
96bbcb8
@jshiwamV
feat(on-approval): trigger on approval
4069100
@jshiwamV
feat(bugs): fix test-on-approval pr event bugs
9e072cf
@jshiwamV jshiwamV changed the title feat(lint): add go-lint and validate CI setup for self managed repo Oct 27, 2025
@jshiwamV jshiwamV changed the title CI setup for self managed repo Apporval-Gated CI setup for self managed repo Oct 27, 2025
@jshiwamV jshiwamV changed the title Apporval-Gated CI setup for self managed repo Approval-Gated CI setup for self managed repo Oct 27, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Nov 3, 2025
@jshiwamV jshiwamV enabled auto-merge November 3, 2025 16:59
@jshiwamV jshiwamV added this pull request to the merge queue Nov 3, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Nov 3, 2025
@jshiwamV jshiwamV added this pull request to the merge queue Nov 4, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Nov 4, 2025
@jshiwamV jshiwamV added this pull request to the merge queue Nov 4, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Nov 4, 2025
@jshiwamV jshiwamV added this pull request to the merge queue Nov 5, 2025
@jshiwamV jshiwamV removed this pull request from the merge queue due to a manual request Nov 5, 2025
@jshiwamV jshiwamV enabled auto-merge November 5, 2025 07:21
@jshiwamV jshiwamV added this pull request to the merge queue Nov 5, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Nov 5, 2025
@jubrad jubrad added this pull request to the merge queue Nov 5, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Nov 5, 2025
@jshiwamV jshiwamV added this pull request to the merge queue Nov 6, 2025
Merged via the queue into main with commit 9c28b71 Nov 6, 2025
5 checks passed
@jshiwamV jshiwamV deleted the test-ci branch November 6, 2025 10:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bobbyiliev bobbyiliev bobbyiliev approved these changes

@alex-hunt-materialize alex-hunt-materialize alex-hunt-materialize left review comments

Assignees

@jshiwamV jshiwamV

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jshiwamV @bobbyiliev @alex-hunt-materialize