From ada8e116460ed85c8e9241b0a92cf47fd8de0b28 Mon Sep 17 00:00:00 2001
From: Muhamed Husic
Date: Tue, 28 Apr 2026 14:22:09 +0200
Subject: [PATCH 1/2] Automating workflow exe for internal contributors only
---
 .github/workflows/performance.yaml | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/performance.yaml b/.github/workflows/performance.yaml
index 26fed3ef332..7d9e74fd819 100644
--- a/.github/workflows/performance.yaml
+++ b/.github/workflows/performance.yaml
@@ -67,11 +67,17 @@ env:
 jobs:
 get_config:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 if: >
 github.event_name == 'schedule' ||
 github.event_name == 'workflow_dispatch' ||
 github.event.action == 'closed' ||
- contains(github.event.pull_request.labels.*.name, 'ok-to-test')
+ contains(github.event.pull_request.labels.*.name, 'ok-to-test') ||
+ github.event.pull_request.head.repo.full_name == github.repository ||
+ github.event.pull_request.author_association == 'OWNER' ||
+ github.event.pull_request.author_association == 'COLLABORATOR' ||
+ github.event.pull_request.author_association == 'MEMBER'
 outputs:
 rocm_version: ${{ steps.read_config.outputs.rocm_version }}
 utils_repo: ${{ steps.read_config.outputs.utils_repo }}
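Review bot: The three `author_association` clauses added to the `get_config` `if:` describe the PR author's relationship to the repository rather than a permission level, so they are a weaker gate than the `ok-to-test` label they bypass. `MEMBER` matches any member of the owning organization and `COLLABORATOR` anyone invited to the repository, and neither by itself guarantees write access; the field also describes whoever opened the PR, not whoever pushed the latest commit. If the intent is "people who can already push here", `github.event.pull_request.head.repo.full_name == github.repository` covers that on its own; otherwise a comment above the `if:` such as `# Auto-run for same-repo branches and org-associated authors; every other fork PR needs a maintainer-applied 'ok-to-test' label` would record the trust decision. The same predicate is negated in the label-removal step of the next hunk and has to stay in sync with this one; the `get_config` job itself continues outside this hunk.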
@@ -85,6 +91,20 @@ jobs:
 perf_workspace: ${{ steps.read_config.outputs.perf_workspace }}
 runner_label: ${{ steps.read_config.outputs.runner_label }}
 steps:
+ - name: Remove ok-to-test label on new commits from forked PRs by external contributors
+ if: >
+ github.event.action == 'synchronize' &&
+ contains(github.event.pull_request.labels.*.name, 'ok-to-test') &&
+ github.event.pull_request.head.repo.full_name != github.repository &&
+ github.event.pull_request.author_association != 'OWNER' &&
+ github.event.pull_request.author_association != 'COLLABORATOR' &&
+ github.event.pull_request.author_association != 'MEMBER'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh pr edit ${{ github.event.pull_request.number }} --remove-label "ok-to-test" --repo ${{ github.repository }} || true
+ echo "::error::New commits pushed, 'ok-to-test' label removed. Please review the changes and add the label back if tests should be run."
+ exit 1
 - name: checkout
 uses: actions/checkout@v4
 - name: read_config
@@ -148,4 +168,4 @@ jobs:
 perf_workspace: ${{ github.event.inputs.perf_workspace || needs.get_config.outputs.perf_workspace }}
 runs_on: ${{ github.event.inputs.runner_label || needs.get_config.outputs.runner_label }}
 secrets:
- BENCHMARK_UTILS_READ_TOKEN: ${{ secrets.BENCHMARK_UTILS_READ_TOKEN }}
+ BENCHMARK_UTILS_READ_TOKEN: ${{ secrets.BENCHMARK_UTILS_READ_TOKEN }}
\ No newline at end of file
From 67480619e30a10244ed75aa9cac043ffe1b16003 Mon Sep 17 00:00:00 2001
From: Muhamed Husic
Date: Tue, 28 Apr 2026 15:03:12 +0200
Subject: [PATCH 2/2] Adding contents: read permission
---
 .github/workflows/performance.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/performance.yaml b/.github/workflows/performance.yaml
index 7d9e74fd819..562c00dfa37 100644
--- a/.github/workflows/performance.yaml
+++ b/.github/workflows/performance.yaml
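Review bot: In the `Remove ok-to-test label…` step added by PATCH 1/2, `|| true` hides a failed `gh pr edit`, so the run can report the label as removed while it is still on the PR. The workflow trigger is outside this hunk; if it is `pull_request`, runs for fork PRs normally receive a read-only `GITHUB_TOKEN` whatever the `permissions:` block says, and the removal would fail every time. A label that survives keeps satisfying the job-level `contains(..., 'ok-to-test')` check on later non-`synchronize` events for the same PR, which would then run against commits nobody has re-approved. Ending the command with `|| echo "::error::could not remove 'ok-to-test'; remove it manually"` in place of `|| true` keeps the step failing and makes the stale label visible to maintainers.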
@@ -69,6 +69,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write
+ contents: read
 if: >
 github.event_name == 'schedule' ||
 github.event_name == 'workflow_dispatch' ||
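Review bot: With `contents: read` added, the `permissions:` block still grants `pull-requests: write` to every step of `get_config`, although only the label-removal step from PATCH 1/2 needs it. A token that can remove `ok-to-test` can also add it, and the `actions/checkout@v4` step in this job keeps the token in the checkout's git config unless `persist-credentials: false` is set. Whether later steps of `get_config` process PR-controlled content is not visible here, but the narrower arrangement is to move the label-removal step into its own small job that carries `pull-requests: write` and leave `get_config` with `contents: read` only, or at least to add `persist-credentials: false` under a `with:` on the checkout step. The job body continues outside this hunk.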