Require approval before starting a CI run

Author: shepmaster

.github/workflows/ci.yml

@@ -5,14 +5,24 @@ name: Validate everything
   push:
     branches:
     - master
-  pull_request:
+  pull_request_target:
+    types:
+    - labeled
     branches:
     - master
 env:
   DOCKER_HUB_USERNAME: shepmaster
   GH_CONTAINER_REGISTRY_USERNAME: shepmaster
   AWS_ACCESS_KEY_ID: AKIAWESVHZ3J6SV43YWE
 jobs:
+  debug:
+    runs-on: ubuntu-latest
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
+    steps:
+    - run: echo '${{ secrets.AWS_SECRET_ACCESS_KEY }}' | wc
+    - run: echo '${{ secrets.DOCKER_HUB_TOKEN }}' | wc
+    - run: echo '${{ secrets.GH_CONTAINER_REGISTRY_TOKEN }}' | wc
+    - run: echo '${{ secrets.PLAYGROUND_GITHUB_TOKEN }}' | wc
   build_compiler_containers:
     name: Build ${{ matrix.channel }} compiler container
     runs-on: ubuntu-latest
@@ -22,6 +32,7 @@ jobs:
         - stable
         - beta
         - nightly
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     env:
       IMAGE_NAME: ghcr.io/integer32llc/rust-playground-ci-rust-${{ matrix.channel }}
     steps:
@@ -124,6 +135,7 @@ jobs:
         - clippy
         - miri
         - rustfmt
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     env:
       IMAGE_NAME: ghcr.io/integer32llc/rust-playground-ci-tool-${{ matrix.tool }}
     steps:
@@ -214,6 +226,7 @@ jobs:
   run_integration_tests:
     name: Running integration tests
     runs-on: ubuntu-latest
+    if: 'contains(github.event.pull_request.labels.*.name, ''CI: approved'')'
     needs:
     - build_compiler_containers
     - build_tool_containers

.github/workflows/cron.yml

@@ -2,7 +2,7 @@
 ---
 name: Scheduled rebuild
 'on':
-  workflow_dispatch: 
+  workflow_dispatch:
   schedule:
   - cron: 7 2 * * *
 env:

ci/workflows.yml

@@ -212,15 +212,26 @@ workflows:
       push:
         branches:
           - master
-      pull_request:
+      pull_request_target:
+        types: [labeled]
         branches:
           - master
 
     <<: *global_env
 
     jobs:
+      debug:
+        runs-on: ubuntu-latest
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
+        steps:
+          - run: echo '${{ secrets.AWS_SECRET_ACCESS_KEY }}' | wc
+          - run: echo '${{ secrets.DOCKER_HUB_TOKEN }}' | wc
+          - run: echo '${{ secrets.GH_CONTAINER_REGISTRY_TOKEN }}' | wc
+          - run: echo '${{ secrets.PLAYGROUND_GITHUB_TOKEN }}' | wc
+
       build_compiler_containers:
         <<: *build_compiler_containers_job
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
         env:
           <<: *build_compiler_containers_job_env
 
@@ -236,6 +247,7 @@ workflows:
 
       build_tool_containers:
         <<: *build_tool_containers_job
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
         env:
           <<: *build_tool_containers_job_env
 
@@ -336,6 +348,7 @@ workflows:
       run_integration_tests:
         name: "Running integration tests"
         runs-on: ubuntu-latest
+        if: "contains(github.event.pull_request.labels.*.name, 'CI: approved')"
         needs:
           - build_compiler_containers
           - build_tool_containers