Add external plugin quality gates and maintainer override flow (#1860)

* Add external plugin quality gates and override flow Introduce a dedicated reusable quality-gates workflow for external plugin submissions and wire intake/rerun orchestration to consume its results. Add quality-aware intake state handling, including a submitter-fix blocker state and richer intake comments. Also add a maintainer /mark-ready-for-review command workflow for explicit overrides, update related approval-label handling, and document the new external plugin review flow in CONTRIBUTING and AGENTS guidance. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix: use specific auth/network patterns in classifySmokeFailure Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * refactor: hoist INFRA_ERROR_PATTERNS to module level, fix timeout regex Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> * fix: install Copilot CLI in external-plugin-quality-gates workflow Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
2026-05-28 17:41:45 +00:00 · 2026-05-28 15:50:13 +10:00
parent f98dcc1c1f
commit 47701d25f4
10 changed files with 933 additions and 49 deletions
@@ -13,14 +13,40 @@ permissions:
  issues: write

 jobs:
-  validate-submission:
+  evaluate-submission:
    runs-on: ubuntu-latest
    if: >-
      contains(github.event.issue.labels.*.name, 'external-plugin') ||
      contains(github.event.issue.body, '<!-- external-plugin-submission -->')
+    outputs:
+      evaluation: ${{ steps.evaluation.outputs.result }}
+      should-sync: ${{ steps.guard.outputs.should-sync }}
+      issue-state: ${{ steps.guard.outputs.issue-state }}
+      issue-action: ${{ steps.guard.outputs.issue-action }}
+      issue-labels: ${{ steps.guard.outputs.issue-labels }}
+      plugin-json: ${{ steps.evaluation.outputs.plugin-json }}
+      valid: ${{ steps.evaluation.outputs.valid }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          ref: staged
+
+      - name: Evaluate issue guard rails
+        id: guard
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
+        with:
+          script: |
+            const issueState = context.payload.issue.state;
+            const action = context.payload.action;
+            const labels = (context.payload.issue.labels || []).map((label) => label.name);
+            const isApproved = labels.includes('approved');
+            const isClosedWithoutReopen = issueState === 'closed' && action !== 'reopened';
+
+            core.setOutput('issue-state', issueState);
+            core.setOutput('issue-action', action);
+            core.setOutput('issue-labels', JSON.stringify(labels));
+            core.setOutput('should-sync', (!isApproved && !isClosedWithoutReopen) ? 'true' : 'false');

      - name: Evaluate submission
        id: evaluation
@@ -34,46 +60,101 @@ jobs:
            echo 'EOF'
          } >> "$GITHUB_OUTPUT"

-      - name: Sync labels and comment
+          valid=$(node -e "const data = JSON.parse(process.argv[1]); process.stdout.write(data.valid ? 'true' : 'false');" "$result")
+          plugin=$(node -e "const data = JSON.parse(process.argv[1]); process.stdout.write(JSON.stringify(data.plugin || {}));" "$result")
+          echo "valid=$valid" >> "$GITHUB_OUTPUT"
+          {
+            echo 'plugin-json<<EOF'
+            echo "$plugin"
+            echo 'EOF'
+          } >> "$GITHUB_OUTPUT"
+
+  quality-gates:
+    needs: evaluate-submission
+    if: >-
+      needs.evaluate-submission.outputs.should-sync == 'true' &&
+      needs.evaluate-submission.outputs.valid == 'true'
+    uses: ./.github/workflows/external-plugin-quality-gates.yml
+    with:
+      plugin-json: ${{ needs.evaluate-submission.outputs.plugin-json }}
+
+  sync-state:
+    runs-on: ubuntu-latest
+    needs: [evaluate-submission, quality-gates]
+    if: always() && needs.evaluate-submission.outputs.should-sync == 'true'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          ref: staged
+
+      - name: Merge evaluation and sync labels/comments
        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
        env:
-          RESULT_JSON: ${{ steps.evaluation.outputs.result }}
+          BASE_RESULT_JSON: ${{ needs.evaluate-submission.outputs.evaluation }}
+          BASE_VALID: ${{ needs.evaluate-submission.outputs.valid }}
+          QUALITY_RESULT_JSON: ${{ needs.quality-gates.outputs.quality-result }}
+          QUALITY_JOB_RESULT: ${{ needs.quality-gates.result }}
+          ISSUE_STATE: ${{ needs.evaluate-submission.outputs.issue-state }}
+          ISSUE_LABELS: ${{ needs.evaluate-submission.outputs.issue-labels }}
        with:
          script: |
            const path = require('path');
            const { pathToFileURL } = require('url');

+            const intake = await import(pathToFileURL(path.join(process.env.GITHUB_WORKSPACE, 'eng', 'external-plugin-intake.mjs')).href);
            const intakeState = await import(pathToFileURL(path.join(process.env.GITHUB_WORKSPACE, 'eng', 'external-plugin-intake-state.mjs')).href);

-            const result = JSON.parse(process.env.RESULT_JSON);
-            const issueNumber = context.issue.number;
-            const issueState = context.payload.issue.state;
-            const action = context.payload.action;
-            const existingLabelNames = (context.payload.issue.labels || []).map((label) => label.name);
+            const baseResult = JSON.parse(process.env.BASE_RESULT_JSON);
+            let finalResult = baseResult;

-            if (existingLabelNames.includes('approved')) {
-              core.info('Issue is already approved; skipping intake synchronization.');
-              return;
-            }
+            if (process.env.BASE_VALID === 'true') {
+              let qualityResult;
+              if (process.env.QUALITY_JOB_RESULT === 'failure' || process.env.QUALITY_JOB_RESULT === 'cancelled') {
+                qualityResult = {
+                  overall_status: 'infra_error',
+                  skill_validator_status: 'infra_error',
+                  smoke_status: 'infra_error',
+                  failure_class: 'infra',
+                  summary: 'Quality-gate workflow failed unexpectedly. Re-run intake to retry.',
+                };
+              } else if (process.env.QUALITY_RESULT_JSON) {
+                qualityResult = JSON.parse(process.env.QUALITY_RESULT_JSON);
+              } else {
+                qualityResult = {
+                  overall_status: 'infra_error',
+                  skill_validator_status: 'infra_error',
+                  smoke_status: 'infra_error',
+                  failure_class: 'infra',
+                  summary: 'Quality-gate workflow did not return results. Re-run intake to retry.',
+                };
+              }

-            if (issueState === 'closed' && action !== 'reopened') {
-              core.info('Issue is closed; waiting for reopen before rerunning intake synchronization.');
-              return;
+              finalResult = intake.applyQualityGateResult(baseResult, qualityResult);
            }

            await intakeState.applyExternalPluginIntakeEvaluation({
              github,
              owner: context.repo.owner,
              repo: context.repo.repo,
-              issueNumber,
-              evaluation: result
+              issueNumber: context.issue.number,
+              evaluation: finalResult
            });

-            if (!result.valid && issueState === 'open') {
+            const issueState = process.env.ISSUE_STATE;
+            const labels = new Set(JSON.parse(process.env.ISSUE_LABELS || '[]'));
+            if (finalResult.intakeState === 'rejected' && issueState === 'open') {
              await github.rest.issues.update({
                owner: context.repo.owner,
                repo: context.repo.repo,
-                issue_number: issueNumber,
+                issue_number: context.issue.number,
                state: 'closed'
              });
+            } else if (finalResult.intakeState !== 'rejected' && issueState === 'closed' && labels.has('rejected')) {
+              await github.rest.issues.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                state: 'open'
+              });
            }