From a8c66dac001736cf1371c056b827702a035c49dd Mon Sep 17 00:00:00 2001 From: Anthony Islas Date: Thu, 12 Dec 2024 17:28:47 -0700 Subject: [PATCH] Switch dispatch ref to utilize the base of the PR This change makes usage of the dispatch on label paradigm possible at the expense of slowing development by forcing the running in the base of the pull request rather than the merge ref. Ultimately this may be more desirable as it enables the workflows run by self-hosted runners to only execute trusted code from the base ref. --- .github/workflows/ci.yml | 38 +++++++++++++++-------------- .github/workflows/entry_point.yml | 5 ++-- .github/workflows/test_workflow.yml | 23 +++++++++-------- 3 files changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7cf4c5e8bc..36d3dd54b1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -88,7 +88,7 @@ jobs: uses : ./.github/workflows/test_workflow.yml with : - # This should be the only hard-coded value, we don't use ${{ github.event.label.name }} + # This should be the only hard-coded value, we don't use ${{ inputs.test }} # to avoid 'all-tests' to be used in this workflow label : compile-tests 
@@ -119,20 +119,22 @@ jobs: name : Test ${{ matrix.testSet.name }} on ${{ matrix.testSet.host }} - # # In the event that 'all-tests' is used, this final job will be the one to remove - # # the label from the PR - # removeAllLabel : - # if : ${{ !cancelled() && github.event.label.name == 'all-tests' }} - # name : Remove 'all-tests' label - # runs-on: ubuntu-latest - # needs : [ buildtests ] # Put tests here to make this wait for the tests to complete - # steps: - # - name : Remove '${{ github.event.label.name }}' label - # env: - # PR_NUMBER: ${{ github.event.number }} - # run: | - # curl \ - # -X DELETE \ - # -H "Accept: application/vnd.github.v3+json" \ - # -H 'Authorization: token ${{ github.token }}' \ - # https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels/${{ github.event.label.name }} + # In the event that 'all-tests' is used, this final job will be the one to remove + # the label from the PR + removeAllLabel : + if : ${{ !cancelled() && inputs.test == 'all-tests' }} + name : Remove 'all-tests' label + runs-on: ubuntu-latest + needs : [ buildtests ] # Put tests here to make this wait for the tests to complete + permissions: + pull-requests: write + steps: + - name : Remove '${{ inputs.test }}' label + env: + PR_NUMBER: ${{ inputs.event_number }} + run: | + curl \ + -X DELETE \ + -H "Accept: application/vnd.github.v3+json" \ + -H 'Authorization: token ${{ github.token }}' \ + https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels/${{ inputs.test }} diff --git a/.github/workflows/entry_point.yml b/.github/workflows/entry_point.yml index cbec4f3bde..27c2c0891b 100644 --- a/.github/workflows/entry_point.yml +++ b/.github/workflows/entry_point.yml 
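Review bot: The `removeAllLabel` step splices `${{ inputs.test }}` straight into the `run:` script (the curl URL), so the label text is expanded before the shell parses it and any quote, space or substitution syntax in it becomes part of the command. Pass it through the environment instead: add `LABEL: ${{ inputs.test }}` next to `PR_NUMBER` and end the URL with `/labels/${LABEL}`; `${{ github.token }}` can move to `env:` the same way. The same pattern is in the `-d` payload of entry_point.yml, where `github.event.label.name` sits inside a single-quoted JSON string, and in the re-enabled step of test_workflow.yml with `inputs.label`. A label containing spaces or `/` would also need URL-encoding before it is used in the DELETE path.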
@@ -28,16 +28,15 @@ jobs: permissions: actions: write steps: - - name: Test + - name: Dispatch Regression Suite run : | - echo "Hello World!" curl -L \ -X POST \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer ${{ github.token }}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/workflows/ci.yml/dispatches \ - -d '{"ref":"${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.head.ref }}","inputs":{"event_name":"${{ github.event_name }}", "event_number" : "${{ github.event.number }}", "test":"${{ github.event.label.name }}", "ref":"${{ github.ref }}"}}' + -d '{"ref":"${{ github.event_name == 'push' && github.ref_name || github.event.pull_request.base.ref }}","inputs":{"event_name":"${{ github.event_name }}", "event_number" : "${{ github.event.number }}", "test":"${{ github.event.label.name }}", "ref":"${{ github.ref }}"}}' diff --git a/.github/workflows/test_workflow.yml b/.github/workflows/test_workflow.yml index 3b576e99a8..358a3b3566 100644 --- a/.github/workflows/test_workflow.yml +++ b/.github/workflows/test_workflow.yml 
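Review bot: The payload still forwards `"ref":"${{ github.ref }}"` as an input, so dispatching on `github.event.pull_request.base.ref` only pins which version of ci.yml runs; what the dispatched jobs check out is not shown in this hunk. If ci.yml or test_workflow.yml checks out `inputs.ref`, the pull request's code is presumably still built and run on the self-hosted runners, which means only the workflow definitions are trusted, not the code under test. A comment above the curl call would make that boundary explicit, for example `# 'ref' picks the workflow files (base branch); inputs.ref is the code the tests check out`. The job definition starts above the hunk, so its trigger and `runs-on` are not visible here.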
@@ -183,18 +183,17 @@ jobs: context: '${{ inputs.host }}/${{ inputs.id }}', state: '${{ job.status == 'success' && 'success' || 'failure' }}' }) - # As noted in ci.yml, this will need to be moved to a separate workflow with pull_request_target - # and strictly controlled usage of the GH token - # - name : Remove '${{ inputs.label }}' label - # if : ${{ !cancelled() && github.event.label.name == inputs.label }} - # env: - # PR_NUMBER: ${{ github.event.number }} - # run: | - # curl \ - # -X DELETE \ - # -H "Accept: application/vnd.github.v3+json" \ - # -H 'Authorization: token ${{ github.token }}' \ - # https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels/${{ inputs.label }} + + - name : Remove '${{ inputs.label }}' label + if : ${{ !cancelled() && github.event.label.name == inputs.label }} + env: + PR_NUMBER: ${{ github.event.number }} + run: | + curl \ + -X DELETE \ + -H "Accept: application/vnd.github.v3+json" \ + -H 'Authorization: token ${{ github.token }}' \ + https://api.github.com/repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/labels/${{ inputs.label }}
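Review bot: The re-enabled step still keys on `github.event.label.name` and `github.event.number`, while ci.yml in this same commit replaced both with `inputs.test` and `inputs.event_number`. When the run comes from the `workflow_dispatch` call in entry_point.yml, those event fields are presumably empty, so the `if:` would never match and `PR_NUMBER` would expand to nothing. The condition and the PR number should come from inputs forwarded by the caller; whether test_workflow.yml declares such inputs is outside the hunk. The deleted comment asked for strictly controlled use of the token, and no `permissions:` block for this job is visible here, so the scope the DELETE call relies on should be stated on the job.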