[PM-32200] ci: Add workflow to enforce PR labels #6530

Draft
vvolkgang wants to merge 4 commits into main from vvolkgang/enforce-labels

vvolkgang (Member) commented Feb 13, 2026

🎟️ Tracking

PM-32200

📔 Objective

Add workflow that enforces PR labeling requirements, by failing a run when:

  • PRs have banned labels (hold, needs-qa).
  • PRs don't have one Change Type (t:*) label, unless ignore-for-release is used.

vvolkgang added the ai-review (Request a Claude code review) label Feb 13, 2026
github-actions bot added the t:ci (Change Type - Updates to automated workflows) label Feb 13, 2026

claude bot (Contributor) commented Feb 13, 2026

Claude finished @vvolkgang's task in 2m 47s

Re-Review: SDLC / Enforce PR Labels

Scope: One new commit since last review -- ccb45db52 ("Revert sleep step"), which removes the sleep 15 workaround.

Assessment

The sleep removal is a good change. Instead of a racy sleep 15 that could still fail if the labeler runner was delayed, the workflow now relies on GitHub's event system:

  1. On opened/reopened, the enforce check may initially fail (no t:* label yet).
  2. The labeler workflow applies labels, which fires a labeled event.
  3. The enforce workflow re-runs on labeled and passes.

This is cleaner and more reliable than the sleep approach. GitHub required status checks use the latest run result, so the final state is always correct.

Previously Noted (unchanged, low severity)

  • The edited trigger type (line 6) causes unnecessary workflow runs since label state does not change when a PR title, body, or base branch is edited. This is harmless but wastes runner time.

Verdict

No issues found. The workflow is clean and correctly implements PR label enforcement. Approving.

codecov bot commented Feb 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.31%. Comparing base (e939b20) to head (ccb45db).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6530      +/-   ##
==========================================
- Coverage   86.35%   86.31%   -0.04%     
==========================================
  Files         789      790       +1     
  Lines       56424    56525     +101     
  Branches     8175     8175              
==========================================
+ Hits        48724    48791      +67     
- Misses       4853     4887      +34     
  Partials     2847     2847              

github-actions bot (Contributor) commented Feb 13, 2026

Checkmarx One – Scan Summary & Details 013a86f8-e3e7-49f5-af52-fff8da144b30

Great job! No new security vulnerabilities introduced in this pull request

vvolkgang marked this pull request as ready for review February 13, 2026 00:32
vvolkgang requested a review from a team as a code owner February 13, 2026 00:32
vvolkgang changed the title from "[PM-32200] Add workflow to enforce PR labels" to "[PM-32200] ci: Add workflow to enforce PR labels" Feb 13, 2026
vvolkgang enabled auto-merge February 13, 2026 00:47
vvolkgang disabled auto-merge February 13, 2026 00:56

on:
pull_request:
types: [labeled, unlabeled, opened, reopened, edited, synchronize]
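
Review bot: In the types list, labeled re-runs this check only for labels added by a user or by a token other than the default GITHUB_TOKEN; events raised with GITHUB_TOKEN do not start new workflow runs, so if the labeler workflow applies the t:* label with that token, a failed run on opened will not be superseded automatically. Confirm which token the labeler uses, or re-run the check another way. Separately, edited can be dropped from the list, since title, body and base-branch edits do not change the label set.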
Contributor

nit: synchronize is misspelled — should be synchronize. Actually, looking again this is the correct GitHub Actions event name (synchronize, not synchronized). Disregard!

Wait — I re-read this: the value here is synchronize which is the correct GitHub event type. No issue here. Apologies for the noise.


- name: Allow labeler to run on opened PRs
if: github.event.action == 'opened' || github.event.action == 'reopened'
run: sleep 15
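
Review bot: The sleep 15 step helps only if the labels are read after the wait. If the later step takes them from the event payload (the toJSON() expression mentioned in the review comment on the jq line), that payload is a snapshot from when the event fired and will not include labels added during the sleep; fetch the PR's current labels from the API after waiting, or drop the step.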
Contributor

Question: The sleep 15 is a reasonable approach to give the labeler workflow time to apply labels, but it introduces a race condition — if the labeler takes longer than 15 seconds (e.g., due to runner queue delays or slow API calls), the enforce step could still run before labels are applied.

Have you considered an alternative approach, such as:

  • Making this workflow depend on the labeler workflow completing (using workflow_run trigger)?
  • Using a polling loop that checks for t:* labels with a timeout?

The sleep approach is pragmatic and will likely work most of the time, but it's worth calling out as a known trade-off.

echo "⏭️ Skipping type label check - 'ignore-for-release' label present"
exit 0
fi
_T_LABEL_COUNT=$(echo "$_PR_LABELS" | jq '[.[] | select(.name | startswith("t:"))] | length')
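
Review bot: The exit 0 in the ignore-for-release branch ends the whole step, not just the type label check. If the banned-label check (hold, needs-qa) sits later in this same step, an ignore-for-release label would skip it; keep the banned-label check ahead of this branch or in its own step.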
Contributor

Note: The jq command here depends on jq being available on the runner. This is fine for ubuntu-24.04 (it's pre-installed), but worth noting as an implicit dependency. If the runner image ever changes, this could break silently.

Also, the toJSON() output is passed through an environment variable ($_PR_LABELS). For PRs with many labels or labels containing special characters, this should be safe since jq handles JSON parsing, but it's good that you're not trying to do string matching here.

vvolkgang marked this pull request as draft February 13, 2026 01:39