ci: Implement ok-to-test-tdx label

[sprt]

Acceptance criteria:

• Make it so that setting the ok-to-test-tdx label only triggers the following test: kata-containers-ci-on-push / run-kata-coco-tests / run-k8s-tests-on-tdx

You will most likely want to test things in a separate repo that you own: workflows using the pull_request_target don't take into account YAML changes in PRs.

[chris-krenz]

I'm still in the process of testing this on my fork, but here's how it's currently implemented.

A new workflow tdx-tests-only.yaml

name: Trigger run-k8s-tests-on-tdx Only
on:
  workflow_dispatch: 
  pull_request_target:
    branches:
      - 'main'
      - 'stable-*'
    types:
      - opened
      - synchronize
      - reopened
      - labeled

jobs:
  trigger-tdx-tests:
    if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test-tdx') }}
    uses: ./.github/workflows/run-kata-coco-tests.yaml
    with:
      run_only_tdx_tests: true  # Modified run-kata-coco-tests.yaml to run only run-k8s-tests-on-tdx if invoked with this input
    secrets: inherit

This passes in the run_only_tdx_tests var to the run-kata-coco-tests.yaml workflow. For any job, except the target job, if that var is set, the job will not run.

if: ${{ !inputs.run_only_tdx_tests }}

Does that make sense?

[chris-krenz]

I changed to pull_request from pull_request_target and tested on my fork (just with an echo command).

Next I'll create a PR upstream and document this feature both here and in that PR.

[sprt]

Just the dump info in the form of a PR - then we move on.

[chris-krenz]

Create draft PR. Will update with more explanation/documentation.

kata-containers/kata-containers#10618