From 7b9fca4bd8f8fc0198724d50b2eedd0fd3922e41 Mon Sep 17 00:00:00 2001 From: Sam Crauwels Date: Mon, 13 Apr 2026 12:02:47 +0200 Subject: [PATCH 1/2] ci: gate PR workflows behind run label --- .github/workflows/check_ci_coverage.yml | 4 +++- .github/workflows/consume_ci_run_label.yml | 20 +++++++++++++++++++ .github/workflows/kics.yml | 4 +++- .../test_elasticsearch_custom_certs.yml | 4 +++- .../workflows/test_elasticsearch_modules.yml | 4 +++- .../workflows/test_elasticsearch_upgrade.yml | 4 +++- .github/workflows/test_full_stack.yml | 6 ++++-- .github/workflows/test_linting.yml | 2 ++ .github/workflows/test_plugins.yml | 4 +++- .github/workflows/test_role_beats.yml | 4 +++- .github/workflows/test_role_elasticsearch.yml | 4 +++- .github/workflows/test_role_kibana.yml | 4 +++- .github/workflows/test_role_logstash.yml | 4 +++- .github/workflows/test_role_repos.yml | 4 +++- 14 files changed, 59 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/consume_ci_run_label.yml diff --git a/.github/workflows/check_ci_coverage.yml b/.github/workflows/check_ci_coverage.yml index c80e6ee6..715b5015 100644 --- a/.github/workflows/check_ci_coverage.yml +++ b/.github/workflows/check_ci_coverage.yml @@ -2,6 +2,7 @@ name: Check CI coverage on: pull_request: + types: [labeled] paths: - 'molecule/**' - '.github/workflows/test_*.yml' @@ -12,11 +13,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: check-ci-coverage: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} runs-on: ubuntu-latest timeout-minutes: 5 steps: diff --git a/.github/workflows/consume_ci_run_label.yml b/.github/workflows/consume_ci_run_label.yml new file mode 100644 index 00000000..d34c71ef --- /dev/null 
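Review bot: The new `concurrency.group` expression in check_ci_coverage.yml has no explanation, and the same line is repeated in the kics, test_full_stack, test_plugins, test_elasticsearch_* and test_role_* workflows. Its intent appears to be that a `labeled` event for any label other than `ci:run` gets its own group through `github.run_id`, so that with `cancel-in-progress: true` it cannot cancel an approved run that is still in progress. That is worth stating next to the expression, because a later simplification back to `${{ github.workflow }}-${{ github.ref }}` would silently let any label event cancel running CI. I would add `# Non-ci:run label events get their own group (run_id) so they cannot cancel an in-progress ci:run run.` above `group:` in each file.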
+++ b/.github/workflows/consume_ci_run_label.yml @@ -0,0 +1,20 @@ +--- +name: Consume CI run label +on: + pull_request: + types: [labeled] + +permissions: + contents: read + issues: write + +jobs: + consume: + if: ${{ github.event.label.name == 'ci:run' }} + runs-on: ubuntu-latest + steps: + - name: Remove ci:run label + env: + GH_TOKEN: ${{ github.token }} + PR_NUMBER: ${{ github.event.pull_request.number }} + run: gh issue edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --remove-label "ci:run" diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml index 2c882ea2..a599deb2 100644 --- a/.github/workflows/kics.yml +++ b/.github/workflows/kics.yml @@ -13,6 +13,7 @@ on: - warning - debug pull_request: + types: [labeled] push: branches: - 'main' @@ -25,11 +26,12 @@ permissions: security-events: write concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: kics: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} runs-on: ubuntu-latest timeout-minutes: 15 diff --git a/.github/workflows/test_elasticsearch_custom_certs.yml b/.github/workflows/test_elasticsearch_custom_certs.yml index 30c9f729..f5a9ef29 100644 --- a/.github/workflows/test_elasticsearch_custom_certs.yml +++ b/.github/workflows/test_elasticsearch_custom_certs.yml @@ -13,6 +13,7 @@ on: - warning - debug pull_request: + types: [labeled] paths: - 'roles/elasticsearch/**' - 'roles/elasticstack/**' 
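Review bot: In the new consume_ci_run_label.yml the workflow-level `permissions` block grants `contents: read`, but the only step calls `gh issue edit` and never checks out the repository, so that scope looks unnecessary. Scoping the token at job level, with `permissions: {}` at the top and `permissions:` / `issues: write` under `consume:`, keeps it to what the label removal needs. It is also worth confirming that `issues: write` alone is enough for `gh issue edit` to remove a label from a pull request; if it is not, the step fails and the label is never consumed. Passing the PR number through `env` instead of interpolating it into `run` is the right pattern and should stay.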
@@ -27,11 +28,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: lint_elasticsearch: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} uses: ./.github/workflows/test_linting.yml with: rolename: elasticsearch diff --git a/.github/workflows/test_elasticsearch_modules.yml b/.github/workflows/test_elasticsearch_modules.yml index bc844792..f62fce0e 100644 --- a/.github/workflows/test_elasticsearch_modules.yml +++ b/.github/workflows/test_elasticsearch_modules.yml @@ -13,6 +13,7 @@ on: - warning - debug pull_request: + types: [labeled] paths: - 'roles/elasticsearch/**' - 'roles/elasticstack/**' @@ -27,11 +28,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: lint_elasticsearch: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} uses: ./.github/workflows/test_linting.yml with: rolename: elasticsearch diff --git a/.github/workflows/test_elasticsearch_upgrade.yml b/.github/workflows/test_elasticsearch_upgrade.yml index 8d4679ba..2b6a17ef 100644 --- a/.github/workflows/test_elasticsearch_upgrade.yml +++ b/.github/workflows/test_elasticsearch_upgrade.yml @@ -13,6 +13,7 @@ on: - warning - debug pull_request: + types: [labeled] paths: - 'roles/elasticsearch/**' - 'roles/elasticstack/**' 
@@ -26,11 +27,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: lint_elasticsearch: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} uses: ./.github/workflows/test_linting.yml with: rolename: elasticsearch diff --git a/.github/workflows/test_full_stack.yml b/.github/workflows/test_full_stack.yml index f64d1d5b..c569c6ba 100644 --- a/.github/workflows/test_full_stack.yml +++ b/.github/workflows/test_full_stack.yml @@ -17,6 +17,7 @@ on: required: false type: string pull_request: + types: [labeled] merge_group: schedule: - cron: "0 4 * * 2,4,6" # Tue/Thu/Sat — 48 jobs, alternate with ES/logstash @@ -25,11 +26,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: changes: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} runs-on: ubuntu-latest outputs: should_test: ${{ steps.filter.outputs.should_test }} @@ -196,7 +198,7 @@ jobs: full_stack_gate: runs-on: ubuntu-latest needs: [changes, lint_full, molecule_full_stack_every_os] - if: always() + if: ${{ always() && (github.event_name != 'pull_request' || github.event.label.name == 'ci:run') }} steps: - name: Check results run: | diff --git a/.github/workflows/test_linting.yml b/.github/workflows/test_linting.yml index 766e16eb..b3637bd7 100644 --- a/.github/workflows/test_linting.yml +++ b/.github/workflows/test_linting.yml @@ -18,6 +18,7 @@ on: required: true type: string pull_request: + types: [labeled] branches: - '*' 
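Review bot: With the new condition on `full_stack_gate` in test_full_stack.yml, a `labeled` event for any label other than `ci:run` now skips the gate instead of running it, and GitHub treats a job skipped by `if` as passing for required status checks. If `full_stack_gate` is a required check in branch protection (not visible here), adding an unrelated label could leave a passing gate on the head commit without any test having run, and possibly supersede an earlier failing result. Please confirm how the required check behaves for a skipped run. A fail-closed alternative is to keep `if: always()` and let the "Check results" step fail when the needed jobs were skipped on a `pull_request` event, at the cost of a red check after unrelated label changes. The job's steps continue outside the hunk.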
@@ -26,6 +27,7 @@ permissions: jobs: lint: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} runs-on: self-hosted timeout-minutes: 10 steps: diff --git a/.github/workflows/test_plugins.yml b/.github/workflows/test_plugins.yml index 965bf955..ae1a8ef4 100644 --- a/.github/workflows/test_plugins.yml +++ b/.github/workflows/test_plugins.yml @@ -13,6 +13,7 @@ on: - warning - debug pull_request: + types: [labeled] branches: - 'feature/**' - 'fix/**' @@ -28,11 +29,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: pycodestyle: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} runs-on: self-hosted timeout-minutes: 15 steps: diff --git a/.github/workflows/test_role_beats.yml b/.github/workflows/test_role_beats.yml index 0c09230b..ef6d2313 100644 --- a/.github/workflows/test_role_beats.yml +++ b/.github/workflows/test_role_beats.yml @@ -13,6 +13,7 @@ on: - warning - debug pull_request: + types: [labeled] paths: - 'roles/beats/**' - 'roles/elasticstack/**' @@ -27,11 +28,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: lint_beats: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} uses: ./.github/workflows/test_linting.yml with: rolename: beats diff --git a/.github/workflows/test_role_elasticsearch.yml b/.github/workflows/test_role_elasticsearch.yml index 48b2e087..281aa54b 100644 --- a/.github/workflows/test_role_elasticsearch.yml +++ b/.github/workflows/test_role_elasticsearch.yml 
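Review bot: The `lint` job in test_linting.yml runs on `self-hosted`, so after this change the `ci:run` label is the control that decides whether pull-request code reaches that runner; the `pycodestyle` job in test_plugins.yml is in the same position. The condition checks only the label name from the event, so it approves whatever commit is the PR head when the label is applied, which may be newer than the commit a maintainer reviewed. I would record that next to the condition, e.g. `# ci:run approves the PR head at label time; re-check the latest commit before labeling (self-hosted runner).`, and verify that only trusted roles can apply labels in this repository. The job's steps continue outside the hunk.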
@@ -13,6 +13,7 @@ on: - warning - debug pull_request: + types: [labeled] paths: - 'roles/elasticsearch/**' - 'roles/elasticstack/**' @@ -27,11 +28,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: lint_elasticsearch: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} uses: ./.github/workflows/test_linting.yml with: rolename: elasticsearch diff --git a/.github/workflows/test_role_kibana.yml b/.github/workflows/test_role_kibana.yml index bd064b85..235781e9 100644 --- a/.github/workflows/test_role_kibana.yml +++ b/.github/workflows/test_role_kibana.yml @@ -13,6 +13,7 @@ on: - warning - debug pull_request: + types: [labeled] paths: - 'roles/kibana/**' - 'roles/elasticstack/**' @@ -27,11 +28,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: lint_kibana: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} uses: ./.github/workflows/test_linting.yml with: rolename: kibana diff --git a/.github/workflows/test_role_logstash.yml b/.github/workflows/test_role_logstash.yml index bf6c31ef..4b779817 100644 --- a/.github/workflows/test_role_logstash.yml +++ b/.github/workflows/test_role_logstash.yml @@ -13,6 +13,7 @@ on: - warning - debug pull_request: + types: [labeled] paths: - 'roles/logstash/**' - 'roles/elasticstack/**' 
@@ -27,11 +28,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: lint_logstash: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} uses: ./.github/workflows/test_linting.yml with: rolename: logstash diff --git a/.github/workflows/test_role_repos.yml b/.github/workflows/test_role_repos.yml index cf0c3a47..93d85ec7 100644 --- a/.github/workflows/test_role_repos.yml +++ b/.github/workflows/test_role_repos.yml @@ -13,6 +13,7 @@ on: - warning - debug pull_request: + types: [labeled] paths: - 'roles/repos/**' - 'roles/elasticstack/**' @@ -27,11 +28,12 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'pull_request' && github.event.label.name != 'ci:run' && github.run_id || 'ci' }} cancel-in-progress: true jobs: lint_repos: + if: ${{ github.event_name != 'pull_request' || github.event.label.name == 'ci:run' }} uses: ./.github/workflows/test_linting.yml with: rolename: repos From 66917af3bd7fe23b015a8ec9d9bc75bca4b6513b Mon Sep 17 00:00:00 2001 From: Sam Crauwels Date: Mon, 13 Apr 2026 13:07:57 +0200 Subject: [PATCH 2/2] ci: allow label consumer on fork PRs --- .github/workflows/consume_ci_run_label.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/consume_ci_run_label.yml b/.github/workflows/consume_ci_run_label.yml index d34c71ef..8c407c3d 100644 --- a/.github/workflows/consume_ci_run_label.yml +++ b/.github/workflows/consume_ci_run_label.yml @@ -1,7 +1,7 @@ --- name: Consume CI run label on: - pull_request: + pull_request_target: types: [labeled] permissions:
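Review bot: Switching the trigger in consume_ci_run_label.yml to `pull_request_target` means the workflow now runs with the base repository's token (`issues: write`) on events from fork PRs, and nothing in the file records the constraint that keeps this safe. As written the job is fine: it has no checkout step and passes the PR number through `env`. I would add a comment above the trigger such as `# pull_request_target runs with a write-capable token: never check out or execute PR code in this workflow.` so that a later edit does not add a checkout of the PR head. The rest of the workflow lies outside this hunk.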