Dbp-1067-optional-rollout-prevention

.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml

@@ -16,6 +16,47 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  check_merge_clearance:
+    name: "Check merge clearance"
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    outputs:
+      merge_clearance: ${{ steps.determine_merge_clearance.outputs.merge_clearance }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Get PR number
+        id: get_pr_number
+        run: |
+          PR_NUMBER=$(gh pr list --state open --head ${{ github.ref_name }} --json number --jq '.[0].number')
+          if [ -z "$PR_NUMBER" ]; then
+            echo "No existing PR found for ${{ github.ref_name }} "
+          else
+            echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+          fi
+
+      - name: Get PR labels
+        id: get_pr_labels
+        if: ${{ env.PR_NUMBER != ''  }}
+        run: |
+          PR_LABELS=$(gh pr view ${{ env.PR_NUMBER }} --json labels --jq '.labels | map(.name) | join(",")')
+          echo "PR_LABELS=$PR_LABELS" >> $GITHUB_ENV
+
+      - name: Determine merge clearance
+        id: determine_merge_clearance
+        run: |
+          if [ -z "$env.PR_NUMBER" ] || [[ ${{ ! contains(env.PR_LABELS, 'prevent_auto_deployment') }} == true ]]; then
+            echo "merge_clearance=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "merge_clearance=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: test output
+        run: |
+          echo "test output: " ${{ steps.determine_merge_clearance.outputs.merge_clearance }}
+
   codeql_analyze:
     name: "CodeQL"
     if: ${{ github.event_name == 'push' }}
@@ -26,8 +67,10 @@ jobs:
       security-events: write
 
   build_image_on_push:
+    needs:
+      - check_merge_clearance
     name: "Publish image and scan with trivy"
-    if: ${{ github.event_name == 'push' }}
+    if: ${{ github.event_name == 'push' && needs.check_merge_clearance.outputs.merge_clearance == 'true' }}
     permissions:
       packages: write
       security-events: write
@@ -50,7 +93,9 @@ jobs:
       contents: read
 
   select_helm_version_generation_and_image_tag_generation:
-    if: ${{ github.event_name == 'push'}}
+    needs:
+      - check_merge_clearance
+    if: ${{ github.event_name == 'push' && needs.check_merge_clearance.outputs.merge_clearance == 'true' }}
     runs-on: ubuntu-latest
     outputs: 
       SELECT_HELM_VERION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERION_GENERATION }}