From 834f1a03afd0eb2da05dec6fdc4abb06db923803 Mon Sep 17 00:00:00 2001
From: nicolethoen <nthoen@redhat.com>
Date: Mon, 27 Apr 2026 15:39:16 -0400
Subject: [PATCH 1/2] ci: PF team labels and gated Surge PR preview

Add org reusable workflow for issue labeling on open.

Gate pr-preview on check-team-membership; support /retest via
issue_comment; use reusable job PR number output.

Made-with: Cursor
---
 .github/workflows/label-pf-team-issue.yml |  9 +++++++++
 .github/workflows/pr-preview.yml          | 13 +++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/label-pf-team-issue.yml

diff --git a/.github/workflows/label-pf-team-issue.yml b/.github/workflows/label-pf-team-issue.yml
new file mode 100644
index 000000000..9019ee29b
--- /dev/null
+++ b/.github/workflows/label-pf-team-issue.yml
@@ -0,0 +1,9 @@
+name: Label PF Team issues
+on:
+  issues:
+    types:
+      - opened
+jobs:
+  label:
+    uses: patternfly/.github/.github/workflows/add-pf-team-label-workflow.yml@main
+    secrets: inherit
diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index 7854cc41d..acffb840a 100644
--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
@@ -1,14 +1,23 @@
 ### WARNING -- this file was generated by generate-workflows
 name: pr-preview
-on: pull_request_target
+on:
+  pull_request_target:
+  issue_comment:
+    types: [created]
 jobs:
+  check-permissions:
+    uses: patternfly/.github/.github/workflows/check-team-membership.yml@main
+    secrets: inherit
+
   build-upload:
     runs-on: ubuntu-latest
+    needs: check-permissions
+    if: needs.check-permissions.outputs.allowed == 'true'
     env:
       SURGE_LOGIN: ${{ secrets.SURGE_LOGIN }}
       SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
       GH_PR_TOKEN: ${{ secrets.GH_PR_TOKEN }}
-      GH_PR_NUM: ${{ github.event.number }}
+      GH_PR_NUM: ${{ needs.check-permissions.outputs.pr-number }}
     steps:
       - uses: actions/checkout@v4
       # Yes, we really want to checkout the PR

From 56452a399f39ebd943a2e085c8e7f20f1cbbefae Mon Sep 17 00:00:00 2001
From: nicolethoen <nthoen@redhat.com>
Date: Mon, 27 Apr 2026 15:50:36 -0400
Subject: [PATCH 2/2] ci: fix npm cache hit condition in pr-preview

Use npm-cache step id so install skips when node_modules restored.

Made-with: Cursor
---
 .github/workflows/pr-preview.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml
index acffb840a..7069c2d02 100644
--- a/.github/workflows/pr-preview.yml
+++ b/.github/workflows/pr-preview.yml
@@ -43,7 +43,7 @@ jobs:
           path: '**/node_modules'
           key: ${{ runner.os }}-npm-14-${{ secrets.CACHE_VERSION }}-${{ hashFiles('package-lock.json') }}
       - run: npm install --frozen-lockfile
-        if: steps.yarn-cache.outputs.cache-hit != 'true'
+        if: steps.npm-cache.outputs.cache-hit != 'true'
       - run: npm run build
         name: Build virtual assistant
       - uses: actions/cache@v4