Setup condition for ∈ org or "ok-to-test" label before running Tekton based CI jobs

[afrittoli]

Expected Behavior

CI Jobs are only executed if a PR was submitted by someone who belongs to the org or if the "ok-to-test" label was added.

Actual Behavior

CI Jobs are executed regardless.

Additional Info

This avoids letting anyone from outside of the org running arbitrary code in CI checks, and it provides continuity with the functionality available from prow today.

[tekton-robot]

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

[tekton-robot]

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

/close

Send feedback to tektoncd/plumbing.

[tekton-robot]

@tekton-robot: Closing this issue.

In response to [this](https://github.com/tektoncd/plumbing/issues/482#issuecomment-674455060): >Rotten issues close after 30d of inactivity. >Reopen the issue with `/reopen`. >Mark the issue as fresh with `/remove-lifecycle rotten`. > >/close > >Send feedback to [tektoncd/plumbing](https://github.com/tektoncd/plumbing). Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[vdemeester]

/remove-lifecycle rotten /remove-lifecycle stale /reopen

[tekton-robot]

@vdemeester: Reopened this issue.

In response to [this](https://github.com/tektoncd/plumbing/issues/482#issuecomment-674750274): >/remove-lifecycle rotten >/remove-lifecycle stale >/reopen Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[afrittoli]

/lifecycle frozen

[afrittoli]

I added a new custom interceptor that adds the required info to the payloads of events, but it is not used yet for CI jobs.

[afrittoli]

Precondition for this: https://github.com/tektoncd/plumbing/pull/956

[lbernick]

@afrittoli this can probably be closed right?

[chitrangpatel]

ping @afrittoli is this complete?

[afrittoli]

I wrote https://github.com/tektoncd/plumbing/tree/main/tekton/ci/interceptors/add-team-members but it needs to be converted to the "new" format of cluster interceptor https://github.com/tektoncd/plumbing/tree/main/tekton/ci/cluster-interceptors.

What that interceptor does is add the list of team members to the extensions, but perhaps we could have more logic implemented in the custom interceptor, i.e. pass in the author and repo and list of labels, and return an authorised decision (true/false).