From aa10cc0e4ab529042bc6c5ac0eee194e4b69999d Mon Sep 17 00:00:00 2001
From: Vault Automation <github-team-secure-vault-core@hashicorp.com>
Date: Mon, 9 Mar 2026 18:46:35 -0400
Subject: [PATCH] cloud: automatically trigger custom image test when changing
 the `hcp` testing toolchain (#12654) (#12664)

* actions: pull in gotestsum when executing the cloud scenario
* cloud: add 'hcp' changed-file group and trigger cloud scenario when the files change
* slightly simplify expression

---------

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
---
 .github/workflows/build.yml | 21 +++++++++++----------
 .release/pipeline.hcl       | 29 +++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e210b430d4..da67c28018 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -398,6 +398,7 @@ jobs:
       needs.setup.outputs.workflow-trigger == 'schedule' ||
       ( needs.setup.outputs.workflow-trigger == 'pull_request' &&
         (
+          contains(fromJSON(needs.setup.outputs.changed-files).groups, 'hcp') ||
           contains(fromJSON(needs.setup.outputs.labels), 'hcp/build-image') ||
           contains(fromJSON(needs.setup.outputs.labels), 'hcp/test')
         )
@@ -474,16 +475,16 @@ jobs:
     # Test our custom HCP image if our image build was successful and we've
     # been configured with the correct label.
     if: |
-      needs.setup.outputs.is-ent-branch == 'true' &&
-      needs.setup.outputs.workflow-trigger == 'schedule' ||
-      ( needs.setup.outputs.workflow-trigger == 'pull_request' &&
-        needs.artifacts-ent.result == 'success' &&
-        needs.hcp-image.result == 'success' &&
-        contains(fromJSON(needs.setup.outputs.labels), 'hcp/test')
-      ) ||
-      ( needs.setup.outputs.workflow-trigger == 'schedule' &&
-        needs.artifacts-ent.result == 'success' &&
-        needs.hcp-image.result == 'success'
+      needs.setup.outputs.is-ent-branch == 'true' && (
+        ( needs.setup.outputs.workflow-trigger == 'pull_request' &&
+          needs.artifacts-ent.result == 'success' &&
+          needs.hcp-image.result == 'success' &&
+          ( contains(fromJSON(needs.setup.outputs.changed-files).groups, 'hcp') || contains(fromJSON(needs.setup.outputs.labels), 'hcp/test') )
+        ) || (
+          needs.setup.outputs.workflow-trigger == 'schedule' &&
+          needs.artifacts-ent.result == 'success' &&
+          needs.hcp-image.result == 'success'
+        )
       )
     needs:
       - setup
diff --git a/.release/pipeline.hcl b/.release/pipeline.hcl
index 2f58f30b5c..42ab4ba393 100644
--- a/.release/pipeline.hcl
+++ b/.release/pipeline.hcl
@@ -217,6 +217,35 @@ changed_files {
     }
   }
 
+  // The "hcp" group is for files that are unique to testing Vault in the
+  // HashiCorp Cloud Platform, i.e. HVD or Vault Cloud.
+  group "hcp" {
+    match {
+      file = [
+        joinpath(".github", "workflows", "build-hcp-image.yml"),
+        joinpath(".github", "workflows", "test-run-enos-scenario-cloud.yml"),
+        joinpath("enos", "enos-scenario-cloud-ent.hcl"),
+      ]
+    }
+
+    match {
+      base_dir = [
+        joinpath("enos", "modules", "cloud_docker_vault_cluster"),
+        joinpath("enos", "modules", "hcp"),
+        joinpath("tools", "pipeline", "internal", "pkg", "hcp"),
+      ]
+    }
+
+    match {
+      base_dir = [
+        joinpath("tools", "pipeline", "internal", "cmd"),
+      ]
+      contains = [
+        "hcp"
+      ]
+    }
+  }
+
   // The "pipeline" group matches directories where we house code and
   // configuration used in the CI/CD pipeline
   group "pipeline" {