ci(e2e): enable E2E to run on external forks throught the copy-pr-bot flow (#922)

Author: pimlock

.github/actions/pr-gate/action.yml

@@ -0,0 +1,56 @@
+name: PR Gate
+description: >
+  Resolve PR metadata for a `pull-request/<N>` push from copy-pr-bot and decide
+  whether the workflow should run. Sets `should-run=true` only when the pushed
+  SHA still matches the PR head SHA and the PR carries the required label. For
+  non-`push` events (e.g. `workflow_dispatch`), always sets `should-run=true`.
+
+inputs:
+  required_label:
+    description: PR label required to enable the run (e.g. "test:e2e").
+    required: true
+
+outputs:
+  should_run:
+    description: "true if the workflow should proceed, false otherwise"
+    value: ${{ steps.gate.outputs.should_run }}
+
+runs:
+  using: composite
+  steps:
+    - id: get_pr_info
+      if: github.event_name == 'push'
+      continue-on-error: true
+      uses: nv-gha-runners/get-pr-info@main
+
+    - id: gate
+      shell: bash
+      env:
+        EVENT_NAME: ${{ github.event_name }}
+        GITHUB_SHA_VALUE: ${{ github.sha }}
+        GET_PR_INFO_OUTCOME: ${{ steps.get_pr_info.outcome }}
+        PR_INFO: ${{ steps.get_pr_info.outputs.pr-info }}
+        REQUIRED_LABEL: ${{ inputs.required_label }}
+      run: |
+        if [ "$EVENT_NAME" != "push" ]; then
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+          exit 0
+        fi
+
+        if [ "$GET_PR_INFO_OUTCOME" != "success" ]; then
+          echo "should_run=false" >> "$GITHUB_OUTPUT"
+          exit 0
+        fi
+
+        head_sha="$(jq -r '.head.sha' <<< "$PR_INFO")"
+        has_label="$(jq -r --arg L "$REQUIRED_LABEL" '[.labels[].name] | index($L) != null' <<< "$PR_INFO")"
+
+        # Only trust copied pull-request/* pushes that still match the PR head
+        # SHA and carry the required label.
+        if [ "$head_sha" = "$GITHUB_SHA_VALUE" ] && [ "$has_label" = "true" ]; then
+          should_run=true
+        else
+          should_run=false
+        fi
+
+        echo "should_run=$should_run" >> "$GITHUB_OUTPUT"

.github/workflows/branch-e2e.yml

@@ -1,32 +1,59 @@
 name: Branch E2E Checks
 
 on:
-  pull_request:
-    types: [opened, synchronize, reopened, labeled]
+  push:
+    branches:
+      - "pull-request/[0-9]+"
+  workflow_dispatch: {}
 
-permissions:
-  contents: read
-  packages: write
+permissions: {}
 
 jobs:
+  pr_metadata:
+    name: Resolve PR metadata
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      should_run: ${{ steps.gate.outputs.should_run }}
+    steps:
+      - uses: actions/checkout@v4
+      - id: gate
+        uses: ./.github/actions/pr-gate
+        with:
+          required_label: test:e2e
+
   build-gateway:
-    if: contains(github.event.pull_request.labels.*.name, 'test:e2e')
+    needs: [pr_metadata]
+    if: needs.pr_metadata.outputs.should_run == 'true'
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/docker-build.yml
     with:
       component: gateway
       platform: linux/arm64
       runner: build-arm64
 
   build-cluster:
-    if: contains(github.event.pull_request.labels.*.name, 'test:e2e')
+    needs: [pr_metadata]
+    if: needs.pr_metadata.outputs.should_run == 'true'
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/docker-build.yml
     with:
       component: cluster
       platform: linux/arm64
       runner: build-arm64
 
   e2e:
-    needs: [build-gateway, build-cluster]
+    needs: [pr_metadata, build-gateway, build-cluster]
+    if: needs.pr_metadata.outputs.should_run == 'true'
+    permissions:
+      contents: read
+      packages: read
     uses: ./.github/workflows/e2e-test.yml
     with:
       image-tag: ${{ github.sha }}

.github/workflows/e2e-gate-check.yml

@@ -0,0 +1,101 @@
+name: E2E Gate Check
+
+# Reusable gate that enforces: when `required_label` is present on a PR,
+# `workflow_file` must have completed successfully for the PR head SHA.
+#
+# Callers wire their own triggers (`pull_request` + `workflow_run` for the
+# workflow this gate guards) and pass in the label and workflow filename.
+
+on:
+  workflow_call:
+    inputs:
+      required_label:
+        description: PR label that makes the gated workflow mandatory.
+        required: true
+        type: string
+      workflow_file:
+        description: Filename of the workflow whose run must have succeeded (e.g. "branch-e2e.yml").
+        required: true
+        type: string
+
+permissions: {}
+
+jobs:
+  check:
+    name: Enforce ${{ inputs.required_label }} runs when labeled
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: read
+    steps:
+      - name: Resolve PR context
+        id: pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          EVENT_NAME: ${{ github.event_name }}
+          PR_HEAD_SHA_FROM_EVENT: ${{ github.event.pull_request.head.sha }}
+          PR_LABELS_FROM_EVENT: ${{ toJSON(github.event.pull_request.labels.*.name) }}
+          WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [ "$EVENT_NAME" = "pull_request" ]; then
+            head_sha="$PR_HEAD_SHA_FROM_EVENT"
+            labels_json=$(jq -c . <<< "$PR_LABELS_FROM_EVENT")
+          else
+            head_sha="$WORKFLOW_RUN_HEAD_SHA"
+            pr=$(gh api "repos/$GH_REPO/commits/$head_sha/pulls" --jq '.[0] // empty')
+            if [ -z "$pr" ]; then
+              echo "No PR associated with $head_sha; gate is a no-op."
+              echo "skip=true" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+            labels_json=$(jq -c '[.labels[].name]' <<< "$pr")
+          fi
+          echo "head_sha=$head_sha" >> "$GITHUB_OUTPUT"
+          echo "labels_json=$labels_json" >> "$GITHUB_OUTPUT"
+
+      - name: Evaluate gate
+        if: steps.pr.outputs.skip != 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          HEAD_SHA: ${{ steps.pr.outputs.head_sha }}
+          LABELS_JSON: ${{ steps.pr.outputs.labels_json }}
+          REQUIRED_LABEL: ${{ inputs.required_label }}
+          WORKFLOW_FILE: ${{ inputs.workflow_file }}
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          has_label=$(jq -r --arg L "$REQUIRED_LABEL" 'any(.[]; . == $L)' <<< "$LABELS_JSON")
+          if [ "$has_label" != "true" ]; then
+            echo "::notice::$REQUIRED_LABEL not applied; gate passes."
+            exit 0
+          fi
+
+          runs=$(gh api "repos/$GH_REPO/actions/workflows/$WORKFLOW_FILE/runs?head_sha=$HEAD_SHA&event=push" --jq '.workflow_runs')
+          latest=$(jq -c 'sort_by(.created_at) | reverse | .[0] // empty' <<< "$runs")
+
+          if [ -z "$latest" ]; then
+            echo "::error::$REQUIRED_LABEL is applied but $WORKFLOW_FILE has not run for $HEAD_SHA. Wait for copy-pr-bot to mirror the PR, or re-run the gate once the workflow completes."
+            exit 1
+          fi
+
+          status=$(jq -r '.status' <<< "$latest")
+          conclusion=$(jq -r '.conclusion' <<< "$latest")
+
+          if [ "$conclusion" = "success" ]; then
+            echo "$WORKFLOW_FILE succeeded for $HEAD_SHA."
+            exit 0
+          fi
+
+          if [ "$status" != "completed" ]; then
+            echo "::error::$WORKFLOW_FILE is $status for $HEAD_SHA. This gate will re-evaluate on completion."
+            exit 1
+          fi
+
+          echo "::error::$WORKFLOW_FILE concluded as $conclusion for $HEAD_SHA."
+          exit 1

.github/workflows/e2e-gate.yml

@@ -0,0 +1,41 @@
+name: E2E Gate
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled, unlabeled, ready_for_review]
+  workflow_run:
+    workflows: ["Branch E2E Checks", "GPU Test"]
+    types: [completed]
+
+permissions: {}
+
+jobs:
+  e2e:
+    name: E2E
+    # Run on every PR event; on workflow_run, only when the upstream was the
+    # matching gated workflow.
+    if: >-
+      github.event_name == 'pull_request' ||
+      github.event.workflow_run.name == 'Branch E2E Checks'
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: read
+    uses: ./.github/workflows/e2e-gate-check.yml
+    with:
+      required_label: test:e2e
+      workflow_file: branch-e2e.yml
+
+  gpu:
+    name: GPU E2E
+    if: >-
+      github.event_name == 'pull_request' ||
+      github.event.workflow_run.name == 'GPU Test'
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: read
+    uses: ./.github/workflows/e2e-gate-check.yml
+    with:
+      required_label: test:e2e-gpu
+      workflow_file: test-gpu.yml

.github/workflows/test-gpu.yml

@@ -7,71 +7,50 @@ on:
   workflow_dispatch: {}
   # Add `schedule:` here when we want nightly coverage from the same workflow.
 
-permissions:
-  contents: read
-  pull-requests: read
-  packages: write
+permissions: {}
 
 jobs:
   pr_metadata:
     name: Resolve PR metadata
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       should_run: ${{ steps.gate.outputs.should_run }}
     steps:
-      - id: get_pr_info
-        if: github.event_name == 'push'
-        continue-on-error: true
-        uses: nv-gha-runners/get-pr-info@main
-
+      - uses: actions/checkout@v4
       - id: gate
-        shell: bash
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          GITHUB_SHA_VALUE: ${{ github.sha }}
-          GET_PR_INFO_OUTCOME: ${{ steps.get_pr_info.outcome }}
-          PR_INFO: ${{ steps.get_pr_info.outputs.pr-info }}
-        run: |
-          if [ "$EVENT_NAME" != "push" ]; then
-            echo "should_run=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          if [ "$GET_PR_INFO_OUTCOME" != "success" ]; then
-            echo "should_run=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          head_sha="$(jq -r '.head.sha' <<< "$PR_INFO")"
-          has_gpu_label="$(jq -r '[.labels[].name] | index("test:e2e-gpu") != null' <<< "$PR_INFO")"
-
-          # Only trust copied pull-request/* pushes that still match the PR head SHA
-          # and are explicitly labeled for GPU coverage.
-          if [ "$head_sha" = "$GITHUB_SHA_VALUE" ] && [ "$has_gpu_label" = "true" ]; then
-            should_run=true
-          else
-            should_run=false
-          fi
-
-          echo "should_run=$should_run" >> "$GITHUB_OUTPUT"
+        uses: ./.github/actions/pr-gate
+        with:
+          required_label: test:e2e-gpu
 
   build-gateway:
     needs: [pr_metadata]
     if: needs.pr_metadata.outputs.should_run == 'true'
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/docker-build.yml
     with:
       component: gateway
 
   build-cluster:
     needs: [pr_metadata]
     if: needs.pr_metadata.outputs.should_run == 'true'
+    permissions:
+      contents: read
+      packages: write
     uses: ./.github/workflows/docker-build.yml
     with:
       component: cluster
 
   e2e-gpu:
     needs: [pr_metadata, build-gateway, build-cluster]
     if: needs.pr_metadata.outputs.should_run == 'true'
+    permissions:
+      contents: read
+      packages: read
     uses: ./.github/workflows/e2e-gpu-test.yaml
     with:
       image-tag: ${{ github.sha }}