ci(INFRA-3631): dispatch Namespace shadow CI via workflow_dispatch

bsgrigorov · cursoragent · bsgrigorov · commit c9f88bf807c5 · 2026-05-15T09:10:32.000-07:00
Replace workflow_call with gh workflow run so shadow jobs stay out of PR
checks (ALLGREEN). Add optional pr_number/head_sha inputs and run-name for
correlation. Skip ship-js-bundle-size-check on Namespace shadow to avoid
duplicate pushes to mobile_bundlesize_stats.

Secrets: wire ACTIONS_WRITE_TOKEN for dispatch; intended token is a
fine-grained PAT on this repo with Actions: Read and write (plus Metadata:
Read).

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/.github/workflows/ci-namespace-shadow.yml b/.github/workflows/ci-namespace-shadow.yml
@@ -1,5 +1,25 @@
 name: CI (Namespace shadow)
 
+# Fire-and-forget dispatcher for the Namespace shadow benchmark (INFRA-3631).
+#
+# This workflow does NOT use `workflow_call`. Instead, it dispatches `ci.yml`
+# as a separate `workflow_dispatch` run with `runner_provider=namespace`.
+#
+# Why a dispatch instead of a call:
+#   - `workflow_call` nests the called workflow's jobs into THIS workflow's
+#     check suite on the PR. With the repo's merge queue ALLGREEN policy,
+#     any shadow flake would block merges.
+#   - `workflow_dispatch` runs live in the Actions tab only -- invisible to
+#     PR checks. The shadow can fail freely; it never blocks the queue,
+#     never duplicates commit statuses, never posts PR comments.
+#
+# Correlation back to the originating PR:
+#   - The dispatched run's display name is set via `run-name` in ci.yml to
+#     `ci [shadow PR #<num> @ <sha>]`, so it's identifiable in the Actions
+#     tab at a glance.
+#   - The dispatcher job posts a GitHub Actions step summary linking the PR
+#     to the dispatched shadow run URL, reachable from the PR Checks tab.
+
 on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
@@ -17,17 +37,78 @@ concurrency:
   group: ns-shadow-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
-  shadow-ci:
-    name: '[shadow] CI'
-    permissions:
-      actions: read
-      contents: read
-      id-token: write
-      issues: write
-      pull-requests: write
-      statuses: write
-    uses: ./.github/workflows/ci.yml
-    with:
-      runner_provider: namespace
-    secrets: inherit
+  dispatch-shadow:
+    name: '[shadow] Dispatch'
+    runs-on: ubuntu-latest
+    # Skip dispatch for fork PRs: ACTIONS_WRITE_TOKEN is not exposed to forks,
+    # and we don't want untrusted PRs consuming Namespace capacity.
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+    steps:
+      - name: Dispatch ci.yml on Namespace
+        id: dispatch
+        env:
+          GH_TOKEN: ${{ secrets.ACTIONS_WRITE_TOKEN }}
+          REPO: ${{ github.repository }}
+          REF: ${{ github.head_ref || github.ref_name }}
+          PR_NUMBER: ${{ github.event.pull_request.number || '' }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+        run: |
+          set -euo pipefail
+          echo "Dispatching ci.yml on ref='${REF}' (PR='${PR_NUMBER:-none}', sha='${HEAD_SHA}')"
+          gh workflow run ci.yml \
+            --repo "$REPO" \
+            --ref "$REF" \
+            -f runner_provider=namespace \
+            -f pr_number="$PR_NUMBER" \
+            -f head_sha="$HEAD_SHA"
+
+          # gh workflow run returns immediately with no run ID. Find the run
+          # we just created so we can link to it from the step summary.
+          # Best-effort: poll briefly for a queued/in_progress dispatch on this ref.
+          RUN_URL=""
+          for _ in $(seq 1 10); do
+            RUN_URL=$(gh run list \
+              --repo "$REPO" \
+              --workflow ci.yml \
+              --event workflow_dispatch \
+              --branch "$REF" \
+              --limit 1 \
+              --json url,createdAt \
+              --jq '.[0].url' 2>/dev/null || true)
+            if [ -n "$RUN_URL" ] && [ "$RUN_URL" != "null" ]; then
+              break
+            fi
+            sleep 2
+          done
+          echo "run_url=${RUN_URL}" >> "$GITHUB_OUTPUT"
+
+      - name: Step summary
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number || '' }}
+          PR_URL: ${{ github.event.pull_request.html_url || '' }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+          REF: ${{ github.head_ref || github.ref_name }}
+          RUN_URL: ${{ steps.dispatch.outputs.run_url }}
+        run: |
+          {
+            echo "## Namespace shadow CI dispatched"
+            echo
+            echo "| Field | Value |"
+            echo "|---|---|"
+            if [ -n "$PR_NUMBER" ]; then
+              echo "| PR | [#${PR_NUMBER}](${PR_URL}) |"
+            fi
+            echo "| Ref | \`${REF}\` |"
+            echo "| Head SHA | \`${HEAD_SHA}\` |"
+            if [ -n "${RUN_URL}" ]; then
+              echo "| Shadow run | ${RUN_URL} |"
+            else
+              echo "| Shadow run | (not yet visible — check the Actions tab) |"
+            fi
+            echo
+            echo "_Shadow CI runs **fire-and-forget**: it does not appear in this PR's checks and never blocks the merge queue. Benchmark data is collected by \`scripts/namespace-benchmark.sh\`._"
+          } >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: ci
 
+run-name: >-
+  ${{ inputs.pr_number && format('ci [shadow PR #{0} @ {1}]', inputs.pr_number, inputs.head_sha) || '' }}
+
 on:
   push:
     branches: [main]
@@ -19,6 +22,14 @@ on:
         type: string
         required: false
         default: current
+      pr_number:
+        description: "PR number (shadow correlation, optional)"
+        type: string
+        required: false
+      head_sha:
+        description: "PR head SHA (shadow correlation, optional)"
+        type: string
+        required: false
   workflow_dispatch:
     inputs:
       runner_provider:
@@ -29,6 +40,14 @@ on:
           - current
           - namespace
         default: current
+      pr_number:
+        description: "PR number (shadow correlation, optional)"
+        required: false
+        type: string
+      head_sha:
+        description: "PR head SHA (shadow correlation, optional)"
+        required: false
+        type: string
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.sha || github.ref }}
@@ -516,7 +535,9 @@ jobs:
     name: Ship JS bundle size check
     runs-on: ${{ inputs.runner_provider == 'namespace' && 'namespace-profile-metamask-ci-linux' || 'ubuntu-latest' }}
     needs: [js-bundle-size-check]
-    if: ${{ github.ref == 'refs/heads/main' }}
+    # Skip on Namespace shadow runs: hourly cron against main would otherwise
+    # push duplicate entries to the external mobile_bundlesize_stats repo.
+    if: ${{ github.ref == 'refs/heads/main' && inputs.runner_provider != 'namespace' }}
     steps:
       - uses: namespacelabs/nscloud-checkout-action@938f5d2d403d6224d9a0c0dc559b1dae09c2ede4 # v8.1.1
         if: ${{ inputs.runner_provider == 'namespace' }}
