fix(INFRA-3631): add job-level permissions to shadow CI caller

[alucardzom]

Description

This PR finishes INFRA-3631 Namespace shadow CI work in two parts:

1. workflow_call permission cap (startup fix)
With workflow_call, the caller job’s permissions cap the callee. The shadow-ci caller job in ci.yml now declares the permissions downstream jobs need (id-token, statuses, issues, pull-requests, etc.) so shadow runs do not hit startup_failure (see TEC-54198 / prior validation runs in this thread).

2. Token Exchange for shadow dispatch (latest)
The ci-namespace-shadow.yml dispatcher no longer uses a dedicated GitHub App (create-github-app-token). It follows the same pattern as triage-forwarder.yml: OIDC (id-token: write, audience api://token-exchange-service) → POST $TOKEN_EXCHANGE_URL/api/exchange/token with targetRepo = this repo and scoped requested_permissions (metadata/contents read, actions write).

• TES policy (binds minted tokens to this workflow file via GitHub OIDC claim workflow_ref, not job_workflow_ref): deploy token-exchange-service#77 before relying on exchange in production.
• Fork PRs: the dispatcher job is skipped when pull_request.head.repo != github.repository, so OIDC exchange never runs for untrusted forks.
• Duplicate side effects: ci.yml gates status/comment/bundle steps when runner_provider=namespace so shadow runs stay read-mostly at the GitHub API layer.

Changelog

CHANGELOG entry: null

Related issues

Fixes: INFRA-3631

Related: TEC-54198 (TechOps — workflow_call permission inheritance)

Token exchange policy PR: consensys-vertical-apps/token-exchange-service#77

Manual testing steps

Feature: Namespace shadow CI dispatcher

  Scenario: Shadow workflow uses token exchange after TES deploy
    Given TOKEN_EXCHANGE_URL is set and TES policy from PR #77 is deployed
    When a non-fork pull_request triggers ci-namespace-shadow.yml
    Then the dispatch job exchanges OIDC for a token and successfully workflow_dispatch'es ci.yml with runner_provider=namespace

  Scenario: Fork PR does not call token exchange
    Given a pull request from a fork head repository
    When ci-namespace-shadow.yml runs
    Then the dispatch job is skipped and no exchange request is made

Screenshots/Recordings

N/A (CI / GitHub Actions only.)

Before

N/A

After

N/A

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines).

Performance checks (if applicable)

• I've tested on Android
• I've tested with a power user scenario
• I've instrumented key operations with Sentry traces for production performance metrics

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Changes GitHub Actions authentication and dispatch flow for shadow CI and conditions out status/comment/publishing steps when running on namespace, which could affect CI observability or external integrations if misconfigured.

Overview
Reworks the Namespace shadow CI workflow to be fire-and-forget by dispatching ci.yml via workflow_dispatch instead of calling it directly, so shadow flakes don’t appear as PR checks or block the merge queue.

Adds OIDC-based Token Exchange Service authentication (scoped actions: write token) for the dispatcher, skips the dispatcher entirely for fork PRs, and posts a step summary linking the originating PR to the dispatched run.

Updates ci.yml to accept optional pr_number/head_sha inputs (used for run-name correlation) and to disable side-effecting behavior on runner_provider=namespace (e.g., commit status publishing, bundle-size shipping, PR comments, fixture-validation reporting) to avoid duplicate statuses/comments and external pushes.

^{Reviewed by Cursor Bugbot for commit e65e564. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c9f88bf. Configure here.}

[Copilot]

Pull request overview

This PR adjusts the Namespace “shadow CI” integration so it can trigger the main ci.yml pipeline without blocking PR checks, and adds correlation inputs/guards to prevent shadow runs from producing duplicate side effects (commit statuses, PR comments, external repo writes).

Changes:

• Adds run-name plus pr_number / head_sha inputs to ci.yml for better identification/correlation of shadow-dispatched runs.
• Gates several side-effecting steps/jobs in ci.yml to skip when runner_provider == 'namespace'.
• Reworks ci-namespace-shadow.yml from a workflow_call-based caller to a “fire-and-forget” dispatcher that uses OIDC token exchange + gh workflow run to start ci.yml.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
.github/workflows/ci.yml	Adds shadow correlation inputs/run-name and skips side-effecting steps on Namespace runs.
.github/workflows/ci-namespace-shadow.yml	Replaces workflow_call with an OIDC-authenticated dispatcher that triggers ci.yml via workflow_dispatch.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Cal-L]

LGTM

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 95%

click to see 🤖 AI reasoning details

E2E Test Selection:
The two changed files are purely CI/infrastructure workflow files with no impact on application code, E2E test logic, or test infrastructure:

1. ci-namespace-shadow.yml: Refactored from workflow_call (which nested shadow jobs into PR check suite, risking merge queue blocks on flakes) to a workflow_dispatch fire-and-forget pattern using OIDC token exchange. This is a CI orchestration improvement that prevents shadow CI flakes from blocking merges.

2. ci.yml: Added pr_number/head_sha inputs for shadow run correlation, a run-name for identification, and inputs.runner_provider != 'namespace' guards on steps that would cause duplicate side effects (commit status posting, bundle size stats, PR comments, fixture results reporting) when running as a Namespace shadow.

Neither file touches:

• Any application source code
• E2E test files or test infrastructure (tests/ directory)
• Test page objects, fixtures, or helpers
• Any component, controller, or service
• Performance-sensitive code paths

The changes are purely about CI runner orchestration and preventing duplicate side effects in shadow runs. No E2E tests need to run to validate these changes, and no performance tests are warranted.

Performance Test Selection:
No application code, rendering logic, data loading, or performance-sensitive paths were modified. These are purely CI workflow orchestration changes with no impact on app performance.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud