ci: add CI gate workflow (#19912)

Closes #19909.

## Summary

Switches CI from individual per-workflow required checks to a single `CI
Gate / ci-gate` aggregator. This is required for clean handling of merge
queues and PRs simultaneously — without a gate, there's no single check
to require on `merge_group` events, and managing required checks means
touching GitHub settings rather than code.

The gate currently requires exactly the same jobs that were previously
required, so this is a one-to-one transition:

- `Lint / lint`
- `All tests / tests-mac-linux (ubuntu-24.04, macos-15, windows-2025)`
- `All tests (with -race) / ...`
- `Test Hive / test-hive (...)`
- `Consensus spec / ...`
- `Check large files / check`
- `Benchmarks / benchmarks`
- `Kurtosis Assertoor GitHub Action / assertoor_{regular,pectra}_test`
- `Manifest Check / ManifestCheck`
- `Reproducible build / reproducible-build (...)`
- `QA - RPC Integration Tests (Gnosis) / gnosis-rpc-integ-tests`
- `QA - RPC Integration Tests Remote / mainnet-rpc-integ-tests-remote`

Each called workflow gains `workflow_call:` and loses its
`pull_request:` trigger — the gate owns PR and merge-queue coverage.
Standalone `push`, `schedule`, and `workflow_dispatch` triggers are
preserved.

## Running different jobs on PR vs merge queue

Because the gate triggers on both `pull_request` and `merge_group`, it's
now straightforward to run a lighter suite on PRs and the full suite
only when merging:

```yaml
# ci-gate.yml
expensive-job:
  if: github.event_name == 'merge_group'
  uses: ./.github/workflows/expensive.yml
  secrets: inherit
```

The aggregator ignores skipped jobs, so jobs conditional on event type
don't block the gate in the other context. This is a follow-up
opportunity — for now all jobs run on both.

## How to merge

1. In branch protection for `main`, remove all individual required
checks and add `CI Gate / ci-gate`
2. Merge this PR — the gate is now in effect for all subsequent PRs and
merge queue entries

## Other changes

- Deletes stub workflows `ci.yml`, `test-win-downloader.yml`,
`check.yml`
- Fixes `event_name`-dependent conditions in `test-hive.yml` and
`test-kurtosis-assertoor.yml`
- Upgrades `check-large-files.yml` checkout v4→v6
- Adds `workflow_dispatch` to `test-bench.yml` and
`test-integration-caplin.yml`
- Removes redundant daily schedule from `test-all-erigon.yml`
- Documents `workflow_call` vs inline guidance in `.github/README.md`

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: anacrolix <988750+anacrolix@users.noreply.github.com>

Author: anacrolix

.github/README.md

@@ -40,6 +40,30 @@ Without `ready_for_review`, converting a draft PR to ready-for-review fires an e
 the workflow doesn't subscribe to, so the job never runs — the PR appears to have
 skipped CI until the next push.
 
+### CI gate and workflow_call
+
+All PR and merge-queue checks run through `.github/workflows/ci-gate.yml`. It calls
+each sub-workflow via `uses:` (reusable workflow call) rather than inlining the job
+definitions. This avoids duplicating job definitions that also appear in standalone
+`push`/`schedule` runs.
+
+Use `workflow_call:` on a workflow (and call it from ci-gate) when the workflow has
+other triggers besides PRs — `push` to `main`, `schedule`, etc. — so there is one
+source of truth for the job definition.
+
+Only inline job definitions directly into ci-gate if the workflow is exclusively
+PR-gated with no other triggers, since there is then no duplication concern.
+
+Workflows called by ci-gate must not have `pull_request:` triggers — ci-gate owns
+PR coverage and a `pull_request:` trigger would cause every job to run twice.
+
+ci-gate has a workflow-level `concurrency:` group that cancels the entire previous
+run (all sub-workflow jobs) when a new PR push or merge_group event arrives. Sub-
+workflows called via `workflow_call` must **not** define their own job-level
+`concurrency:` for this purpose — `github.workflow` and `github.job` resolve to
+the caller's values (or empty) in a `workflow_call` context, which causes collisions
+that cancel sibling jobs within the same run.
+
 ### Required checks and path filters
 
 Required checks must always report a status or they block the PR indefinitely.

.github/workflows/check-large-files.yml

@@ -1,6 +1,8 @@
 name: Check large files
 
-on: pull_request
+on:
+  workflow_dispatch:
+  workflow_call:
 
 defaults:
   run:
@@ -10,7 +12,7 @@ jobs:
   check:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           filter: blob:none

.github/workflows/check.yml

@@ -0,0 +1,109 @@
+name: CI Gate
+
+on:
+  pull_request:
+    branches:
+      - main
+      - 'release/**'
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+  push:
+    branches:
+      - main
+      - 'release/**'
+  merge_group:
+  workflow_dispatch:
+
+concurrency:
+  # For PRs: one run per branch; new push cancels the old run.
+  # For push/merge_group/workflow_dispatch: unique per run so runs never cancel each other.
+  group: >-
+    ${{
+      github.event_name == 'pull_request' &&
+      format('{0}-{1}', github.workflow, github.head_ref) ||
+      format('{0}-{1}', github.workflow, github.run_id)
+    }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    if: github.event_name == 'pull_request'
+    uses: ./.github/workflows/lint.yml
+    secrets: inherit
+
+  tests:
+    uses: ./.github/workflows/test-all-erigon.yml
+    secrets: inherit
+
+  race-tests:
+    uses: ./.github/workflows/test-all-erigon-race.yml
+    secrets: inherit
+
+  hive:
+    uses: ./.github/workflows/test-hive.yml
+    secrets: inherit
+
+  caplin:
+    uses: ./.github/workflows/test-integration-caplin.yml
+    secrets: inherit
+
+  # Only meaningful for PRs: needs github.event.pull_request.base.sha.
+  large-files:
+    if: github.event_name == 'pull_request'
+    uses: ./.github/workflows/check-large-files.yml
+    secrets: inherit
+
+  bench:
+    uses: ./.github/workflows/test-bench.yml
+    secrets: inherit
+
+  kurtosis:
+    uses: ./.github/workflows/test-kurtosis-assertoor.yml
+    secrets: inherit
+
+  manifest:
+    uses: ./.github/workflows/manifest.yml
+    secrets: inherit
+
+  repro:
+    uses: ./.github/workflows/reproducible-build.yml
+    secrets: inherit
+
+  qa-rpc-gnosis:
+    uses: ./.github/workflows/qa-rpc-integration-tests-gnosis.yml
+    secrets: inherit
+
+  qa-rpc-remote:
+    uses: ./.github/workflows/qa-rpc-integration-tests-remote.yml
+    secrets: inherit
+
+  ci-gate:
+    if: always()
+    needs:
+      - lint
+      - tests
+      - race-tests
+      - hive
+      - caplin
+      - large-files
+      - bench
+      - kurtosis
+      - manifest
+      - repro
+      - qa-rpc-gnosis
+      - qa-rpc-remote
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check all required jobs
+        run: |
+          echo '${{ toJSON(needs) }}' > needs.json
+          failed=$(jq -r 'to_entries[] | select(.value.result == "failure" or .value.result == "cancelled") | .key' needs.json)
+          if [ -n "$failed" ]; then
+            echo "The following jobs failed or were cancelled:"
+            echo "$failed"
+            exit 1
+          fi
+          echo "All required jobs passed or were skipped."

.github/workflows/ci-gate.yml

@@ -1,12 +1,7 @@
 name: Lint
 on:
   workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-      - 'release/**'
-      - performance
-      - performance-stable
+  workflow_call:
 
 defaults:
   run:
@@ -15,9 +10,6 @@ defaults:
 jobs:
   lint:
     runs-on: ubuntu-latest
-    concurrency:
-      group: ${{ format('{0}-{1}', github.workflow, github.ref) }}
-      cancel-in-progress: true
 
     steps:
       - name: Checkout custom actions

.github/workflows/ci.yml

@@ -6,18 +6,8 @@ on:
       - 'release/**'
     paths:
       - 'go.mod'
-  pull_request:
-    branches:
-      - main
-      - 'release/**'
-    paths:
-      - 'go.mod'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
   workflow_dispatch:
+  workflow_call:
 
 jobs:
   ManifestCheck:

.github/workflows/lint.yml

@@ -2,31 +2,15 @@ name: QA - RPC Integration Tests (Gnosis)
 
 on:
   workflow_dispatch:     # Run manually
+  workflow_call:
   push:
     branches:
       - main
       - 'release/3.*'
-  pull_request:
-    branches:
-      - main
-      - 'release/3.*'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
 
 
 jobs:
   gnosis-rpc-integ-tests:
-    concurrency:
-      group: >-
-        ${{
-          (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && 
-          format('{0}-{1}', github.workflow, github.run_id) ||
-          format('{0}-{1}', github.workflow, github.ref)
-        }}
-      cancel-in-progress: true
     runs-on: [ self-hosted, qa, Gnosis, rpc-integration ]
     env:
       ERIGON_TESTBED_AREA: /opt/erigon-testbed
@@ -135,7 +119,7 @@ jobs:
         if: always() && steps.test_step.outputs.test_executed == 'true'
         uses: actions/upload-artifact@v6
         with:
-          name: test-results
+          name: test-results-gnosis
           path: ${{ env.TEST_RESULT_DIR }}
 
       - name: Save test results

.github/workflows/manifest.yml

@@ -2,31 +2,15 @@ name: QA - RPC Integration Tests Remote
 
 on:
   workflow_dispatch:     # Run manually
+  workflow_call:
   push:
     branches:
       - main
       - 'release/3.*'
-  pull_request:
-    branches:
-      - main
-      - 'release/3.*'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
 
 
 jobs:
   mainnet-rpc-integ-tests-remote:
-    concurrency:
-      group: >-
-        ${{
-          (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && 
-          format('{0}-{1}', github.workflow, github.run_id) ||
-          format('{0}-{1}', github.workflow, github.ref)
-        }}
-      cancel-in-progress: true
     runs-on: [ self-hosted, qa, Ethereum, rpc-integration-commitment ]
     env:
       ERIGON_TESTBED_AREA: /opt/erigon-testbed
@@ -235,7 +219,7 @@ jobs:
         if: always() && steps.test_step.outputs.test_executed == 'true'
         uses: actions/upload-artifact@v6
         with:
-          name: test-results
+          name: test-results-remote-mainnet
           path: |
             ${{ env.TEST_RESULT_DIR }}
             ${{ github.workspace }}/build/bin/rpcdaemon.log 

.github/workflows/qa-rpc-integration-tests-gnosis.yml

@@ -1,16 +1,8 @@
 name: Reproducible build
 
 on:
-  pull_request:
-    branches:
-      - main
-      - 'release/**'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
   workflow_dispatch:
+  workflow_call:
 
 defaults:
   run:
@@ -25,9 +17,6 @@ jobs:
           - macos-15
           - windows-2025
     runs-on: ${{ matrix.os }}
-    concurrency:
-      group: ${{ github.workflow }}-${{ matrix.os }}-${{ github.ref }}
-      cancel-in-progress: true
 
     steps:
       - uses: actions/checkout@v6