
[13.4-stable] Separate Eden CI into untrusted Gate and trusted Runner workflows #5052

Merged
eriknordmark merged 1 commit into lf-edge:13.4-stable from OhmSpectator:backport/13.4-stable/feature/docker-login-for-tests
Jul 7, 2025

@OhmSpectator
Member

Description

Backport of #5048

PR dependencies

None.

How to test and validate this PR

Doesn't need to be tested internally.

Changelog notes

No user-facing changes.

Checklist

  • I've provided a proper description
  • I've added the proper documentation
  • I've tested my PR on amd64 device
  • I've tested my PR on arm64 device
  • I've written the test verification instructions
  • I've set the proper labels to this PR
  • I've added a reference link to the original PR
  • PR's title follows the template
  • I've checked the boxes above, or I've provided a good reason why I didn't
    check them.

…flows.

Separate Eden test execution into two cooperating GitHub workflows: an
untrusted "PR Gate," triggered by PR approvals and build completions,
and a trusted "Eden Runner," triggered by the successful completion of
the gate. This change enables secure access to Docker Hub secrets and
streamlines test execution when PRs from forks are approved before the
build is ready.

Previously, Eden tests ran within a single workflow triggered by
`pull_request_review` events, which, when originating from forks, lacked
access to repository secrets. As a result, the workflow couldn't log in
to Docker Hub, causing test failures. The updated setup addresses this
by splitting the logic:

1. The "PR Gate" workflow (untrusted) triggers on two events:

- Submission of a PR review (specifically approval).
- Completion of the PR build workflow.

It always checks two conditions:

- The PR is approved.
- The necessary build artifact ("eve (amd64, kvm, generic)") exists and
  succeeded.

Once both conditions are met, the PR Gate workflow creates a
`run-context.json` file containing relevant information (PR number, SHA,
original run ID, architecture details, etc.) and uploads it as an
artifact named "run-context". If conditions aren't met, it uploads a
sentinel string ("exit") to indicate tests shouldn't proceed.

2. The "Eden Runner" workflow (trusted) triggers upon the successful
completion of the "PR Gate" workflow using the `workflow_run` event,
thus gaining access to repository secrets. It downloads the
"run-context" artifact and verifies its content. If valid (i.e., doesn't
contain "exit"), it triggers the actual Eden test execution via the
reusable workflow lf-edge/eden/.github/workflows/test.yml.

Due to GitHub limitations, workflows triggered by `workflow_run` don't
automatically appear in the PR's check status list. To maintain
transparency, explicit manual status updates are performed at different
stages:

- Initially setting a "pending" status when tests start.
- Finalizing with "success," "failure," or "error" after completion.

Additionally, each Eden job result is surfaced individually to maintain
detailed test visibility within the PR.

Finally, this update eliminates a common bottleneck: Eden tests
previously required manual re-runs if PR approval occurred before the
build was ready. Now, the PR Gate automatically reevaluates whenever the
PR build finishes, enabling automated testing and quicker feedback
loops.

The obsolete monolithic workflow (eden.yml) has been removed to reflect
these structural improvements clearly.

Signed-off-by: Nikolay Martyanov <nikolay@zededa.com>
(cherry picked from commit 9c17dd5)
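
An added example, not code from this PR or the lf-edge repository: one way the trusted runner could verify the downloaded "run-context" artifact before acting on it, since that file is produced by the untrusted gate. The field names (`pr_number`, `sha`, `run_id`, `arch`), the size cap, the architecture allowlist and the `trusted_head_sha` parameter (the head SHA the runner reads from its own `workflow_run` event) are assumptions.

```python
import json
import re

SENTINEL = "exit"                    # sentinel string named in the commit message
MAX_BYTES = 4096                     # assumed size cap for the artifact
ALLOWED_ARCH = {"amd64", "arm64"}    # assumed allowlist of architectures
SHA_RE = re.compile(r"[0-9a-f]{40}")
# Hypothetical key names; the page lists the kinds of data, not the keys.
FIELDS = {"pr_number", "sha", "run_id", "arch"}


def _positive_int(value):
    # bool is a subclass of int in Python, so reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def parse_run_context(raw: bytes, trusted_head_sha: str):
    """Return the validated dict, None for the sentinel, or raise ValueError."""
    if len(raw) > MAX_BYTES:
        raise ValueError("artifact larger than expected")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("artifact is not UTF-8") from exc
    if text.strip() == SENTINEL:
        return None                  # gate decided the tests must not run
    try:
        ctx = json.loads(text)
    except (json.JSONDecodeError, RecursionError) as exc:
        raise ValueError("artifact is not usable JSON") from exc
    if not isinstance(ctx, dict) or set(ctx) != FIELDS:
        raise ValueError("unexpected set of fields")
    if not _positive_int(ctx["pr_number"]) or not _positive_int(ctx["run_id"]):
        raise ValueError("pr_number and run_id must be positive integers")
    if not isinstance(ctx["sha"], str) or not SHA_RE.fullmatch(ctx["sha"]):
        raise ValueError("sha is not a 40-character hex commit id")
    if ctx["sha"] != trusted_head_sha:
        raise ValueError("sha differs from the head SHA of the triggering run")
    if ctx["arch"] not in ALLOWED_ARCH:
        raise ValueError("arch not in allowlist")
    return ctx


if __name__ == "__main__":
    head = "0123456789abcdef0123456789abcdef01234567"  # constructed sample SHA
    sample = {"pr_number": 1, "sha": head, "run_id": 2, "arch": "amd64"}
    print(parse_run_context(json.dumps(sample).encode(), head))
    print(parse_run_context(b"exit\n", head))
```

Any `ValueError` should fail the runner job before secrets are used or the reusable test workflow is called; only the values of the returned dict are passed on.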
Contributor

@eriknordmark eriknordmark left a comment

LGTM

@eriknordmark eriknordmark merged commit acadac7 into lf-edge:13.4-stable Jul 7, 2025
10 checks passed