[ci] Implement workflow_scripts: extract logic, rename workflows

[rjpower]

Move per-workflow logic into scripts/workflows/ (changes.py, github_actions.py, iris_monitor.py with status/wait/collect), replace peter-evans/create-pull-request and dorny/paths-filter, SHA-pin non-trusted actions, and rename all workflows to domain-type[-variant] with matching job ids. Audit goes from 38 to 0 failures. Branch protection swap is documented in .agents/projects/workflow_scripts/branch-protection-rollout.md and must be applied before merge.

Fixes #5067

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 497f08e3bc

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[yonromai]

Approved. I left one net-new comment on the Iris monitor state model; the existing review comments about the dupekit auto-PR branch flow and CoreWeave label sanitization still look relevant, so I did not repost them.

Validation notes: the new monitor script compiles, its help path runs under uv --package marin-iris, and all workflow/action YAML files load. actionlint only reported shellcheck/custom-runner warnings. The current Iris - Smoke - GCP check is failing from a pytest timeout in the live smoke test, with diagnostics uploaded.

_{Generated with Codex.}

[rjpower]

@claude pls rebase to main and resolve conflicts

[claude]

Claude finished @rjpower's task in 5m 57s —— View job

---

Rebase resolved locally — push blocked by GitHub App permissions

• Fetched origin/main and unshallowed (29 commits ahead of branch base, 8 branch commits)
• Ran git rebase origin/main — all 8 commits replayed
• Resolved both conflicts in .github/workflows/marin-canary-ferry-coreweave.yaml
• ./infra/pre-commit.py --all-files --fix → clean (ruff + black + pyrefly + license headers all pass)
• Smoke-checked scripts/workflows/iris_monitor.py (imports clean, --help works, all four subcommands exposed); YAML-loaded the five rewritten workflows
• ❌ Cannot push — see below

Conflicts (both in marin-canary-ferry-coreweave.yaml)

1. Port-forward to iris-ci controller step. main (a92b2a6) had grown an inline kubectl rollout status + port-forward + retry-loop + curl /health block. The branch already replaces all of that with a single call into scripts/workflows/iris_monitor.py port-forward, which (per iris_monitor.py:703-768) does the equivalent rollout-wait, spawns the forwarder, polls /health, and writes IRIS_CONTROLLER_URL / LOCAL_PORT / PF_PID to $GITHUB_ENV. → kept the branch version, dropped the inline block.

2. Submit canary ferry step. main added echo "Multi-host canary: ${CANARY_MULTI_HOST:-0}"; the branch's commit 6c9126f317 switched iris --controller-url="$IRIS_CONTROLLER_URL" to iris --config="$IRIS_CONFIG" (per-call tunnel rather than a long-lived port-forward URL). → kept both changes.

Resulting block (lines 109-145):

      - name: Port-forward to iris-ci controller
        run: |
          uv run python scripts/workflows/iris_monitor.py port-forward \
            --namespace "$IRIS_NAMESPACE" \
            --service iris-ci-controller-svc \
            --kubeconfig "$HOME/.kube/coreweave-iris"

      - name: Submit canary ferry
        id: submit
        shell: bash -l {0}
        run: |
          echo "Multi-host canary: ${CANARY_MULTI_HOST:-0}"
          JOB_ID=$(.venv/bin/iris --config="$IRIS_CONFIG" \
            job run --no-wait \
            ...

Why I can't push

The Claude Code GitHub App's installation token does not carry the workflows permission, so git push --force-with-lease is rejected by the GitHub API:

! [remote rejected]  workflow-scripts-impl -> workflow-scripts-impl
  (refusing to allow a GitHub App to create or update workflow
   `.github/workflows/marin-canary-ferry-coreweave.yaml` without `workflows` permission)

The wrapper git-push.sh available on the runner doesn't accept --force-with-lease (it allows only origin <ref> for security), so a non-fast-forward push isn't possible through it either. This is a Claude Code Action / App-permission limitation, not a repo-side branch protection — see the FAQ.

How to apply this rebase locally

The conflict resolution is mechanical; run this on your laptop:

git fetch origin
git checkout workflow-scripts-impl
git rebase origin/main
# Two conflicts in .github/workflows/marin-canary-ferry-coreweave.yaml.
# Conflict 1 (Port-forward step): keep the `iris_monitor.py port-forward` call,
#   drop the inline kubectl rollout/port-forward/curl block from main.
# Conflict 2 (Submit canary ferry step): keep BOTH the new
#   `echo "Multi-host canary: ${CANARY_MULTI_HOST:-0}"` line AND
#   the `iris --config="$IRIS_CONFIG"` invocation.
git add .github/workflows/marin-canary-ferry-coreweave.yaml
git rebase --continue
./infra/pre-commit.py --all-files --fix
git push --force-with-lease origin workflow-scripts-impl

• Branch: workflow-scripts-impl