
[ MATTER-6188 MATTER-5457 ] : Split workflows to access PRs from forks #568

Open: sarthak shaha (Sarthak-Shaha) wants to merge 14 commits into main from feature/split_workflows

@Sarthak-Shaha sarthak shaha (Sarthak-Shaha) commented Mar 23, 2026

Issue Link:
MATTER-6188
MATTER-5457

Description of Problem/Feature:
Fork PRs do not have access to repository secrets, which causes the Jenkins sanity workflow to fail for external contributors.

Description of Fix/Solution:
Split dev-apps-builder and sqa-sanity-tests into separate independent workflows.

sqa-sanity-tests now uses a workflow_run trigger instead of workflow_call. Workflows triggered by workflow_run always run on the base repository's default branch and have full access to repository secrets, regardless of whether the triggering build originated from a fork.

Changes:

dev-apps-builder.yaml

  • Removed wait-for-test-results and build-sqa-apps jobs; these are now owned by sqa-sanity-tests.yaml
  • Added cache-tools to delete-cache needs so needs.cache-tools.outputs.cache-key resolves correctly

sqa-sanity-tests.yaml

  • Trigger changed from workflow_call to workflow_run on Build Dev apps
  • Added if: github.event.workflow_run.conclusion == 'success' to skip failed builds
  • Fixed head SHA resolution to use context.payload.workflow_run.head_sha (previously fell back to default branch SHA for non-PR events)
  • cache-tools, build-sqa-apps, delete-cache jobs moved here, conditioned on github.event.workflow_run.head_branch (not github.ref_name, which is always the default branch in workflow_run context)
  • Added github.event.workflow_run.head_repository.full_name == github.repository guard to cache-tools, build-sqa-apps, and delete-cache to prevent fork PRs with a branch named main or release_* from executing privileged jobs
  • cache-tools checkout uses ref: github.event.workflow_run.head_sha to build from the triggering commit, not the default branch
  • build-sqa-apps passes head-sha and head-branch through the reusable workflow chain so source code is built from the triggering commit on non-default branches (e.g. release_*)
  • Fixed deleteCacheById → deleteActionsCacheByKey (cache key is a string, not a numeric ID)
  • Added always() to delete-cache so cache is cleaned even if build-sqa-apps fails

sqa-apps-builder.yaml, platform-builder.yaml, builder.yaml

  • Added optional head-sha and head-branch inputs, threaded through the full call chain
  • builder.yaml checkout uses ref: inputs.head-sha || github.sha
  • builder.yaml asset creation condition uses inputs.head-branch || github.ref_name instead of github.ref_name alone

jenkins_integration/github/github_workflow.py

  • _matches_pr_workflow: GitHub returns an empty pull_requests array for fork PRs; added fallback to match by head_sha instead
  • _get_pr_latest_sha: now returns (commit_sha, head_branch) so the SHA is available for the fallback match

Testing Done:
Test PR #566
#569
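
The fork guard and the head_sha fallback from the description above, modelled over constructed workflow_run payloads. This is an added example, not code from the pull request; `run_matches_pr`, `may_run_privileged`, `make_run` and the repository names are hypothetical.

```python
from fnmatch import fnmatchcase

BASE_REPO = "example-org/example-repo"        # constructed placeholder
PRIVILEGED_BRANCHES = ("main", "release_*")   # branch names from the PR description


def run_matches_pr(run, pr_number, pr_head_sha):
    """Hypothetical helper: tie a workflow run to a PR, falling back to head_sha."""
    prs = run.get("pull_requests") or []
    if prs:
        return any(p.get("number") == pr_number for p in prs)
    # Fork PRs arrive with an empty pull_requests array, so compare commits.
    return bool(pr_head_sha) and run.get("head_sha") == pr_head_sha


def may_run_privileged(run, base_repo=BASE_REPO):
    """Hypothetical helper: conditions the description lists for privileged jobs."""
    if run.get("conclusion") != "success":
        return False
    # head_branch is chosen by the contributor; the repository name is not.
    if (run.get("head_repository") or {}).get("full_name") != base_repo:
        return False
    branch = run.get("head_branch") or ""
    return any(fnmatchcase(branch, pat) for pat in PRIVILEGED_BRANCHES)


def make_run(sha, branch, repo, conclusion="success", prs=()):
    """Build a constructed workflow_run payload with only the fields used here."""
    return {"head_sha": sha * 40, "head_branch": branch, "conclusion": conclusion,
            "head_repository": {"full_name": repo}, "pull_requests": list(prs)}


# Constructed workflow_run payloads (not taken from the repository).
RUNS = {
    "push_main": make_run("a", "main", BASE_REPO),
    "fork_named_main": make_run("b", "main", "fork-user/example-repo"),
    "internal_pr": make_run("c", "feature/x", BASE_REPO, prs=[{"number": 7}]),
    "failed_release": make_run("d", "release_1.0", BASE_REPO, conclusion="failure"),
}

if __name__ == "__main__":
    for name, run in RUNS.items():
        print(f"{name:16} privileged={may_run_privileged(run)}")
    print("fork run matched to PR 12 by SHA:",
          run_matches_pr(RUNS["fork_named_main"], 12, "b" * 40))
```

The `fork_named_main` payload is the case the repository-name guard exists for: its branch name passes the branch check, and only the `head_repository.full_name` comparison rejects it.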

@Sarthak-Shaha sarthak shaha (Sarthak-Shaha) requested a review from a team as a code owner March 23, 2026 15:16

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 43298ec578

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "Codex (@codex) review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "Codex (@codex) address that feedback".

Comment thread .github/workflows/dev-apps-builder.yaml Outdated
Comment thread .github/workflows/dev-apps-builder.yaml Outdated
Comment thread .github/workflows/sqa-sanity-tests.yaml Outdated
@Sarthak-Shaha

Codex (@codex) review

@Sarthak-Shaha sarthak shaha (Sarthak-Shaha) changed the title MATTER-6188 : Feature/split workflows MATTER-6188 : Split workflows to access PRs from forks Mar 23, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: df805a4628

Comment thread .github/workflows/sqa-sanity-tests.yaml
Comment thread .github/workflows/sqa-sanity-tests.yaml Fixed
@Sarthak-Shaha

Codex (@codex) review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Swish!

@Sarthak-Shaha sarthak shaha (Sarthak-Shaha) changed the title MATTER-6188 : Split workflows to access PRs from forks MATTER-6188 MATTER-5457 : Split workflows to access PRs from forks Mar 23, 2026
@Sarthak-Shaha sarthak shaha (Sarthak-Shaha) changed the title MATTER-6188 MATTER-5457 : Split workflows to access PRs from forks [ MATTER-6188 MATTER-5457 ] : Split workflows to access PRs from forks Mar 23, 2026
Comment thread .github/workflows/dev-apps-builder.yaml Outdated
Comment thread .github/workflows/sqa-sanity-tests.yaml Outdated
Comment thread .github/workflows/platform-builder.yaml Outdated
Comment on lines +95 to +96
head-sha: ${{ inputs.head-sha }}
head-branch: ${{ inputs.head-branch }}

I don't know enough about the CI action flow at the moment to make an educated suggestion.

But head-sha: ${{ inputs.head-sha }} and head-branch: ${{ inputs.head-branch }} apply to the whole build flow. Is there not a common place we could set this rather than having 2 extra inputs in each job workflow?
