Run claimed PRs CI as a maintainer so it they access secrets (#1984)

## Summary

- dispatch `ci.yml` after an external contributor PR is claimed so the
mirrored internal PR can run secret-backed CI without per-maintainer
tokens
- add a PR-context loader to `ci.yml` so dispatched runs can recover
labels, PR number, and internal-head gating from the GitHub API
- keep the existing mirror/refresh flow intact while returning the owned
PR number from the claim finalization step

## Why

GitHub attributes PR authorship to the credential that creates the PR.
Because we cannot store maintainer PATs in repo secrets, the claim
workflow cannot safely recreate mirrored PRs as the approving
maintainer. The viable low-churn path is to keep the mirrored PR
bot-created, then trigger trusted CI on the mirrored branch via
`workflow_dispatch`, which can be started from `GITHUB_TOKEN` and still
runs with repository secrets.

## Impact

- claimed PRs get a trusted `ci.yml` run on their head SHA after claim
succeeds
- the CI workflow now works for both `pull_request` and dispatched
claimed-PR runs
- e2e jobs still stay gated to internal-head PRs, but that decision is
now derived from loaded PR context rather than only the event payload

## Validation

- `pnpm exec prettier --check .github/workflows/ci.yml
.github/workflows/external-contributor-pr.yml`
- `git diff --check -- .github/workflows/ci.yml
.github/workflows/external-contributor-pr.yml`

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Run trusted CI for claimed external PRs by dispatching `ci.yml` on the
mirrored branch. This keeps the mirror flow intact and enables
secret-backed CI without maintainer tokens.

- **New Features**
- `external-contributor-pr.yml` dispatches `ci.yml` after a successful
claim using the mirrored branch ref, passing the owned PR number;
exposes `claimed` and `owned-pr-number` outputs and sets `actions:
write`.
- `ci.yml` adds `workflow_dispatch` with a `pull_request_number` input
and a `load-pr-context` job to read labels, PR number, and
internal-head; this context drives eval selection, e2e gating, and
summary comments; adds `pull-requests: read`.

<sup>Written for commit 0b38370.
Summary will update on new commits. <a
href="https://cubic.dev/pr/browserbase/stagehand/pull/1984">Review in
cubic</a></sup>

<!-- End of auto-generated description by cubic. -->

---------

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

Author: pirate

.github/workflows/ci.yml

@@ -9,10 +9,17 @@ on:
       - unlabeled
     paths-ignore:
       - "packages/docs/**"
+  workflow_dispatch:
+    inputs:
+      pull_request_number:
+        description: Internal mirrored pull request number
+        required: true
+        type: string
 
 permissions:
   contents: read
   actions: write
+  pull-requests: read
 
 env:
   BROWSERBASE_FLOW_LOGS: "1"
@@ -107,8 +114,60 @@ jobs:
               - 'examples/**'
               - '!packages/**/*.md'
 
+  load-pr-context:
+    runs-on: ubuntu-latest
+    outputs:
+      pull_request_number: ${{ steps.load.outputs.pull_request_number }}
+      is_internal_head: ${{ steps.load.outputs.is_internal_head }}
+      skip_evals: ${{ steps.load.outputs.skip_evals }}
+      skip_regression_evals: ${{ steps.load.outputs.skip_regression_evals }}
+      label_combination: ${{ steps.load.outputs.label_combination }}
+      label_extract: ${{ steps.load.outputs.label_extract }}
+      label_act: ${{ steps.load.outputs.label_act }}
+      label_observe: ${{ steps.load.outputs.label_observe }}
+      label_targeted_extract: ${{ steps.load.outputs.label_targeted_extract }}
+      label_agent: ${{ steps.load.outputs.label_agent }}
+    steps:
+      - id: load
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const repoFullName = `${context.repo.owner}/${context.repo.repo}`;
+            let pr = context.payload.pull_request;
+
+            if (!pr) {
+              const prNumber = Number('${{ github.event.inputs.pull_request_number }}');
+              if (!prNumber) {
+                throw new Error('workflow_dispatch requires pull_request_number input');
+              }
+
+              const { data } = await github.rest.pulls.get({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: prNumber,
+              });
+              pr = data;
+            }
+
+            const labelNames = (pr.labels || [])
+              .map((label) => typeof label === 'string' ? label : label.name)
+              .filter(Boolean);
+            const hasLabel = (name) => labelNames.includes(name);
+
+            core.setOutput('pull_request_number', String(pr.number));
+            core.setOutput('is_internal_head', pr.head.repo?.full_name === repoFullName ? 'true' : 'false');
+            core.setOutput('skip_evals', hasLabel('skip-evals') ? 'true' : 'false');
+            core.setOutput('skip_regression_evals', hasLabel('skip-regression-evals') ? 'true' : 'false');
+            core.setOutput('label_combination', hasLabel('combination') ? 'true' : 'false');
+            core.setOutput('label_extract', hasLabel('extract') ? 'true' : 'false');
+            core.setOutput('label_act', hasLabel('act') ? 'true' : 'false');
+            core.setOutput('label_observe', hasLabel('observe') ? 'true' : 'false');
+            core.setOutput('label_targeted_extract', hasLabel('targeted-extract') ? 'true' : 'false');
+            core.setOutput('label_agent', hasLabel('agent') ? 'true' : 'false');
+
   determine-evals:
-    needs: [determine-changes]
+    needs: [determine-changes, load-pr-context]
     runs-on: ubuntu-latest
     outputs:
       skip-all-evals: ${{ steps.check-labels.outputs.skip-all-evals }}
@@ -137,7 +196,7 @@ jobs:
           }
 
           # Check if skip-evals label is present
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'skip-evals') }}" == "true" ]]; then
+          if [[ "${{ needs.load-pr-context.outputs.skip_evals }}" == "true" ]]; then
             echo "skip-evals label found - skipping all evals"
             echo "skip-all-evals=true" >> $GITHUB_OUTPUT
             emit_categories
@@ -153,7 +212,7 @@ jobs:
           fi
 
           # Check for skip-regression-evals label
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'skip-regression-evals') }}" == "true" ]]; then
+          if [[ "${{ needs.load-pr-context.outputs.skip_regression_evals }}" == "true" ]]; then
             echo "skip-regression-evals label found - regression evals will be skipped"
           else
             echo "Regression evals will run by default"
@@ -162,22 +221,22 @@ jobs:
 
           # Check for specific labels
           echo "skip-all-evals=false" >> $GITHUB_OUTPUT
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'combination') }}" == "true" ]]; then
+          if [[ "${{ needs.load-pr-context.outputs.label_combination }}" == "true" ]]; then
             add_category "combination"
           fi
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'extract') }}" == "true" ]]; then
+          if [[ "${{ needs.load-pr-context.outputs.label_extract }}" == "true" ]]; then
             add_category "extract"
           fi
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'act') }}" == "true" ]]; then
+          if [[ "${{ needs.load-pr-context.outputs.label_act }}" == "true" ]]; then
             add_category "act"
           fi
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'observe') }}" == "true" ]]; then
+          if [[ "${{ needs.load-pr-context.outputs.label_observe }}" == "true" ]]; then
             add_category "observe"
           fi
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'targeted-extract') }}" == "true" ]]; then
+          if [[ "${{ needs.load-pr-context.outputs.label_targeted_extract }}" == "true" ]]; then
             add_category "targeted_extract"
           fi
-          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'agent') }}" == "true" ]]; then
+          if [[ "${{ needs.load-pr-context.outputs.label_agent }}" == "true" ]]; then
             add_category "agent"
           fi
           emit_categories
@@ -510,12 +569,12 @@ jobs:
 
   run-e2e-local-tests:
     name: e2e/local/${{ matrix.test.name }}
-    needs: [run-build, discover-e2e-tests]
+    needs: [run-build, discover-e2e-tests, load-pr-context]
     runs-on: ubuntu-latest
     timeout-minutes: 50
     if: >
       needs.discover-e2e-tests.outputs.has-e2e-tests == 'true' &&
-      github.event.pull_request.head.repo.full_name == github.repository
+      needs.load-pr-context.outputs.is_internal_head == 'true'
     env:
       OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -570,12 +629,12 @@ jobs:
 
   run-e2e-bb-tests:
     name: e2e/bb/${{ matrix.test.name }}
-    needs: [run-build, discover-e2e-tests]
+    needs: [run-build, discover-e2e-tests, load-pr-context]
     runs-on: ubuntu-latest
     timeout-minutes: 50
     if: >
       needs.discover-e2e-tests.outputs.has-e2e-tests == 'true' &&
-      github.event.pull_request.head.repo.full_name == github.repository
+      needs.load-pr-context.outputs.is_internal_head == 'true'
     env:
       OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
       ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
@@ -732,6 +791,7 @@ jobs:
       - run-e2e-bb-tests
       - run-evals
       - server-integration-tests
+      - load-pr-context
     # if: always()
     if: false
     steps:
@@ -844,7 +904,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RUN_ID: ${{ github.run_id }}
-          PULL_NUMBER: ${{ github.event.pull_request.number }}
+          PULL_NUMBER: ${{ needs.load-pr-context.outputs.pull_request_number }}
           TESTS_FAILED: ${{ steps.coverage-status.outputs.tests_failed }}
           TOTAL_COVERAGE: ${{ steps.coverage-status.outputs.total_coverage }}
         run: |

.github/workflows/external-contributor-pr.yml

@@ -14,7 +14,7 @@ on:
       - completed
 
 permissions:
-  actions: read
+  actions: write
   contents: write
   pull-requests: write
   issues: write
@@ -297,7 +297,7 @@ env:
             issue_number: prNumber,
             body: `The latest approval by @${claimer} could not refresh the mirrored PR automatically (${refreshReason || 'unknown reason'}). The external PR stays open, and the mirrored PR should be updated manually before work continues.`,
           });
-          return;
+          return { claimed: false, ownedPrNumber: existingNumber || '' };
         }
 
         let ownedPr;
@@ -358,6 +358,8 @@ env:
         if (externalPr.state !== 'closed') {
           await github.rest.pulls.update({ owner: context.repo.owner, repo: context.repo.repo, pull_number: prNumber, state: 'closed' });
         }
+
+        return { claimed: true, ownedPrNumber: String(ownedPr.number) };
       }
 
       async function syncOwnedPr({ github, context }) {
@@ -562,13 +564,14 @@ jobs:
           refresh_reason="rebase-conflict"
 
       - name: Finalize approved claim
+        id: finalize-claim
         if: always() && steps.prepare-claim.outputs.should-claim == 'true'
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             const lib = eval(process.env.ECPR_LIB);
-            await lib.finalizeClaim({
+            const result = await lib.finalizeClaim({
               github,
               context,
               input: {
@@ -584,6 +587,24 @@ jobs:
                 refreshReason: ${{ toJson(steps.refresh-branch.outputs.reason) }},
               },
             });
+            core.setOutput('claimed', result?.claimed ? 'true' : 'false');
+            core.setOutput('owned-pr-number', result?.ownedPrNumber || '');
+
+      - name: Trigger claimed PR CI
+        if: steps.finalize-claim.outputs.claimed == 'true'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'ci.yml',
+              ref: ${{ toJson(steps.prepare-claim.outputs.branch) }},
+              inputs: {
+                pull_request_number: ${{ toJson(steps.finalize-claim.outputs.owned-pr-number) }},
+              },
+            });
 
   sync-owned-pr:
     if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'closed' || github.event.action == 'reopened')