fix(ci): fix rerun workflows for fork PRs (#13512)

Author: petebacondarwin

.github/workflows/README.md

@@ -106,9 +106,19 @@ See below for a summary of this repo's Actions
   - Runs the E2E tests for C3.
   - Cloudflare API credentials are only passed on Version Packages PRs (`changeset-release/main`), in the merge queue, or when the `run-remote-tests` label is applied. Other PRs run the E2E suite without remote tests.
 
+### Rerun Code Owners (rerun-codeowners.yml + rerun-codeowners-privileged.yml)
+
+- Triggers
+  - A review is submitted or dismissed on a PR.
+- Actions
+  - Re-runs the "Run Codeowners Plus" check so it re-evaluates approval status after the review change.
+  - Uses the `workflow_run` pattern: the trigger workflow exists solely to fire a `workflow_run` event; the privileged companion workflow (which has full permissions) reads the PR head SHA from `github.event.workflow_run.head_sha` and performs the re-run. This is necessary because `pull_request_review` gives a read-only token for fork PRs and has no `_target` variant.
+
 ### Rerun Remote Tests (rerun-remote-tests.yml)
 
 - Triggers
-  - The `run-remote-tests` label is added to a PR.
+  - The `run-remote-tests` or `run-c3-frameworks-tests` label is added to or removed from a PR.
 - Actions
-  - Re-runs the Wrangler, Vite, and C3 E2E workflows for the PR so they pick up the label and pass API credentials to the test steps.
+  - Re-runs the E2E workflows for the PR so they pick up the label change and pass (or withhold) API credentials to the test steps.
+  - `run-remote-tests` re-runs Wrangler, Vite, and C3 E2E workflows; `run-c3-frameworks-tests` re-runs only C3 E2E.
+  - Uses `pull_request_target` to get a privileged token even for fork PRs (safe because no untrusted code is checked out).

.github/workflows/codeowners.yml

@@ -1,7 +1,7 @@
 name: "Code Owners"
 
 # Re-evaluate when PRs are opened/updated.
-# When reviews are submitted/dismissed, the separate rerun_codeowners.yml workflow
+# When reviews are submitted/dismissed, the separate rerun-codeowners.yml workflow
 # re-runs this check (rather than creating a second check context).
 # Using pull_request_target (not pull_request) so the workflow has access to secrets
 # for fork PRs. This is safe because:

.github/workflows/rerun-codeowners-privileged.yml

@@ -0,0 +1,67 @@
+name: "Rerun Code Owners (Privileged)"
+
+# Privileged companion to rerun-codeowners.yml.
+#
+# Runs after the "Rerun Code Owners" trigger workflow completes. The
+# workflow_run event always executes from the default branch with full
+# permissions — this is what allows us to call the Actions API even when the
+# original event (pull_request_review) came from a fork PR, where the
+# GITHUB_TOKEN would otherwise be read-only.
+#
+# The PR head SHA is read from github.event.workflow_run.head_sha — this is
+# GitHub-provided metadata and cannot be manipulated by fork code (unlike
+# the previous artifact-based approach).
+#
+# Strategy: CHECK-NAME LOOKUP
+# ----------------------------
+# The codeowners.yml workflow uses pull_request_target, which means its
+# workflow runs are indexed by the BASE branch SHA (e.g. main), NOT the PR
+# head SHA. So we cannot find the run via:
+#
+#   GET /actions/workflows/codeowners.yml/runs?head_sha=<PR_HEAD>
+#
+# That query returns nothing because the run's head_sha is main's HEAD.
+#
+# However, the codeowners-plus action creates its CHECK RUN on the PR head
+# commit (so the status appears on the PR). The check-runs API lets us look
+# up by check name + commit SHA:
+#
+#   GET /commits/<PR_HEAD>/check-runs?check_name=Run+Codeowners+Plus
+#
+# From the check run's details_url we extract the Actions job ID, then
+# re-run that specific job.
+on:
+  workflow_run:
+    workflows: ["Rerun Code Owners"]
+    types: [completed]
+
+permissions: {}
+
+jobs:
+  rerun-codeowners:
+    name: "Rerun Codeowners Plus"
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success'
+    permissions:
+      actions: write
+      checks: read
+    steps:
+      - name: Re-run Codeowners check
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+          REPO: ${{ github.repository }}
+        run: |
+          # Find the "Run Codeowners Plus" check run on the PR head commit
+          # and extract the Actions job ID from the check run's details URL
+          # (the last path segment before any query string).
+          job_id=$(gh api "repos/${REPO}/commits/${HEAD_SHA}/check-runs?check_name=Run+Codeowners+Plus" \
+            --jq '(.check_runs[0].details_url // "") | split("/") | last | split("?") | first' || true)
+
+          if [ -n "$job_id" ]; then
+            gh api "repos/${REPO}/actions/jobs/${job_id}/rerun" --method POST \
+              || echo "::warning::Job ${job_id} may already be running"
+            echo "Re-triggered 'Run Codeowners Plus' (job ${job_id})"
+          else
+            echo "::warning::Check 'Run Codeowners Plus' not found for SHA ${HEAD_SHA}"
+          fi

.github/workflows/rerun-codeowners.yml

@@ -0,0 +1,33 @@
+name: "Rerun Code Owners"
+
+# Trigger: a review is submitted or dismissed on a pull request.
+#
+# Goal: re-run the "Run Codeowners Plus" check from the main codeowners.yml
+# workflow (which is triggered by pull_request_target) so it re-evaluates
+# approval status after the review change.
+#
+# Why a two-workflow design?
+# -------------------------
+# For fork PRs, pull_request_review gives a read-only GITHUB_TOKEN and no
+# access to secrets. Unlike labeled/unlabeled events there is no
+# pull_request_review variant of pull_request_target, so we cannot get a
+# privileged token in a single workflow. Instead this workflow simply needs
+# to *exist and succeed* — the companion workflow
+# (rerun-codeowners-privileged.yml) is triggered by the workflow_run event
+# when THIS workflow completes. workflow_run always runs from the default
+# branch with full permissions, and it reads the PR head SHA directly from
+# github.event.workflow_run.head_sha (GitHub-provided metadata, not
+# controllable by fork code).
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+
+permissions: {}
+
+jobs:
+  trigger:
+    name: "Trigger Privileged Rerun"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Log trigger
+        run: echo "Review event on ${{ github.event.pull_request.html_url }} — privileged rerun will follow."

.github/workflows/rerun-remote-tests.yml

@@ -1,20 +1,28 @@
 name: "Rerun Remote Tests"
 
-# When the "run-remote-tests" label is added to or removed from a PR, re-run
-# the E2E workflows so they pick up the label change and pass (or withhold) the
-# Cloudflare API token to the test steps.  This avoids adding "labeled" as a
-# trigger type to every E2E workflow (which would cause wasteful re-runs on
-# unrelated label changes).
+# Trigger: the "run-remote-tests" or "run-c3-frameworks-tests" label is added
+# to or removed from a pull request.
+#
+# Goal: re-run the E2E workflows (e2e-wrangler.yml, e2e-vite.yml, c3-e2e.yml)
+# so they pick up the label change and either pass or withhold the Cloudflare
+# API token to the test steps. This avoids adding "labeled" as a trigger type
+# to every E2E workflow (which would cause wasteful re-runs on unrelated label
+# changes).
+#
+# Using pull_request_target (not pull_request) so the workflow has access to a
+# privileged GITHUB_TOKEN even for fork PRs. This is safe because the workflow
+# runs code from the default branch — fork authors cannot modify it — and only
+# calls the Actions API (no checkout of untrusted code).
 on:
-  pull_request:
+  pull_request_target:
     types: [labeled, unlabeled]
 
 permissions: {}
 
 jobs:
   rerun-e2e:
     name: "Rerun E2E Tests"
-    if: github.event.label.name == 'run-remote-tests'
+    if: github.event.label.name == 'run-remote-tests' || github.event.label.name == 'run-c3-frameworks-tests'
     runs-on: ubuntu-latest
     permissions:
       actions: write
@@ -25,30 +33,36 @@ jobs:
           HEAD_SHA: ${{ github.event.pull_request.head.sha }}
           REPO: ${{ github.repository }}
         run: |
-          for workflow in e2e-wrangler.yml e2e-vite.yml c3-e2e.yml; do
-            run=$(gh api "repos/${REPO}/actions/workflows/${workflow}/runs?head_sha=${HEAD_SHA}&per_page=1" \
+          # Determine which workflows to re-run based on the label.
+          if [ "${{ github.event.label.name }}" = "run-remote-tests" ]; then
+            WORKFLOWS="e2e-wrangler.yml e2e-vite.yml c3-e2e.yml"
+          else
+            WORKFLOWS="c3-e2e.yml"
+          fi
+
+          for workflow in ${WORKFLOWS}; do
+            # Find the most recent run of this workflow at the PR head SHA.
+            run_info=$(gh api "repos/${REPO}/actions/workflows/${workflow}/runs?head_sha=${HEAD_SHA}&per_page=1" \
               --jq '.workflow_runs[0] | "\(.id) \(.status)"' || true)
 
-            run_id=$(echo "$run" | awk '{print $1}')
-            status=$(echo "$run" | awk '{print $2}')
+            run_id=$(echo "$run_info" | awk '{print $1}')
+            status=$(echo "$run_info" | awk '{print $2}')
 
             if [ -z "$run_id" ] || [ "$run_id" = "null" ]; then
-              echo "No run found for ${workflow} at SHA ${HEAD_SHA}"
+              echo "::warning::No run found for ${workflow} at SHA ${HEAD_SHA}"
               continue
             fi
 
-            # Each E2E workflow has a "check-remote" step that calls
-            # `gh pr view ... --json labels` at runtime, so a run that
-            # hasn't started yet will see the newly-added label on its
-            # own — no need to cancel and re-run it.
+            # Runs that haven't started yet will see the newly-added label
+            # when they begin — no need to cancel and re-run them.
             if [ "$status" != "completed" ] && [ "$status" != "in_progress" ]; then
               echo "${workflow} run ${run_id} is ${status} — not yet started, skipping."
               continue
             fi
 
-            # If the run is actively executing, the label check has
-            # already evaluated to false. Cancel it first — the rerun
-            # endpoint only works on completed runs.
+            # If the run is actively executing, the label check has already
+            # evaluated (likely to the old value). Cancel it first — the
+            # rerun endpoint only works on completed runs.
             if [ "$status" = "in_progress" ]; then
               echo "Cancelling in-progress ${workflow} run ${run_id}..."
               gh api "repos/${REPO}/actions/runs/${run_id}/cancel" --method POST || true
@@ -67,54 +81,5 @@ jobs:
 
             gh api "repos/${REPO}/actions/runs/${run_id}/rerun" --method POST \
               && echo "Re-triggered ${workflow} (run ${run_id})" \
-              || echo "Failed to re-run ${workflow} (run ${run_id})"
+              || echo "::warning::Failed to re-run ${workflow} (run ${run_id})"
           done
-
-  rerun-c3-frameworks:
-    name: "Rerun C3 Frameworks E2E Tests"
-    if: github.event.label.name == 'run-c3-frameworks-tests'
-    runs-on: ubuntu-latest
-    permissions:
-      actions: write
-    steps:
-      - name: "Re-run C3 E2E workflow"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          REPO: ${{ github.repository }}
-        run: |
-          workflow=c3-e2e.yml
-          run=$(gh api "repos/${REPO}/actions/workflows/${workflow}/runs?head_sha=${HEAD_SHA}&per_page=1" \
-            --jq '.workflow_runs[0] | "\(.id) \(.status)"' || true)
-
-          run_id=$(echo "$run" | awk '{print $1}')
-          status=$(echo "$run" | awk '{print $2}')
-
-          if [ -z "$run_id" ] || [ "$run_id" = "null" ]; then
-            echo "No run found for ${workflow} at SHA ${HEAD_SHA}"
-            exit 0
-          fi
-
-          if [ "$status" != "completed" ] && [ "$status" != "in_progress" ]; then
-            echo "${workflow} run ${run_id} is ${status} — not yet started, skipping."
-            exit 0
-          fi
-
-          if [ "$status" = "in_progress" ]; then
-            echo "Cancelling in-progress ${workflow} run ${run_id}..."
-            gh api "repos/${REPO}/actions/runs/${run_id}/cancel" --method POST || true
-
-            for i in $(seq 1 30); do
-              current=$(gh api "repos/${REPO}/actions/runs/${run_id}" --jq '.status')
-              if [ "$current" = "completed" ]; then
-                echo "Run ${run_id} is now completed (cancelled)."
-                break
-              fi
-              echo "  Waiting for cancellation to finish (${i}/30, status: ${current})..."
-              sleep 2
-            done
-          fi
-
-          gh api "repos/${REPO}/actions/runs/${run_id}/rerun" --method POST \
-            && echo "Re-triggered ${workflow} (run ${run_id})" \
-            || echo "Failed to re-run ${workflow} (run ${run_id})"

.github/workflows/rerun_codeowners.yml

@@ -86,7 +86,7 @@ This exists only so that GitHub branch protection can gate merging on the bot's
 
 ### `.github/workflows/codeowners.yml` — GitHub Actions Workflow
 
-A single workflow handles PR events (`pull_request_target`). When reviews are submitted or dismissed, the separate `rerun_codeowners.yml` workflow re-runs the check.
+A single workflow handles PR events (`pull_request_target`). When reviews are submitted or dismissed, the `rerun-codeowners.yml` / `rerun-codeowners-privileged.yml` workflow pair re-runs the check (using the `workflow_run` pattern so it works for fork PRs too).
 
 Using `pull_request_target` (not `pull_request`) ensures the workflow has access to secrets for **fork PRs**. The checkout is always the base branch, so PR authors cannot modify ownership rules.