You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/plans/runtime-live-e2e-pr-trigger-and-environment-gate.md
+19Lines changed: 19 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -68,3 +68,22 @@ The summary output should continue to show:
68
68
- Workflow-structure inspection: verify trigger block, environment fields, and provenance logic for both event types. Cost/complexity: low. No E2E required.
69
69
- Focused offline tests: update/add static tests for the PR-trigger and `CI-E2E` environment wiring. Cost/complexity: low-medium. No E2E required.
70
70
- Optional GitHub smoke after merge: open or reuse a PR and confirm the runtime workflow appears on the PR and waits for `CI-E2E` approval before the live jobs run. Cost/complexity: medium. E2E required: yes, but not required to finish implementation in this cycle.
71
+
72
+
## Stage Report: implementation
73
+
74
+
-[x] Add `pull_request` triggering while keeping `workflow_dispatch`.
75
+
`.github/workflows/runtime-live-e2e.yml` now includes both triggers, with `workflow_dispatch` retained for targeted reruns.
76
+
-[x] Add `environment: CI-E2E` to both live jobs.
77
+
Both `claude-live` and `codex-live` declare the `CI-E2E` environment, which is the approval gate for the live runtime checks.
78
+
-[x] Resolve PR provenance correctly for both trigger paths.
79
+
The provenance step branches on `github.event_name` and uses `github.event.pull_request.number` for PR runs or `inputs.pr_number` for manual dispatch runs.
80
+
-[x] Update the operator docs for the new PR-native flow and rerun path.
81
+
`tests/README.md` now explains the pending `CI-E2E` approval flow, the environment-scoped secrets, and the retained manual rerun command.
82
+
-[x] Update offline coverage for the trigger/environment behavior.
83
+
`tests/test_runtime_live_e2e_workflow.py` now checks the trigger block, job environments, provenance fields, and the README wording.
84
+
-[x] Run focused verification for the edited workflow/docs/test files.
85
+
`unset CLAUDECODE && uv run tests/test_runtime_live_e2e_workflow.py` is the targeted static check for this change set.
86
+
87
+
### Summary
88
+
89
+
Implemented the PR-native live E2E workflow shape with `CI-E2E` approval gating while keeping manual dispatch available for reruns. The workflow now carries event-specific provenance, the operator docs explain the approval flow, and the offline test coverage matches the new wiring.
Copy file name to clipboardExpand all lines: tests/README.md
+8-5Lines changed: 8 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -191,11 +191,13 @@ make test-e2e TEST=tests/test_gate_guardrail.py RUNTIME=codex
191
191
uv run tests/test_gate_guardrail.py --runtime codex
192
192
```
193
193
194
-
## Manual PR Runtime Live E2E
194
+
## PR Runtime Live E2E
195
195
196
-
The expensive runtime-backed PR suite lives in `.github/workflows/runtime-live-e2e.yml`. It is a `workflow_dispatch` workflow, not an always-on `pull_request`workflow. A maintainer runs it only after the PR has been approved and the always-on static workflow is already green.
196
+
The expensive runtime-backed PR suite lives in `.github/workflows/runtime-live-e2e.yml`. It now triggers on `pull_request`so the runtime jobs show up on the PR alongside Static CI, and it still supports `workflow_dispatch` for targeted reruns.
197
197
198
-
Invoke it from the Actions UI on the branch under test, or with:
198
+
GitHub blocks each runtime job behind the `CI-E2E` environment review gate. Until an approved reviewer releases that environment, the job stays pending and cannot access the environment-scoped API keys.
199
+
200
+
Open a PR and then approve the pending `CI-E2E` deployment to release the live runtime checks. For targeted reruns or branch-local debugging, invoke the workflow manually from Actions or with:
199
201
200
202
```bash
201
203
gh workflow run runtime-live-e2e.yml --ref <pr-branch> -f pr_number=<N>
@@ -206,17 +208,18 @@ This workflow runs exactly two jobs:
206
208
-`claude-live`
207
209
-`codex-live`
208
210
209
-
Required repository secrets:
211
+
Required `CI-E2E` environment secrets:
210
212
211
213
-`ANTHROPIC_API_KEY` for `claude-live`
212
214
-`OPENAI_API_KEY` for `codex-live`
213
215
214
-
Each job fails immediately with a clear message if its required secret is missing.
216
+
Each job fails immediately with a clear message if its required secret is missing after the environment is approved.
215
217
216
218
This workflow is expected to report current live-suite status honestly. If a runtime test fails, the corresponding job stays red; shipping the manual CI wiring does not imply the Claude and Codex suites are already fully green.
217
219
218
220
Operators should expect each job summary to show the run provenance explicitly:
0 commit comments