From c590b55fe5d92371be2f69794f7fb705c227a8a4 Mon Sep 17 00:00:00 2001 From: Derek Misler Date: Tue, 23 Jun 2026 21:00:33 +0000 Subject: [PATCH 1/4] fix(e2e): use workflow_run trigger pattern to support fork PRs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fork PRs cannot access repository secrets, so agent E2E tests that require an OpenAI API key silently skip (empty key). This patch applies the same two-workflow trigger pattern already used by self-review-pr. Change 1 — new test-e2e-trigger.yml: Lightweight pull_request workflow with zero permissions. Writes PR number and head SHA to flat files, uploads as the 'e2e-test-context' artifact (1-day retention). Runs in the base repo context so it can be referenced by workflow_run. Change 2 — test-e2e.yml converted to workflow_run: - Remove pull_request trigger; add workflow_run referencing 'Test E2E Trigger' - Add resolve-context job: downloads e2e-test-context artifact via OIDC (setup-credentials + GITHUB_APP_TOKEN), outputs pr-number and pr-head-sha - test-pirate-agent and test-invalid-agent now depend on resolve-context, checkout the PR head ref, use setup-credentials for OIDC, and fall back through OPENAI_API_KEY_FROM_SSM before secrets.OPENAI_API_KEY - test-output-extraction and test-job-summary run on both push and workflow_run (no secrets needed); checkout PR head SHA on workflow_run - mention-reply jobs unchanged (workflow_dispatch only) Change 3 — self-review-pr-trigger.yml: Narrow pull_request types from [ready_for_review, opened, review_requested] to [review_requested] to reduce unnecessary trigger noise. --- .github/workflows/self-review-pr-trigger.yml | 2 +- .github/workflows/test-e2e-trigger.yml | 31 +++++++ .github/workflows/test-e2e.yml | 88 ++++++++++++++++++-- 3 files changed, 115 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/test-e2e-trigger.yml 
diff --git a/.github/workflows/self-review-pr-trigger.yml b/.github/workflows/self-review-pr-trigger.yml index 70ae791..ddd0c46 100644 --- a/.github/workflows/self-review-pr-trigger.yml +++ b/.github/workflows/self-review-pr-trigger.yml @@ -4,7 +4,7 @@ name: Self PR Review - Trigger on: pull_request: - types: [ ready_for_review, opened, review_requested ] + types: [review_requested] pull_request_review_comment: types: [ created ] diff --git a/.github/workflows/test-e2e-trigger.yml b/.github/workflows/test-e2e-trigger.yml new file mode 100644 index 0000000..4e19bd5 --- /dev/null +++ b/.github/workflows/test-e2e-trigger.yml @@ -0,0 +1,31 @@ +# Copyright The Docker Agent Action authors +# SPDX-License-Identifier: Apache-2.0 + +name: Test E2E Trigger +on: + pull_request: + types: [opened, synchronize, reopened] + branches: [main] + +permissions: {} + +jobs: + save-context: + runs-on: ubuntu-latest + steps: + - name: Save event context + env: + PR_NUMBER: ${{ github.event.pull_request.number }} + PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} + run: | + mkdir -p context + printf '%s' "${{ github.event_name }}" > context/event_name.txt + printf '%s' "$PR_NUMBER" > context/pr_number.txt + printf '%s' "$PR_HEAD_SHA" > context/pr_head_sha.txt + + - name: Upload context + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: e2e-test-context + path: context/ + retention-days: 1 diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index f484ccb..5248f44 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -4,11 +4,12 @@ name: Test Docker Agent Action on: - pull_request: - types: [opened, synchronize, reopened] - branches: [main] push: branches: [main] + workflow_run: + workflows: ["Test E2E Trigger"] + types: [completed] + branches: [main] workflow_dispatch: inputs: pr_number: 
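Review bot: In the `Save event context` step of the new test-e2e-trigger.yml, `${{ github.event_name }}` is expanded directly into the script text, while the two PR values next to it go through `env:`. The event name is not attacker-influenced, so this is a consistency point rather than an injection. Keeping every expression out of `run:` bodies makes the file easier to audit: add `EVENT_NAME: ${{ github.event_name }}` under `env:` and write `printf '%s' "$EVENT_NAME" > context/event_name.txt`. The resolve-context job added later in this patch reads only pr_number.txt and pr_head_sha.txt, so event_name.txt may not be needed at all.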
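Review bot: The `branches: [main]` filter under the new `workflow_run` trigger in test-e2e.yml is matched against the branch the triggering run ran on. For a `pull_request` run that is the PR's head branch, not its base. As written, the E2E workflow would likely fire only for PRs whose source branch is itself named main and be skipped for the rest. The base-branch restriction is already enforced by `branches: [main]` in test-e2e-trigger.yml, so the filter here can probably be dropped. This is worth confirming with a PR opened from a feature branch.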
@@ -23,11 +24,17 @@ jobs: test-output-extraction: name: Output Extraction Tests runs-on: ubuntu-latest + if: | + github.event_name == 'push' || + github.event_name == 'workflow_dispatch' || + github.event.workflow_run.conclusion == 'success' permissions: contents: read steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || '' }} - name: Run output extraction tests run: | @@ -38,11 +45,17 @@ jobs: test-job-summary: name: Job Summary Format Tests runs-on: ubuntu-latest + if: | + github.event_name == 'push' || + github.event_name == 'workflow_dispatch' || + github.event.workflow_run.conclusion == 'success' permissions: contents: read steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || '' }} - name: Run job summary tests run: | 
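Review bot: On a `workflow_run` event the `Checkout code` step in test-output-extraction now fetches the PR's head commit, and the following step runs tests from that tree, yet the checkout keeps its default of persisting the job token in the local git config. The job is limited to `contents: read`, so the exposure is small, but code that may come from a fork should not be able to read that token at all. Adding `persist-credentials: false` under the new `with:` block closes it. The test-job-summary checkout in the `@@ -38,11 +45,17 @@` hunk needs the same line; both jobs continue outside their hunks.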
@@ -50,14 +63,69 @@ jobs: chmod +x test-job-summary.sh ./test-job-summary.sh + resolve-context: + name: Resolve PR Context + runs-on: ubuntu-latest + if: github.event.workflow_run.conclusion == 'success' + permissions: + contents: read + id-token: write + actions: read + outputs: + pr-number: ${{ steps.read.outputs.pr-number }} + pr-head-sha: ${{ steps.read.outputs.pr-head-sha }} + steps: + - name: Setup credentials + uses: docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70 # v2.0.0 + + - name: Verify token for cross-run artifact download + shell: bash + run: | + if [ -z "$GITHUB_APP_TOKEN" ]; then + echo "::error::GITHUB_APP_TOKEN is not set. setup-credentials may have failed." + echo "::error::Cross-run artifact download requires a token with actions:read scope." + exit 1 + fi + + - name: Download trigger context + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: e2e-test-context + path: /tmp/context + run-id: ${{ github.event.workflow_run.id }} + github-token: ${{ env.GITHUB_APP_TOKEN }} + + - name: Read context + id: read + shell: bash + run: | + if [ ! 
-f /tmp/context/pr_number.txt ]; then + echo "::error::pr_number.txt missing from artifact" + exit 1 + fi + echo "pr-number=$(cat /tmp/context/pr_number.txt)" >> $GITHUB_OUTPUT + if [ -f /tmp/context/pr_head_sha.txt ]; then + echo "pr-head-sha=$(cat /tmp/context/pr_head_sha.txt)" >> $GITHUB_OUTPUT + fi + test-pirate-agent: name: Pirate Agent Test runs-on: ubuntu-latest + needs: [resolve-context] + if: | + always() && + needs.resolve-context.result == 'success' permissions: contents: read + id-token: write steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: refs/pull/${{ needs.resolve-context.outputs.pr-number }}/head + + - name: Setup credentials + uses: docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70 # v2.0.0 - name: Setup pnpm uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5 @@ -79,7 +147,7 @@ jobs: with: agent: agentcatalog/pirate prompt: "What do we ship today?" - openai-api-key: ${{ secrets.OPENAI_API_KEY }} + openai-api-key: ${{ env.OPENAI_API_KEY_FROM_SSM || secrets.OPENAI_API_KEY }} - name: Validate output and exit code run: | @@ -130,11 +198,21 @@ jobs: test-invalid-agent: name: Invalid Agent Test runs-on: ubuntu-latest + needs: [resolve-context] + if: | + always() && + needs.resolve-context.result == 'success' permissions: contents: read + id-token: write steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: refs/pull/${{ needs.resolve-context.outputs.pr-number }}/head + + - name: Setup credentials + uses: docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70 # v2.0.0 - name: Setup pnpm uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5 
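Review bot: The `Read context` step in resolve-context copies the artifact's file contents into `$GITHUB_OUTPUT` without validating them, and that artifact comes from a `pull_request` run whose workflow definition a fork PR can normally change. A value containing a newline could define additional step outputs, and the PR number later becomes part of the checkout ref in test-pirate-agent and test-invalid-agent. The step should accept only digits for the PR number and a 40-character hex string for the SHA, compare the SHA with the trusted `github.event.workflow_run.head_sha`, and quote `"$GITHUB_OUTPUT"`. The sketch below also makes pr_head_sha.txt mandatory, which the original does not. The test-pirate-agent job at the end of this hunk continues outside it.

```yaml
      - name: Read context
        id: read
        shell: bash
        env:
          EXPECTED_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          # Artifact content comes from a fork-controllable run: validate before use.
          pr_number="$(cat /tmp/context/pr_number.txt 2>/dev/null || true)"
          if [[ ! "$pr_number" =~ ^[0-9]+$ ]]; then
            echo "::error::pr_number.txt missing or not numeric"
            exit 1
          fi
          pr_head_sha="$(cat /tmp/context/pr_head_sha.txt 2>/dev/null || true)"
          if [[ ! "$pr_head_sha" =~ ^[0-9a-f]{40}$ || "$pr_head_sha" != "$EXPECTED_SHA" ]]; then
            echo "::error::pr_head_sha.txt missing, malformed, or not the triggering run's head SHA"
            exit 1
          fi
          {
            echo "pr-number=$pr_number"
            echo "pr-head-sha=$pr_head_sha"
          } >> "$GITHUB_OUTPUT"
```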
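Review bot: The key resolved on the changed `openai-api-key:` line is handed to code from the PR's own checkout: this job checks out `refs/pull/<n>/head`, and judging by the context in patch 3/4 the step is `uses: ./`. Under `workflow_run` that checkout can be fork-authored, so the key, whatever setup-credentials exports, and the job's `id-token: write` are all reachable by code no maintainer has reviewed. The secret-bearing jobs should sit behind a maintainer decision, for example `environment: <protected-environment>` with required reviewers on test-pirate-agent and test-invalid-agent. The `@@ -157,7 +235,7 @@` hunk makes the same change for test-invalid-agent; both steps start outside their hunks.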
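Review bot: The checkout ref `refs/pull/${{ needs.resolve-context.outputs.pr-number }}/head` in test-invalid-agent is a moving ref, so the job builds whatever the PR head is when the job starts rather than the commit whose trigger run completed. A push between the two runs changes the code under test, and the PR number itself comes from the artifact rather than from the event payload. Pinning to the triggering commit with `ref: ${{ github.event.workflow_run.head_sha }}`, the value test-output-extraction and test-job-summary already use in this patch, removes both concerns. It is worth confirming that the checkout can fetch a fork commit by SHA. test-pirate-agent in the `@@ -50,14 +63,69 @@` hunk has the same `ref:` line.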
@@ -157,7 +235,7 @@ jobs: with: agent: agentcatalog/nonexistent prompt: "This should fail" - openai-api-key: ${{ secrets.OPENAI_API_KEY }} + openai-api-key: ${{ env.OPENAI_API_KEY_FROM_SSM || secrets.OPENAI_API_KEY }} - name: Verify invalid agent failed run: | From d64c7efcb32650c2a68775e53edf03323b53c131 Mon Sep 17 00:00:00 2001 From: Derek Misler Date: Tue, 23 Jun 2026 21:03:50 +0000 Subject: [PATCH 2/4] fix(e2e): use ./setup-credentials in jobs that have a checkout resolve-context has no checkout step so it must keep the pinned ref. The four jobs that do check out the PR head (test-pirate-agent, test-invalid-agent, test-mention-reply-toplevel, test-mention-reply-inline) now use ./setup-credentials, consistent with how ./ and ./review-pr/mention-reply are referenced in the same file. --- .github/workflows/test-e2e.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index 5248f44..a1d8c92 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -125,7 +125,7 @@ jobs: ref: refs/pull/${{ needs.resolve-context.outputs.pr-number }}/head - name: Setup credentials - uses: docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70 # v2.0.0 + uses: ./setup-credentials - name: Setup pnpm uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5 @@ -212,7 +212,7 @@ jobs: ref: refs/pull/${{ needs.resolve-context.outputs.pr-number }}/head - name: Setup credentials - uses: docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70 # v2.0.0 + uses: ./setup-credentials - name: Setup pnpm uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5 
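Review bot: The `Setup credentials` step in test-pirate-agent now runs code from the PR head checkout, because `uses: ./setup-credentials` replaces the SHA-pinned `docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70`. In the `workflow_run` path that checkout may be fork-authored, so the action the commit message describes as doing the OIDC setup becomes modifiable by the PR while the job holds `id-token: write`. Keeping the pinned ref in the two jobs that depend on resolve-context would keep that step on reviewed code. If exercising the local action is the intent, say so in a comment and rely on an approval gate for those jobs. The `@@ -212,7 +212,7 @@` hunk has the same issue; the `@@ -283,7 +283,7 @@` and `@@ -423,7 +423,7 @@` hunks touch the mention-reply jobs, whose checkout is not visible here.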
@@ -283,7 +283,7 @@ jobs: run: pnpm install --frozen-lockfile && pnpm build - name: Setup credentials - uses: docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70 # v2.0.0 + uses: ./setup-credentials - name: Create anchor issue comment on current PR id: create-anchor @@ -423,7 +423,7 @@ jobs: run: pnpm install --frozen-lockfile && pnpm build - name: Setup credentials - uses: docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70 # v2.0.0 + uses: ./setup-credentials - name: Create anchor review comment on current PR id: create-anchor From f7472be34ef63e72a1191232f60d0127e9b2471b Mon Sep 17 00:00:00 2001 From: Derek Misler Date: Tue, 23 Jun 2026 21:06:55 +0000 Subject: [PATCH 3/4] fix(e2e): build dist/ before ./setup-credentials in agent test jobs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ./setup-credentials runs node dist/credentials.js, so dist/ must exist first. Reorder steps in test-pirate-agent and test-invalid-agent: checkout → pnpm setup → node setup → build → setup-credentials → run test. The mention-reply jobs already had the correct order; no change there. --- .github/workflows/test-e2e.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml index a1d8c92..123a6f8 100644 --- a/.github/workflows/test-e2e.yml +++ b/.github/workflows/test-e2e.yml @@ -124,9 +124,6 @@ jobs: with: ref: refs/pull/${{ needs.resolve-context.outputs.pr-number }}/head - - name: Setup credentials - uses: ./setup-credentials - - name: Setup pnpm uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5 with: @@ -141,6 +138,9 @@ jobs: - name: Build action run: pnpm install --frozen-lockfile && pnpm build + - name: Setup credentials + uses: ./setup-credentials + - name: Run test id: pirate uses: ./ 
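Review bot: The new position of `Setup credentials` after `Build action` in test-pirate-agent encodes an ordering requirement that only the commit message explains. A comment on the step, `# must follow Build action: ./setup-credentials runs node dist/credentials.js`, would stop a later cleanup from moving it back above the build. The same comment fits the test-invalid-agent step added in the `@@ -228,6 +225,9 @@` hunk.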
@@ -211,9 +211,6 @@ jobs: with: ref: refs/pull/${{ needs.resolve-context.outputs.pr-number }}/head - - name: Setup credentials - uses: ./setup-credentials - - name: Setup pnpm uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5 with: @@ -228,6 +225,9 @@ jobs: - name: Build action run: pnpm install --frozen-lockfile && pnpm build + - name: Setup credentials + uses: ./setup-credentials + - name: Test should fail on invalid agent id: invalid-agent continue-on-error: true From d3aa901266bda910d55d11e2b8920626f5912a4a Mon Sep 17 00:00:00 2001 From: Derek Misler Date: Tue, 23 Jun 2026 21:11:41 +0000 Subject: [PATCH 4/4] fix(e2e): add ready_for_review to trigger types Re-run E2E tests when a draft PR is marked ready for review. --- .github/workflows/test-e2e-trigger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-e2e-trigger.yml b/.github/workflows/test-e2e-trigger.yml index 4e19bd5..c86c447 100644 --- a/.github/workflows/test-e2e-trigger.yml +++ b/.github/workflows/test-e2e-trigger.yml @@ -4,7 +4,7 @@ name: Test E2E Trigger on: pull_request: - types: [opened, synchronize, reopened] + types: [opened, synchronize, reopened, ready_for_review] branches: [main] permissions: {}