fix(e2e): use workflow_run trigger pattern to support fork PRs

.github/workflows/self-review-pr-trigger.yml

@@ -4,7 +4,7 @@
 name: Self PR Review - Trigger
 on:
   pull_request:
-    types: [ ready_for_review, opened, review_requested ]
+    types: [review_requested]
   pull_request_review_comment:
     types: [ created ]
 

.github/workflows/test-e2e-trigger.yml

@@ -0,0 +1,31 @@
+# Copyright The Docker Agent Action authors
+# SPDX-License-Identifier: Apache-2.0
+
+name: Test E2E Trigger
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches: [main]
+
+permissions: {}
+
+jobs:
+  save-context:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Save event context
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          mkdir -p context
+          printf '%s' "${{ github.event_name }}" > context/event_name.txt
+          printf '%s' "$PR_NUMBER" > context/pr_number.txt
+          printf '%s' "$PR_HEAD_SHA" > context/pr_head_sha.txt
+
+      - name: Upload context
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: e2e-test-context
+          path: context/
+          retention-days: 1

.github/workflows/test-e2e.yml

@@ -4,11 +4,12 @@
 name: Test Docker Agent Action
 
 on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-    branches: [main]
   push:
     branches: [main]
+  workflow_run:
+    workflows: ["Test E2E Trigger"]
+    types: [completed]
+    branches: [main]
   workflow_dispatch:
     inputs:
       pr_number:
@@ -23,11 +24,17 @@ jobs:
   test-output-extraction:
     name: Output Extraction Tests
     runs-on: ubuntu-latest
+    if: |
+      github.event_name == 'push' ||
+      github.event_name == 'workflow_dispatch' ||
+      github.event.workflow_run.conclusion == 'success'
     permissions:
       contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || '' }}
 
       - name: Run output extraction tests
         run: |
@@ -38,26 +45,84 @@ jobs:
   test-job-summary:
     name: Job Summary Format Tests
     runs-on: ubuntu-latest
+    if: |
+      github.event_name == 'push' ||
+      github.event_name == 'workflow_dispatch' ||
+      github.event.workflow_run.conclusion == 'success'
     permissions:
       contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || '' }}
 
       - name: Run job summary tests
         run: |
           cd tests
           chmod +x test-job-summary.sh
           ./test-job-summary.sh
 
+  resolve-context:
+    name: Resolve PR Context
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success'
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+    outputs:
+      pr-number: ${{ steps.read.outputs.pr-number }}
+      pr-head-sha: ${{ steps.read.outputs.pr-head-sha }}
+    steps:
+      - name: Setup credentials
+        uses: docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70 # v2.0.0
+
+      - name: Verify token for cross-run artifact download
+        shell: bash
+        run: |
+          if [ -z "$GITHUB_APP_TOKEN" ]; then
+            echo "::error::GITHUB_APP_TOKEN is not set. setup-credentials may have failed."
+            echo "::error::Cross-run artifact download requires a token with actions:read scope."
+            exit 1
+          fi
+
+      - name: Download trigger context
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: e2e-test-context
+          path: /tmp/context
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ env.GITHUB_APP_TOKEN }}
+
+      - name: Read context
+        id: read
+        shell: bash
+        run: |
+          if [ ! -f /tmp/context/pr_number.txt ]; then
+            echo "::error::pr_number.txt missing from artifact"
+            exit 1
+          fi
+          echo "pr-number=$(cat /tmp/context/pr_number.txt)" >> $GITHUB_OUTPUT
+          if [ -f /tmp/context/pr_head_sha.txt ]; then
+            echo "pr-head-sha=$(cat /tmp/context/pr_head_sha.txt)" >> $GITHUB_OUTPUT
+          fi
+
   test-pirate-agent:
     name: Pirate Agent Test
     runs-on: ubuntu-latest
+    needs: [resolve-context]
+    if: |
+      always() &&
+      needs.resolve-context.result == 'success'
     permissions:
       contents: read
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: refs/pull/${{ needs.resolve-context.outputs.pr-number }}/head
 
       - name: Setup pnpm
         uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5
@@ -73,13 +138,16 @@ jobs:
       - name: Build action
         run: pnpm install --frozen-lockfile && pnpm build
 
+      - name: Setup credentials
+        uses: ./setup-credentials
+
       - name: Run test
         id: pirate
         uses: ./
         with:
           agent: agentcatalog/pirate
           prompt: "What do we ship today?"
-          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
+          openai-api-key: ${{ env.OPENAI_API_KEY_FROM_SSM || secrets.OPENAI_API_KEY }}
 
       - name: Validate output and exit code
         run: |
@@ -130,11 +198,18 @@ jobs:
   test-invalid-agent:
     name: Invalid Agent Test
     runs-on: ubuntu-latest
+    needs: [resolve-context]
+    if: |
+      always() &&
+      needs.resolve-context.result == 'success'
     permissions:
       contents: read
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: refs/pull/${{ needs.resolve-context.outputs.pr-number }}/head
 
       - name: Setup pnpm
         uses: pnpm/action-setup@8912a9102ac27614460f54aedde9e1e7f9aec20d # v6.0.5
@@ -150,14 +225,17 @@ jobs:
       - name: Build action
         run: pnpm install --frozen-lockfile && pnpm build
 
+      - name: Setup credentials
+        uses: ./setup-credentials
+
       - name: Test should fail on invalid agent
         id: invalid-agent
         continue-on-error: true
         uses: ./
         with:
           agent: agentcatalog/nonexistent
           prompt: "This should fail"
-          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
+          openai-api-key: ${{ env.OPENAI_API_KEY_FROM_SSM || secrets.OPENAI_API_KEY }}
 
       - name: Verify invalid agent failed
         run: |
@@ -205,7 +283,7 @@ jobs:
         run: pnpm install --frozen-lockfile && pnpm build
 
       - name: Setup credentials
-        uses: docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70 # v2.0.0
+        uses: ./setup-credentials
 
       - name: Create anchor issue comment on current PR
         id: create-anchor
@@ -345,7 +423,7 @@ jobs:
         run: pnpm install --frozen-lockfile && pnpm build
 
       - name: Setup credentials
-        uses: docker/docker-agent-action/setup-credentials@3c0fa9d282c3f84d08dfd70ab0a28b151d11db70 # v2.0.0
+        uses: ./setup-credentials
 
       - name: Create anchor review comment on current PR
         id: create-anchor