From 79465a4168dd08e0dacc7e61edabad0459dcd05e Mon Sep 17 00:00:00 2001 From: CL Kao Date: Sat, 13 Jun 2026 00:18:55 -0700 Subject: [PATCH] ci: gate main-PRs on install-e2e + runtime-live-e2e offline suite MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Post-flip, main is the release trunk and PRs target it, but install-e2e.yml and runtime-live-e2e.yml triggered pull_request on [next] only — so a main-PR ran neither the offline go test ./... gate nor the install smoke (only docs.yml). Extend the pull_request branch filter to [next, main] in both. runtime-live-e2e's pull_request trigger is workflow-level, so adding main queues all four jobs on a main-PR, but the three live jobs each declare an approval-gated environment: + needs: offline, so they sit in waiting (no auto-credit-burn). Only the secret-free offline job (go build + go test) runs unconditionally — the same build-runs / deploy-gated split docs.yml uses. Refresh the SECURITY-MODEL header phrase to match the new trigger; the security reasoning is branch-agnostic and unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/install-e2e.yml | 2 +- .github/workflows/runtime-live-e2e.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/install-e2e.yml b/.github/workflows/install-e2e.yml index af8f6f07..b229d33d 100644 --- a/.github/workflows/install-e2e.yml +++ b/.github/workflows/install-e2e.yml @@ -12,7 +12,7 @@ name: install-e2e on: workflow_dispatch: pull_request: - branches: [next] + branches: [next, main] permissions: contents: read diff --git a/.github/workflows/runtime-live-e2e.yml b/.github/workflows/runtime-live-e2e.yml index 30cca536..dafd611e 100644 --- a/.github/workflows/runtime-live-e2e.yml +++ b/.github/workflows/runtime-live-e2e.yml 
@@ -1,7 +1,7 @@ # SECURITY MODEL — read before editing. # # Triggers: workflow_dispatch (a maintainer triggers it manually) and -# pull_request on `next`. It uses pull_request, NOT pull_request_target, so it +# pull_request on `next` and `main`. It uses pull_request, NOT pull_request_target, so it # runs the PR-head version of the workflow and GitHub withholds repo secrets from # FORK PRs — untrusted fork code cannot exfiltrate live API keys because the # secrets are simply absent for forks. Workflow-level permissions are read-only. @@ -43,7 +43,7 @@ on: # cannot exfiltrate live API keys because the secrets are simply absent. # Same-repo PRs get the secret; the live job stays per-variant environment-gated. pull_request: - branches: [next] + branches: [next, main] permissions: contents: read
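Review bot: in the install-e2e.yml hunk, widening `branches: [next]` to `[next, main]` is the only change, and the commit message documents the build-runs / deploy-gated split only for runtime-live-e2e and docs.yml, not for this workflow. Since the trigger is `pull_request` (not `pull_request_target`), a fork-origin PR against main will run the install smoke with repo secrets withheld; confirm every job in install-e2e.yml is secret-free or sits behind an approval-gated environment, otherwise such a PR fails at the secret rather than waiting, and the commit message should say which of the two cases applies here as it does for runtime-live-e2e.

Review bot: in the SECURITY MODEL header hunk of runtime-live-e2e.yml, the edited comment line (`# pull_request on `next` and `main`. It uses pull_request, NOT pull_request_target, so it`) is now noticeably longer than the surrounding wrapped lines of the block; rewrap it so the header stays at the same width, e.g. "# pull_request on `next` and `main`. It uses pull_request, NOT" followed by "# pull_request_target, so it runs the PR-head version of the workflow and GitHub". The wording itself is consistent with the new trigger added further down in the same file.

Review bot: in the trigger hunk of runtime-live-e2e.yml, the context comment says "Same-repo PRs get the secret; the live job stays per-variant environment-gated", and the commit message relies on the live jobs' `environment:` plus `needs: offline` to keep them waiting on a main-PR. That gate is configured in the repository's environment settings, not in this diff; check that any deployment-branch restriction on those approval-gated environments also admits PRs targeting `main`, since a job whose environment rejects the branch errors out rather than waiting for approval. A short line in the commit message stating that the environments were checked for `main` would make the "no auto-credit-burn" claim verifiable from the change itself.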