fix: PR CI works without secrets — use committed El runtime for pull_request builds

Gitea does not inject secrets for pull_request events. All push/workflow_dispatch CI was already working. PR builds were failing at Clone el and Authenticate to GCP. Fix: for pull_request events, skip El clone and GCP auth entirely. Instead build EL_HOME from committed files: bin/elc-linux-amd64 + runtime/{el_runtime.c,.h,.js}. build-stage.sh already knows about bin/elc-linux-amd64 for JS compilation; this extends that pattern to the native compiler and JS runtime. Docker --cache-from is skipped implicitly (no docker auth configured for PR builds) — BuildKit handles unauthenticated cache-from gracefully, continuing without cache.
ci: trigger stage build on PRs (deploy only on merge)
2026-05-07 01:18:47 -05:00 · 2026-05-05 04:44:21 -05:00 · 2026-05-05 04:43:29 -05:00
3 changed files with 1098 additions and 2 deletions
@@ -17,6 +17,18 @@ on:
      - '.gitea/workflows/stage.yaml'
      - '.gitea/workflows/deploy.yaml'

+  pull_request:
+    branches: [dev]
+    paths:
+      - 'src/**'
+      - 'dist/**'
+      - 'runtime/**'
+      - 'Dockerfile.stage'
+      - 'build-stage.sh'
+      - '.gitea/workflows/dev.yaml'
+      - '.gitea/workflows/stage.yaml'
+      - '.gitea/workflows/deploy.yaml'
+
  workflow_dispatch:

 jobs:
@@ -35,6 +47,8 @@ jobs:
          fetch-depth: 2

      - name: Clone el (provides elc compiler)
+        # push/workflow_dispatch only — pull_request events don't get secrets injected
+        if: github.event_name != 'pull_request'
        env:
          CHECKOUT_TOKEN: ${{ secrets.CHECKOUT_TOKEN }}
        run: |
@@ -46,20 +60,41 @@ jobs:
            "$DEST"
          echo "EL_HOME=$DEST" >> "$GITHUB_ENV"

+      - name: Set up El SDK from committed runtime (PR builds)
+        # pull_request events have no secrets — build from committed bin/ and runtime/
+        if: github.event_name == 'pull_request'
+        run: |
+          set -euo pipefail
+          DEST="${{ github.workspace }}/../foundation-el"
+          mkdir -p "$DEST/dist/platform" "$DEST/el-compiler/runtime"
+          cp bin/elc-linux-amd64 "$DEST/dist/platform/elc"
+          cp bin/elc-linux-amd64 "$DEST/dist/platform/elc-linux-amd64"
+          chmod +x "$DEST/dist/platform/elc" "$DEST/dist/platform/elc-linux-amd64"
+          cp runtime/el_runtime.c "$DEST/el-compiler/runtime/"
+          cp runtime/el_runtime.h "$DEST/el-compiler/runtime/"
+          cp runtime/el_runtime.js "$DEST/el-compiler/runtime/"
+          echo "EL_HOME=$DEST" >> "$GITHUB_ENV"
+          echo "El SDK set up from committed runtime files (no CHECKOUT_TOKEN needed)"
+
      - name: Authenticate to GCP
+        if: github.event_name != 'pull_request'
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Set up gcloud SDK
+        if: github.event_name != 'pull_request'
        uses: google-github-actions/setup-gcloud@v2
        with:
          project_id: neuron-785695

      - name: Configure docker auth for Artifact Registry
+        if: github.event_name != 'pull_request'
        run: gcloud auth configure-docker us-central1-docker.pkg.dev --quiet

      - name: Get elc (pre-built linux/amd64 from El repo)
+        # Only needed for push/workflow_dispatch — PR builds set up elc from committed bin/
+        if: github.event_name != 'pull_request'
        run: |
          set -euo pipefail
          ELC_SRC="$EL_HOME/dist/platform/elc-linux-amd64"
@@ -14,6 +14,16 @@ on:
      - 'build-stage.sh'
      - '.gitea/workflows/stage.yaml'

+  pull_request:
+    branches: [stage]
+    paths:
+      - 'src/**'
+      - 'dist/**'
+      - 'runtime/**'
+      - 'Dockerfile.stage'
+      - 'build-stage.sh'
+      - '.gitea/workflows/stage.yaml'
+
  workflow_dispatch:
    inputs:
      tag:
@@ -134,13 +144,13 @@ jobs:
          docker tag "marketing:${{ steps.tag.outputs.tag }}" "us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/marketing:stage-latest"

      - name: Push image
-        if: steps.changetype.outputs.asset_only != 'true'
+        if: steps.changetype.outputs.asset_only != 'true' && github.event_name != 'pull_request'
        run: |
          docker push "${{ steps.tag.outputs.image }}"
          docker push "us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/marketing:stage-latest"

      - name: Asset-only fast build
-        if: steps.changetype.outputs.asset_only == 'true'
+        if: steps.changetype.outputs.asset_only == 'true' && github.event_name != 'pull_request'
        env:
          IMAGE: ${{ steps.tag.outputs.image }}
        run: |
@@ -165,6 +175,7 @@ jobs:
          echo "Fast asset build complete"

      - name: Deploy to marketing-stage
+        if: github.event_name != 'pull_request'
        id: deploy-stage
        env:
          IMAGE: ${{ steps.tag.outputs.image }}
@@ -193,6 +204,7 @@ jobs:
            --quiet

      - name: Smoke test stage
+        if: github.event_name != 'pull_request'
        run: |
          set -euo pipefail
          STAGE_URL="${{ steps.deploy-stage.outputs.stage_url }}"