ci: add OS-49 phase 5 shadow workflows #1075

Merged: jtoelke2 merged 1 commit into main from jtoelke/os-129-extend-shadow-coverage on Apr 30, 2026

@jtoelke2 (Collaborator) commented Apr 30, 2026

Summary

Add non-required OS-49 Phase 5 shadow workflows for branch checks, CI image builds, Branch E2E, and the reusable E2E test path on supported shared CPU runners.

Related Issue

Related to OS-129 / OS-49.

Changes

  • Added shadow-branch-checks.yml on linux-{amd64,arm64}-cpu8 with trusted PR mirror validation and GHA-backed sccache.
  • Added shadow-ci-image.yml to build CI images natively per architecture with the local Buildx driver and no registry push.
  • Added shadow-branch-e2e.yml and shadow-e2e-test.yml using the existing test:e2e gate and shared arm64 runner.
  • Added an optional image-tag input to docker-build.yml so shadow E2E publishes isolated shadow-* tags.
  • Made pr-gate usable for both label-gated E2E shadows and label-free copied-PR shadow workflows.
  • Run the shadow mise lock check unconditionally so copied-PR push events cannot miss earlier mise.toml / mise.lock changes in the PR diff.
  • Serialized VFIO refcount-map tests that mutate shared global state, fixing the parallel-test race found by the first shadow Branch Checks run.
  • Removed path filtering from shadow-ci-image.yml so it always exercises copied PR pushes during the Phase 5 shadow bake.
  • Documented the Phase 5 shadow trigger/gating model.

Testing

Note: an initial mise run pre-commit with the default WSL/Windows-heavy PATH failed ssh::tests::launch_editor_returns_friendly_error_when_binary_missing; the isolated test and full pre-commit passed with Windows PATH entries removed.

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

@jtoelke2 jtoelke2 requested a review from a team as a code owner April 30, 2026 03:25
@jtoelke2 jtoelke2 force-pushed the jtoelke/os-129-extend-shadow-coverage branch from e35be35 to cc7340a Compare April 30, 2026 10:25
Comment thread .github/workflows/shadow-ci-image.yml
Comment thread .github/workflows/shadow-branch-checks.yml Outdated
Signed-off-by: Jonas Toelke <jtoelke@nvidia.com>
@jtoelke2 jtoelke2 force-pushed the jtoelke/os-129-extend-shadow-coverage branch from cc7340a to c5ff69c Compare April 30, 2026 16:40
@jtoelke2 (Collaborator, Author) commented

@pimlock I addressed the remaining changed-files concern by dropping the guard in shadow-branch-checks.yml and running mise lock unconditionally for the copied-PR shadow path. The thread is resolved, the new commit is c5ff69c1, and the PR checks are green again. Ready for another look.

@pimlock (Collaborator) commented Apr 30, 2026

Overall question to make sure I understand what happens once this merges.

All new PRs will now run the shadow checks as well as regular ones, so if something fails in the shadow check, it may block the PR from merging, right?

Looking at this PR, it all looks good, just wanted to check.

Also, for these new checks to run, the copy-pr-bot needs to mirror the pull request, so all the commits need to be signed, or the /ok to test SHA comment is needed?

I think this is okay. An alternative would be to guard the shadow infra behind a tag (which is what we do for the E2E already), but that's likely unnecessary here.

@jtoelke2 (Collaborator, Author) commented

Thanks, and yes, that matches my understanding with one important distinction: these shadow workflows will show up as PR checks, but they are not intended to be required checks for merge.

I checked the current main ruleset and it does not require these shadow status checks. So if a shadow job fails, it should be visible/noisy, but it should not block the PR unless we later add it to required checks or decide as humans to hold the PR.

For triggering: yes, the PR needs to be mirrored by copy-pr-bot into pull-request/N. For trusted/signed commits that should happen automatically; otherwise a maintainer needs /ok to test <SHA> to mirror or refresh the branch. The pr-gate then verifies that the copied branch SHA still matches the PR head SHA.

@jtoelke2 jtoelke2 merged commit 5c77b06 into main Apr 30, 2026
41 checks passed
@jtoelke2 jtoelke2 deleted the jtoelke/os-129-extend-shadow-coverage branch April 30, 2026 17:18
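
The last comment in the thread says the pr-gate verifies that the copied branch SHA still matches the PR head SHA. The following is an added sketch of that kind of fail-closed check, not the repository's pr-gate and not part of the conversation. The function names are hypothetical, the ref shape `refs/heads/pull-request/N` is assumed from the `pull-request/N` branch named above, and the PR head SHA is passed in as an argument instead of being fetched from the API.

```shell
#!/bin/sh
# Added example: hypothetical gate logic, not the repository's pr-gate.

# Print the PR number for a copied-PR ref (refs/heads/pull-request/N); fail otherwise.
pr_number_from_ref() {
  case "$1" in
    refs/heads/pull-request/*) n=${1#refs/heads/pull-request/} ;;
    *) return 1 ;;
  esac
  case "$n" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric suffix
  esac
  printf '%s\n' "$n"
}

# Accept only full 40-character lowercase hex commit IDs; abbreviations are ambiguous.
is_full_sha() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# gate_decision REF MIRROR_SHA PR_HEAD_SHA
# Prints "run" only when the mirrored commit is the PR's current head.
# Anything else prints "skip:<reason>" and returns non-zero (fail closed).
gate_decision() {
  if ! pr_number_from_ref "$1" >/dev/null; then
    echo "skip:not-a-copied-pr-ref"; return 1
  fi
  if ! is_full_sha "$2" || ! is_full_sha "$3"; then
    echo "skip:malformed-sha"; return 1
  fi
  if [ "$2" != "$3" ]; then
    echo "skip:stale-mirror"; return 1
  fi
  echo "run"
}

# Constructed sample values (not real commits from this PR).
APPROVED=0123456789abcdef0123456789abcdef01234567
NEWER=89abcdef0123456789abcdef0123456789abcdef
gate_decision refs/heads/pull-request/1075 "$APPROVED" "$APPROVED" || true  # run
gate_decision refs/heads/pull-request/1075 "$APPROVED" "$NEWER"    || true  # skip:stale-mirror
gate_decision refs/heads/main              "$APPROVED" "$APPROVED" || true  # skip:not-a-copied-pr-ref
```

The `skip:stale-mirror` case is the one the SHA comparison exists for: the mirrored commit was approved, but the PR head has since moved, so the job must not run against code that nobody reviewed for testing.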