fix(ci): fix rerun workflows for fork PRs

[petebacondarwin]

Fixes the rerun-codeowners workflow failing on fork PRs (e.g. https://github.com/cloudflare/workers-sdk/actions/runs/24451203502/job/71440264028?pr=12456).

For fork PRs, pull_request_review and pull_request events give a read-only GITHUB_TOKEN with no access to secrets, so the rerun workflows cannot call the Actions API to re-run jobs/workflows.

This PR fixes the issue by splitting each rerun workflow into a trigger + privileged pair using the workflow_run pattern:

• Trigger workflow fires on the original event (pull_request_review or pull_request labeled/unlabeled), saves PR context (head SHA, workflow targets) as an artifact, and exits. No privileged API calls.
• Privileged workflow fires on workflow_run when the trigger completes. workflow_run always runs from the default branch with full permissions, so it can perform the re-run even for fork PRs.

The two privileged workflows use different lookup strategies because of a GitHub API asymmetry:

Workflow	Strategy	Why
rerun-codeowners-privileged.yml	Check-name lookup	codeowners.yml uses pull_request_target — its runs are indexed by the base branch SHA, not the PR head. But check runs ARE on the PR head commit, so we find by check name.
rerun-remote-tests-privileged.yml	Workflow-file lookup	E2E workflows use pull_request — their runs are indexed by the PR head SHA. Also, E2E job names are matrix-expanded (e.g. "Wrangler E2E (Linux, shard 1/4)") making check-name lookup fragile.

Also renames rerun_codeowners.yml → rerun-codeowners.yml for consistency with the rest of the workflow files.

---

• Tests

  • Tests included/updated
  • Automated tests not possible - manual testing has been completed as follows:
  • Additional testing not necessary because: CI workflow changes — will be validated on the next fork PR that triggers a review or label change

• Public documentation

  • Cloudflare docs PR(s):
  • Documentation not necessary because: internal CI change only

---

[changeset-bot]

⚠️ No Changeset found

Latest commit: d4656a6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[workers-devprod]

Codeowners approval required for this PR:

• ✅ @cloudflare/wrangler

Show detailed file reviewers

[ask-bonk]

Let me now look closely at the security aspects. The rerun-codeowners.yml uses ${{ github.event.pull_request.head.sha }} directly in a run: block, and rerun-remote-tests.yml uses both ${{ github.event.pull_request.head.sha }} and ${{ github.event.label.name }} directly in run: blocks. Let me think about whether these are actual injection risks:

1. github.event.pull_request.head.sha — This is a 40-char hex SHA. GitHub enforces the format; it cannot be crafted by an attacker. Not injectable.

2. github.event.label.name — This is a label name on the PR. On fork PRs, external contributors cannot create labels (label management requires write access to the repo). The if: guard only matches two specific label names. Not injectable by external actors in practice, since labels can only be set by repo collaborators.

However, the rerun-codeowners.yml trigger workflow fires on any pull_request_review event but does NOT check whether the trigger workflow actually succeeded before the privileged workflow runs — wait, it does check github.event.workflow_run.conclusion == 'success'. Good.

Let me also check one more thing — the rerun-remote-tests.yml has a job-level if that filters to only run for the relevant labels. If the job is skipped, the workflow still "completes" with success conclusion. The privileged workflow then fires but the download-artifact step will fail (no artifact), handled by continue-on-error: true. The subsequent step checks steps.download-context.outcome == 'success' and skips. This is correctly handled.

Let me also think about a race condition: if both the codeowners and remote-tests trigger workflows use the artifact name pr-context, could there be a conflict? No — artifacts are scoped to a workflow run, so different workflow runs each have their own artifacts. And the privileged workflows download from run-id: ${{ github.event.workflow_run.id }}, which is the specific trigger run. This is fine.

One thing I want to verify — the rerun-remote-tests.yml if condition at the job level. When the job is skipped because the label doesn't match, the workflow conclusion is success (skipped jobs don't cause failure). The privileged workflow will fire, try to download the artifact (which doesn't exist since no artifact was uploaded), get an error from continue-on-error: true, and then the next step's if check prevents execution. This works, but it means the privileged workflow fires unnecessarily on every unrelated label change. This isn't a bug — it's a minor efficiency concern — but the design seems intentional given the constraints.

Now let me look at one potential issue more carefully. In rerun-codeowners-privileged.yml line 68, the jq expression extracts the job ID from the details URL. If check_runs is an empty array, check_runs[0] is null, and .details_url is null, so // "" gives "". Then split("/") | last gives "", which passes to split("?") | first giving "". The || true ensures no error exit. Then [ -n "" ] is false, so it falls to the else branch with a warning. This is handled correctly.

I've thoroughly reviewed the code and I don't see any actionable bugs, security issues, or backward compatibility problems. The approach is well-documented, the permissions are correctly scoped, and edge cases are handled.

LGTM

github run

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13512

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13512

miniflare

npm i https://pkg.pr.new/miniflare@13512

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13512

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13512

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13512

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13512

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13512

wrangler

npm i https://pkg.pr.new/wrangler@13512

commit: d4656a6

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 5 additional findings.

[edmundhung]

Looking good!

[workers-devprod]

Codeowners reviews satisfied