ci : add gatekeeper workflow for manual approval on non-master branches

[ggerganov]

Overview

Add a reusable gatekeeper.yml workflow that gates CI runs on non-master branches behind a manual approval step via the ci-manual environment. On the master branch, the gatekeeper is a no-op (auto-approve).

The main build.yml is wired through the gatekeeper as the first example. Remaining workflow files will be wired in follow-up PRs.

How it works

• Master branch: gatekeeper-auto job runs immediately — no delay
• Non-master branches: gatekeeper-review job pauses and waits for manual approval from a reviewer assigned to the ci-manual environment

All downstream jobs use needs: [gatekeeper] so nothing runs until the gatekeeper clears.

Setup required

The ci-manual environment must be created in Settings → Environments with at least one required reviewer before non-master CI runs can proceed.

Requirements

• I have read and agree with the contributing guidelines
• AI usage disclosure: YES. llama.cpp + pi

[CISC]

Oh, nice.

[ggerganov]

Yeah, I think we can even split the gatekeepers into sections (e.g. main, cuda, metal, etc.) and have different teams assigned to approve those.

[ggerganov]

The auto-approve of the gatekeeper on master worked: https://github.com/ggml-org/tmp/actions/runs/26274760334/job/77336260892

[ggerganov]

I will start implementing the gatekeepers in the main repo.

[CISC]

I will start implementing the gatekeepers in the main repo.

Great, with the added affinity we should be able to do more targeted workflow runs.