ci: fix staging release workflow gating #1955

Merged: senamakel merged 1 commit into tinyhumansai:main from senamakel:codex/fix-staging-skip-e2e, May 16, 2026
@senamakel (Member) commented May 16, 2026

Summary

  • remove the unnecessary pull-requests: read permission request from the reusable test/E2E workflows so release-staging.yml no longer fails validation at startup
  • add a skip_e2e workflow_dispatch input to release-staging.yml and gate the downstream build jobs so an intentional E2E skip still allows the staging build to run
  • pass the skip state into build-desktop.yml and log it there so the build record shows when the normal E2E pretest contract was relaxed
  • update the release manual smoke checklist to require documenting the reason and prior green E2E signal when the override is used

Problem

  • Release Staging run #25957728832 failed during workflow startup, before any jobs ran.
  • The concrete validation error was: test-reusable.yml requested pull-requests: read, but release-staging.yml only granted pull-requests: none to called workflows.
  • Operators also had no supported way to cut a staging build while intentionally bypassing the slow all-OS E2E gate.

Solution

  • narrow the reusable workflow permission surface to contents: read, which is all these jobs actually use
  • add an explicit skip_e2e dispatch flag on release-staging.yml
  • make pretest-e2e conditional on that flag, and allow build-desktop / build-docker to proceed only when unit/rust pretests passed and E2E either passed or was intentionally skipped
  • keep the override visible by threading a metadata flag into build-desktop.yml and documenting the operator expectation in the release smoke checklist

Submission Checklist

  • Tests added or updated (happy path + at least one failure / edge case) per Testing Strategy
  • Diff coverage ≥ 80% — changed lines (Vitest + cargo-llvm-cov merged via diff-cover) meet the gate enforced by .github/workflows/coverage.yml. Run pnpm test:coverage and pnpm test:rust locally; PRs below 80% on changed lines will not merge.
  • Coverage matrix updated — added/removed/renamed feature rows in docs/TEST-COVERAGE-MATRIX.md reflect this change (or N/A: behaviour-only change)
  • All affected feature IDs from the matrix are listed in the PR description under ## Related
  • No new external network dependencies introduced (mock backend used per Testing Strategy)
  • Manual smoke checklist updated if this touches release-cut surfaces (docs/RELEASE-MANUAL-SMOKE.md)
  • Linked issue closed via Closes #NNN in the ## Related section

Impact

  • affects GitHub Actions release-cut behavior only
  • fixes staging workflow startup validation and adds an explicit operator-only bypass for the full E2E pretest gate
  • no runtime desktop, core, or Tauri behavior changed

Related

  • Closes: N/A
  • Follow-up PR(s)/TODOs: N/A

AI Authored PR Metadata (required for Codex/Linear PRs)

Linear Issue

  • Key: N/A
  • URL: N/A

Commit & Branch

  • Branch: codex/fix-staging-skip-e2e
  • Commit SHA: c59c8864

Validation Run

  • pnpm --filter openhuman-app format:check
  • pnpm typecheck
  • Focused tests: gh workflow view .github/workflows/release-staging.yml
  • Rust fmt/check (if changed): pnpm rust:check
  • Tauri fmt/check (if changed): N/A: workflow/docs-only change

Validation Blocked

  • command: actionlint .github/workflows/*.yml
  • error: actionlint is not installed in this environment
  • impact: workflow syntax was sanity-checked with gh workflow view, but no local actionlint pass or live Actions dry run was available

Behavior Changes

  • Intended behavior change: staging releases can now be dispatched with skip_e2e=true, and the reusable permission mismatch no longer blocks workflow startup
  • User-visible effect: release operators can cut a staging build without waiting on the full E2E matrix when they intentionally choose that override

Parity Contract

  • Legacy behavior preserved: default release-staging.yml dispatch still runs the full E2E pretest gate before building
  • Guard/fallback/dispatch parity checks: downstream build jobs require unit/rust pretests to pass and accept E2E only when it succeeded or was explicitly skipped

Duplicate / Superseded PR Handling

  • Duplicate PR(s): N/A
  • Canonical PR: this PR
  • Resolution (closed/superseded/updated): N/A

Summary by CodeRabbit

  • Chores

    • Updated CI/CD pipeline permissions configuration for improved security controls.
    • Added optional capability to skip E2E testing during staging releases when necessary.
  • Documentation

    • Added guidance for release operators on the process for bypassing E2E validation and documenting the rationale.

@senamakel senamakel requested a review from a team May 16, 2026 18:19
@coderabbitai (Bot, Contributor) commented May 16, 2026

Caution

Review failed

The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 8f93ca0 and c59c886.

📒 Files selected for processing (5)
  • .github/workflows/build-desktop.yml
  • .github/workflows/e2e-reusable.yml
  • .github/workflows/release-staging.yml
  • .github/workflows/test-reusable.yml
  • docs/RELEASE-MANUAL-SMOKE.md

Walkthrough

Staging release workflow now supports operator-driven E2E pretest bypass via skip_e2e input, gating downstream builds on unit/rust success and E2E success-or-skip. Build-desktop reusable workflow receives the skip flag and logs build policy. Token permissions in reusable workflows narrowed from pull-requests to contents scope. Manual smoke test docs updated.

Changes

E2E Pretest Skip Gate with Permission Narrowing

| Layer / File(s) | Summary |
|---|---|
| Build-desktop reusable workflow skip input and logging (build-desktop.yml) | New skip_e2e_pretest boolean input added to workflow contract; early build step logs effective build policy including skip decision. |
| Staging release workflow E2E skip gate and build conditioning (release-staging.yml) | New skip_e2e dispatch input conditionally gates pretest-e2e job; build-desktop and build-docker jobs run only when unit/rust pretests succeed and pretest-e2e either succeeds or is skipped. Skip decision forwarded to build-desktop reusable workflow; dependency comment updated. |
| Manual smoke test operator documentation (docs/RELEASE-MANUAL-SMOKE.md) | New step instructs operators to document reason and link prior successful E2E run when dispatching with skip_e2e=true. |
| Reusable workflow token permission narrowing (e2e-reusable.yml, test-reusable.yml) | GitHub Actions token permissions narrowed from pull-requests: read to contents: read in both reusable workflows. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • tinyhumansai/openhuman#1887: Both PRs modify CI pretest gating flow; this PR adds an operator override to bypass the E2E pretest gate introduced in the referenced PR.

Poem

🐰 A skip gate for releases, now you can choose,
Dispatch with the truth when you need a quick move,
Log why you're bypassing, link tests that are green,
Build swift as a rabbit—the fastest you've seen! 🚀


@senamakel senamakel merged commit f6de4cb into tinyhumansai:main May 16, 2026
18 of 20 checks passed
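
The gating this PR describes, sketched as an added example; it is not the project's release-staging.yml. The names skip_e2e, skip_e2e_pretest, pretest-e2e, build-desktop and the reusable workflow files come from the PR text; the pretest-unit job name and the rule that a skipped E2E result only counts together with the operator flag are assumptions of this sketch.

```yaml
# Illustrative sketch only; not the project's release-staging.yml.
name: Release Staging (sketch)

on:
  workflow_dispatch:
    inputs:
      skip_e2e:
        description: "Operator override: build without the all-OS E2E pretest"
        type: boolean
        default: false

# A called workflow can keep or reduce the caller's token scopes, never raise
# them. A reusable workflow that asks for pull-requests: read under a caller
# granting pull-requests: none is rejected at startup, before any job runs.
permissions:
  contents: read

jobs:
  pretest-unit:            # hypothetical job name
    uses: ./.github/workflows/test-reusable.yml

  pretest-e2e:
    if: ${{ !inputs.skip_e2e }}
    uses: ./.github/workflows/e2e-reusable.yml

  build-desktop:
    needs: [pretest-unit, pretest-e2e]
    # A skipped job in `needs` makes its dependents skip by default, so the
    # condition uses a status function (!cancelled()) and then checks every
    # result explicitly. 'skipped' is accepted only together with the operator
    # flag, so a skip for any other reason still blocks the build.
    if: >-
      ${{ !cancelled()
          && needs.pretest-unit.result == 'success'
          && (needs.pretest-e2e.result == 'success'
              || (inputs.skip_e2e && needs.pretest-e2e.result == 'skipped')) }}
    uses: ./.github/workflows/build-desktop.yml
    with:
      # Forwarded so the build log records that the E2E gate was relaxed.
      skip_e2e_pretest: ${{ inputs.skip_e2e }}
```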