e2e tests cannot access secrets for PRs from forked repositories

[gjkim42]

What happened?

PR #784 (from a forked repository) cannot run test-e2e CI job because GitHub Actions does not expose repository secrets to pull_request events from forks. Even with the ok-to-test label applied, the secrets (CLAUDE_CODE_OAUTH_TOKEN, CODEX_AUTH_JSON) are empty, causing the e2e tests to fail.

This is a GitHub Actions security restriction — pull_request events from forks never receive secrets regardless of labels or branch protection settings.

What did you expect to happen?

When a maintainer adds the ok-to-test label to a fork PR, the e2e tests should be able to run with the required secrets.

How to reproduce?

1. Receive a PR from a forked repository (e.g. feat: add bedrock credential type for AWS Bedrock authentication #784)
2. Add the ok-to-test label
3. Observe that test-e2e job fails due to missing secrets

Possible approach

Switch the e2e trigger from pull_request to pull_request_target, which runs in the base repository's context and has access to secrets. The existing ok-to-test label gate ensures a maintainer has reviewed the code before secrets are exposed.

/kind bug

[kelos-bot]

🤖 Kelos Task Status

Task kelos-triage-793 has succeeded. ✅

[kelos-bot]

🤖 Kelos Agent @gjkim42

Kelos Triage Report

Kind: kind/bug
Priority: priority/important-soon — Blocks external contributors from getting e2e test coverage on fork PRs; directly impacts contributor experience and CI reliability
Actor: actor/kelos — Clear scope: change pull_request to pull_request_target in .github/workflows/ci.yaml for the e2e job, with appropriate checkout safeguards

Status: STILL VALID

Evidence:

• .github/workflows/ci.yaml:6 uses pull_request trigger, which does not provide secrets for fork PRs per GitHub Actions security model
• .github/workflows/ci.yaml:115-116 references secrets.CLAUDE_CODE_OAUTH_TOKEN and secrets.CODEX_AUTH_JSON in the test-e2e job — these will be empty for fork PRs
• The ok-to-test label gate exists (line 79) but cannot overcome the pull_request event secret restriction
• No merged PRs or commits reference this issue or address this problem
• The project already uses pull_request_target successfully in .github/workflows/label.yaml

Duplicates found: None found

Recommendation: KEEP OPEN — The fix involves switching the e2e trigger to pull_request_target with explicit ref checkout pointing to the PR head SHA (to avoid the security pitfall of running untrusted code in the base repo context). The existing ok-to-test label gate provides the necessary maintainer review before secrets are exposed.

[gjkim42]

/kelos pick-up

[kelos-bot]

🤖 Kelos Task Status

Task kelos-workers-793 has succeeded. ✅