fix: drift detection and safe pr gate (#5458)

Author: junpuf

.github/scripts/buildkitd.sh

@@ -79,6 +79,7 @@ sudo mkdir -p /etc/buildkit
 CONFIG_PATH="/etc/buildkit/buildkitd.toml"
 
 TMP_CONFIG=$(mktemp)
+sudo chmod 644 "$TMP_CONFIG"
 cat <<EOF > "$TMP_CONFIG"
 [worker.oci]
   enabled = true
@@ -90,7 +91,6 @@ cat <<EOF > "$TMP_CONFIG"
   defaultKeepStorage = "$KEEP_HUMAN"
   [[gc.policy]]
     keepDuration = "720h"    # 30 days
-    keepBytes = "$KEEP_BYTES"
     filters = ["type==regular"]
 EOF
 

.github/workflows/example.yml renamed to .github/workflows/pr-example.yml

@@ -1,27 +1,29 @@
 name: Example Workflow
 
 on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
+  workflow_run:
+    workflows: ["PR Permission Gate"]
+    types:
+      - completed
 
 permissions:
   contents: read
 
 jobs:  
-  gatekeeper:
+  pre-commit:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: astral-sh/ruff-action@v3
-      - run: ruff check --line-length 100 .
-      - uses: ./.github/actions/pr-permission-gate
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+      - uses: pre-commit/action@v3.0.1
+        with:
+          extra_args: --all-files
 
   example-on-default-runner:
-    needs: [gatekeeper]
+    needs: [pre-commit]
     runs-on:
       - codebuild-runner-${{ github.run_id }}-${{ github.run_attempt }}
     steps:
@@ -45,9 +47,6 @@ jobs:
         fleet:x86-g6xl-runner
     steps:
       - uses: actions/checkout@v5
-      - uses: ./.github/actions/pr-permission-gate 
-        with:
-          required-level: admin
       - run: .github/scripts/runner_setup.sh
       - run: |
           nvidia-smi
@@ -59,9 +58,6 @@ jobs:
         fleet:x86-g6xl-runner
     steps:
       - uses: actions/checkout@v5
-      - uses: ./.github/actions/pr-permission-gate 
-        with:
-          required-level: admin
       - run: .github/scripts/runner_setup.sh
       - run: |
           nvidia-smi

.github/workflows/pr-gate.yml

@@ -0,0 +1,28 @@
+name: PR Permission Gate
+on:
+  pull_request_target:
+    branches: [main]
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: pr-gate-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  gatekeeper:
+    name: gatekeeper
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout base branch (safe)
+        uses: actions/checkout@v5
+        with:
+          # checkout the workflow's commit (base branch), not the PR head
+          ref: ${{ github.event.pull_request.base.sha }}
+          fetch-depth: 1
+
+      - name: Run permission gate (from base)
+        uses: ./.github/actions/pr-permission-gate

.github/workflows/pre-commit.yml

@@ -7,19 +7,21 @@ default_stages:
   - manual
 
 repos:
-  # - repo: https://github.com/reteps/dockerfmt
-  #   # run `pre-commit autoupdate` to pin the version
-  #   rev: main
-  #   hooks:
-  #     - id: dockerfmt
-  #       args:
-  #         # optional: add additional arguments here
-  #         - --indent=2
-  #         - --write
-  # - repo: https://github.com/rhysd/actionlint
-  #   rev: v1.7.7
-  #   hooks:
-  #   - id: actionlint
+  - repo: https://github.com/reteps/dockerfmt
+    # run `pre-commit autoupdate` to pin the version
+    rev: main
+    hooks:
+      - id: dockerfmt
+        args:
+          # optional: add additional arguments here
+          - --indent=2
+          - --write
+        stages: [manual] # run in CI
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.7
+    hooks:
+    - id: actionlint
+      stages: [manual] # run in CI
   - repo: https://github.com/scop/pre-commit-shfmt
     rev: v3.12.0-2 # Use the latest stable revision
     hooks: