
fix(ci): support external and Dependabot PR service test workflows#578

Open
vishal-bala wants to merge 5 commits into main from ci/test-dependabot-PRs

Conversation

@vishal-bala vishal-bala (Collaborator) commented Apr 10, 2026

Motivation

This PR updates the CI flow for external pull requests and Dependabot pull requests while tightening the trust boundary around any secret-bearing execution.

The original goal was to support maintainers running service tests against fork PRs and same-repo Dependabot PRs without breaking regular PR coverage. Review feedback exposed a few places where that policy was still too loose or too brittle, especially around skipped jobs, secret-backed notebook paths, and how the manual external-PR workflow resolved and executed code. This final version hardens those paths so the normal test workflow stays predictable and the manual external-PR workflow is pinned to an explicitly reviewed commit.

Changes

  • Update .github/workflows/test.yml so lint is folded into the main test workflow while preserving the historical Style-check status names.
  • Keep service-tests skipped for Dependabot PRs in the regular workflow, and also exclude Dependabot from the secret-backed Google auth and notebook steps.
  • Add PR-scoped workflow concurrency to test.yml so newer PR pushes cancel older in-flight runs instead of multiplying the full matrix.
  • Update .github/workflows/test-fork-pr.yml to support fork PRs and same-repo dependabot[bot] PRs, but require both pr_number and an expected_head_sha input and fail if the live PR head has changed.
  • Restrict the manual Dependabot path to standard same-repo dependabot/* branches whose changes are limited to dependency manifest and lockfile paths.
  • Add timeout and per-PR concurrency controls to the manual external-PR service-test workflow.
  • Replace the PR-controlled local composite action invocation in the manual workflow with trusted inline workflow steps so the privileged orchestration is defined in trusted workflow content rather than in the checked-out PR tree.
  • Replace split success/failure check-run updates with a single always() finalizer that completes the custom check for success, failure, or cancellation.

Note for Reviewers

The main policy choice in this branch is still that the regular test matrix is no longer gated behind service-tests; both now depend on lint. That preserves regular test coverage for Dependabot PRs and avoids reintroducing skip-cascade logic, but it does trade some fast-fail behavior for simpler workflow semantics.

For the manual external-PR path, the remaining trust model is intentional: a maintainer may explicitly dispatch the workflow against a reviewed PR commit, and the workflow will then run the checked-out PR code with repository secrets. The hardening in this PR is aimed at ensuring that this happens only after trusted pre-checkout validation, against the exact commit the maintainer intended to run, and with the privileged orchestration sourced from trusted workflow content.


Note

Medium Risk
Changes modify CI execution paths that can run untrusted PR code with repository secrets (manual external-PR workflow) and adjust gating/concurrency in the main test workflow, so misconfiguration could impact security or test coverage.

Overview
Consolidates linting into the main test.yml workflow (removing the standalone lint.yml), adds PR-scoped concurrency cancellation, and makes service-tests/secret-backed notebook+GCP steps skip Dependabot PRs while keeping the main test matrix running.

Reworks the manual external PR workflow to validate pr_number + pinned expected_head_sha, support same-repo Dependabot PRs with strict file/branch allowlisting, add per-PR concurrency/timeout, and run tests via trusted inline steps (with a single always() check-run finalizer) instead of invoking a PR-controlled local action.

Bumps the editable package version in uv.lock from 0.17.1 to 0.18.0.

Reviewed by Cursor Bugbot for commit 2b393a3. Bugbot is set up for automated code reviews on this repo.
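The trusted pre-checkout validation the description outlines (a maintainer-supplied pr_number plus a pinned expected_head_sha, fork-or-Dependabot classification, and the dependabot/* branch and manifest-only file allowlist for the same-repo path) written out as a standalone script. This is an added illustration, not code from the PR's workflows: it assumes the workflow has already fetched the PR object and its changed-file list from the GitHub API before any checkout and passes them in, and every repository name, SHA, allowlist glob and function name below is constructed for the example.

```python
"""Trusted pre-checkout validation for a manually dispatched external-PR
service-test run (added example; not the project's workflow code).

All repository names, SHAs, globs and function names are hypothetical.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"[0-9a-f]{40}")
DEPENDABOT_LOGIN = "dependabot[bot]"
# Standard Dependabot branches look like dependabot/<ecosystem>/<package>-<version>.
DEPENDABOT_BRANCH = re.compile(r"dependabot/.+")
# Hypothetical allowlist: the only paths a manual Dependabot run may change.
DEPENDENCY_MANIFEST_GLOBS = ("pyproject.toml", "uv.lock", "requirements*.txt")


@dataclass(frozen=True)
class Decision:
    ok: bool
    kind: str    # "fork", "dependabot" or "rejected"
    reason: str


def _allowed_path(path: str) -> bool:
    return any(fnmatch.fnmatchcase(path, g) for g in DEPENDENCY_MANIFEST_GLOBS)


def validate_dispatch(pr: dict, changed_files: list[str],
                      pr_number: int, expected_head_sha: str) -> Decision:
    """Decide whether the PR may be checked out at the pinned SHA and run with secrets.

    `pr` is the GitHub pulls API object and `changed_files` the paths from the
    pulls/{n}/files endpoint; both come from the API, never from the PR tree.
    """
    expected = expected_head_sha.strip().lower()
    if not FULL_SHA.fullmatch(expected):
        return Decision(False, "rejected", "expected_head_sha must be a full 40-hex commit SHA")
    if pr.get("number") != pr_number:
        return Decision(False, "rejected", f"fetched PR is #{pr.get('number')}, not #{pr_number}")
    if pr.get("state") != "open":
        return Decision(False, "rejected", "PR is not open")

    # Fail closed if the live head moved after the maintainer reviewed it.
    live = pr["head"]["sha"].lower()
    if live != expected:
        return Decision(False, "rejected",
                        f"PR head moved: live {live[:12]} != reviewed {expected[:12]}")

    head_repo = (pr["head"].get("repo") or {}).get("full_name")
    base_repo = pr["base"]["repo"]["full_name"]
    if head_repo is None:
        return Decision(False, "rejected", "head repository no longer exists")
    if head_repo != base_repo:
        # Fork PR: the maintainer's explicit dispatch against a reviewed commit is the gate.
        return Decision(True, "fork", f"fork PR from {head_repo} pinned at {live[:12]}")

    # Same-repo PRs: only dependabot[bot] on a standard branch with manifest-only changes.
    if pr["user"]["login"] != DEPENDABOT_LOGIN:
        return Decision(False, "rejected",
                        "same-repo PRs not authored by dependabot[bot] are covered by the regular workflow")
    ref = pr["head"]["ref"]
    if not DEPENDABOT_BRANCH.fullmatch(ref):
        return Decision(False, "rejected", f"branch {ref!r} is not a standard dependabot/* branch")
    if not changed_files:
        return Decision(False, "rejected", "no changed files reported for the PR")
    disallowed = sorted(p for p in changed_files if not _allowed_path(p))
    if disallowed:
        return Decision(False, "rejected", f"Dependabot PR touches non-manifest paths: {disallowed}")
    return Decision(True, "dependabot",
                    f"same-repo Dependabot PR pinned at {live[:12]}, "
                    f"{len(changed_files)} manifest/lockfile change(s)")


# Constructed sample API objects (shape of the GitHub pulls API, trimmed to what is used).
def _pr(number: int, sha: str, ref: str, head_repo: str | None,
        user: str, state: str = "open") -> dict:
    return {
        "number": number, "state": state, "user": {"login": user},
        "head": {"sha": sha, "ref": ref, "repo": {"full_name": head_repo} if head_repo else None},
        "base": {"repo": {"full_name": "example-org/example-repo"}},
    }


FORK_SHA = "3f2b9c1d0e5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c"  # constructed
DEP_SHA = "7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c5b4a"   # constructed
SAMPLE_FORK_PR = _pr(101, FORK_SHA, "feature/new-backend", "contributor/example-repo", "contributor")
SAMPLE_DEPENDABOT_PR = _pr(102, DEP_SHA, "dependabot/uv/ruff-0.8.0",
                           "example-org/example-repo", DEPENDABOT_LOGIN)
SAMPLE_DEPENDABOT_FILES = ["pyproject.toml", "uv.lock"]

if __name__ == "__main__":
    scenarios = {
        "fork, pinned SHA matches": (SAMPLE_FORK_PR, ["src/app.py"], 101, FORK_SHA),
        "fork, head moved after review": (SAMPLE_FORK_PR, ["src/app.py"], 101, DEP_SHA),
        "dependabot, manifest-only": (SAMPLE_DEPENDABOT_PR, SAMPLE_DEPENDABOT_FILES, 102, DEP_SHA),
        "dependabot, workflow edited": (SAMPLE_DEPENDABOT_PR,
                                       ["uv.lock", ".github/workflows/test.yml"], 102, DEP_SHA),
    }
    for label, args in scenarios.items():
        d = validate_dispatch(*args)
        print(f"{label:32} -> {'RUN' if d.ok else 'SKIP'} ({d.kind}): {d.reason}")
```

In a workflow this would run in a step placed before any checkout, with its decision gating both the checkout at the pinned SHA and every secret-bearing step that follows; because the inputs come only from the API and the maintainer's dispatch inputs, nothing in the PR tree can influence whether the privileged path runs.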

jit-ci Bot commented Apr 10, 2026

🛡️ Jit Security Scan Results


✅ No security findings were detected in this PR


Security scan by Jit

@vishal-bala vishal-bala self-assigned this Apr 20, 2026
@vishal-bala vishal-bala added the auto:ci Updates to CI/CD workflows and processes label Apr 20, 2026
@vishal-bala vishal-bala marked this pull request as ready for review April 20, 2026 12:05
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fa184c3103

Comment thread .github/workflows/test.yml
Comment thread .github/workflows/test.yml
@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 3a968fb.

Comment thread .github/workflows/test.yml Outdated
@vishal-bala vishal-bala requested a review from rbs333 April 28, 2026 07:55