From 49ccb5f41139a3bf61a2fda2de2f6100db6722c3 Mon Sep 17 00:00:00 2001
From: Piotr Mlocek <pmlocek@nvidia.com>
Date: Wed, 22 Apr 2026 15:21:16 -0700
Subject: [PATCH] fix(ci): e2e gate must verify work actually ran, not just
 top-level success

The gate passed whenever `Branch E2E Checks` (or `GPU Test`) concluded
`success` for the head SHA. But when the required label wasn't set at
the time of the run, `pr_metadata` gates downstream jobs out, every
non-gate job is `skipped`, and the workflow still reports `success`.
Result: labeling a PR after the workflow already ran left the gate
green even though E2E never executed.

Now also query the run's jobs and require at least one non-gate
(`name != "Resolve PR metadata"`) job to have concluded `success`. If
only the gate job itself succeeded, fail with an actionable message
asking the maintainer to re-run the workflow so the gate re-evaluates
with the label in place.

Signed-off-by: Piotr Mlocek <pmlocek@nvidia.com>
---
 .github/workflows/e2e-gate-check.yml | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/e2e-gate-check.yml b/.github/workflows/e2e-gate-check.yml
index 81b71ce64..5065663c1 100644
--- a/.github/workflows/e2e-gate-check.yml
+++ b/.github/workflows/e2e-gate-check.yml
@@ -84,18 +84,30 @@ jobs:
             exit 1
           fi
 
+          run_id=$(jq -r '.id' <<< "$latest")
           status=$(jq -r '.status' <<< "$latest")
           conclusion=$(jq -r '.conclusion' <<< "$latest")
 
-          if [ "$conclusion" = "success" ]; then
-            echo "$WORKFLOW_FILE succeeded for $HEAD_SHA."
-            exit 0
-          fi
-
           if [ "$status" != "completed" ]; then
             echo "::error::$WORKFLOW_FILE is $status for $HEAD_SHA. This gate will re-evaluate on completion."
             exit 1
           fi
 
-          echo "::error::$WORKFLOW_FILE concluded as $conclusion for $HEAD_SHA."
-          exit 1
+          if [ "$conclusion" != "success" ]; then
+            echo "::error::$WORKFLOW_FILE concluded as $conclusion for $HEAD_SHA."
+            exit 1
+          fi
+
+          # Top-level success isn't enough: if `pr_metadata` gated downstream
+          # jobs out (label wasn't set at run time), only the gate job itself
+          # concludes `success` and the workflow still reports `success`.
+          # Require at least one non-gate job to have succeeded as proof the
+          # label was present when the workflow ran.
+          real_success=$(gh api "repos/$GH_REPO/actions/runs/$run_id/jobs" --jq '[.jobs[] | select(.conclusion == "success" and .name != "Resolve PR metadata")] | length')
+          if [ "$real_success" -lt 1 ]; then
+            echo "::error::$WORKFLOW_FILE run $run_id only ran the metadata gate — $REQUIRED_LABEL was not set when the workflow last executed. Re-run $WORKFLOW_FILE so the gate re-evaluates with the label present."
+            exit 1
+          fi
+
+          echo "$WORKFLOW_FILE run $run_id executed and succeeded for $HEAD_SHA ($real_success non-gate job(s) passed)."
+          exit 0