ci: integrate gate logic into e2e workflow

Integrate permission checking and ok-to-test gating directly into the
e2e workflow as a gate job. This allows the gating to work immediately
without needing a separate workflow file on main first.

Flow:
- Privileged users (admin/maintain/write): tests run automatically
- External contributors: instructions posted, wait for /ok-to-test
- /ok-to-test from privileged user: rocket reaction, tests run
- /ok-to-test from non-privileged: thumbs down reaction, no tests

The gate job outputs should_run and ref, which downstream jobs use
to determine whether to proceed and which SHA to checkout.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: clubanderson

.github/workflows/ci-e2e-openshift.yaml

@@ -1,15 +1,18 @@
 name: CI - OpenShift E2E Tests
 
-# Permissions needed for the build-image job to push to GHCR
 permissions:
   contents: read
   packages: write
+  pull-requests: write
+  issues: write
 
 on:
   pull_request:
     branches:
       - main
       - dev
+  issue_comment:
+    types: [created]
   workflow_dispatch:
     inputs:
       model_id:
@@ -42,14 +45,137 @@ on:
         default: '30'
 
 jobs:
-  # Build the WVA controller image on GitHub-hosted runner (has proper Docker setup)
+  # Gate: Check permissions and post instructions for external contributors
+  gate:
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+      ref: ${{ steps.check.outputs.ref }}
+    steps:
+      - name: Check permissions and determine if tests should run
+        id: check
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const privilegedRoles = ['admin', 'maintain', 'write'];
+
+            // Handle workflow_dispatch - always run
+            if (context.eventName === 'workflow_dispatch') {
+              core.setOutput('should_run', 'true');
+              core.setOutput('ref', context.sha);
+              console.log('workflow_dispatch: running tests');
+              return;
+            }
+
+            // Handle issue_comment (/ok-to-test)
+            if (context.eventName === 'issue_comment') {
+              // Only process comments on PRs that contain /ok-to-test
+              if (!context.payload.issue.pull_request ||
+                  !context.payload.comment.body.includes('/ok-to-test')) {
+                core.setOutput('should_run', 'false');
+                console.log('issue_comment: not a /ok-to-test comment on a PR');
+                return;
+              }
+
+              // Check commenter permission
+              const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: context.payload.comment.user.login
+              });
+              const isPrivileged = privilegedRoles.includes(permission.permission);
+              console.log(`Commenter ${context.payload.comment.user.login} permission: ${permission.permission}, privileged: ${isPrivileged}`);
+
+              // Add reaction
+              await github.rest.reactions.createForIssueComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: context.payload.comment.id,
+                content: isPrivileged ? 'rocket' : '-1'
+              });
+
+              if (isPrivileged) {
+                // Get PR SHA
+                const { data: pr } = await github.rest.pulls.get({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  pull_number: context.payload.issue.number
+                });
+                core.setOutput('should_run', 'true');
+                core.setOutput('ref', pr.head.sha);
+                console.log(`Approved by ${context.payload.comment.user.login}, running tests for PR #${pr.number} at ${pr.head.sha}`);
+              } else {
+                core.setOutput('should_run', 'false');
+                console.log('Commenter is not privileged, not running tests');
+              }
+              return;
+            }
+
+            // Handle pull_request
+            if (context.eventName === 'pull_request') {
+              const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: context.payload.pull_request.user.login
+              });
+              const isPrivileged = privilegedRoles.includes(permission.permission);
+              console.log(`PR author ${context.payload.pull_request.user.login} permission: ${permission.permission}, privileged: ${isPrivileged}`);
+
+              if (isPrivileged) {
+                core.setOutput('should_run', 'true');
+                core.setOutput('ref', context.payload.pull_request.head.sha);
+                console.log('PR author is privileged, running tests');
+              } else {
+                core.setOutput('should_run', 'false');
+                console.log('PR author is not privileged, posting instructions');
+
+                // Check if we already posted instructions
+                const comments = await github.rest.issues.listComments({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.payload.pull_request.number
+                });
+
+                const botComment = comments.data.find(c =>
+                  c.user.type === 'Bot' &&
+                  c.body.includes('OpenShift E2E tests require approval')
+                );
+
+                if (!botComment) {
+                  await github.rest.issues.createComment({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    issue_number: context.payload.pull_request.number,
+                    body: `## OpenShift E2E Tests
+
+OpenShift E2E tests require approval before running on external contributions.
+
+**For maintainers/admins:** Comment \`/ok-to-test\` to approve and run the OpenShift E2E tests.
+
+**For contributors:** Please wait for a maintainer to review and approve your PR for E2E testing.
+
+_This check uses GPU resources on a shared OpenShift cluster._`
+                  });
+                }
+              }
+              return;
+            }
+
+            // Unknown event
+            core.setOutput('should_run', 'false');
+
+  # Build the WVA controller image on GitHub-hosted runner
   build-image:
+    needs: gate
+    if: needs.gate.outputs.should_run == 'true'
     runs-on: ubuntu-latest
     outputs:
       image_tag: ${{ steps.build.outputs.image_tag }}
     steps:
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.gate.outputs.ref }}
 
       - name: Log in to GHCR
         uses: docker/login-action@v3
@@ -63,7 +189,7 @@ jobs:
         env:
           REGISTRY: ghcr.io
           IMAGE_NAME: ${{ github.repository }}
-          GIT_REF: ${{ github.sha }}
+          GIT_REF: ${{ needs.gate.outputs.ref }}
         run: |
           # Build image with git ref tag for this PR
           # Use first 8 chars of the git ref
@@ -82,7 +208,8 @@ jobs:
   # Run e2e tests on OpenShift self-hosted runner
   e2e-openshift:
     runs-on: [self-hosted, openshift]
-    needs: build-image
+    needs: [gate, build-image]
+    if: needs.gate.outputs.should_run == 'true'
     env:
       MODEL_ID: ${{ github.event.inputs.model_id || 'unsloth/Meta-Llama-3.1-8B' }}
       ACCELERATOR_TYPE: ${{ github.event.inputs.accelerator_type || 'H100' }}
@@ -99,6 +226,8 @@ jobs:
     steps:
       - name: Checkout source
         uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.gate.outputs.ref }}
 
       - name: Extract Go version from go.mod
         run: sed -En 's/^go (.*)$/GO_VERSION=\1/p' go.mod >> $GITHUB_ENV