ci: Fix the triggering logic for e2e (#578)

* ci: Fix the triggering logic for e2e

* ci: moving to DeterminateSystems/nix-installer-action@v20 (#576)

* fix: CVE-2025-22868

---------

Co-authored-by: Abhay Aggrawal <[email protected]>

Author: thunderboltsid

.github/workflows/build-dev.yaml

@@ -7,11 +7,12 @@ on:
       - main
       - 'release-*'
   pull_request:
-    paths:
-    - '.github/**'
+    types: [opened, synchronize, reopened, labeled]
   pull_request_target:
-    paths-ignore:
-    - '.github/**'
+    types: [opened, synchronize, reopened, labeled]
+    branches:
+      - main
+      - 'release-*'
 jobs:
   check_approvals:
     runs-on: ubuntu-latest
@@ -108,8 +109,7 @@ jobs:
           - "capx-feature-test"
           - "scaling"
       fail-fast: false
-    if: ${{ (github.event_name == 'pull_request' && needs.check_approvals.outputs.external_pr == 'false') || (github.event_name == 'pull_request_target' && needs.check_approvals.outputs.external_pr == 'true' && needs.check_approvals.outputs.check_approvals == 'true') }}
-    needs: check_approvals  
+    needs: check_approvals
     uses: ./.github/workflows/e2e.yaml
     with:
       e2e-labels: ${{ matrix.e2e-labels }}

.github/workflows/e2e.yaml

@@ -19,15 +19,19 @@ jobs:
         with:
           ref: "${{ github.event.pull_request.head.sha }}"
 
-      # Install nix using cachix/install-nix-action if running on ARC runners
-      # See: https://github.com/DeterminateSystems/nix-installer-action/issues/68
+      # Install nix using DeterminateSystems/nix-installer-action if running on ARC runners
+      # This can be removed once jetify-com/devbox-install-action has a release that includes
+      # at least `DeterminateSystems/nix-installer-action@v19` which includes the fix in
+      # https://github.com/DeterminateSystems/nix-installer-action/issues/68
       - name: Install Nix on self-hosted ARC runners
-        uses: cachix/install-nix-action@V27
+        uses: DeterminateSystems/nix-installer-action@v20
         with:
-          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          logger: pretty
+          extra-conf: experimental-features = ca-derivations fetch-closure
 
       - name: Install devbox
-        uses: jetify-com/devbox-install-action@v0.11.0
+        uses: jetify-com/devbox-install-action@v0.13.0
         with:
           enable-cache: "false"
           skip-nix-installation: "true"

go.mod

@@ -180,5 +180,6 @@ require (
 replace (
 	// CVE fixes for https://avd.aquasec.com/nvd/2024/cve-2024-45338
 	golang.org/x/net => golang.org/x/net v0.33.0
+	golang.org/x/oauth2 => golang.org/x/oauth2 v0.27.0
 	sigs.k8s.io/kind v0.20.0 => sigs.k8s.io/kind v0.22.0
 )

go.sum

@@ -1,4 +1,5 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -443,9 +444,8 @@ golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=