chore: trigger Enterprise e2e tests on open PRs

[dharmadeveloper108]

Adds workflow to validate OSS changes against enterprise e2e tests before merging. When a PR is labeled with test-enterprise, the workflow builds the OSS changes and triggers enterprise's CI to run its e2e test suite against the exact commit, catching integration issues early.

TLDR: When you add the test-enterprise label, it validates that your OSS changes don't break enterprise before you merge.

TODO:

• create ENTERPRISE_REPO_TOKEN secret

About the changes

Trigger: Fires whenever a label is added to a PR on this repo.

Job 1: check-label

• Checks if the PR has the test-enterprise label
• Sets an output should-test=true if it does
• This gates the entire second job (it won't run without the label)

Job 2: test-enterprise-e2e (only runs if label is present)

• Checkout OSS: Clones your OSS repository at the PR branch

• Set up Node.js: Installs Node 22.x

• Enable corepack: Activates yarn (Yarn uses corepack for version management)

• Install and build OSS:

  • yarn install --immutable - installs deps exactly as lockfile specifies
  • yarn build:backend - builds your TypeScript backend
  • YARN_ENABLE_SCRIPTS: false - skips postinstall scripts (performance)

• Trigger Enterprise E2E Tests:

  • Calls gh workflow run cicd.yml on the enterprise repo
  • Passes the current PR's commit SHA as the commit input
  • Enterprise's workflow will then check out that exact OSS commit and run its full test suite against it

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

License Issues

.github/workflows/trigger-enterprise-e2e.yaml

Package	Version	License	Issue Type
actions/checkout	6.*.*	Null	Unknown License
actions/setup-node	6.*.*	Null	Unknown License

Allowed Licenses:

Apache-2.0, MIT, MIT-0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, CC0-1.0, Unlicense, BlueOak-1.0.0, CC-BY-4.0, Artistic-2.0, PSF-2.0, MPL-2.0

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	6.*.*	🟢 5.9	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-node	6.*.*	🟢 6.1	Details Check Score Reason Maintained 🟢 10 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 9 binaries present in source code CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9

Scanned Files

• .github/workflows/trigger-enterprise-e2e.yaml

[gastonfournier]

I don’t think this is quite safe to merge yet, mainly because the current workflow seems to dispatch enterprise cicd.yaml more like the normal OSS sync flow than a dry-run validation flow.

A few things I noticed while comparing it with notify_enterprise.yaml and enterprise cicd.yaml:

• The dispatch currently calls cicd.yml, but the enterprise workflow file is cicd.yaml.
• We only pass commit, so on the enterprise side this still looks like a normal workflow_dispatch OSS bump. That means it can still run the parts we explicitly want to avoid here, like pushing dependency updates, building/pushing docker, and notifications, unless we add a dedicated dry-run mode or equivalent gating.
• notify_enterprise.yaml also publishes the static frontend assets for the commit SHA after dispatching. This PR only builds the backend, but enterprise validate-static-assets expects those commit-based assets to exist, so I think this would fail for PR SHAs.

I think the next step should be to introduce an explicit mode on the enterprise side so OSS can trigger a safe validation-only run, while keeping the existing notify flow working as-is.

[gastonfournier]

Something like this: https://github.com/bricks-software/unleash-enterprise/pull/878 I tried making it backward compatible. You can have a look at it from https://github.com/bricks-software/unleash-enterprise/actions/workflows/cicd.yaml switching the branch:

If this is inline with what you want, we should test a bit on this branch before deciding to merge.