Simplify approval gate with dual-environment pattern

[sylvainsf]

Description

Simplifies the approval gate in functional-test-cloud.yaml by adopting a dual-environment pattern (inspired by SAP/crossplane-provider-btp).

Problem

The previous approach conditionally skipped the approval-gate job for trusted users and only ran it for external contributors. This led to a complex if condition on the setup job that had to enumerate every possible approval-gate result (success, skipped). The original implementation (before PR #11189) also had a falsy-value bug: (condition) && '' || 'environment' always returned 'environment' because empty string is falsy in GitHub Actions expressions.

Solution

Instead of skip-based gating, the approval-gate job now always runs on pull_request_target events and selects one of two GitHub environments:

User type	Environment	Protection rules
Org members (OWNER/MEMBER/COLLABORATOR), dependabot	pr-trusted	None (instant)
External contributors	external-contributor-approval	Required reviewers

Both branches of the ternary expression are truthy strings, avoiding the falsy-value bug entirely.

The setup job condition is simplified from always() && (event != ... || result == 'success' || result == 'skipped') to !cancelled() && result != 'failure'.

Prerequisites

⚠️ Before merging: Create a pr-trusted GitHub environment in repository settings with NO protection rules.

Type of change

• This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

• An overview of proposed schema changes is included in a linked GitHub issue.
  • Yes
  • Not applicable
• A design document PR is created in the design-notes repository, if new APIs are being introduced.
  • Yes
  • Not applicable
• The design document has been reviewed and approved by Radius maintainers/approvers.
  • Yes
  • Not applicable
• A PR for the samples repository is created, if existing samples are affected by the changes in this PR.
  • Yes
  • Not applicable
• A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
  • Yes
  • Not applicable
• A PR for the recipes repository is created, if existing recipes are affected by the changes in this PR.
  • Yes
  • Not applicable

[Copilot]

Pull request overview

This PR refactors the approval gate mechanism in the functional-test-cloud.yaml workflow from a skip-based approach to a dual-environment pattern. The previous implementation (fixed in PR #11189) conditionally skipped the approval-gate job for trusted users, requiring complex downstream conditions. The new approach always runs the approval-gate job for pull_request_target events but selects between two environments: pr-trusted (no protection rules) for org members and dependabot, and external-contributor-approval (manual approval required) for external contributors. This eliminates the falsy-value bug and simplifies the setup job's conditional logic.

Changes:

• Refactored approval-gate job to always run on pull_request_target and use conditional environment selection instead of conditional job execution
• Simplified setup job condition from checking multiple approval-gate results (success, skipped) to a single cleaner check (!cancelled() && result != 'failure')
• Enhanced inline documentation explaining the dual-environment pattern and prerequisites

[radius-functional-tests]

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details

Name	Value
Repository	radius-project/radius
Commit ref	a7fe173
Unique ID	func3707fd7224
Image tag	pr-func3707fd7224

• gotestsum 1.13.0
• KinD: v0.29.0
• Dapr: 1.14.4
• Azure KeyVault CSI driver: 1.4.2
• Azure Workload identity webhook: 1.3.0
• Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func3707fd7224
• Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
• applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func3707fd7224
• dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func3707fd7224
• controller test image location: ghcr.io/radius-project/dev/controller:pr-func3707fd7224
• ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func3707fd7224
• deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
❌ corerp-cloud functional test failed. Please check the logs for more details
❌ ucp-cloud functional test failed. Please check the logs for more details

[github-actions]

Unit Tests

4 783 tests  ±0   4 780 ✅ ±0   7m 53s ⏱️ +12s
  330 suites ±0       3 💤 ±0 
    1 files   ±0       0 ❌ ±0 

Results for commit a7fe173. ± Comparison against base commit 088b1fe.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.99%. Comparing base (088b1fe) to head (a7fe173).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11300      +/-   ##
==========================================
- Coverage   51.00%   50.99%   -0.02%     
==========================================
  Files         679      679              
  Lines       43174    43174              
==========================================
- Hits        22023    22015       -8     
- Misses      19033    19037       +4     
- Partials     2118     2122       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.