fix(ci): enable e2e tests for fork PRs via pull_request_target

Fork PRs receive a read-only GITHUB_TOKEN under pull_request that
cannot push images to the org's GHCR package registry. Switch the
branch e2e workflow to pull_request_target which runs in the base repo
context with write permissions.

Security: the test:e2e label is a maintainer trust gate — only org
members can apply it, signalling that the PR code has been reviewed.

Changes:
- Switch branch-e2e.yml from pull_request to pull_request_target
- Add ref input to docker-build.yml and e2e-test.yml so callers can
  explicitly pass the PR head SHA for checkout and image tagging
- Use github.event.pull_request.head.sha instead of github.sha (which
  points to the base branch under pull_request_target)

Author: johntmyers

.github/workflows/branch-e2e.yml

@@ -1,7 +1,11 @@
 name: Branch E2E Checks
 
+# pull_request_target runs in the base repo context with write permissions,
+# enabling fork PRs to push docker images to GHCR and run e2e tests.
+# Security: the test:e2e label is a maintainer trust gate — only org members
+# can apply it, signalling that the PR code has been reviewed.
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize, reopened, labeled]
 
 permissions:
@@ -16,6 +20,7 @@ jobs:
       component: gateway
       platform: linux/arm64
       runner: build-arm64
+      ref: ${{ github.event.pull_request.head.sha }}
 
   build-cluster:
     if: contains(github.event.pull_request.labels.*.name, 'test:e2e')
@@ -24,10 +29,12 @@ jobs:
       component: cluster
       platform: linux/arm64
       runner: build-arm64
+      ref: ${{ github.event.pull_request.head.sha }}
 
   e2e:
     needs: [build-gateway, build-cluster]
     uses: ./.github/workflows/e2e-test.yml
     with:
-      image-tag: ${{ github.sha }}
+      image-tag: ${{ github.event.pull_request.head.sha }}
       runner: build-arm64
+      ref: ${{ github.event.pull_request.head.sha }}

.github/workflows/docker-build.yml

@@ -32,6 +32,11 @@ on:
         required: false
         type: string
         default: ""
+      ref:
+        description: "Git ref to checkout (defaults to the triggering event ref)"
+        required: false
+        type: string
+        default: ""
 
 env:
   MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -55,14 +60,15 @@ jobs:
       volumes:
         - /var/run/docker.sock:/var/run/docker.sock
     env:
-      IMAGE_TAG: ${{ github.sha }}
+      IMAGE_TAG: ${{ inputs.ref || github.sha }}
       IMAGE_REGISTRY: ghcr.io/nvidia/openshell
       DOCKER_PUSH: ${{ inputs.push && '1' || '0' }}
       DOCKER_PLATFORM: ${{ inputs.platform }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: ${{ inputs.ref || '' }}
 
       - name: Mark workspace safe for git
         run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

.github/workflows/e2e-test.yml

@@ -12,6 +12,11 @@ on:
         required: false
         type: string
         default: "build-amd64"
+      ref:
+        description: "Git ref to checkout (defaults to the triggering event ref)"
+        required: false
+        type: string
+        default: ""
 
 permissions:
   contents: read
@@ -40,6 +45,8 @@ jobs:
       OPENSHELL_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref || '' }}
 
       - name: Log in to GHCR
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin