ci: auto-approve integration tests for internal PRs

[danielmeppiel]

Problem

Every PR — including internal ones from repo collaborators — triggers the Integration Tests (PR) workflow which requires manual environment approval before running. This creates unnecessary friction:

• Maintainers must navigate to Actions → find the waiting run → click "Review deployments" → approve
• Each branch update triggers a new approval request (we just had 6 queued at once after rebasing open PRs)
• Internal contributors already have write access, so the approval gate adds no security value for their PRs

Additionally, 4 integration test files hardcoded .venv/bin/apm as the binary path, bypassing the PR artifact binary that CI places on PATH. This meant integration tests were silently testing main's source code instead of the PR's binary, defeating the purpose of fork-safe artifact testing.

Changes

1. Auto-approve internal PRs (ci-integration.yml)

Split the approve job into two:

Job	Trigger condition	Approval
approve-fork	PR from a fork (head_repository != github.repository)	Manual environment gate (unchanged)
approve-internal	PR from the same repo	Auto-approved (no gate)

Downstream jobs (smoke-test → integration-tests → release-validation) run if either approval job succeeds (the other is skipped).

2. Fix integration test binary resolution (test_ado_e2e.py, test_mixed_deps.py, test_skill_compile.py, test_skill_install.py)

Inverted binary lookup priority in 4 test files: prefer shutil.which("apm") (finds the PR binary on PATH in CI) over the hardcoded .venv/bin/apm (main's source install). Falls back to venv path for local development where PATH includes the venv.

Without this fix: integration tests for ADO, mixed deps, skills, and skill compilation run against main's source code, not the PR's artifact — regressions go undetected.

3. Upgrade CodeQL Action (codeql.yml)

Updated CodeQL Action from v3 to v4 (Node.js 16 deprecation).

Security model (unchanged for forks)

• Fork PRs still require manual approval via the integration-tests environment protection rules
• The workflow still checks out main (never PR code) for test scripts
• Fork artifacts are still isolated — a maintainer reviews the fork's code before secrets are exposed to artifacts built from it
• Internal PRs skip the gate because contributors already have write access to push directly to main if needed

Validation

• Test harness fix validated end-to-end: applied PR fix: virtual subdirectory deps marked as orphaned, skipping instruction processing #100's regressed source code on top → ADO tests correctly fail (detect the 'azure-devops' → 'github' source label regression). Reverted → all 9 ADO tests pass.
• All 1046 unit tests pass
• CodeQL v4 upgrade tested in CI

[Copilot]

Pull request overview

This PR implements auto-approval for integration tests on internal PRs while maintaining the manual approval security gate for fork PRs. It addresses the workflow friction where repo collaborators with write access must manually approve environment protection rules for their own PRs, which provides no security benefit since they can already push directly to main.

Changes:

• Split the single approve job into approve-fork (requires manual environment approval) and approve-internal (auto-approved)
• Update downstream job dependencies to run if either approval path succeeds using always() conditional logic
• Update workflow comments to reflect the dual approval path architecture

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

[Copilot]

Missing final fallback to "apm" when venv path doesn't exist. The other three test files modified in this PR (test_skill_install.py, test_skill_compile.py, test_mixed_deps.py) all include a final return "apm" statement after checking the venv path. This ensures the test can still attempt to find apm on the system PATH if neither the CI artifact nor the venv binary are available.

Without this fallback, if the venv doesn't exist and shutil.which("apm") returns None, the code will use a Path object instead of a string for apm_path, which could cause unexpected behavior when constructing the command string.

Suggested change

	# Fallback to local dev venv
	apm_path = Path(__file__).parent.parent.parent / ".venv" / "bin" / "apm"
	# Fallback to local dev venv, then final fallback to "apm"
	venv_apm = Path(__file__).parent.parent.parent / ".venv" / "bin" / "apm"
	if venv_apm.exists():
	apm_path = str(venv_apm)
	else:
	# If the venv binary is not available, still attempt to use "apm" on PATH
	apm_path = "apm"

[SebastienDegodez]

LGTM