ci: fix the always-failing PR checks (LFS-404 + upstream-only gating)

[Pterjudin]

Summary

Every PR on this repo currently shows ~15 red checks. Almost all of them have always been red since long before the 1.118.1 sync (confirmed on PR #44 from Feb 2026). The team has been relying on cortexide-builder for real validation. This PR triages the inherited-from-upstream noise without disabling any check that's catching real regressions.

This is a draft; do not merge until reviewed.

Root causes found

After pulling logs from PRs #46 and #47, the failures collapse into three buckets:

1. LFS-404 (drives ~15 of the failures). actions/checkout@v6 with lfs: true fails because every LFS pointer in the repo resolves to 404 on our LFS server:

   [d326ad15c05a...] Object does not exist on the server: [404]
   error: failed to fetch some objects from 'https://github.com/OpenCortexIDE/cortexide.git/info/lfs'
   The process '/usr/bin/git' failed with exit code 2
   

   The only LFS-tracked files in the repo are extensions/copilot/test/simulation/cache/*.sqlite (and extensions/copilot/.gitattributes declares them). The pointer files are committed; the actual blobs were never uploaded to our LFS endpoint.

2. Microsoft-specific infrastructure the fork doesn't have credentials/runners/endpoints for:

   • Monaco Editor checks — part of upstream's npm-publish flow for monaco-editor.
   • Prevent engineering system changes in PRs — queries microsoft/vscode collaborator permissions (403 Resource not accessible by integration) and references vs-code-engineering[bot].
   • Check API Proposal Version Changes — enforces upstream's vscode.proposed.*.d.ts versioning policy that we don't manage.
   • Checking Component Screenshots — uploads to hediet-screenshots.azurewebsites.net with an OIDC token our identity isn't authorized for (curl: (22) The requested URL returned error: 403).
   • copilot-setup-steps — uses runs-on: vscode-large-runners (Microsoft-only self-hosted runner), sits queued 24h before GitHub force-fails it.

3. Real test failures — Component Fixture Tests is failing 8 Playwright tests in tests/imageCarousel.spec.ts (locator('.image-carousel-editor') never becomes visible). This fails identically on PR Sync/vscode 1.110.0 #44 from February, so it's a pre-existing bug unrelated to the 1.118.1 rebase. Not fixed in this PR; see follow-ups below.

Fixes in this PR

Check	Root cause	Fix
Compile & Hygiene	LFS-404	lfs: false in pr.yml (compile doesn't read sqlite)
Linux / {Browser, Electron, Remote}	LFS-404	lfs: false in pr-linux-test.yml
macOS / {Browser, Electron, Remote}	LFS-404	lfs: false in pr-darwin-test.yml
Windows / {Browser, Electron, Remote}	LFS-404	lfs: false in pr-win32-test.yml
Linux / CLI	LFS-404	lfs: false in pr-linux-cli-test.yml
Copilot - Check Telemetry	LFS-404	lfs: false in pr.yml (telemetry extractor reads TS sources)
Copilot - Check Test Cache	needs LFS-tracked sqlite	Gated off on fork via if: github.repository_owner != 'OpenCortexIDE'
Copilot - Test (Linux)	needs LFS-tracked sqlite for simulate-ci	Gated off on fork
Copilot - Test (Windows)	needs LFS-tracked sqlite for simulate-ci	Gated off on fork
Monaco Editor checks	upstream npm-publish flow + LFS-404	Gated off on fork
Prevent engineering system changes in PRs	queries microsoft/vscode permissions	Gated off on fork
Check API Proposal Version Changes	upstream API governance	Gated off on fork
Checking Component Screenshots	upstream Azure endpoint (403)	Gated off on fork
copilot-setup-steps	uses upstream's self-hosted runner pool	Gated off on fork

All gating uses if: github.repository_owner != 'OpenCortexIDE' so the workflows are kept verbatim and will run normally on any other fork that has the upstream infra. To revert, drop the if: line.

Intentionally NOT fixed

• Component Fixture Tests (Playwright imageCarousel timeouts) — this is a real test failure, but it pre-existed the rebase by several months and isn't load-bearing for shipping (the actual product build runs in cortexide-builder, which is green). Fixing it requires investigating why .image-carousel-editor never mounts in headless Chromium and is out of scope here. Suggest a separate fix/image-carousel-playwright PR.
• chat-lib tests (ubuntu/macos/windows) — these are passing and unaffected.
• Check metadata (telemetry.yml) — passing.
• pr-node-modules.yml — push-to-main only, doesn't run on PRs.
• sessions-e2e.yml / chat-perf.yml — already workflow_dispatch-only.
• The cortexide-builder workflows in the sibling repo were not touched.

Follow-ups requiring user decision (not in this PR)

1. LFS data: do we want to actually upload the copilot simulation sqlite files to our LFS server (~1-2 GB) so the simulate-ci jobs can run? If yes, ungate the three copilot test jobs. If no, leave gated.
2. Engineering-system guardrail: upstream's "no PR may modify .github/workflows or build/" rule is a sensible policy. If you want it enforced on this repo too, the workflow could be rewritten to query OpenCortexIDE/cortexide collaborator permissions instead of microsoft/vscode. Happy to do that in a follow-up.
3. Screenshot diff service: if there's appetite, we can stand up our own Azure-Static-Web-Apps screenshot service and re-enable the workflow.

Test plan

• Open this draft PR and watch the checks list — only valid checks should run; the gated ones should not appear (or appear as skipped).
• Confirm Compile & Hygiene, Linux/macOS/Windows × Browser/Electron/Remote, Linux / CLI, and Copilot - Check Telemetry all get past actions/checkout (they may still fail later for other reasons — that's a separate problem we want to see).
• Confirm chat-lib tests and Check metadata still pass.
• Verify gated workflows show no run for this PR head SHA.

🤖 Generated with Claude Code