What problem does this PR solve?

• The label-gate composite action (added in QVAC-18608 infra: add .github/actions/label-gate (Node 20) #1968 and hardened in QVAC-18608 fix(label-gate): preserve hyphens in input env-var names #1973, QVAC-18608 fix(label-gate): strip label when non-trusted user applies it #1978, QVAC-18608 fix: trust repository_dispatch events in label-gate #1995) only protects the workflows that call it. Until now, just the vulkaninfo.yml canary did. Every other secret-bearing workflow in this repo still relies solely on the older authorize-pr team check, or on nothing at all when triggered from pull_request / pull_request_target.
• Goal: make the verified label the single PR-side gate for every secret-bearing workflow so a stranger's PR cannot reach secrets.PAT_TOKEN, NPM publish credentials, AWS Device Farm, etc., until a member of qvac-internal-release (or one of the other authorised teams) explicitly applies the label.

How does it solve it?

• Adds a label-gate job at the top of every secret-bearing workflow. The job runs the local ./.github/actions/label-gate composite, which fail-closes on any unrecognised event and on any PR-context event whose verified label was not applied by a trusted actor (and strips the label on misuse, per QVAC-18608 fix(label-gate): strip label when non-trusted user applies it #1978). The action itself defaults to the three trusted teams (qvac-internal-dev, qvac-internal-merge, qvac-internal-release) — the per-workflow gate jobs do not override teams:/users:, so the trust policy lives in exactly one place (.github/actions/label-gate/action.yml).
• Patches every secret-bearing job in those workflows to depend on label-gate and AND its if: with needs.label-gate.outputs.authorised == 'true'. Existing authorize-pr checks are preserved alongside the new gate (belt-and-suspenders during the staged migration the task spec calls out — authorize-pr removal lands in a follow-up).
• Mechanics: the migration was generated by a throwaway script (not committed) using ruamel.yaml purely to identify line ranges and surrounding YAML semantics; all edits are line-based to preserve comments, ordering, quoting, and indentation exactly. Detection heuristic for "secret-bearing" job: explicit environment:, OR any ${{ secrets.<X> }} other than GITHUB_TOKEN, OR secrets: inherit on a workflow_call, OR a non-empty per-call secrets: mapping. Jobs hard-disabled with if: false are skipped (gating is a no-op). The two approval-machinery workflows (see below) are skipped via an explicit exemption.
• 108 workflow files modified by the fan-out (the two approval-machinery workflows below are intentionally untouched; total target was 110). Every secret-bearing job in the repo now passes through label-gate before any secret-touching step runs.

Approval-machinery exemption

Two workflows are intentionally NOT gated and remain byte-identical to main:

• .github/workflows/approval-worker.yml
• .github/workflows/approval-check-worker.yml

These are the tier-based approval bot itself — triggered by issue_comment / pull_request_review to compute the Tier-based Approval Check status check. Gating them with label-gate produces a deadlock incident:

• The PR cannot get the required Tier-based Approval Check status until it has the verified label.
• In normal flow verified is applied after human review.
• So verified would never be requested (no signal to reviewers that the PR is ready), and even if it were applied, the approval bot would only re-evaluate on the next review/comment event.

These workflows are part of the gate machinery itself and must run ungated, the same way authorize-pr runs ungated.

if: false jobs

Jobs with a hard-disabled if: false (e.g. the notify job in docs-deploy-notify.yml) are deliberately not rewritten — the gate guard would have clobbered the inline explanation comment for zero behavioural change. If a workflow's only secret-bearing job is hard-disabled, the file is left untouched (no orphan label-gate job inserted).

Net workflow scope

• approval-worker.yml + approval-check-worker.yml → byte-identical to main (deadlock prevention).
• docs-post-merge-sync.yml + docs-release-pipeline.yml → gated (consume DOCS_SYNC_PAT / AI_AUGMENT_API_KEY).
• docs-deploy-notify.yml → untouched (only secret-bearing job is if: false).
• Total gated workflows: 108 (out of an originally-scoped 110, minus the 2 approval workflows).

yamlfmt cleanup (commit cf1311f1, narrowed by 4a8700ff and 15949925)

The label-gate fan-out touches .github/workflows/*onnx*.yml, which matches on-pr-onnx.yml's paths: filter. That workflow runs yamlfmt v0.17.0 against the entire repo at default workdir, so any pre-existing workflow yamlfmt drift would block this PR from merging. The cleanup was therefore bundled in for the workflows directory only.

• cf1311f1 — yamlfmt v0.17.0 -formatter retain_line_breaks_single=true across .github/workflows/ and .github/actions/.
• 4a8700ff — reverts the composite-action portion of cf1311f1. The retain_line_breaks_single=true formatter inserts #magic___^_^___line markers throughout collapsed folded scalars and folds multi-line description: blocks into long single lines — review noise unrelated to the gate change.
• 15949925 — reverts a 4-file packages/transcription-whispercpp/ sweep that had been included for the same yamlfmt-CI reason. Touching package paths triggers expensive build pipelines wholly unrelated to this PR.

Composite-action and packages drift remains pre-existing on main and will be addressed in a dedicated yamlfmt cleanup PR. Trade-off: the on-pr-onnx yamlfmt sub-check may flag the unchanged drift in those areas — identical to pre-existing CI noise on main, not a regression introduced by this PR.

Net diff scope: 123 files, all under .github/workflows/. Zero composite actions, zero packages, zero scripts.

How was it tested?

• actionlint clean against the full .github/workflows/ tree post-migration. Remaining warnings (shellcheck reported, runner-label, composite-action type key, workflow-call signature mismatches) all exist on origin/main — verified by diffing the warning sets. Zero new lint warnings introduced by the migration or the yamlfmt cleanup.
• Idempotency: re-running the (uncommitted) migration script on the migrated tree exits 0 with zero MIGRATED lines.
• Spot-checked every diff pattern manually: simple Pattern A (trigger-docs-translation-nmtcpp.yml), Pattern B with peer authorize-pr (publish-sdk.yml, on-pr-bci-whispercpp.yml), reusable workflow_call with secrets: inherit (test-android-sdk.yml, cpp-lint.yaml), folded if: >- blocks (trigger-reusable-lib-cli.yml, benchmark-ocr-onnx.yml), if: always() cleanup paths (test-android-sdk.yml's cleanup-device-farm), and the inline-step authorize-pr outlier (on-pr-test-sdk.yml — the script gates the downstream run-tests workflow_call correctly without touching the inline step).
• if: ${{ ... }}-wrapping bug caught and fixed during validation. GHA evaluates if: <bare> && ${{ <expr> }} as a string literal (always-true). The script now unwraps the outer ${{ }} from the original expression before composing, so the resulting if: is fully bare.
• Live canary PR QVAC-18612 infra: repurpose vulkaninfo as label-gate safety canary #1971 (vulkaninfo.yml) currently authorises and skips correctly under the rebased label-gate behaviour. Full live validation against THIS PR will use the 5-step matrix (no-label deny / label authorise / push-while-labeled / unlabel-then-push deny / full actionlint).

Action pinning

• actions/checkout: each new label-gate job pins to de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 — the same SHA every other workflow in this repo already uses. No version drift.

Permissions changes

• Scope: per-job, only on the new label-gate job in each of the 108 gated workflow files.
• Before: n/a (the job did not exist; the rest of each workflow's permissions: blocks are unchanged).
• After:

  permissions:
    contents: read
    pull-requests: write

• Justification: contents: read for the sparse-checkout of .github/actions/label-gate; pull-requests: write because the gate strips the verified label when a non-trusted actor applies it (per QVAC-18608 fix(label-gate): strip label when non-trusted user applies it #1978). Workflows that already declare a top-level permissions: block keep that block untouched — the per-job grant on label-gate does not propagate to other jobs.

Known pre-existing CI noise (not introduced by this PR)

• Tier-based Approval Check failing — the bot reports ❌ Tier 1 requirements not met. Need: 1 Team Member (0/1) + 1 TL/Management (0/1). This is the expected state for a PR with zero approvals; it will go green once reviewers approve.
• 6 CodeQL critical alerts flagged on this PR for .github/actions/run-lint-and-unit-tests/action.yaml (actions/untrusted-checkout/critical, ×4) and .github/workflows/publish-sdk.yml (actions/artifact-poisoning/critical, ×2). All 6 are pre-existing open alerts on main (created 2026-04-20 and 2026-05-01) — verified via gh api repos/tetherto/qvac/code-scanning/alerts. CodeQL re-fires them on this PR because the surrounding lines moved (yamlfmt + label-gate insertion shifted line numbers); the underlying alerts will resolve as code-scanning duplicates against main once a reviewer attests. This PR introduces zero new CodeQL findings.