CI: Enable interop requests from ZcashFoundation/zebra

[str4d]

This would need to be paired with a CI trigger in their repo equivalent to https://github.com/zcash/wallet/blob/a96b778a4dab0421cc93006a31d7d724a58ff0fe/.github/workflows/ci.yml#L118-L136 (but using the zebra-interop-request event instead), along with the necessary GitHub App to power the integration (cc @nuttycom who set the Zallet one up).

[daira]

What authority does this private key grant? Can its scope be reduced? (Similarly for the existing Zallet private key.)

[nuttycom]

This private key is used to sign JWT tokens so that the action can have the authority granted to the github app for execution of operations. More details here: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps

In the past, we used individual user tokens for this kind of operation, meaning that it was effectively the github action performing the operation on behalf of a specific user that provided the secret. Here, instead, it's not a user; it's a github app registered with the org that is granted the authority to perform the operation and granting the secret to the github action then allows it to exercise that app's capabilities.

[nuttycom]

This would need to be paired with a CI trigger in their repo equivalent to https://github.com/zcash/wallet/blob/a96b778a4dab0421cc93006a31d7d724a58ff0fe/.github/workflows/ci.yml#L118-L136 (but using the zebra-interop-request event instead), along with the necessary GitHub App to power the integration (cc @nuttycom who set the Zallet one up).

This will be potentially somewhat more complex, as we'll need the relationship to be across repositories. I think that we might need ZF to install the Z3 Integration Testing app (https://github.com/organizations/zcash/settings/installations/109782012) into the Zebra repository, and then we would need to install the corresponding app to be able to write back the other direction? I'll have to investigate.

[str4d]

Rebased on main to bring in recent changes including the CI fix in #37.

[oxarbitrage]

The PR here looks good.

There are some decisions needed, mainly in the Zebra side:

1. Cross-org GitHub App (@nuttycom / @gustavovalverde): The main open question is how the app auth works across orgs. Specifically: zcash/integration-tests needs to post commit statuses back to ZcashFoundation/zebra. Options:
   • Extend the existing "Z3 Integration Testing" app (installation 109782012) to also cover ZcashFoundation/zebra, or
   • Create a separate mirrored app installed in the ZcashFoundation org.
2. Which Zebra workflow gets the trigger (@oxarbitrage / @gustavovalverde)? Should the trigger-integration job live in a new dedicated workflow file, or be appended to e.g. tests-unit.yml?

Action items once decisions are made:

• Sort out the GitHub App cross-org setup, then add ZEBRA_APP_ID + ZEBRA_APP_PRIVATE_KEY secrets to zcash/integration-tests
• ZF / Zebra side: Add a trigger-integration job to ZcashFoundation/zebra CI
• Merge this PR once secrets are in place and the Zebra-side trigger is confirmed working

Let us know if that plan of action need changes.

[gustavovalverde]

Here's what I did @oxarbitrage

GitHub App setup:

• Created an enterprise-owned GitHub App (multi-org-z3-integration-testing) under our new Enterprise org. This avoids the cross-org complexity @nuttycom raised, because it's a single app with "internal" visibility, installed in both orgs.
• Installed in zcash org (repos: integration-tests, wallet) and ZcashFoundation org (repo: zebra).
• Permissions: contents:write, statuses:write, metadata:read.

Secrets:

• I addedZ3_APP_ID and Z3_APP_PRIVATE_KEY in both zcash/integration-tests and ZcashFoundation/zebra.

Zebra-side trigger:

• Vibe coded ci: Add workflow to trigger Z3 integration tests ZcashFoundation/zebra#10372 (because of lack of time 😄), which adds a trigger-integration-tests.yml workflow that dispatches zebra-interop-request to zcash/integration-tests on Rust code changes.
  • I'll be out tomorrow, so please review this PR and intervene it if necessary.

Remaining:

• This PR should update its secret references from ZEBRA_APP_ID / ZEBRA_APP_PRIVATE_KEY to Z3_APP_ID / Z3_APP_PRIVATE_KEY to match what's configured.
• Optionally: zcash/wallet can be migrated from the old org-owned app (z3-integration-testing) to the new enterprise app, to unify credentials.

[str4d]

Rebased on main to bring in the latest changes.

@oxarbitrage @gustavovalverde please discuss the interop GitHub app approach in #42. Once an approach is settled upon and documented there, I'll update this PR if needed.