ci : add approval gate to remaining workflows

[ggerganov]

Overview

Extend the manual CI approval gate (from approval.yml) to all remaining workflows that were missed in the initial rollout. This prevents expensive CI runs on non-master branches from executing without manual approval via the ci-approval environment.

Covered workflows (17 files):

• build-3rd-party, build-android, build-cache, build-cann, build-cross
• build-msys, build-openvino, build-riscv, build-sanitize
• build-self-hosted, build-sycl, build-virtgpu, build-vulkan
• server, server-sanitize, server-self-hosted
• ui-ci

ui-build.yml and ui-publish.yml are skipped as they're only triggered via workflow_call and inherit the gate from their caller.

Requirements

• I have read and agree with the contributing guidelines
• AI usage disclosure: YES. llama.cpp + pi + Qwen3.6-27B-MTP:Q4_K

[CISC]

Massive notification spam, but ohwell...

[CISC]

What initial rollout BTW? :)

[ggerganov]

@CISC There are 2 big problems with this approach:

• There is no way to turn off the "Deployment review" notifications from Github (https://github.com/orgs/community/discussions/14564)
• All approvals for a given environment are "queued" - they need to happen one-by-one. This means we can't reuse a single approval.yml for all workflows. Each workflow has to have it's own approval environment. Unless there is some limit on the number of environments we can create, this should be resolvable. Nvm, it is possible to approve individual workflows - it's just the UX is a bit obscure.

Not sure what to do about the notifications.

What initial rollout BTW? :)

This is because I continued the branch from yesterday ggml-org#33 and didn't explain that to the bot.

[CISC]

The new sidebar link is useful I guess, even though the filtering is not.
https://github.com/ggml-org/llama.cpp/deployments

[ggerganov]

I really can't believe there isn't a way to disable the notifications ... This is basically a showstopper for this approach.

[CISC]

I really can't believe there isn't a way to disable the notifications ... This is basically a showstopper for this approach.

Yeah, and for years to boot...

[ggerganov]

The boot would probably be simple to solve by having a dedicated self-hosted runner for the approvals.

[CISC]

The boot would probably be simple to solve by having a dedicated self-hosted runner for the approvals.

Sorry, that was "to boot", as in the idiom. :)

It's quite unbelievable this has not been addressed in the many years it has been a feature.

[CISC]

I imagine we will get the same spam every time a Collaborator is pushing a change as well.