workflows/eval: split tag into compare and reviews jobs

Splitting the job up into two is required to then move the reviews job
to a separate, re-usable workflow in the next step.

To avoid the eval workflow from taking more time to finish, after having
it optimized carefully recently, the reviews job starts in parallel to
the compare job, even though it requires the comparison results to
finish. We can then use the time to already set up nix, build
requestReviews and fetch our app-token.

This might seem overly complex, but given that we need to do the same
dance in the next commit when we run the re-usable workflow separately,
it's actually just easier to review that way, not more.

.github/workflows/eval.yml

@@ -153,8 +153,8 @@ jobs:
           name: diff-${{ matrix.system }}
           path: diff/*
 
-  tag:
-    name: Tag
+  compare:
+    name: Comparison
     runs-on: ubuntu-24.04-arm
     needs: [ prepare, outpaths ]
     if: needs.prepare.outputs.targetSha
@@ -210,9 +210,6 @@ jobs:
           name: comparison
           path: comparison/*
 
-      - name: Build the requestReviews derivation
-        run: nix-build trusted/ci -A requestReviews
-
       - name: Labelling pull request
         if: ${{ github.event_name == 'pull_request_target' }}
         env:
@@ -267,6 +264,29 @@ jobs:
             "/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
             -f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"
 
+  reviews:
+    name: Request Reviews
+    runs-on: ubuntu-24.04-arm
+    # No dependency on "compare", so that it can start at the same time.
+    # We only wait for the "comparison" artifact to be available, which makes the start-to-finish time
+    # for the eval workflow considerably faster.
+    needs: [ prepare, outpaths ]
+    if: needs.prepare.outputs.targetSha
+    steps:
+      - name: Check out the PR at the base commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: trusted
+          sparse-checkout: ci
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+        with:
+          extra_nix_config: sandbox = true
+
+      - name: Build the requestReviews derivation
+        run: nix-build trusted/ci -A requestReviews
+
       # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
       # Can't use the token received from permissions above, because it can't get enough permissions
       - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
@@ -279,6 +299,30 @@ jobs:
           permission-members: read
           permission-pull-requests: write
 
+      - name: Wait for comparison to be done
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            // Waiting 24 * 5 sec = 2 min. max.
+            for (let i = 0; i < 24; i++) {
+              const result = await github.rest.actions.listWorkflowRunArtifacts({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                run_id: context.runId,
+                name: 'comparison'
+              })
+              if (result.data.total_count > 0) return
+              await new Promise(resolve => setTimeout(resolve, 5000))
+            }
+            throw new Error("No comparison artifact found.")
+
+      - name: Download the comparison results
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          pattern: comparison
+          path: comparison
+          merge-multiple: true
+
       - name: Requesting maintainer reviews
         if: ${{ steps.app-token.outputs.token }}
         env: