Merge branch 'main' into khazic/fix/vlm-packed-mrope-position-ids

Author: HuiyingLi

.github/workflows/cicd-approve-test-queue.yml

@@ -16,13 +16,18 @@ name: Approve Test Queue
 
 on:
   schedule:
-    - cron: '*/5 * * * *'  # Runs every 5 minutes
-  workflow_dispatch:  # Allows manual triggering
+    - cron: "*/5 * * * *" # Runs every 5 minutes
+  workflow_dispatch: # Allows manual triggering
 
 jobs:
   approve-queue:
     runs-on: ubuntu-latest
     environment: main
+    if: github.repository == 'NVIDIA-NeMo/Automodel'
+    strategy:
+      matrix:
+        branch: [main, others, workflow_dispatch]
+        contributor_type: [internal, external]
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -37,22 +42,53 @@ jobs:
           python -m pip install --upgrade pip
           pip install requests
 
+      - name: Download SSO users list
+        run: |
+          gh release download v0.1.0 \
+            --repo NVIDIA-GitHub-Management/github-audits \
+            --pattern users_sso.json \
+            --output users_sso.json || echo '{}' > users_sso.json
+        env:
+          GH_TOKEN: ${{ secrets.NVIDIA_MANAGEMENT_ORG_PAT }}
+
       - name: Approve waiting deployments
         env:
           GITHUB_TOKEN: ${{ secrets.PAT }}
           MAX_CONCURRENCY: ${{ vars.MAX_CONCURRENCY || 1 }}
+          MAX_CONCURRENCY_EXTERNAL: ${{ vars.MAX_CONCURRENCY_EXTERNAL || 3 }}
+          MAX_CONCURRENCY_WORKFLOW_DISPATCH: ${{ vars.MAX_CONCURRENCY || 1 }}
+          CONTRIBUTOR_TYPE: ${{ matrix.contributor_type }}
+          MATRIX_BRANCH: ${{ matrix.branch }}
+          SSO_USERS_FILE: users_sso.json
+          PYTHONUNBUFFERED: 1
+        shell: python
         run: |
-          python - <<EOF
           import os
+          import json
           import requests
+          import re
           import time
 
-
           # GitHub API configuration
           GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
           REPO = os.environ["GITHUB_REPOSITORY"]
-          MAX_CONCURRENCY = int(os.environ["MAX_CONCURRENCY"])
-          API_BASE = f"https://api.github.com/repos/{REPO}"
+          CONTRIBUTOR_TYPE = os.environ["CONTRIBUTOR_TYPE"]
+          MATRIX_BRANCH = os.environ["MATRIX_BRANCH"]
+          if MATRIX_BRANCH == "workflow_dispatch":
+              MAX_CONCURRENCY = int(os.environ["MAX_CONCURRENCY_WORKFLOW_DISPATCH"])
+              API_BASE = f"https://api.github.com/repos/{REPO}"
+              WORKFLOW_NAME = "CICD NeMo"
+          else:
+              if CONTRIBUTOR_TYPE == "external":
+                  MAX_CONCURRENCY = int(os.environ["MAX_CONCURRENCY_EXTERNAL"])
+              else:
+                  MAX_CONCURRENCY = int(os.environ["MAX_CONCURRENCY"])
+              API_BASE = "https://api.github.com/repos/NVIDIA-NeMo/Automodel"
+              WORKFLOW_NAME = "CICD NeMo"
+
+          # Load SSO users for internal/external classification
+          with open(os.environ["SSO_USERS_FILE"]) as f:
+              sso_users = json.load(f)
 
           # Headers for GitHub API
           headers = {
@@ -94,7 +130,91 @@ jobs:
               print(f"Max retries ({max_retries}) exceeded for {endpoint}")
               return None
 
+          def is_internal_contributor(pr_info):
+              """Return True if the PR author is a member of NVIDIA or NVIDIA-NeMo org (is_org_member)."""
+              login = pr_info.get("user", {}).get("login", "")
+              org_roles = sso_users.get(login, {}).get("org_roles", [])
+              return any(role in ("NVIDIA:Member", "NVIDIA-NeMo:Member") for role in org_roles)
+
+          def get_pr_base_branch(workflow_run):
+              """
+              Return the base branch of the PR associated with a workflow run, or None.
+              Extracts PR number from head branch like 'pull-request/1913' and fetches PR info.
+              Returns (base_branch, pr_info) tuple, or (None, None) if not a PR run.
+              """
+              print(workflow_run.get("head_branch", ""))
+              head_branch = workflow_run.get("head_branch", "")
+              match = re.match(r"pull-request/(\d+)", head_branch)
+              if not match:
+                  return None, None  # Not a PR branch pattern
+
+              pr_number = int(match.group(1))
+
+              # Fetch PR info from GitHub API
+              pr_info = make_request(f"pulls/{pr_number}")
+              if not pr_info:
+                  print(f"Failed to fetch PR #{pr_number}")
+                  return None, None
+
+              base_branch = pr_info.get("base", {}).get("ref")
+              return base_branch, pr_info
+
+          def is_internal_actor(workflow_run):
+              """Return True if the actor who triggered the workflow run is an NVIDIA/NVIDIA-NeMo member."""
+              login = (workflow_run.get("triggering_actor") or workflow_run.get("actor") or {}).get("login", "")
+              org_roles = sso_users.get(login, {}).get("org_roles", [])
+              return any(role in ("NVIDIA:Member", "NVIDIA-NeMo:Member") for role in org_roles)
+
+          def is_pr_run(workflow_run):
+              """Return True if this run was triggered by a PR (head_branch matches pull-request/<number>)."""
+              return bool(re.match(r"pull-request/\d+", workflow_run.get("head_branch", "")))
+
+          def is_workflow_dispatch_run(workflow_run):
+              """Return True if this run was manually triggered (head_branch starts with mcore-testing-)."""
+              return workflow_run.get("head_branch", "").startswith("mcore-testing-")
+
+          def matches_queue(workflow_run, target_branch, contributor_type):
+              """
+              Return True if the workflow run belongs to this queue cell:
+              matching target branch AND matching contributor type (internal/external).
+
+              workflow_dispatch runs (head_branch: mcore-testing-*) are routed to the 'workflow_dispatch' queue only.
+              PR runs (head_branch: pull-request/<n>) are routed to 'main' or 'others' queues only.
+              """
+              if target_branch == "workflow_dispatch":
+                  if not is_workflow_dispatch_run(workflow_run):
+                      return False
+                  internal = is_internal_actor(workflow_run)
+                  contributor_match = (contributor_type == "internal") == internal
+                  if contributor_match:
+                      actor = (workflow_run.get("triggering_actor") or workflow_run.get("actor") or {}).get("login", "unknown")
+                      print(f"workflow_dispatch run by {actor}, contributor_type={contributor_type} (internal={internal})")
+                  return contributor_match
+
+              # PR queue: skip non-PR runs
+              if not is_pr_run(workflow_run):
+                  return False
+
+              base_branch, pr_info = get_pr_base_branch(workflow_run)
+              if base_branch is None:
+                  return False
+
+              branch_match = (
+                  (base_branch == target_branch) or
+                  (base_branch != "main" and base_branch != "dev" and target_branch == "others")
+              )
+              if not branch_match:
+                  return False
+
+              pr_number = re.match(r"pull-request/(\d+)", workflow_run.get("head_branch", "")).group(1)
+              internal = is_internal_contributor(pr_info)
+              contributor_match = (contributor_type == "internal") == internal
+              if branch_match and contributor_match:
+                  print(f"PR #{pr_number} targets {target_branch}, contributor_type={contributor_type} (internal={internal})")
+              return branch_match and contributor_match
+
           # Get current running and queued workflows
+          print(f"\n=== Queue cell: branch=${{ matrix.branch }}, contributor_type={CONTRIBUTOR_TYPE} ===")
           print("Fetching workflow runs...")
           queued_resp = make_request("actions/runs?status=queued")
           if queued_resp is None:
@@ -107,13 +227,25 @@ jobs:
               exit(1)
           in_progress_workflow_runs = in_progress_resp.get("workflow_runs", [])
 
+          def log_and_filter(runs, label):
+              cicd_runs = [r for r in runs if r["name"] == WORKFLOW_NAME]
+              print(f"{label}: {len(runs)} total, {len(cicd_runs)} {WORKFLOW_NAME}")
+              for r in cicd_runs:
+                  actor = (r.get("triggering_actor") or r.get("actor") or {}).get("login", "unknown")
+                  matched = matches_queue(r, "${{ matrix.branch }}", CONTRIBUTOR_TYPE)
+                  print(f"  run={r['id']} head_branch={r.get('head_branch')} event={r.get('event')} actor={actor} -> matched={matched}")
+              return [r for r in cicd_runs if matches_queue(r, "${{ matrix.branch }}", CONTRIBUTOR_TYPE)]
+
+          queued_workflow_runs = log_and_filter(queued_workflow_runs, "queued")
+          in_progress_workflow_runs = log_and_filter(in_progress_workflow_runs, "in_progress")
+
           # Count running and queued workflows
-          queued_workflows = sum(1 for run in queued_workflow_runs if run["name"] == "CICD NeMo")
-          in_progress_workflows = sum(1 for run in in_progress_workflow_runs if run["name"] == "CICD NeMo")
+          queued_workflows = len(queued_workflow_runs)
+          in_progress_workflows = len(in_progress_workflow_runs)
 
           total_workflows = queued_workflows + in_progress_workflows
-          print(f"Current queued workflows: {queued_workflows}")
-          print(f"Current running workflows: {in_progress_workflows}")
+          print(f"Current queued workflows (PRs targeting ${{ matrix.branch }}, {CONTRIBUTOR_TYPE}): {queued_workflows}")
+          print(f"Current running workflows (PRs targeting ${{ matrix.branch }}, {CONTRIBUTOR_TYPE}): {in_progress_workflows}")
           print(f"Total workflows: {total_workflows}")
           print(f"Max concurrency: {MAX_CONCURRENCY}")
 
@@ -122,20 +254,19 @@ jobs:
               exit(0)
 
           # Get waiting CI workflows for test environment
-          print("Fetching deployments...")
+          print("Fetching waiting deployments...")
           waiting_resp = make_request("actions/runs?status=waiting")
           if waiting_resp is None:
               print("Failed to fetch waiting workflow runs after retries, exiting")
               exit(1)
-          pending_workflows = waiting_resp.get("workflow_runs", [])
-          pending_workflows = [run for run in pending_workflows if run["name"] == "CICD NeMo"]
+          pending_workflows = log_and_filter(waiting_resp.get("workflow_runs", []), "waiting")
 
           # Sort deployments by creation date (oldest first)
           print("Sorting workflows...")
           pending_workflows = sorted(pending_workflows, key=lambda x: x["created_at"])
 
           # Process each deployment
-          print("Processing ...")
+          print(f"Processing {len(pending_workflows)} pending workflows...")
           for workflow in pending_workflows:
               if total_workflows >= MAX_CONCURRENCY:
                   print("Maximum concurrency reached, stopping approvals")
@@ -166,8 +297,6 @@ jobs:
               else:
                   print(f"Failed to approve deployment {deployment['id']}")
                   exit(1)
-
-          EOF
   notify:
     if: failure()
     runs-on: ubuntu-latest

.github/workflows/cicd-main.yml

@@ -611,6 +611,7 @@ jobs:
       (
         (needs.pre-flight.outputs.is_ci_workload == 'true' && !failure())
         || success()
+        || (needs.pre-flight.outputs.is_member != 'true' && needs.Nemo_CICD_Test.result == 'success')
       )
       && !cancelled()
       && vars.ENABLE_CODECOV == 'true'
@@ -664,20 +665,3 @@ jobs:
           path: |
             .coverage
           include-hidden-files: true
-
-  cleanup-taint-node:
-    runs-on: ${{ needs.pre-flight.outputs.runner_prefix }}
-    needs:
-      - pre-flight
-      - Nemo_CICD_Test
-      - Coverage
-      - Coverage_Fake
-    if: |
-      always()
-      && !cancelled()
-      && needs.pre-flight.outputs.is_deployment_workflow != 'true'
-    steps:
-      - name: Taint node for cleanup
-        if: contains(runner.name, 'ephemeral')
-        shell: bash
-        run: taint-node.sh

docs/conf.py

@@ -20,12 +20,17 @@
 # -- Project information -----------------------------------------------------
 # https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
 
+import datetime
 import os
 import sys
 
 # flake8: noqa
 # pylint: skip-file
 
+# Embed a build timestamp so every docs build produces unique content,
+# ensuring Akamai ECCU revalidate detects changed ETags on S3.
+build_timestamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
 project = "NeMo-AutoModel"
 copyright = "2026, NVIDIA Corporation"
 author = "NVIDIA Corporation"
@@ -105,7 +110,8 @@
         "version_match": release,
     },
     "extra_head": {
-        """
+        f"""
+    <meta name="build-timestamp" content="{build_timestamp}">
     <script src="https://assets.adobedtm.com/5d4962a43b79/c1061d2c5e7b/launch-191c2462b890.min.js" ></script>
     """
     },