feat: enable bounded-borrow task admission #4064
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "DCO Assistant" | |
| on: | |
| issue_comment: | |
| types: [created] | |
| pull_request_target: | |
| types: [opened,closed,synchronize] | |
| permissions: | |
| actions: write | |
| checks: none | |
| contents: write | |
| deployments: none | |
| id-token: none | |
| issues: none | |
| discussions: none | |
| packages: none | |
| pages: none | |
| pull-requests: write | |
| repository-projects: none | |
| security-events: none | |
| statuses: write | |
| jobs: | |
| DCOAssistant: | |
| if: github.repository_owner == 'NVIDIA-NeMo' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check trusted Agentic CI PR | |
| id: trusted-agentic-ci | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| EVENT_NAME: ${{ github.event_name }} | |
| PR_AUTHOR: ${{ github.event.pull_request.user.login }} | |
| HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }} | |
| HEAD_REF: ${{ github.event.pull_request.head.ref }} | |
| PR_BODY: ${{ github.event.pull_request.body }} | |
| ISSUE_NUMBER: ${{ github.event.issue.number }} | |
| REPO: ${{ github.repository }} | |
| run: | | |
| TRUSTED=false | |
| if [ "$EVENT_NAME" = "issue_comment" ] && [ -n "$ISSUE_NUMBER" ]; then | |
| PR_JSON=$(gh api "repos/${REPO}/pulls/${ISSUE_NUMBER}" 2>/dev/null || true) | |
| if [ -n "$PR_JSON" ]; then | |
| PR_AUTHOR=$(printf '%s' "$PR_JSON" | jq -r '.user.login') | |
| HEAD_REPO=$(printf '%s' "$PR_JSON" | jq -r '.head.repo.full_name') | |
| HEAD_REF=$(printf '%s' "$PR_JSON" | jq -r '.head.ref') | |
| PR_BODY=$(printf '%s' "$PR_JSON" | jq -r '.body // ""') | |
| fi | |
| fi | |
| printf '%s' "$PR_BODY" > /tmp/pr-body-raw.txt | |
| # Commit authors can be spoofed; trust only PR metadata GitHub controls. | |
| if [ "$PR_AUTHOR" = "github-actions[bot]" ] && \ | |
| [ "$HEAD_REPO" = "$REPO" ] && \ | |
| [[ "$HEAD_REF" == agentic-ci/* ]] && \ | |
| grep -Eq '<!-- agentic-ci finding=[^[:space:]]+ suite=[^[:space:]]+ -->' /tmp/pr-body-raw.txt; then | |
| TRUSTED=true | |
| fi | |
| echo "trusted=${TRUSTED}" >> "$GITHUB_OUTPUT" | |
| - name: "DCO Assistant" | |
| if: >- | |
| steps.trusted-agentic-ci.outputs.trusted != 'true' | |
| && ((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the DCO document and I hereby sign the DCO.') || github.event_name == 'pull_request_target') | |
| uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PERSONAL_ACCESS_TOKEN: ${{ secrets.DCO_ASSISTANT_TOKEN }} | |
| with: | |
| path-to-signatures: "dco-signatures.json" | |
| path-to-document: 'https://github.com/NVIDIA-NeMo/DataDesigner/blob/main/DCO' | |
| branch: 'signatures' | |
| allowlist: dependabot[bot] | |
| create-file-commit-message: "chore: create file to store dco signatures" | |
| signed-commit-message: "chore: $contributorName has signed the dco in #$pullRequestNo" | |
| custom-notsigned-prcomment: "Thank you for your submission! We ask that $you sign our [Developer Certificate of Origin](https://github.com/NVIDIA-NeMo/DataDesigner/blob/main/DCO) before we can accept your contribution. You can sign the DCO by adding a comment below using this text:" | |
| custom-pr-sign-comment: "I have read the DCO document and I hereby sign the DCO." | |
| lock-pullrequest-aftermerge: false | |
| use-dco-flag: true |