docs: refresh top-models telemetry figure and add uv generator #93
# Authorize Agentic CI
#
# Trigger: a newly created comment whose body is exactly "/authorize-agentic-ci"
# on a pull request. The single job verifies, in order, that (1) the commenter
# has write access, (2) the PR is a bot-created Agentic CI PR whose head branch
# lives in this repository, (3) no commit / force-push / head-ref event was
# recorded on the PR after the authorizing comment, and (4) the PR does not
# touch .github/. Only then are ci.yml and agentic-ci-authorized-checks.yml
# dispatched on the PR's head branch with the authorized head SHA.
name: "Authorize Agentic CI"
on:
  issue_comment:
    types: [created]

# Least-privilege token for this run: `actions: write` is what the
# `gh workflow run` dispatches below rely on, `issues: write` is for the status
# comments, and repository contents / PR data stay read-only.
permissions:
  actions: write
  contents: read
  issues: write
  pull-requests: read

defaults:
  run:
    shell: bash

# One authorization run per PR number at a time; a second
# "/authorize-agentic-ci" comment queues behind a run already in flight
# instead of cancelling it.
concurrency:
  group: authorize-agentic-ci-${{ github.event.issue.number }}
  cancel-in-progress: false

jobs:
  authorize:
    # Event-level gate: only this org, only comments on pull requests (issue
    # payloads that carry a pull_request key), and only the exact command
    # string — no prefix or substring matching.
    if: >-
      github.repository_owner == 'NVIDIA-NeMo'
      && github.event.issue.pull_request != null
      && github.event.comment.body == '/authorize-agentic-ci'
    runs-on: ubuntu-latest
    steps:
      # Gate 1: the commenter must have write (or higher) access. Event fields
      # reach the script through env variables rather than being templated
      # into the `run:` body.
      - name: Check commenter permission
        env:
          GH_TOKEN: ${{ github.token }}
          COMMENT_AUTHOR: ${{ github.event.comment.user.login }}
          PR_NUMBER: ${{ github.event.issue.number }}
          REPO: ${{ github.repository }}
        run: |
          # An API error (or a user the endpoint does not know) yields "none",
          # which the case statement below rejects — there is no fail-open path.
          PERMISSION=$(gh api "repos/${REPO}/collaborators/${COMMENT_AUTHOR}/permission" \
            --jq '.permission' 2>/dev/null || echo "none")
          echo "Comment author ${COMMENT_AUTHOR} has ${PERMISSION} permission."
          # NOTE(review): this endpoint's `permission` field is one of
          # admin/write/read/none; the "maintain" role is reported via role_name
          # and surfaces here as write, so the extra pattern is harmless — confirm
          # if anything starts relying on it.
          case "$PERMISSION" in
            admin|maintain|write)
              ;;
            *)
              gh api --method POST "repos/${REPO}/issues/${PR_NUMBER}/comments" \
                -f body="Only maintainers with write access can authorize Agentic CI checks." >/dev/null || \
                echo "::warning::Unable to post permission failure comment."
              exit 1
              ;;
          esac

      # Gate 2: decide whether this is a genuine Agentic CI PR, using only
      # fields GitHub itself controls (PR author, head repo, head ref, body).
      # The head SHA captured here is the commit that ends up authorized.
      - name: Load PR metadata
        id: pr
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.issue.number }}
          REPO: ${{ github.repository }}
        run: |
          PR_JSON=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}")
          PR_AUTHOR=$(printf '%s' "$PR_JSON" | jq -r '.user.login')
          HEAD_REPO=$(printf '%s' "$PR_JSON" | jq -r '.head.repo.full_name')
          HEAD_REF=$(printf '%s' "$PR_JSON" | jq -r '.head.ref')
          HEAD_SHA=$(printf '%s' "$PR_JSON" | jq -r '.head.sha')
          STATE=$(printf '%s' "$PR_JSON" | jq -r '.state')
          PR_BODY=$(printf '%s' "$PR_JSON" | jq -r '.body // ""')
          TRUSTED=false
          # The body is matched from a file, so its content is only ever data
          # handed to grep and never part of a command line.
          printf '%s' "$PR_BODY" > /tmp/pr-body-raw.txt
          # Commit authors can be spoofed; trust only PR metadata GitHub controls.
          # All four conditions must hold: opened by the Actions bot, head branch
          # in this repository (not a fork), branch name under agentic-ci/, and a
          # body containing the `<!-- agentic-ci finding=... suite=... -->` marker.
          if [ "$PR_AUTHOR" = "github-actions[bot]" ] && \
             [ "$HEAD_REPO" = "$REPO" ] && \
             [[ "$HEAD_REF" == agentic-ci/* ]] && \
             grep -Eq '<!-- agentic-ci finding=[^[:space:]]+ suite=[^[:space:]]+ -->' /tmp/pr-body-raw.txt; then
            TRUSTED=true
          fi
          # Step outputs consumed by the validation and dispatch steps below.
          echo "author=${PR_AUTHOR}" >> "$GITHUB_OUTPUT"
          echo "head_ref=${HEAD_REF}" >> "$GITHUB_OUTPUT"
          echo "head_sha=${HEAD_SHA}" >> "$GITHUB_OUTPUT"
          echo "state=${STATE}" >> "$GITHUB_OUTPUT"
          echo "trusted=${TRUSTED}" >> "$GITHUB_OUTPUT"

      # Gate 3: the PR must be open and trusted, the authorizing comment must be
      # present in the timeline with no head-changing event after it, and the
      # PR must not modify .github/. Every rejection posts a comment and exits 1.
      - name: Validate Agentic CI PR
        env:
          COMMENT_ID: ${{ github.event.comment.id }}
          GH_TOKEN: ${{ github.token }}
          HEAD_SHA: ${{ steps.pr.outputs.head_sha }}
          PR_NUMBER: ${{ github.event.issue.number }}
          REPO: ${{ github.repository }}
          STATE: ${{ steps.pr.outputs.state }}
          TRUSTED: ${{ steps.pr.outputs.trusted }}
        run: |
          # Post a short plain-text status comment on the PR (best effort:
          # a failed POST only emits a workflow warning).
          comment() {
            gh api --method POST "repos/${REPO}/issues/${PR_NUMBER}/comments" \
              -f body="$1" >/dev/null || \
              echo "::warning::Unable to post authorization failure comment."
          }
          # Post a markdown file as the comment body. jq builds the JSON payload
          # from the file, so backticks, SHAs and file names in the body are sent
          # as literal text. (`tmp` is not declared local; the RETURN trap
          # removes the temp file when the function returns.)
          comment_file() {
            tmp=$(mktemp)
            trap 'rm -f "$tmp"' RETURN
            jq -n --rawfile body "$1" '{body: $body}' > "$tmp"
            gh api --method POST "repos/${REPO}/issues/${PR_NUMBER}/comments" \
              --input "$tmp" >/dev/null || \
              echo "::warning::Unable to post authorization failure comment."
          }
          if [ "$STATE" != "open" ]; then
            comment "Agentic CI checks were not authorized because this PR is not open."
            exit 1
          fi
          if [ "$TRUSTED" != "true" ]; then
            comment "Agentic CI checks were not authorized because this PR does not match the trusted Agentic CI metadata."
            exit 1
          fi
          if [ -z "$COMMENT_ID" ]; then
            comment "Agentic CI checks were not authorized because the authorization comment ID was missing."
            exit 1
          fi
          # Locate the authorizing comment in the PR timeline, which is also the
          # ordered record used for the stale-head check below. Three attempts
          # with a short sleep, presumably to tolerate timeline propagation lag.
          # Each timeline row is "<event>\t<id-or-sha>".
          COMMENT_FOUND=false
          for ATTEMPT in 1 2 3; do
            gh api --paginate "repos/${REPO}/issues/${PR_NUMBER}/timeline?per_page=100" \
              -H "Accept: application/vnd.github+json" \
              --jq '.[] | [.event, ((.id // .sha // "") | tostring)] | @tsv' > /tmp/pr-timeline.tsv
            if awk -F '\t' -v comment_id="$COMMENT_ID" '
              $1 == "commented" && $2 == comment_id { found = 1 }
              END { exit found ? 0 : 1 }
            ' /tmp/pr-timeline.tsv; then
              COMMENT_FOUND=true
              break
            fi
            sleep 2
          done
          if [ "$COMMENT_FOUND" != "true" ]; then
            comment "Agentic CI checks were not authorized because the authorization comment was not found in the PR timeline."
            exit 1
          fi
          # Bind the approval to the head the maintainer actually reviewed: the
          # first commit, force-push, or head-ref delete/restore event recorded
          # after the authorizing comment invalidates it, and the maintainer has
          # to re-approve the new head explicitly.
          HEAD_EVENT_AFTER_COMMENT=$(awk -F '\t' -v comment_id="$COMMENT_ID" '
            $1 == "commented" && $2 == comment_id { seen_comment = 1; next }
            seen_comment && ($1 == "committed" || $1 == "head_ref_force_pushed" || $1 == "head_ref_deleted" || $1 == "head_ref_restored") {
              print $1 " " $2
              exit
            }
          ' /tmp/pr-timeline.tsv)
          if [ -n "$HEAD_EVENT_AFTER_COMMENT" ]; then
            {
              echo "Agentic CI checks were not authorized because the PR head changed after the authorization comment."
              echo
              echo "Latest PR head: \`${HEAD_SHA}\`"
              echo "Detected update: \`${HEAD_EVENT_AFTER_COMMENT}\`"
              echo
              echo "Please review the latest commit and comment \`/authorize-agentic-ci\` again."
            } > /tmp/agentic-ci-auth-stale.md
            comment_file /tmp/agentic-ci-auth-stale.md
            exit 1
          fi
          # A workflow dispatched with --ref executes the workflow definition at
          # that ref, so a PR that edits anything under .github/ could change the
          # very checks being authorized; such PRs are refused outright and the
          # offending paths are listed in the comment.
          BLOCKED=$(gh pr diff "$PR_NUMBER" --repo "$REPO" --name-only \
            | grep -E '^\.github/' || true)
          if [ -n "$BLOCKED" ]; then
            {
              echo "Agentic CI checks were not authorized because this PR changes privileged repository files:"
              echo
              printf '%s\n' "$BLOCKED" | sed 's/^/- `/' | sed 's/$/`/'
            } > /tmp/agentic-ci-auth-failed.md
            comment_file /tmp/agentic-ci-auth-failed.md
            exit 1
          fi
          echo "Authorizing checks for ${HEAD_SHA}."

      # All gates passed: dispatch the checks on the PR head branch. Both
      # workflows receive expected_head_sha so they can verify they are running
      # the commit that was authorized rather than whatever the branch tip is at
      # dispatch time.
      # NOTE(review): the branch can still move between the timeline check above
      # and this dispatch; the expected_head_sha comparison inside ci.yml and
      # agentic-ci-authorized-checks.yml (outside this file) is what closes that
      # window — confirm both workflows enforce it before running anything.
      - name: Dispatch checks
        env:
          GH_TOKEN: ${{ github.token }}
          HEAD_REF: ${{ steps.pr.outputs.head_ref }}
          HEAD_SHA: ${{ steps.pr.outputs.head_sha }}
          PR_NUMBER: ${{ github.event.issue.number }}
          REPO: ${{ github.repository }}
        run: |
          gh workflow run ci.yml --repo "$REPO" --ref "$HEAD_REF" \
            -f expected_head_sha="$HEAD_SHA"
          gh workflow run agentic-ci-authorized-checks.yml --repo "$REPO" --ref "$HEAD_REF" \
            -f pr_number="$PR_NUMBER" \
            -f expected_head_sha="$HEAD_SHA"
          # Confirmation comment is best effort, like the failure comments above.
          gh api --method POST "repos/${REPO}/issues/${PR_NUMBER}/comments" \
            -f body="Authorized Agentic CI checks for \`${HEAD_SHA}\`. Launched CI and authorization checks." >/dev/null || \
            echo "::warning::Unable to post authorization confirmation comment."