fix(ci): trust generated agentic CI PRs

andreatgretel · andreatgretel · commit 646c9a22f588 · 2026-05-13T16:45:57.000Z
Signed-off-by: Andre Manoel &lt;amanoel@nvidia.com&gt;
diff --git a/.github/workflows/dco-assistant.yml b/.github/workflows/dco-assistant.yml
@@ -25,8 +25,45 @@ jobs:
     if: github.repository_owner == 'NVIDIA-NeMo'
     runs-on: ubuntu-latest
     steps:
+      - name: Check trusted Agentic CI PR
+        id: trusted-agentic-ci
+        env:
+          GH_TOKEN: ${{ github.token }}
+          EVENT_NAME: ${{ github.event_name }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
+          PR_BODY: ${{ github.event.pull_request.body }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          REPO: ${{ github.repository }}
+        run: |
+          TRUSTED=false
+
+          if [ "$EVENT_NAME" = "issue_comment" ] && [ -n "$ISSUE_NUMBER" ]; then
+            PR_JSON=$(gh api "repos/${REPO}/pulls/${ISSUE_NUMBER}" 2>/dev/null || true)
+            if [ -n "$PR_JSON" ]; then
+              PR_AUTHOR=$(printf '%s' "$PR_JSON" | jq -r '.user.login')
+              HEAD_REPO=$(printf '%s' "$PR_JSON" | jq -r '.head.repo.full_name')
+              HEAD_REF=$(printf '%s' "$PR_JSON" | jq -r '.head.ref')
+              PR_BODY=$(printf '%s' "$PR_JSON" | jq -r '.body // ""')
+            fi
+          fi
+
+          printf '%s' "$PR_BODY" > /tmp/pr-body-raw.txt
+          # Commit authors can be spoofed; trust only PR metadata GitHub controls.
+          if { [ "$PR_AUTHOR" = "github-actions[bot]" ] || [ "$PR_AUTHOR" = "agentic-ci" ]; } && \
+             [ "$HEAD_REPO" = "$REPO" ] && \
+             [[ "$HEAD_REF" == agentic-ci/* ]] && \
+             grep -q '<!-- agentic-ci ' /tmp/pr-body-raw.txt; then
+            TRUSTED=true
+          fi
+
+          echo "trusted=${TRUSTED}" >> "$GITHUB_OUTPUT"
+
       - name: "DCO Assistant"
-        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the DCO document and I hereby sign the DCO.') || github.event_name == 'pull_request_target'
+        if: >-
+          steps.trusted-agentic-ci.outputs.trusted != 'true'
+          && ((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the DCO document and I hereby sign the DCO.') || github.event_name == 'pull_request_target')
         uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr-linked-issue.yml b/.github/workflows/pr-linked-issue.yml
@@ -36,9 +36,23 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
           PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
+          PR_BODY: ${{ github.event.pull_request.body }}
+          REPO: ${{ github.repository }}
         run: |
           USER="$PR_AUTHOR"
 
+          printf '%s' "$PR_BODY" > /tmp/pr-body-raw.txt
+          # Commit authors can be spoofed; trust only PR metadata GitHub controls.
+          if { [ "$USER" = "github-actions[bot]" ] || [ "$USER" = "agentic-ci" ]; } && \
+             [ "$HEAD_REPO" = "$REPO" ] && \
+             [[ "$HEAD_REF" == agentic-ci/* ]] && \
+             grep -q '<!-- agentic-ci ' /tmp/pr-body-raw.txt; then
+            echo "is_collaborator=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
           # Bots that are always allowed (match DCO allowlist pattern).
           if [ "$USER" = "dependabot[bot]" ]; then
             echo "is_collaborator=true" >> "$GITHUB_OUTPUT"
