NVIDIA
diff --git a/‎.github/actionlint.yaml‎
Lines changed: 9 additions & 0 deletions b/‎.github/actionlint.yaml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/labeler.yml‎
Lines changed: 24 additions & 0 deletions b/‎.github/labeler.yml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 39 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎.github/workflows/pr-auto-label.yml‎
Lines changed: 23 additions & 0 deletions b/‎.github/workflows/pr-auto-label.yml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎.github/workflows/restricted-paths-guard.yml‎
Lines changed: 54 additions & 10 deletions b/‎.github/workflows/restricted-paths-guard.yml‎
Lines changed: 54 additions & 10 deletions
diff --git a/‎.github/workflows/test-sdist-linux.yml‎
Lines changed: 106 additions & 0 deletions b/‎.github/workflows/test-sdist-linux.yml‎
Lines changed: 106 additions & 0 deletions
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Self-hosted runner labels used in CI workflows.
+# Without this config, actionlint rejects non-GitHub-hosted labels.
+self-hosted-runner:
+  labels:
+    - linux-amd64-cpu8
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Configuration for https://github.com/actions/labeler
+# Auto-applies labels based on which files a PR changes.
+
+cuda.bindings:
+  - changed-files:
+    - any-glob-to-any-file: 'cuda_bindings/**'
+
+cuda.core:
+  - changed-files:
+    - any-glob-to-any-file: 'cuda_core/**'
+
+cuda.pathfinder:
+  - changed-files:
+    - any-glob-to-any-file: 'cuda_pathfinder/**'
+
+CI/CD:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '.github/**'
+      - 'ci/**'
@@ -286,6 +286,37 @@ jobs:
       cuda-version: ${{ needs.ci-vars.outputs.CUDA_BUILD_VER }}
       prev-cuda-version: ${{ needs.ci-vars.outputs.CUDA_PREV_BUILD_VER }}
 
+  # NOTE: test-sdist jobs are split by platform (mirroring build-* and test-wheel-*)
+  # so platform-specific sources (e.g. cuda_bindings/*_windows.pyx selected by
+  # build_hooks.py) are exercised on their target OS. Keep these job definitions
+  # textually identical except for:
+  #   - host-platform value
+  #   - uses: (test-sdist-linux.yml vs test-sdist-windows.yml)
+  test-sdist-linux:
+    needs:
+      - ci-vars
+      - should-skip
+    name: Test sdist linux-64
+    if: ${{ github.repository_owner == 'nvidia' && !fromJSON(needs.should-skip.outputs.skip) && !fromJSON(needs.should-skip.outputs.doc-only) }}
+    secrets: inherit
+    uses: ./.github/workflows/test-sdist-linux.yml
+    with:
+      host-platform: linux-64
+      cuda-version: ${{ needs.ci-vars.outputs.CUDA_BUILD_VER }}
+
+  # See test-sdist-linux for why sdist test jobs are split by platform.
+  test-sdist-windows:
+    needs:
+      - ci-vars
+      - should-skip
+    name: Test sdist win-64
+    if: ${{ github.repository_owner == 'nvidia' && !fromJSON(needs.should-skip.outputs.skip) && !fromJSON(needs.should-skip.outputs.doc-only) }}
+    secrets: inherit
+    uses: ./.github/workflows/test-sdist-windows.yml
+    with:
+      host-platform: win-64
+      cuda-version: ${{ needs.ci-vars.outputs.CUDA_BUILD_VER }}
+
   # NOTE: Test jobs are split by platform for the same reason as build jobs (see
   # build-linux-64). Keep these job definitions textually identical except for:
   #   - host-platform value
@@ -388,6 +419,8 @@ jobs:
     needs:
       - should-skip
       - detect-changes
+      - test-sdist-linux
+      - test-sdist-windows
       - test-linux-64
       - test-linux-aarch64
       - test-windows
@@ -427,6 +460,12 @@ jobs:
           if ${{ needs.doc.result == 'cancelled' || needs.doc.result == 'failure' }}; then
             exit 1
           fi
+          if ${{ needs.test-sdist-linux.result == 'cancelled' ||
+                 needs.test-sdist-linux.result == 'failure' ||
+                 needs.test-sdist-windows.result == 'cancelled' ||
+                 needs.test-sdist-windows.result == 'failure' }}; then
+            exit 1
+          fi
           if [[ "${doc_only}" != "true" ]]; then
             if ${{ needs.test-linux-64.result == 'cancelled' ||
                    needs.test-linux-64.result == 'failure' ||
 
@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: "CI: Auto-label PRs by path"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+
+jobs:
+  auto-label:
+    name: Auto-label by changed paths
+    if: github.repository_owner == 'NVIDIA'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Apply labels
+        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b  # v6.0.1
@@ -19,12 +19,13 @@ jobs:
     if: github.repository_owner == 'NVIDIA'
     runs-on: ubuntu-latest
     permissions:
+      contents: write # needed for collaborator permission check
       pull-requests: write
     steps:
       - name: Inspect PR author signals for restricted paths
         env:
-          # PR metadata inputs
-          AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association || 'NONE' }}
+          # PR metadata inputs (author_association from event payload is
+          # unreliable for fork PRs, so we query the collaborator API directly)
           PR_AUTHOR: ${{ github.event.pull_request.user.login }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           PR_URL: ${{ github.event.pull_request.html_url }}
@@ -38,6 +39,9 @@ jobs:
         run: |
           set -euo pipefail
 
+          COLLABORATOR_PERMISSION="not checked"
+          COLLABORATOR_PERMISSION_API_ERROR=""
+
           if ! MATCHING_RESTRICTED_PATHS=$(
             gh api \
               --paginate \
@@ -63,7 +67,7 @@ jobs:
               echo ""
               echo "- **Error**: Failed to inspect the PR file list."
               echo "- **Author**: $PR_AUTHOR"
-              echo "- **Author association**: $AUTHOR_ASSOCIATION"
+              echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
               echo ""
               echo "Please update the PR at: $PR_URL"
             } >> "$GITHUB_STEP_SUMMARY"
@@ -83,7 +87,7 @@ jobs:
               echo ""
               echo "- **Error**: Failed to inspect the current PR labels."
               echo "- **Author**: $PR_AUTHOR"
-              echo "- **Author association**: $AUTHOR_ASSOCIATION"
+              echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
               echo ""
               echo "Please update the PR at: $PR_URL"
             } >> "$GITHUB_STEP_SUMMARY"
@@ -102,16 +106,56 @@ jobs:
             echo '```'
           }
 
+          write_collaborator_permission_api_error() {
+            echo "- **Collaborator permission API error**:"
+            echo '```text'
+            printf '%s\n' "$COLLABORATOR_PERMISSION_API_ERROR"
+            echo '```'
+          }
+
           HAS_TRUSTED_SIGNAL=false
           LABEL_ACTION="not needed (no restricted paths)"
           TRUSTED_SIGNALS="(none)"
 
           if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
-            case "$AUTHOR_ASSOCIATION" in
-              COLLABORATOR|MEMBER|OWNER)
+            # Distinguish a legitimate 404 "not a collaborator" response from
+            # actual API failures. The former is an expected untrusted case;
+            # the latter fails the workflow so it can be rerun later.
+            if COLLABORATOR_PERMISSION_RESPONSE=$(
+              gh api "repos/$REPO/collaborators/$PR_AUTHOR/permission" \
+                --jq '.permission' 2>&1
+            ); then
+              COLLABORATOR_PERMISSION="$COLLABORATOR_PERMISSION_RESPONSE"
+            elif [[ "$COLLABORATOR_PERMISSION_RESPONSE" == *"(HTTP 404)"* ]]; then
+              COLLABORATOR_PERMISSION="none"
+            else
+              COLLABORATOR_PERMISSION="unknown"
+              COLLABORATOR_PERMISSION_API_ERROR="$COLLABORATOR_PERMISSION_RESPONSE"
+              echo "::error::Failed to inspect collaborator permission for $PR_AUTHOR."
+              {
+                echo "## Restricted Paths Guard Failed"
+                echo ""
+                echo "- **Error**: Failed to inspect collaborator permission."
+                echo "- **Author**: $PR_AUTHOR"
+                echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
+                echo ""
+                write_matching_restricted_paths
+                echo ""
+                write_collaborator_permission_api_error
+                echo ""
+                echo "Please retry this workflow. If the failure persists, inspect the collaborator permission API error above."
+              } >> "$GITHUB_STEP_SUMMARY"
+              exit 1
+            fi
+
+            case "$COLLABORATOR_PERMISSION" in
+              admin|maintain|write)
                 HAS_TRUSTED_SIGNAL=true
-                LABEL_ACTION="not needed (author association is a trusted signal)"
-                TRUSTED_SIGNALS="author_association:$AUTHOR_ASSOCIATION"
+                LABEL_ACTION="not needed (collaborator permission is a trusted signal)"
+                TRUSTED_SIGNALS="collaborator_permission:$COLLABORATOR_PERMISSION"
+                ;;
+              *)
+                # triage, read, or none: not a trusted signal
                 ;;
             esac
           fi
@@ -136,7 +180,7 @@ jobs:
                 echo ""
                 echo "- **Error**: Failed to add the \`$REVIEW_LABEL\` label."
                 echo "- **Author**: $PR_AUTHOR"
-                echo "- **Author association**: $AUTHOR_ASSOCIATION"
+                echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
                 echo ""
                 write_matching_restricted_paths
                 echo ""
@@ -154,7 +198,7 @@ jobs:
             echo "## Restricted Paths Guard Completed"
             echo ""
             echo "- **Author**: $PR_AUTHOR"
-            echo "- **Author association**: $AUTHOR_ASSOCIATION"
+            echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
             echo "- **Touches restricted paths**: $TOUCHES_RESTRICTED_PATHS"
             echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
             echo "- **Trusted signals**: $TRUSTED_SIGNALS"
 
@@ -0,0 +1,106 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+on:
+  workflow_call:
+    inputs:
+      host-platform:
+        required: true
+        type: string
+      cuda-version:
+        required: true
+        type: string
+
+defaults:
+  run:
+    shell: bash --noprofile --norc -xeuo pipefail {0}
+
+permissions:
+  contents: read  # This is required for actions/checkout
+
+jobs:
+  test-sdist:
+    name: Test sdist builds
+    runs-on: linux-amd64-cpu8
+    steps:
+      - name: Checkout ${{ github.event.repository.name }}
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: "3.12"
+
+      - name: Install build tools
+        run: pip install build
+
+      # Pure Python packages -- no CTK needed.
+      - name: Build cuda.pathfinder sdist and wheel-from-sdist
+        run: |
+          python -m build --sdist cuda_pathfinder/
+          pip wheel --no-deps --wheel-dir cuda_pathfinder/dist cuda_pathfinder/dist/*.tar.gz
+
+      - name: Build cuda-python sdist and wheel-from-sdist
+        run: |
+          python -m build --sdist cuda_python/
+          pip wheel --no-deps --wheel-dir cuda_python/dist cuda_python/dist/*.tar.gz
+
+      # Cython packages need CTK + sccache.
+      # The env vars ACTIONS_CACHE_SERVICE_V2, ACTIONS_RESULTS_URL, and ACTIONS_RUNTIME_TOKEN
+      # are exposed by this action.
+      - name: Enable sccache
+        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # 0.0.9
+        with:
+          disable_annotations: 'true'
+
+      # xref: https://github.com/orgs/community/discussions/42856#discussioncomment-7678867
+      - name: Adding additional GHA cache-related env vars
+        uses: actions/github-script@v8
+        with:
+          script: |
+            core.exportVariable('ACTIONS_CACHE_URL', process.env['ACTIONS_CACHE_URL'])
+            core.exportVariable('ACTIONS_RUNTIME_URL', process.env['ACTIONS_RUNTIME_URL'])
+
+      - name: Setup proxy cache
+        uses: nv-gha-runners/setup-proxy-cache@main
+        continue-on-error: true
+        with:
+          enable-apt: true
+
+      - name: Set up mini CTK
+        uses: ./.github/actions/fetch_ctk
+        continue-on-error: false
+        with:
+          host-platform: ${{ inputs.host-platform }}
+          cuda-version: ${{ inputs.cuda-version }}
+
+      # cuda_bindings/setup.py parses CUDA headers at import time, so CUDA_PATH
+      # (set by fetch_ctk) must be available for both sdist and wheel builds.
+      - name: Build cuda.bindings sdist and wheel-from-sdist
+        run: |
+          export CUDA_PYTHON_PARALLEL_LEVEL=$(nproc)
+          export CC="sccache cc"
+          export CXX="sccache c++"
+          export PIP_FIND_LINKS="$(pwd)/cuda_pathfinder/dist"
+          python -m build --sdist cuda_bindings/
+          pip wheel --no-deps --wheel-dir cuda_bindings/dist cuda_bindings/dist/*.tar.gz
+
+      # cuda_core sdist delegates to setuptools (no CTK needed), but
+      # wheel-from-sdist needs CTK and cuda-bindings (dynamic build dep via
+      # get_requires_for_build_wheel in build_hooks.py).
+      - name: Build cuda.core sdist and wheel-from-sdist
+        run: |
+          export CUDA_PYTHON_PARALLEL_LEVEL=$(nproc)
+          export CUDA_CORE_BUILD_MAJOR="$(echo '${{ inputs.cuda-version }}' | cut -d. -f1)"
+          export CC="sccache cc"
+          export CXX="sccache c++"
+          export PIP_FIND_LINKS="$(pwd)/cuda_bindings/dist $(pwd)/cuda_pathfinder/dist"
+          python -m build --sdist cuda_core/
+          pip wheel --no-deps --wheel-dir cuda_core/dist cuda_core/dist/*.tar.gz
+
+      - name: Show sccache stats
+        if: always()
+        run: sccache --show-stats