Merge branch 'main' into cuda-bindings-bench-more

Author: danielfrg

.github/workflows/restricted-paths-guard.yml

@@ -0,0 +1,173 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: "CI: Restricted Paths Guard"
+
+on:
+  # Run on drafts too so maintainers get early awareness on WIP PRs.
+  # Label updates on fork PRs require pull_request_target permissions.
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+
+jobs:
+  restricted-paths-guard:
+    name: Apply review label if needed
+    if: github.repository_owner == 'NVIDIA'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Inspect PR author signals for restricted paths
+        env:
+          # PR metadata inputs
+          AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association || 'NONE' }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+
+          # Workflow policy inputs
+          REVIEW_LABEL: Needs-Restricted-Paths-Review
+
+          # API request context/auth
+          GH_TOKEN: ${{ github.token }}
+          REPO: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+
+          if ! MATCHING_RESTRICTED_PATHS=$(
+            gh api \
+              --paginate \
+              --jq '
+                .[]
+                | select(
+                    (.filename | startswith("cuda_bindings/"))
+                    or ((.previous_filename // "") | startswith("cuda_bindings/"))
+                    or (.filename | startswith("cuda_python/"))
+                    or ((.previous_filename // "") | startswith("cuda_python/"))
+                  )
+                | if (.previous_filename // "") != "" then
+                    "\(.previous_filename) -> \(.filename)"
+                  else
+                    .filename
+                  end
+              ' \
+              "repos/$REPO/pulls/$PR_NUMBER/files"
+          ); then
+            echo "::error::Failed to inspect the PR file list."
+            {
+              echo "## Restricted Paths Guard Failed"
+              echo ""
+              echo "- **Error**: Failed to inspect the PR file list."
+              echo "- **Author**: $PR_AUTHOR"
+              echo "- **Author association**: $AUTHOR_ASSOCIATION"
+              echo ""
+              echo "Please update the PR at: $PR_URL"
+            } >> "$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+
+          # Fetch live PR labels to avoid stale event payload (race condition
+          # when labels are changed shortly before the workflow runs).
+          if ! LIVE_LABELS=$(
+            gh pr view "${PR_NUMBER}" --repo "${REPO}" \
+              --json labels \
+              --jq '[.labels[].name]'
+          ); then
+            echo "::error::Failed to inspect the current PR labels."
+            {
+              echo "## Restricted Paths Guard Failed"
+              echo ""
+              echo "- **Error**: Failed to inspect the current PR labels."
+              echo "- **Author**: $PR_AUTHOR"
+              echo "- **Author association**: $AUTHOR_ASSOCIATION"
+              echo ""
+              echo "Please update the PR at: $PR_URL"
+            } >> "$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+
+          TOUCHES_RESTRICTED_PATHS=false
+          if [ -n "$MATCHING_RESTRICTED_PATHS" ]; then
+            TOUCHES_RESTRICTED_PATHS=true
+          fi
+
+          write_matching_restricted_paths() {
+            echo "- **Matched restricted paths**:"
+            echo '```text'
+            printf '%s\n' "$MATCHING_RESTRICTED_PATHS"
+            echo '```'
+          }
+
+          HAS_TRUSTED_SIGNAL=false
+          LABEL_ACTION="not needed (no restricted paths)"
+          TRUSTED_SIGNALS="(none)"
+
+          if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
+            case "$AUTHOR_ASSOCIATION" in
+              COLLABORATOR|MEMBER|OWNER)
+                HAS_TRUSTED_SIGNAL=true
+                LABEL_ACTION="not needed (author association is a trusted signal)"
+                TRUSTED_SIGNALS="author_association:$AUTHOR_ASSOCIATION"
+                ;;
+            esac
+          fi
+
+          NEEDS_REVIEW_LABEL=false
+          if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ] && [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then
+            NEEDS_REVIEW_LABEL=true
+          fi
+
+          LABEL_ALREADY_PRESENT=false
+          if jq -e --arg label "$REVIEW_LABEL" '.[] == $label' <<<"$LIVE_LABELS" >/dev/null; then
+            LABEL_ALREADY_PRESENT=true
+          fi
+
+          if [ "$NEEDS_REVIEW_LABEL" = "true" ]; then
+            if [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
+              LABEL_ACTION="already present"
+            elif ! gh pr edit "$PR_NUMBER" --repo "$REPO" --add-label "$REVIEW_LABEL"; then
+              echo "::error::Failed to add the $REVIEW_LABEL label."
+              {
+                echo "## Restricted Paths Guard Failed"
+                echo ""
+                echo "- **Error**: Failed to add the \`$REVIEW_LABEL\` label."
+                echo "- **Author**: $PR_AUTHOR"
+                echo "- **Author association**: $AUTHOR_ASSOCIATION"
+                echo ""
+                write_matching_restricted_paths
+                echo ""
+                echo "Please update the PR at: $PR_URL"
+              } >> "$GITHUB_STEP_SUMMARY"
+              exit 1
+            else
+              LABEL_ACTION="added"
+            fi
+          elif [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
+            LABEL_ACTION="left in place (manual removal required)"
+          fi
+
+          {
+            echo "## Restricted Paths Guard Completed"
+            echo ""
+            echo "- **Author**: $PR_AUTHOR"
+            echo "- **Author association**: $AUTHOR_ASSOCIATION"
+            echo "- **Touches restricted paths**: $TOUCHES_RESTRICTED_PATHS"
+            echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
+            echo "- **Trusted signals**: $TRUSTED_SIGNALS"
+            echo "- **Label action**: $LABEL_ACTION"
+            if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
+              echo ""
+              write_matching_restricted_paths
+            fi
+            if [ "$NEEDS_REVIEW_LABEL" = "true" ]; then
+              echo ""
+              echo "- **Manual follow-up**: No trusted signal was found, so \`$REVIEW_LABEL\` is required."
+            elif [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
+              echo ""
+              echo "- **Manual follow-up**: Existing \`$REVIEW_LABEL\` was left in place intentionally because this workflow does not inspect every commit. Remove it manually after reviewing the PR for restricted-paths policy compliance."
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/test-wheel-linux.yml

@@ -267,7 +267,7 @@ jobs:
         run: |
           pip install pyperf
           pushd cuda_bindings/benchmarks
-          python run_pyperf.py --fast --loops 1 --min-time 1
+          python run_pyperf.py --fast --min-time 1
           popd
 
       - name: Run cuda.core tests

cuda_bindings/benchmarks/pixi.toml

@@ -55,7 +55,7 @@ source = { features = ["cu13", "cu13-source", "bench", "cpp-bench", "dev", "bind
 cmd = ["python", "$PIXI_PROJECT_ROOT/run_pyperf.py"]
 
 [target.linux.tasks.bench-smoke-test]
-cmd = ["python", "$PIXI_PROJECT_ROOT/run_pyperf.py", "--fast", "--loops", "1", "--min-time", "0"
+cmd = ["python", "$PIXI_PROJECT_ROOT/run_pyperf.py", "--fast", "--min-time", "1"
 ]
 
 [target.linux.tasks.bench-legacy]

cuda_bindings/cuda/bindings/_test_helpers/arch_check.py

@@ -8,6 +8,7 @@
 import pytest
 
 from cuda.bindings import nvml
+from cuda.bindings._internal.utils import FunctionNotFoundError as NvmlSymbolNotFoundError
 
 
 @cache
@@ -49,9 +50,10 @@ def unsupported_before(device: int, expected_device_arch: nvml.DeviceArch | str
 
         try:
             yield
-        except nvml.NotSupportedError:
-            # The API call raised NotSupportedError, so we skip the test, but
-            # don't fail it
+        except (nvml.NotSupportedError, nvml.FunctionNotFoundError, NvmlSymbolNotFoundError):
+            # The API call raised NotSupportedError, NVML status FunctionNotFoundError,
+            # or NvmlSymbolNotFoundError (symbol absent from the loaded NVML DLL), so we
+            # skip the test but don't fail it
             pytest.skip(
                 f"Unsupported call for device architecture {nvml.DeviceArch(device_arch).name} "
                 f"on device '{nvml.device_get_name(device)}'"

cuda_core/tests/system/test_system_device.py

@@ -586,7 +586,7 @@ def test_clock():
             with unsupported_before(device, DeviceArch.MAXWELL):
                 try:
                     offsets = clock.get_offsets(pstate)
-                except system.InvalidArgumentError:
+                except (system.InvalidArgumentError, system.NotFoundError):
                     pass
                 else:
                     assert isinstance(offsets, system.ClockOffsets)