diff --git a/.github/workflows/pr-author-org-check.yml b/.github/workflows/pr-author-org-check.yml
new file mode 100644
index 0000000000..96e5b8f9a1
--- /dev/null
+++ b/.github/workflows/pr-author-org-check.yml
@@ -0,0 +1,165 @@ +# SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. +# SPDX-License-Identifier: Apache-2.0 + +name: "CI: Check PR author signals for restricted paths" + +on: + # Label updates on fork PRs require pull_request_target permissions. + # TODO BEFORE MERGING: change to pull_request_target + pull_request: + types: + - opened + - synchronize + - reopened + - ready_for_review + +jobs: + check-author-org: + name: PR author signals recorded for restricted paths + if: github.repository_owner == 'NVIDIA' + runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: read + steps: + - name: Inspect PR author signals for restricted paths + env: + # PR metadata inputs + AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association || 'NONE' }} + EXISTING_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }} + PR_AUTHOR: ${{ github.event.pull_request.user.login }} + PR_NUMBER: ${{ github.event.pull_request.number }} + PR_URL: ${{ github.event.pull_request.html_url }} + + # Workflow policy inputs + REVIEW_LABEL: Check-PR-author-ORG + + # Checked-in allowlist inputs + INTERNAL_AUTHOR_ALLOWLIST: | + rwgk + + # API request context/auth + GH_TOKEN: ${{ github.token }} + REPO: ${{ github.repository }} + run: | + set -euo pipefail + + if ! MATCHING_RESTRICTED_PATHS=$( + gh api \ + --paginate \ + --jq ' + .[] + | select( + (.filename | startswith("cuda_bindings/")) + or ((.previous_filename // "") | startswith("cuda_bindings/")) + or (.filename | startswith("cuda_python/")) + or ((.previous_filename // "") | startswith("cuda_python/")) + ) + | if (.previous_filename // "") != "" then + "\(.previous_filename) -> \(.filename)" + else + .filename + end + ' \ + "repos/$REPO/pulls/$PR_NUMBER/files" + ); then + echo "::error::Failed to inspect the PR file list." + { + echo "## PR Author Organization Check Failed" + echo "" + echo "- **Error**: Failed to inspect the PR file list." 
+ echo "- **Author**: $PR_AUTHOR" + echo "- **Author association**: $AUTHOR_ASSOCIATION" + echo "" + echo "Please update the PR at: $PR_URL" + } >> "$GITHUB_STEP_SUMMARY" + exit 1 + fi + + TOUCHES_RESTRICTED_PATHS=false + if [ -n "$MATCHING_RESTRICTED_PATHS" ]; then + TOUCHES_RESTRICTED_PATHS=true + fi + + write_matching_restricted_paths() { + echo "- **Matched restricted paths**:" + echo '```text' + printf '%s\n' "$MATCHING_RESTRICTED_PATHS" + echo '```' + } + + HAS_TRUSTED_SIGNAL=false + ALLOWLIST_CHECK="not needed (no restricted paths)" + LABEL_ACTION="not needed (no restricted paths)" + TRUSTED_SIGNALS="(none)" + PR_AUTHOR_CANONICAL=${PR_AUTHOR,,} + + if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then + case "$AUTHOR_ASSOCIATION" in + MEMBER|OWNER) + HAS_TRUSTED_SIGNAL=true + ALLOWLIST_CHECK="skipped (author association is a trusted signal)" + LABEL_ACTION="not needed (author association is a trusted signal)" + TRUSTED_SIGNALS="author_association:$AUTHOR_ASSOCIATION" + ;; + esac + + if [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then + if printf '%s\n' "$INTERNAL_AUTHOR_ALLOWLIST" | tr '[:upper:]' '[:lower:]' | grep -Fxq "$PR_AUTHOR_CANONICAL"; then + HAS_TRUSTED_SIGNAL=true + ALLOWLIST_CHECK="matched ($PR_AUTHOR_CANONICAL)" + LABEL_ACTION="not needed (workflow allowlist is a trusted signal)" + TRUSTED_SIGNALS="workflow_allowlist:$PR_AUTHOR_CANONICAL" + else + ALLOWLIST_CHECK="not matched ($PR_AUTHOR_CANONICAL)" + fi + fi + fi + + LABEL_ALREADY_PRESENT=false + if jq -e --arg label "$REVIEW_LABEL" '.[] == $label' <<<"$EXISTING_LABELS" >/dev/null; then + LABEL_ALREADY_PRESENT=true + fi + + if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ] && [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then + if [ "$LABEL_ALREADY_PRESENT" = "true" ]; then + LABEL_ACTION="already present" + elif ! gh issue edit "$PR_NUMBER" --repo "$REPO" --add-label "$REVIEW_LABEL"; then + echo "::error::Failed to add the $REVIEW_LABEL label." 
+ { + echo "## PR Author Organization Check Failed" + echo "" + echo "- **Error**: Failed to add the \`$REVIEW_LABEL\` label." + echo "- **Author**: $PR_AUTHOR" + echo "- **Author association**: $AUTHOR_ASSOCIATION" + echo "- **Allowlist check**: $ALLOWLIST_CHECK" + echo "" + write_matching_restricted_paths + echo "" + echo "Please update the PR at: $PR_URL" + } >> "$GITHUB_STEP_SUMMARY" + exit 1 + else + LABEL_ACTION="added" + fi + fi + + { + echo "## PR Author Organization Check Completed" + echo "" + echo "- **Author**: $PR_AUTHOR" + echo "- **Author association**: $AUTHOR_ASSOCIATION" + echo "- **Touches restricted paths**: $TOUCHES_RESTRICTED_PATHS" + echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`" + echo "- **Allowlist check**: $ALLOWLIST_CHECK" + echo "- **Trusted signals**: $TRUSTED_SIGNALS" + echo "- **Label action**: $LABEL_ACTION" + if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then + echo "" + write_matching_restricted_paths + fi + if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ] && [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then + echo "" + echo "- **Manual follow-up**: No trusted signal was found, so \`$REVIEW_LABEL\` is required." + fi + } >> "$GITHUB_STEP_SUMMARY" diff --git a/cuda_bindings/pyproject.toml b/cuda_bindings/pyproject.toml index f4866fc4f8..b53ed6d075 100644 --- a/cuda_bindings/pyproject.toml +++ b/cuda_bindings/pyproject.toml @@ -1,5 +1,6 @@ # SPDX-FileCopyrightText: Copyright (c) 2023-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: LicenseRef-NVIDIA-SOFTWARE-LICENSE +# XXX DUMMY CHANGE XXX [build-system] requires = [ "setuptools>=80.0.0",
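Review bot: The label-presence test `jq -e --arg label "$REVIEW_LABEL" '.[] == $label'` is wrong whenever the review label is not the last label on the PR: `jq -e` takes its exit status from the last value it emits, so labels `["Check-PR-author-ORG","bug"]` end on `false`, LABEL_ALREADY_PRESENT stays false and the summary reports "added" on every synchronize (the `gh issue edit --add-label` call itself is idempotent, so only the reporting is off); use `any(.[]; . == $label)` instead. Separately, INTERNAL_AUTHOR_ALLOWLIST keys trust on a login, and GitHub logins can be renamed and the old name re-registered by another account, so consider matching on `github.event.pull_request.user.id` (numeric and stable) rather than `user.login`, or at least record that caveat next to the list. Once the TODO flips the trigger to `pull_request_target`, this job runs with an `issues: write` token on fork PRs, and it stays safe only because it never checks out or executes PR content and routes every PR-controlled value (author, URL, labels, file names) through `env:` rather than `${{ }}` interpolation inside `run:`. That invariant is worth stating at the top of the job, e.g. `# SECURITY: runs under pull_request_target with a write token — never add actions/checkout of the PR head or interpolate PR data into run:`, so a later edit does not quietly break it.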