forked from NVIDIA/cuda-python
-
Notifications
You must be signed in to change notification settings - Fork 0
173 lines (158 loc) · 6.62 KB
/
restricted-paths-guard.yml
File metadata and controls
173 lines (158 loc) · 6.62 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
name: "CI: Restricted Paths Guard"
on:
# Run on drafts too so maintainers get early awareness on WIP PRs.
# Label updates on fork PRs require pull_request_target permissions.
pull_request_target:
types:
- opened
- synchronize
- reopened
- ready_for_review
jobs:
restricted-paths-guard:
name: Apply review label if needed
if: github.repository_owner == 'NVIDIA'
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Inspect PR author signals for restricted paths
env:
# PR metadata inputs
AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association || 'NONE' }}
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_URL: ${{ github.event.pull_request.html_url }}
# Workflow policy inputs
REVIEW_LABEL: Needs-Restricted-Paths-Review
# API request context/auth
GH_TOKEN: ${{ github.token }}
REPO: ${{ github.repository }}
run: |
set -euo pipefail
if ! MATCHING_RESTRICTED_PATHS=$(
gh api \
--paginate \
--jq '
.[]
| select(
(.filename | startswith("cuda_bindings/"))
or ((.previous_filename // "") | startswith("cuda_bindings/"))
or (.filename | startswith("cuda_python/"))
or ((.previous_filename // "") | startswith("cuda_python/"))
)
| if (.previous_filename // "") != "" then
"\(.previous_filename) -> \(.filename)"
else
.filename
end
' \
"repos/$REPO/pulls/$PR_NUMBER/files"
); then
echo "::error::Failed to inspect the PR file list."
{
echo "## Restricted Paths Guard Failed"
echo ""
echo "- **Error**: Failed to inspect the PR file list."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
# Fetch live PR labels to avoid stale event payload (race condition
# when labels are changed shortly before the workflow runs).
if ! LIVE_LABELS=$(
gh pr view "${PR_NUMBER}" --repo "${REPO}" \
--json labels \
--jq '[.labels[].name]'
); then
echo "::error::Failed to inspect the current PR labels."
{
echo "## Restricted Paths Guard Failed"
echo ""
echo "- **Error**: Failed to inspect the current PR labels."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
TOUCHES_RESTRICTED_PATHS=false
if [ -n "$MATCHING_RESTRICTED_PATHS" ]; then
TOUCHES_RESTRICTED_PATHS=true
fi
write_matching_restricted_paths() {
echo "- **Matched restricted paths**:"
echo '```text'
printf '%s\n' "$MATCHING_RESTRICTED_PATHS"
echo '```'
}
HAS_TRUSTED_SIGNAL=false
LABEL_ACTION="not needed (no restricted paths)"
TRUSTED_SIGNALS="(none)"
if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
case "$AUTHOR_ASSOCIATION" in
COLLABORATOR|MEMBER|OWNER)
HAS_TRUSTED_SIGNAL=true
LABEL_ACTION="not needed (author association is a trusted signal)"
TRUSTED_SIGNALS="author_association:$AUTHOR_ASSOCIATION"
;;
esac
fi
NEEDS_REVIEW_LABEL=false
if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ] && [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then
NEEDS_REVIEW_LABEL=true
fi
LABEL_ALREADY_PRESENT=false
if jq -e --arg label "$REVIEW_LABEL" '.[] == $label' <<<"$LIVE_LABELS" >/dev/null; then
LABEL_ALREADY_PRESENT=true
fi
if [ "$NEEDS_REVIEW_LABEL" = "true" ]; then
if [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
LABEL_ACTION="already present"
elif ! gh pr edit "$PR_NUMBER" --repo "$REPO" --add-label "$REVIEW_LABEL"; then
echo "::error::Failed to add the $REVIEW_LABEL label."
{
echo "## Restricted Paths Guard Failed"
echo ""
echo "- **Error**: Failed to add the \`$REVIEW_LABEL\` label."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo ""
write_matching_restricted_paths
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
else
LABEL_ACTION="added"
fi
elif [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
LABEL_ACTION="left in place (manual removal required)"
fi
{
echo "## Restricted Paths Guard Completed"
echo ""
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Touches restricted paths**: $TOUCHES_RESTRICTED_PATHS"
echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
echo "- **Trusted signals**: $TRUSTED_SIGNALS"
echo "- **Label action**: $LABEL_ACTION"
if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
echo ""
write_matching_restricted_paths
fi
if [ "$NEEDS_REVIEW_LABEL" = "true" ]; then
echo ""
echo "- **Manual follow-up**: No trusted signal was found, so \`$REVIEW_LABEL\` is required."
elif [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
echo ""
echo "- **Manual follow-up**: Existing \`$REVIEW_LABEL\` was left in place intentionally because this workflow does not inspect every commit. Remove it manually after reviewing the PR for restricted-paths policy compliance."
fi
} >> "$GITHUB_STEP_SUMMARY"