[no-ci] CI: drive restricted paths guard from user-in-org-check-bot#1901
Closed
rwgk wants to merge 2 commits intoNVIDIA:mainfrom
Closed
[no-ci] CI: drive restricted paths guard from user-in-org-check-bot#1901rwgk wants to merge 2 commits intoNVIDIA:mainfrom
rwgk wants to merge 2 commits intoNVIDIA:mainfrom
Conversation
Consume explicit membership-bot labels so restricted-path PRs fail closed on bot errors or timeouts, short-circuit on trusted outcomes, and only require manual review for confirmed non-members. Made-with: Cursor
Exercise this branch's workflow definition in a PR before switching back to pull_request_target for the real rollout. Made-with: Cursor
Contributor
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
Contributor
Author
|
Closing: github-apps PR 78 did not receive direct feedback, an alternative PR 79 is on track to provide a different solution. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related issue: #1139
Depends on the paired
github-appsPR 78 that adds and deploysuser-in-org-check-bot.TODO before merging:
.github/workflows/restricted-paths-guard.ymlback frompull_requesttopull_request_target# XXX DUMMY CHANGE XXXline fromcuda_bindings/pyproject.tomlSummary
This PR is the
cuda-pythonhalf of the rollout for the newuser-in-org-check-bot.It adds repository config for the new bot and rewrites
.github/workflows/restricted-paths-guard.ymlto consume explicit bot-managed PR-author membership labels instead of relying onauthor_association.What changes
.github/user-in-org-check-bot.yamlto configureuser-in-org-check-botforNVIDIA/cuda-pythonrestricted-paths-guard.ymlto recognize these terminal membership labels:PR-Author-In-NVIDIA-OrgPR-Author-Outside-NVIDIA-OrgPR-Author-Org-Check-FailureNeeds-Restricted-Paths-Reviewas the policy label for confirmed non-member PRs that touchcuda_bindings/orcuda_python/labeled/unlabeledevents when one of the membership-bot labels changesWorkflow behavior
For PRs that do not touch restricted paths, the guard exits green.
For PRs that touch restricted paths, the guard now works as follows:
Needs-Restricted-Paths-Reviewis already present, exit quickly and leave it sticky for manual removalPR-Author-In-NVIDIA-Orgis already present, exit quickly and passPR-Author-Outside-NVIDIA-Orgis already present, ensureNeeds-Restricted-Paths-Reviewis present and finish greenPR-Author-Org-Check-Failureis already present, fail with guidance to rerun later or apply a manual override labelPR-Author-In-NVIDIA-OrgandPR-Author-Outside-NVIDIA-Orgare present at the same time, fail explicitly because the state is inconsistentWhy this shape
author_association.PR-Author-In-NVIDIA-OrgPR-Author-Outside-NVIDIA-OrgNeeds-Restricted-Paths-Reviewmanually if neededScope boundary
This PR does not make
Needs-Restricted-Paths-Reviewmerge-blocking by itself.That remains intentionally separate from the guard logic. The follow-on gate PR,
#1896, handles the merge-blocking status check so the policy and enforcement pieces can be reviewed independently.Testing note
Because Probot repo config is read from the default branch, the full end-to-end behavior with the deployed app cannot be exercised from this PR alone before merge.
To make the workflow logic testable in this PR:
pull_request_targettopull_requestcuda_bindings/pyproject.tomlincludes a temporary dummy line so the PR definitely touches a restricted pathTest plan
pull_requesttrigger runs.PR-Author-In-NVIDIA-Organd confirm the guard succeeds quickly without addingNeeds-Restricted-Paths-Review.PR-Author-Outside-NVIDIA-Organd confirm the guard addsNeeds-Restricted-Paths-Reviewand succeeds.PR-Author-Org-Check-Failureand confirm the guard fails with rerun/manual-override guidance.PR-Author-In-NVIDIA-OrgandPR-Author-Outside-NVIDIA-Organd confirm the guard fails with an explicit conflicting-label error.pull_request_target.