fix(ci): add pull_request trigger and gate GPU jobs for security #7
Closed
ivanbasov wants to merge 1 commit into
Conversation
- Add `pull_request` trigger so fork PRs get immediate CPU CI feedback without needing a push to `pull-request/N`.
- Gate GPU jobs with `if: github.event_name == 'push'` to prevent untrusted fork code from executing on self-hosted runners.

Note: the branch ruleset still requires StatusContext entries named "CI / <job> (push)" which are not automatically created by GitHub Actions. An admin needs to update ruleset 13507673 to use CheckRun names (e.g., "unit-tests" instead of "CI / unit-tests (push)").

Made-with: Cursor
Summary
- Add `pull_request` trigger so fork PRs get immediate CPU CI feedback without needing a maintainer to push to `pull-request/N`
- Gate GPU jobs (`gpu-tests`, `smoke-test-gpu`) with `if: github.event_name == 'push'` to prevent untrusted fork code from running on self-hosted NVIDIA runners

Required admin action: fix ruleset check names
The "Main and Releases" branch ruleset (id 13507673) requires StatusContext entries named `CI / <job> (push)`, but GitHub Actions creates CheckRun entries with plain names (`unit-tests`, `gpu-tests`, etc.). These don't match, leaving PRs stuck with "11 expected" checks that are never satisfied. An admin needs to update the ruleset at Settings > Rules > Main and Releases to change the required status check contexts:
| Current required context | Replace with |
|---|---|
| `CI / unit-tests (push)` | `unit-tests` |
| `CI / unit-tests-coverage (push)` | `unit-tests-coverage` |
| `CI / spdx-header-check (push)` | `spdx-header-check` |
| `CI / gpu-tests (push)` | `gpu-tests` |
| `CI / smoke-test-gpu (push)` | `smoke-test-gpu` |
| `CI / compat / py3.11 / inference (push)` | `compat / py3.11 / inference` |
| `CI / compat / py3.11 / train (push)` | `compat / py3.11 / train` |
| `CI / compat / py3.12 / inference (push)` | `compat / py3.12 / inference` |
| `CI / compat / py3.12 / train (push)` | `compat / py3.12 / train` |
| `CI / compat / py3.13 / inference (push)` | `compat / py3.13 / inference` |
| `CI / compat / py3.13 / train (push)` | `compat / py3.13 / train` |

Or via API (requires admin):
Changed files
- `.github/workflows/ci.yml`: add `pull_request` trigger, gate GPU jobs to `push`/`merge_group` only

Test plan
- `pull_request` from fork triggers CPU jobs only (GPU jobs show as skipped)
- `push` to `pull-request/N` triggers all jobs including GPU
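The trigger-plus-gate pattern described in this PR, written out as an added illustration rather than the PR's own diff. The job names `unit-tests` and `gpu-tests` come from the page; the branch patterns, runner labels and step commands are assumptions, and the gate follows the "push/merge_group only" wording from the changed-files note.

```yaml
# Added example of the workflow shape the PR describes; not the project's ci.yml.
name: CI

on:
  push:
    branches: [main, 'pull-request/**']   # assumed: maintainers push vetted fork code here
  pull_request:                            # fork PRs run with a read-only token and no secrets
  merge_group:

jobs:
  unit-tests:
    # Runs for every event, including pull_request from forks. A GitHub-hosted
    # runner is an ephemeral VM, so untrusted fork code cannot persist or reach
    # anything behind the self-hosted runners.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/run-unit-tests.sh   # placeholder command

  gpu-tests:
    # Self-hosted runner: only events a maintainer has already vetted may reach
    # it. A fork PR arrives as event_name == 'pull_request', so this job is
    # reported as skipped for it (which is what the test plan expects).
    if: github.event_name == 'push' || github.event_name == 'merge_group'
    runs-on: [self-hosted, gpu]            # assumed runner labels
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/run-gpu-tests.sh    # placeholder command
```

Because a skipped job still reports a conclusion, the ruleset can keep `gpu-tests` as a required check only if the required context name matches the CheckRun name, which is the mismatch the admin action above addresses.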