From 015195c6c9150aa28ad58396243e3246c1dc4e75 Mon Sep 17 00:00:00 2001
From: Ivan Basov <ibasov@nvidia.com>
Date: Thu, 5 Mar 2026 12:00:43 -0800
Subject: [PATCH] fix(ci): add pull_request trigger and gate GPU jobs

- Add `pull_request` trigger so fork PRs get immediate CPU CI
  feedback without needing a push to `pull-request/N`.
- Gate GPU jobs with `if: github.event_name == 'push'` to prevent
  untrusted fork code from executing on self-hosted runners.

Note: the branch ruleset still requires StatusContext entries named
"CI / <job> (push)" which are not automatically created by GitHub
Actions. An admin needs to update ruleset 13507673 to use CheckRun
names (e.g., "unit-tests" instead of "CI / unit-tests (push)").

Made-with: Cursor
---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ac8c9a9..5edefed 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ name: CI
 
 on:
   workflow_dispatch:
+  pull_request:
+    branches:
+      - main
   push:
     branches:
       - main
@@ -114,6 +117,7 @@ jobs:
   # GPU jobs (self-hosted NVIDIA runners)
   # ---------------------------------------------------------------------------
   gpu-tests:
+    if: github.event_name == 'push' || github.event_name == 'merge_group'
     runs-on: linux-amd64-gpu-rtxpro6000-latest-1
     container:
       image: ubuntu:22.04