
[no-ci] CI: drive restricted paths guard from user-in-org-check-bot #1901

Draft
rwgk wants to merge 2 commits into NVIDIA:main from rwgk:restricted-paths-guard_using_user-in-org-check-bot

Conversation

@rwgk
Collaborator

@rwgk rwgk commented Apr 14, 2026

Related issue: #1139

Depends on the paired github-apps PR 78 that adds and deploys user-in-org-check-bot.

TODO before merging:

  • switch .github/workflows/restricted-paths-guard.yml back from pull_request to pull_request_target
  • remove the temporary # XXX DUMMY CHANGE XXX line from cuda_bindings/pyproject.toml

Summary

This PR is the cuda-python half of the rollout for the new user-in-org-check-bot.

It adds repository config for the new bot and rewrites .github/workflows/restricted-paths-guard.yml to consume explicit bot-managed PR-author membership labels instead of relying on author_association.

What changes

  • add .github/user-in-org-check-bot.yaml to configure user-in-org-check-bot for NVIDIA/cuda-python
  • update restricted-paths-guard.yml to recognize these terminal membership labels:
    • PR-Author-In-NVIDIA-Org
    • PR-Author-Outside-NVIDIA-Org
    • PR-Author-Org-Check-Failure
  • keep Needs-Restricted-Paths-Review as the policy label for confirmed non-member PRs that touch cuda_bindings/ or cuda_python/
  • fail the workflow on operational problems (to cleanly avoid guessing)
  • only re-evaluate on labeled / unlabeled events when one of the membership-bot labels changes

Workflow behavior

For PRs that do not touch restricted paths, the guard exits green.

For PRs that touch restricted paths, the guard now works as follows:

  • if Needs-Restricted-Paths-Review is already present, exit quickly and leave it sticky for manual removal
  • if PR-Author-In-NVIDIA-Org is already present, exit quickly and pass
  • if PR-Author-Outside-NVIDIA-Org is already present, ensure Needs-Restricted-Paths-Review is present and finish green
  • if PR-Author-Org-Check-Failure is already present, fail with guidance to rerun later or apply a manual override label
  • otherwise, poll live PR labels for up to about 60 seconds waiting for a terminal bot result
  • if no terminal result appears within that window, fail
  • if both PR-Author-In-NVIDIA-Org and PR-Author-Outside-NVIDIA-Org are present at the same time, fail explicitly because the state is inconsistent

Why this shape

  • It separates the authoritative org-membership question from the repo-specific policy decision.
  • It avoids false positives from author_association.
  • It keeps the rescue path obvious in pathological cases:
    • maintainers can manually apply PR-Author-In-NVIDIA-Org
    • maintainers can manually apply PR-Author-Outside-NVIDIA-Org
    • maintainers can still manage Needs-Restricted-Paths-Review manually if needed
  • It avoids catch-22 behavior by keeping manual intervention possible when the bot or workflow is unavailable.

Scope boundary

This PR does not make Needs-Restricted-Paths-Review merge-blocking by itself.

That remains intentionally separate from the guard logic. The follow-on gate PR, #1896, handles the merge-blocking status check so the policy and enforcement pieces can be reviewed independently.

Testing note

Because Probot repo config is read from the default branch, the full end-to-end behavior with the deployed app cannot be exercised from this PR alone before merge.

To make the workflow logic testable in this PR:

  • the trigger is temporarily changed from pull_request_target to pull_request
  • cuda_bindings/pyproject.toml includes a temporary dummy line so the PR definitely touches a restricted path
  • PR labels can be manipulated manually to simulate the bot outcomes

Test plan

  • Open a PR from this branch and confirm the temporary pull_request trigger runs.
  • With no terminal bot label present, confirm the guard times out after about 60 seconds and fails.
  • Add PR-Author-In-NVIDIA-Org and confirm the guard succeeds quickly without adding Needs-Restricted-Paths-Review.
  • Add PR-Author-Outside-NVIDIA-Org and confirm the guard adds Needs-Restricted-Paths-Review and succeeds.
  • Add PR-Author-Org-Check-Failure and confirm the guard fails with rerun/manual-override guidance.
  • Add both PR-Author-In-NVIDIA-Org and PR-Author-Outside-NVIDIA-Org and confirm the guard fails with an explicit conflicting-label error.
  • Before merge, remove the dummy change and switch the workflow trigger back to pull_request_target.
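The label-driven decision described under "Workflow behavior", written out as an added, self-contained Python model (not the workflow from this PR or the bot's own code) so the branch order, the fail-closed timeout and the conflicting-label case can be tested offline. The label fetcher, clock and sleep are injected so a test can simulate the bot labelling late; the choice to check the conflicting pair before the sticky review label is an assumption.

```python
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

IN_ORG = "PR-Author-In-NVIDIA-Org"
OUTSIDE_ORG = "PR-Author-Outside-NVIDIA-Org"
CHECK_FAILURE = "PR-Author-Org-Check-Failure"
NEEDS_REVIEW = "Needs-Restricted-Paths-Review"
RESTRICTED_PREFIXES = ("cuda_bindings/", "cuda_python/")
POLL_TIMEOUT_S = 60   # "up to about 60 seconds"
POLL_INTERVAL_S = 5   # assumed interval; the PR text does not state one


@dataclass(frozen=True)
class Verdict:
    ok: bool                        # True = workflow green, False = fail
    add_label: Optional[str] = None  # label the guard should apply, if any
    reason: str = ""


def touches_restricted(changed_files: Iterable[str]) -> bool:
    return any(f.startswith(RESTRICTED_PREFIXES) for f in changed_files)


def decide(labels: Iterable[str]) -> Optional[Verdict]:
    """Map the current label set to a terminal verdict, or None if the bot
    has not produced a terminal result yet (caller keeps polling)."""
    labels = set(labels)
    if IN_ORG in labels and OUTSIDE_ORG in labels:  # assumed to win over everything
        return Verdict(False, reason="conflicting membership labels; state inconsistent")
    if NEEDS_REVIEW in labels:  # sticky: only a human removes it
        return Verdict(True, reason="review label already present, left in place")
    if IN_ORG in labels:
        return Verdict(True, reason="author confirmed in org")
    if OUTSIDE_ORG in labels:
        return Verdict(True, NEEDS_REVIEW, "confirmed non-member touching restricted paths")
    if CHECK_FAILURE in labels:
        return Verdict(False, reason="org check failed; rerun later or apply a manual override label")
    return None


def guard(changed_files: List[str], fetch_labels: Callable[[], List[str]],
          clock: Callable[[], float] = time.monotonic,
          sleep: Callable[[float], None] = time.sleep) -> Verdict:
    """Fail closed: no terminal bot label within the window means a red run."""
    if not touches_restricted(changed_files):
        return Verdict(True, reason="no restricted paths touched")
    deadline = clock() + POLL_TIMEOUT_S
    while True:
        verdict = decide(fetch_labels())  # re-read live labels each iteration
        if verdict is not None:
            return verdict
        if clock() >= deadline:
            return Verdict(False, reason="no terminal membership label within timeout")
        sleep(POLL_INTERVAL_S)
```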

rwgk added 2 commits April 13, 2026 16:50
Consume explicit membership-bot labels so restricted-path PRs fail closed on bot errors or timeouts, short-circuit on trusted outcomes, and only require manual review for confirmed non-members.

Made-with: Cursor
Exercise this branch's workflow definition in a PR before switching back to pull_request_target for the real rollout.

Made-with: Cursor
@rwgk rwgk added this to the cuda.bindings next milestone Apr 14, 2026
@rwgk rwgk self-assigned this Apr 14, 2026
@rwgk rwgk added P0 High priority - Must do! CI/CD CI/CD infrastructure labels Apr 14, 2026
@copy-pr-bot
Contributor

copy-pr-bot bot commented Apr 14, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.
