From c64e0d6fb01564b8caa0c9508deb4e7b8afb052a Mon Sep 17 00:00:00 2001
From: "Ralf W. Grosse-Kunstleve"
Date: Sun, 12 Apr 2026 15:09:11 -0700
Subject: [PATCH 1/3] [no-ci] CI: Add restricted-paths-review-gate.yml

Add a dedicated workflow that fails when the Needs-Restricted-Paths-Review label is present. This gives branch protection a narrowly scoped merge gate for restricted-paths policy without making the broader PR metadata checks required.

Made-with: Cursor
---
 .../restricted-paths-review-gate.yml | 81 +++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 .github/workflows/restricted-paths-review-gate.yml

diff --git a/.github/workflows/restricted-paths-review-gate.yml b/.github/workflows/restricted-paths-review-gate.yml
new file mode 100644
index 0000000000..16d3b0c1f4
--- /dev/null
+++ b/.github/workflows/restricted-paths-review-gate.yml
@@ -0,0 +1,81 @@
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+name: "CI: Restricted Paths Review Gate"
+
+on:
+ # Keep this separate from pr-metadata-check.yml so only the
+ # Needs-Restricted-Paths-Review policy becomes merge-blocking.
+ pull_request_target:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ - ready_for_review
+ - labeled
+ - unlabeled
+
+jobs:
+ restricted-paths-review-gate:
+ name: Restricted paths review gate
+ if: github.repository_owner == 'NVIDIA'
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read
+ steps:
+ - name: Check for merge-blocking restricted-paths label
+ env:
+ GH_TOKEN: ${{ github.token }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ REPO: ${{ github.repository }}
+ REVIEW_LABEL: Needs-Restricted-Paths-Review
+ run: |
+ set -euo pipefail
+
+ if ! LIVE_LABELS=$(
+ gh pr view "${PR_NUMBER}" --repo "${REPO}" \
+ --json labels \
+ --jq '[.labels[].name]'
+ ); then
+ echo "::error::Failed to inspect the current PR labels."
+ {
+ echo "## Restricted Paths Review Gate Failed"
+ echo ""
+ echo "- **Error**: Failed to inspect the current PR labels."
+ echo ""
+ echo "Please update the PR at: $PR_URL"
+ } >> "$GITHUB_STEP_SUMMARY"
+ exit 1
+ fi
+
+ CURRENT_LABELS=$(jq -r '
+ if length == 0 then
+ "(none)"
+ else
+ join(", ")
+ end
+ ' <<<"$LIVE_LABELS")
+
+ if jq -e --arg label "$REVIEW_LABEL" '.[] == $label' <<<"$LIVE_LABELS" >/dev/null; then
+ echo "::error::The $REVIEW_LABEL label is present. Remove it after restricted-paths review is complete."
+ {
+ echo "## Restricted Paths Review Gate Failed"
+ echo ""
+ echo "- **Blocking label**: \`$REVIEW_LABEL\`"
+ echo "- **Current labels**: $CURRENT_LABELS"
+ echo "- **Why this failed**: This label means the PR touched \`cuda_bindings/\` or \`cuda_python/\` without a trusted author signal."
+ echo "- **How to unblock merge**: A maintainer must review the restricted-paths policy decision and remove \`$REVIEW_LABEL\` manually when the PR is allowed to merge."
+ echo ""
+ echo "Please update the PR at: $PR_URL"
+ } >> "$GITHUB_STEP_SUMMARY"
+ exit 1
+ fi
+
+ {
+ echo "## Restricted Paths Review Gate Passed"
+ echo ""
+ echo "- **Blocking label absent**: \`$REVIEW_LABEL\`"
+ echo "- **Current labels**: $CURRENT_LABELS"
+ echo "- **Result**: This gate does not block merging."
+ } >> "$GITHUB_STEP_SUMMARY"

From 2b94e27a90b16daeee1354f87353829de05844b8 Mon Sep 17 00:00:00 2001
From: "Ralf W. Grosse-Kunstleve"
Date: Sun, 12 Apr 2026 15:26:39 -0700
Subject: [PATCH 2/3] [no-ci] CI: test restricted-paths-review-gate via pull_request

Temporarily switch the new workflow to pull_request so PR #1896 can exercise the label-driven pass/fail behavior before the workflow exists on the base branch. This lets us validate the gate logic pre-merge and then switch back to pull_request_target for the final rollout.

Test plan:
1. Temporarily switch the new workflow to `pull_request`.
2. Push to PR `#1896`.
3. Add the label and confirm the check goes red.
4. Remove the label and confirm the check goes green.
5. Switch it back to `pull_request_target` before merging.

Made-with: Cursor
---
 .github/workflows/restricted-paths-review-gate.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/restricted-paths-review-gate.yml b/.github/workflows/restricted-paths-review-gate.yml
index 16d3b0c1f4..3b67856854 100644
--- a/.github/workflows/restricted-paths-review-gate.yml
+++ b/.github/workflows/restricted-paths-review-gate.yml
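Review bot: The blocking check `jq -e --arg label "$REVIEW_LABEL" '.[] == $label' <<<"$LIVE_LABELS"` only honors the last label on the PR: `.[] == $label` emits one boolean per array element and `-e` derives the exit status from the last output alone, so a PR carrying `Needs-Restricted-Paths-Review` together with any label the API happens to return after it takes the "Passed" branch. Since this job is meant to be the only merge-blocking check for the restricted-paths policy, that false pass silently defeats the gate; test it with two labels before wiring it into branch protection. Evaluate the whole array instead, e.g. `if jq -e --arg label "$REVIEW_LABEL" 'any(.[]; . == $label)' <<<"$LIVE_LABELS" >/dev/null; then` (or `index($label) != null`). The rest of the design is sound for a `pull_request_target` trigger: the job restricts itself to `pull-requests: read`, never checks out the PR head, and passes the PR fields through `env:` rather than interpolating `${{ }}` expressions into `run:`.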
@@ -4,9 +4,9 @@
 name: "CI: Restricted Paths Review Gate"
 on:
- # Keep this separate from pr-metadata-check.yml so only the
- # Needs-Restricted-Paths-Review policy becomes merge-blocking.
- pull_request_target:
+ # Temporary for PR-level testing before this workflow exists on the base
+ # branch. Switch back to pull_request_target before merging.
+ pull_request:
 types:
 - opened
 - synchronize

From 9d3b66f06c3dc7b36e7d1c58b54e1ead534d5675 Mon Sep 17 00:00:00 2001
From: "Ralf W. Grosse-Kunstleve"
Date: Sun, 12 Apr 2026 15:32:55 -0700
Subject: [PATCH 3/3] Revert "[no-ci] CI: test restricted-paths-review-gate via pull_request"

This reverts commit 2b94e27a90b16daeee1354f87353829de05844b8.
---
 .github/workflows/restricted-paths-review-gate.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/restricted-paths-review-gate.yml b/.github/workflows/restricted-paths-review-gate.yml
index 3b67856854..16d3b0c1f4 100644
--- a/.github/workflows/restricted-paths-review-gate.yml
+++ b/.github/workflows/restricted-paths-review-gate.yml
@@ -4,9 +4,9 @@
 name: "CI: Restricted Paths Review Gate"
 on:
- # Temporary for PR-level testing before this workflow exists on the base
- # branch. Switch back to pull_request_target before merging.
- pull_request:
+ # Keep this separate from pr-metadata-check.yml so only the
+ # Needs-Restricted-Paths-Review policy becomes merge-blocking.
+ pull_request_target:
 types:
 - opened
 - synchronize