Add nvskills ci workflow

[rgsl888prabhu]

Description

Issue

Checklist

• I am familiar with the Contributing Guidelines.
• Testing
  • New or existing tests cover these changes
  • Added tests
  • Created an issue to follow-up
  • NA
• Documentation
  • The documentation is up to date with these changes
  • Added new documentation
  • NA

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[rgsl888prabhu]

/nvskills-ci

[rgsl888prabhu]

/nvskills-ci

[rgsl888prabhu]

/nvskills-ci

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces NVSkills CI integration to validate skill-directory changes. A new GitHub Actions workflow accepts /nvskills-ci slash commands and bot-signed commits, delegating orchestration to an external workflow. CI filtering prevents the new workflow from triggering unrelated builds, security policies permit the external action calls, and contributor guidance documents the requirement for skill PRs.

Changes

NVSkills CI Integration

Layer / File(s)	Summary
NVSkills CI workflow and external integration .github/workflows/request-nvskills-ci.yml, .github/zizmor.yml	Introduces request-nvskills-ci workflow triggered on issue comments (/nvskills-ci) and bot-signed pushes, delegating to NVIDIA/skills/.github/workflows/team-request.yml@main with dispatch token. Permits unpinned NVIDIA/skills/* references in security policy exceptions.
CI job filtering for workflow changes .github/workflows/pr.yaml	Excludes request-nvskills-ci.yml from triggering build_docs, test_cpp, test_python_conda, and test_python_wheels to prevent redundant CI runs when only the workflow definition changes.
Documentation and metadata updates CONTRIBUTING.md, skills/cuopt-developer/SKILL.md	Documents NVSkills CI requirement for PRs modifying skills/ content, including trigger method, bot signature persistence, re-trigger on subsequent pushes, and repository-branch constraints. Adds SPDX copyright and Apache-2.0 license header to skill markdown.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• NVIDIA/cuopt#1224: Both PRs edit skills/cuopt-developer/SKILL.md at different checkpoints in the skill development flow.

Suggested labels

non-breaking, improvement

Suggested reviewers

• mlubin
• Iroy30
• tmckayus

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding an NVSkills CI workflow. It directly corresponds to the primary purpose of the PR.
Description check	✅ Passed	The description is a template with unchecked items and minimal content. However, the PR objectives and commit history provide sufficient context about the changeset, making the description marginally acceptable as it relates to the workflow addition.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch add-nvskills-ci-workflow

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/request-nvskills-ci.yml:
- Around line 17-23: The issue is that the issue_comment branch accepts any PR
comment starting with /nvskills-ci without checking commenter permissions;
update the if condition so the issue_comment path also requires the commenter to
be a repo maintainer/admin by adding a check on
github.event.comment.author_association (e.g. require it to be one of OWNER,
MEMBER, MAINTAINER, or COLLABORATOR) alongside the existing
startsWith(github.event.comment.body, '/nvskills-ci') and
github.event.issue.pull_request tests; locate the condition containing
startsWith(github.event.comment.body, '/nvskills-ci') and add the
author_association membership check to restrict who can trigger the workflow.

In @.github/zizmor.yml:
- Line 9: Replace the broad repository pattern "NVIDIA/skills/*": any with a
precise workflow path that matches the imported file; update the policy entry to
"NVIDIA/skills/.github/workflows/team-request.yml": any so the allowance only
covers the exact workflow used (locate the key "NVIDIA/skills/*" in
.github/zizmor.yml and change it to the full path
"NVIDIA/skills/.github/workflows/team-request.yml").

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c9414a27-c59c-4089-b2bc-76529cc28071

📥 Commits

Reviewing files that changed from the base of the PR and between b145cc3 and c97e6dc.

📒 Files selected for processing (5)

• .github/workflows/pr.yaml
• .github/workflows/request-nvskills-ci.yml
• .github/zizmor.yml
• CONTRIBUTING.md
• skills/cuopt-developer/SKILL.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add commenter authorization to the issue_comment trigger path.

The condition currently accepts any PR comment starting with /nvskills-ci, but it does not enforce maintainer/admin permissions as described in the header comment. That allows unauthorized users to trigger this workflow.

Suggested fix

     if: >
       (github.event_name == 'issue_comment' &&
         github.event.issue.pull_request &&
-        startsWith(github.event.comment.body, '/nvskills-ci')) ||
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
+        startsWith(github.event.comment.body, '/nvskills-ci')) ||
       (github.event_name == 'push' &&
         github.actor == (vars.NVSKILLS_SIGNATURE_PUSH_ACTOR || 'nv-nvskill-ci[bot]') &&
         startsWith(github.event.head_commit.message, vars.NVSKILLS_SIGNATURE_COMMIT_TITLE || 'Attach NVSkills validation signatures'))

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if: >
	(github.event_name == 'issue_comment' &&
	github.event.issue.pull_request &&
	startsWith(github.event.comment.body, '/nvskills-ci')) ||
	(github.event_name == 'push' &&
	github.actor == (vars.NVSKILLS_SIGNATURE_PUSH_ACTOR || 'nv-nvskill-ci[bot]') &&
	startsWith(github.event.head_commit.message, vars.NVSKILLS_SIGNATURE_COMMIT_TITLE || 'Attach NVSkills validation signatures'))
	if: >
	(github.event_name == 'issue_comment' &&
	github.event.issue.pull_request &&
	contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
	startsWith(github.event.comment.body, '/nvskills-ci')) ||
	(github.event_name == 'push' &&
	github.actor == (vars.NVSKILLS_SIGNATURE_PUSH_ACTOR || 'nv-nvskill-ci[bot]') &&
	startsWith(github.event.head_commit.message, vars.NVSKILLS_SIGNATURE_COMMIT_TITLE || 'Attach NVSkills validation signatures'))

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/request-nvskills-ci.yml around lines 17 - 23, The issue is
that the issue_comment branch accepts any PR comment starting with /nvskills-ci
without checking commenter permissions; update the if condition so the
issue_comment path also requires the commenter to be a repo maintainer/admin by
adding a check on github.event.comment.author_association (e.g. require it to be
one of OWNER, MEMBER, MAINTAINER, or COLLABORATOR) alongside the existing
startsWith(github.event.comment.body, '/nvskills-ci') and
github.event.issue.pull_request tests; locate the condition containing
startsWith(github.event.comment.body, '/nvskills-ci') and add the
author_association membership check to restrict who can trigger the workflow.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/zizmor.yml | head -20

Repository: NVIDIA/cuopt

Length of output: 466

---

🏁 Script executed:

# Get full context of the zizmor.yml file
wc -l .github/zizmor.yml

Repository: NVIDIA/cuopt

Length of output: 78

---

🏁 Script executed:

# Search for any references to NVIDIA/skills in the codebase
rg "NVIDIA/skills" --type yaml --type yml

Repository: NVIDIA/cuopt

Length of output: 84

---

🏁 Script executed:

# Check git history to understand what changed
git diff HEAD~1 .github/zizmor.yml 2>/dev/null || git log --oneline -5 .github/zizmor.yml 2>/dev/null

Repository: NVIDIA/cuopt

Length of output: 114

---

🏁 Script executed:

# Search for NVIDIA/skills usage in workflow files
rg "NVIDIA/skills" .github/workflows/

Repository: NVIDIA/cuopt

Length of output: 162

---

🏁 Script executed:

# Get the diff for this file to see what changed
git diff -- .github/zizmor.yml || git show HEAD:.github/zizmor.yml

Repository: NVIDIA/cuopt

Length of output: 38

---

🏁 Script executed:

# List all workflow files to understand the context
find .github/workflows -type f -name "*.yml" -o -name "*.yaml"

Repository: NVIDIA/cuopt

Length of output: 587

---

🏁 Script executed:

# Check if there are multiple NVIDIA/skills workflows referenced
rg "uses:.*NVIDIA/skills" .github/ -A 2

Repository: NVIDIA/cuopt

Length of output: 335

---

🏁 Script executed:

# Check git status to see if this file is modified in current PR
git status .github/zizmor.yml

Repository: NVIDIA/cuopt

Length of output: 122

---

🏁 Script executed:

# Get the actual diff for the PR
git diff .github/zizmor.yml

Repository: NVIDIA/cuopt

Length of output: 38

---

🏁 Script executed:

# Check the git log to see when this line was added
git log -p --all -- .github/zizmor.yml | grep -A 5 -B 5 "NVIDIA/skills" | head -30

Repository: NVIDIA/cuopt

Length of output: 38

---

🏁 Script executed:

# Check the complete git history to understand when this line was introduced
git log --all --oneline .github/zizmor.yml

Repository: NVIDIA/cuopt

Length of output: 200

---

🏁 Script executed:

# Check if maybe this is a new file in the PR
git show HEAD:.github/zizmor.yml 2>/dev/null | head -15

Repository: NVIDIA/cuopt

Length of output: 396

---

🏁 Script executed:

# Let's check all branches to see the change context
git branch -a

Repository: NVIDIA/cuopt

Length of output: 154

---

🏁 Script executed:

# Search for any other NVIDIA references that might justify the wildcard
rg "NVIDIA/" .github/workflows/ | grep -v "^Binary"

Repository: NVIDIA/cuopt

Length of output: 314

---

🏁 Script executed:

# Check if this line was added in the recent commit
git show 73c9903:.github/zizmor.yml | grep -A 3 -B 3 "NVIDIA/skills"

Repository: NVIDIA/cuopt

Length of output: 38

---

🏁 Script executed:

# Check the parent commit to see if it existed before
git show 73c9903^:.github/zizmor.yml 2>/dev/null | grep "NVIDIA/skills" || echo "Line did not exist in parent"

Repository: NVIDIA/cuopt

Length of output: 85

---

🏁 Script executed:

# Verify the exact change in that commit
git show 73c9903 -- .github/zizmor.yml | head -50

Repository: NVIDIA/cuopt

Length of output: 1330

---

🏁 Script executed:

# Double-check what commit is currently at HEAD
git log -1 --oneline

Repository: NVIDIA/cuopt

Length of output: 114

---

🏁 Script executed:

# Check if there were changes to zizmor.yml after the initial commit
git log --all --oneline -- .github/zizmor.yml

Repository: NVIDIA/cuopt

Length of output: 200

---

🏁 Script executed:

# Verify the current state is different from the initial commit
git diff 73c9903 HEAD -- .github/zizmor.yml

Repository: NVIDIA/cuopt

Length of output: 418

---

Scope the unpinned exception to the exact NVIDIA/skills workflow path.

The policy "NVIDIA/skills/*": any is broader than needed—only NVIDIA/skills/.github/workflows/team-request.yml is imported. Narrow this to the specific workflow to enforce least privilege and prevent future unpinned imports from other paths in that repository.

Suggested fix

-        "NVIDIA/skills/*": any
+        "NVIDIA/skills/.github/workflows/team-request.yml": any

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"NVIDIA/skills/*": any
	"NVIDIA/skills/.github/workflows/team-request.yml": any

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/zizmor.yml at line 9, Replace the broad repository pattern
"NVIDIA/skills/*": any with a precise workflow path that matches the imported
file; update the policy entry to
"NVIDIA/skills/.github/workflows/team-request.yml": any so the allowance only
covers the exact workflow used (locate the key "NVIDIA/skills/*" in
.github/zizmor.yml and change it to the full path
"NVIDIA/skills/.github/workflows/team-request.yml").