Closed
4 changes: 4 additions & 0 deletions .github/workflows/pr.yaml
@@ -152,6 +152,7 @@ jobs:
- '!.github/workflows/inactivity_reminder.yaml'
- '!.github/workflows/issue_automation.yaml'
- '!.github/workflows/nightly.yaml'
- '!.github/workflows/request-nvskills-ci.yml'
- '!.github/workflows/test.yaml'
- '!.github/workflows/test_images.yaml'
- '!.github/workflows/trigger-breaking-change-alert.yaml'
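Review bot: the new exclusion `- '!.github/workflows/request-nvskills-ci.yml'` is added verbatim to four separate path-filter lists in this file (this hunk and the ones at 208, 272 and 333), so the lists can silently drift apart the next time a workflow is added or renamed; consider a YAML anchor or one shared filter definition so the ignore list is maintained in a single place. Minor style point: the new file uses the `.yml` extension while every sibling entry in the list uses `.yaml`.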
@@ -208,6 +209,7 @@ jobs:
- '!.github/workflows/inactivity_reminder.yaml'
- '!.github/workflows/issue_automation.yaml'
- '!.github/workflows/nightly.yaml'
- '!.github/workflows/request-nvskills-ci.yml'
- '!.github/workflows/test.yaml'
- '!.github/workflows/test_images.yaml'
- '!.github/workflows/trigger-breaking-change-alert.yaml'
@@ -272,6 +274,7 @@ jobs:
- '!.github/workflows/inactivity_reminder.yaml'
- '!.github/workflows/issue_automation.yaml'
- '!.github/workflows/nightly.yaml'
- '!.github/workflows/request-nvskills-ci.yml'
- '!.github/workflows/test.yaml'
- '!.github/workflows/test_images.yaml'
- '!.github/workflows/trigger-breaking-change-alert.yaml'
@@ -333,6 +336,7 @@ jobs:
- '!.github/workflows/inactivity_reminder.yaml'
- '!.github/workflows/issue_automation.yaml'
- '!.github/workflows/nightly.yaml'
- '!.github/workflows/request-nvskills-ci.yml'
- '!.github/workflows/test.yaml'
- '!.github/workflows/test_images.yaml'
- '!.github/workflows/trigger-breaking-change-alert.yaml'
29 changes: 29 additions & 0 deletions .github/workflows/request-nvskills-ci.yml
@@ -0,0 +1,29 @@
# SPDX-FileCopyrightText: Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

# Triggered when a maintainer/admin comments `/nvskills-ci` on a PR
# touching skills/. The bot pushes a signature commit that must remain
# in the PR before merge. Fork-based PRs are not supported.

name: Request NVSkills CI

on:
issue_comment:
types: [created]
push:

jobs:
request:
if: >
(github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
startsWith(github.event.comment.body, '/nvskills-ci')) ||
(github.event_name == 'push' &&
github.actor == (vars.NVSKILLS_SIGNATURE_PUSH_ACTOR || 'nv-nvskill-ci[bot]') &&
startsWith(github.event.head_commit.message, vars.NVSKILLS_SIGNATURE_COMMIT_TITLE || 'Attach NVSkills validation signatures'))
Comment on lines +17 to +23

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add commenter authorization to the issue_comment trigger path.

The condition currently accepts any PR comment starting with /nvskills-ci, but it does not enforce maintainer/admin permissions as described in the header comment. That allows unauthorized users to trigger this workflow.

Suggested fix
     if: >
       (github.event_name == 'issue_comment' &&
         github.event.issue.pull_request &&
-        startsWith(github.event.comment.body, '/nvskills-ci')) ||
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association) &&
+        startsWith(github.event.comment.body, '/nvskills-ci')) ||
       (github.event_name == 'push' &&
         github.actor == (vars.NVSKILLS_SIGNATURE_PUSH_ACTOR || 'nv-nvskill-ci[bot]') &&
         startsWith(github.event.head_commit.message, vars.NVSKILLS_SIGNATURE_COMMIT_TITLE || 'Attach NVSkills validation signatures'))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/request-nvskills-ci.yml around lines 17 - 23, The issue is
that the issue_comment branch accepts any PR comment starting with /nvskills-ci
without checking commenter permissions; update the if condition so the
issue_comment path also requires the commenter to be a repo maintainer/admin by
adding a check on github.event.comment.author_association (e.g. require it to be
one of OWNER, MEMBER, MAINTAINER, or COLLABORATOR) alongside the existing
startsWith(github.event.comment.body, '/nvskills-ci') and
github.event.issue.pull_request tests; locate the condition containing
startsWith(github.event.comment.body, '/nvskills-ci') and add the
author_association membership check to restrict who can trigger the workflow.

permissions:
contents: read
pull-requests: read
uses: NVIDIA/skills/.github/workflows/team-request.yml@main
secrets:
NVSKILLS_CI_DISPATCH_TOKEN: ${{ secrets.NVSKILLS_CI_DISPATCH_TOKEN }}
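Review bot: `push:` carries no `branches:` or `paths:` filter, so this workflow is evaluated on every push to every branch and the job-level `if` is the only gate; a `paths: ['skills/**']` filter (the header says the flow is for PRs touching `skills/`) would shrink that surface. Two further points on the gate itself: nothing in the condition excludes fork-based PRs even though the header states they are unsupported (`github.event.issue.pull_request` is set for a fork PR's comments too), so the job will start rather than be skipped; and the push branch trusts `github.actor` plus a commit-title prefix, both of which can be redefined through repository `vars`, so that override path should either be documented or removed. Finally, `uses: NVIDIA/skills/.github/workflows/team-request.yml@main` is a mutable ref that is handed `NVSKILLS_CI_DISPATCH_TOKEN`; pin it to a commit SHA so a change on the upstream `main` cannot alter what that secret is used for.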
1 change: 1 addition & 0 deletions .github/zizmor.yml
@@ -6,4 +6,5 @@ rules:
# rapidsai/shared-workflows and rapidsai/shared-actions
"rapidsai/shared-workflows/*": any
"rapidsai/shared-actions/*": any
"NVIDIA/skills/*": any

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Scripts executed (repository: NVIDIA/cuopt):

cat -n .github/zizmor.yml | head -20
# Get full context of the zizmor.yml file
wc -l .github/zizmor.yml
# Search for any references to NVIDIA/skills in the codebase
rg "NVIDIA/skills" --type yaml --type yml
# Check git history to understand what changed
git diff HEAD~1 .github/zizmor.yml 2>/dev/null || git log --oneline -5 .github/zizmor.yml 2>/dev/null
# Search for NVIDIA/skills usage in workflow files
rg "NVIDIA/skills" .github/workflows/
# Get the diff for this file to see what changed
git diff -- .github/zizmor.yml || git show HEAD:.github/zizmor.yml
# List all workflow files to understand the context
find .github/workflows -type f -name "*.yml" -o -name "*.yaml"
# Check if there are multiple NVIDIA/skills workflows referenced
rg "uses:.*NVIDIA/skills" .github/ -A 2
# Check git status to see if this file is modified in current PR
git status .github/zizmor.yml
# Get the actual diff for the PR
git diff .github/zizmor.yml
# Check the git log to see when this line was added
git log -p --all -- .github/zizmor.yml | grep -A 5 -B 5 "NVIDIA/skills" | head -30
# Check the complete git history to understand when this line was introduced
git log --all --oneline .github/zizmor.yml
# Check if maybe this is a new file in the PR
git show HEAD:.github/zizmor.yml 2>/dev/null | head -15
# Let's check all branches to see the change context
git branch -a
# Search for any other NVIDIA references that might justify the wildcard
rg "NVIDIA/" .github/workflows/ | grep -v "^Binary"
# Check if this line was added in the recent commit
git show 73c9903:.github/zizmor.yml | grep -A 3 -B 3 "NVIDIA/skills"
# Check the parent commit to see if it existed before
git show 73c9903^:.github/zizmor.yml 2>/dev/null | grep "NVIDIA/skills" || echo "Line did not exist in parent"
# Verify the exact change in that commit
git show 73c9903 -- .github/zizmor.yml | head -50
# Double-check what commit is currently at HEAD
git log -1 --oneline
# Check if there were changes to zizmor.yml after the initial commit
git log --all --oneline -- .github/zizmor.yml
# Verify the current state is different from the initial commit
git diff 73c9903 HEAD -- .github/zizmor.yml


Scope the unpinned exception to the exact NVIDIA/skills workflow path.

The policy "NVIDIA/skills/*": any is broader than needed—only NVIDIA/skills/.github/workflows/team-request.yml is imported. Narrow this to the specific workflow to enforce least privilege and prevent future unpinned imports from other paths in that repository.

Suggested fix
-        "NVIDIA/skills/*": any
+        "NVIDIA/skills/.github/workflows/team-request.yml": any
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/zizmor.yml at line 9, Replace the broad repository pattern
"NVIDIA/skills/*": any with a precise workflow path that matches the imported
file; update the policy entry to
"NVIDIA/skills/.github/workflows/team-request.yml": any so the allowance only
covers the exact workflow used (locate the key "NVIDIA/skills/*" in
.github/zizmor.yml and change it to the full path
"NVIDIA/skills/.github/workflows/team-request.yml").

"*": hash-pin
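Review bot: even narrowed to the exact workflow path, an `any` entry here is an exemption from the `"*": hash-pin` default for a reusable workflow that the new `request-nvskills-ci.yml` calls with `@main` and passes `NVSKILLS_CI_DISPATCH_TOKEN` to; the cleaner fix is to pin that `uses:` reference to a commit SHA and drop the exemption altogether, which keeps the hash-pin policy uniform and leaves no unpinned import to audit. If the exemption must stay, add a comment on the line recording why, as the existing `rapidsai/*` entries do.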
6 changes: 6 additions & 0 deletions CONTRIBUTING.md
@@ -103,6 +103,12 @@ contributing to. Start with _Step 3_ from above, commenting on the issue to let
others know you are working on it. If you have any questions related to the
implementation of the issue, ask them in the issue instead of the PR.

### NVSkills CI for skill changes

PRs that change content under `skills/` must be validated by NVSkills CI before merge. A maintainer or admin comments `/nvskills-ci` on the PR; the `nv-nvskill-ci[bot]` pushes a signature commit (`Attach NVSkills validation signatures`) that must remain in the PR. Re-comment `/nvskills-ci` after any further pushes to re-sign.

NVSkills CI requires the PR to originate from a branch in `NVIDIA/cuopt`; fork-based PRs are not supported.

## Setting up your build environment

The following instructions are for developers and contributors to NVIDIA cuOpt development. These
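Review bot: the new section says the signature commit must remain in the PR and that `/nvskills-ci` must be re-issued after further pushes, but it does not say what a rebase or force-push that drops the bot's commit means for the contributor, nor which GitHub roles count as "maintainer or admin" for the trigger; one sentence on each (a history rewrite removes the signature and needs a fresh `/nvskills-ci`; who may issue the command) would save contributors a failed merge.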
5 changes: 5 additions & 0 deletions skills/cuopt-developer/SKILL.md
@@ -6,6 +6,11 @@ description: Modify, build, test, debug, and contribute to NVIDIA cuOpt (C++/CUD

# cuOpt Developer Skill

<!--
SPDX-FileCopyrightText: Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
SPDX-License-Identifier: Apache-2.0
-->

Contribute to the NVIDIA cuOpt codebase. This skill is for modifying cuOpt itself, not for using it.

**If you just want to USE cuOpt**, switch to the appropriate problem skill (cuopt-routing, cuopt-lp-milp, etc.)
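Review bot: the SPDX header is inserted after the `# cuOpt Developer Skill` title rather than at the head of the file, where the other new file in this PR (`request-nvskills-ci.yml`) places it; if the YAML front matter (`description:` on the hunk's first context line) is what keeps it off line 1, put the comment immediately after the front matter's closing `---` so license scanners that only read the top of the file still find it. As an HTML comment it is dropped from the rendered skill text, which is fine, but worth a short note so nobody later "fixes" it into visible prose.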