
ci: enable copy-pr-bot and add helm chart validation #281

Open

saturley-hall wants to merge 3 commits into main from harrison/enable-external-contributor-flow

Conversation

@saturley-hall saturley-hall commented May 14, 2026

Resolves OPS-6320.

Summary

  • Enable the org-level copy-pr-bot GitHub App by adding .github/copy-pr-bot.yaml. The bot mirrors signed PR commits (fork or internal) onto a canonical pull-request/<id> branch in this repo.
  • Switch ci.yml, codeql.yml, copyright-checks.yml, and trigger_ci.yml from pull_request: triggers to push: on pull-request/* so all PR CI runs against the trusted mirror branch. lint-pr-title.yml stays on pull_request: because it needs PR-title metadata.
  • Add a new helm-chart job to ci.yml that lints the chart with every values file variant, renders templates via helm template, packages the chart, and uploads Chart.yaml, rendered manifests, the .tgz, and a deduplicated images.txt as a helm-chart-dependencies artifact for future SBOM/CVE compliance work to consume.

Test plan

  • Confirm copy-pr-bot mirrors this PR to pull-request/<N> and posts the mirror branch name.
  • Confirm ci, codeql, copyright-checks, and trigger_ci workflows trigger on the push to pull-request/<N> and pass.
  • Confirm lint-pr-title still runs on the original pull_request event.
  • Inspect the helm-chart-dependencies artifact: contains Chart.yaml, rendered/*.rendered.yaml for all 5 values files, package/modelexpress-0.3.0.tgz, and images.txt listing nvcr.io/nvidia/ai-dynamo/modelexpress-server:0.3.0, modelexpress:test, ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.35.

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enabled copy PR bot functionality
    • Updated CI workflow triggers for main, release/, and pull-request/ branches
    • Added Helm chart linting and packaging automation
    • Updated CodeQL and copyright checks workflow configurations
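The helm-chart job's final step, the images.txt extraction, is the part of the procedure above where the edge cases matter, and it is the only output of that job intended for downstream SBOM/CVE tooling. The following is an added example, not the PR's workflow step and not the repository's own code: a POSIX shell fragment of the kind a `run:` step would carry. `validate_chart` mirrors the dependency-build/lint/template loop over values files (hypothetical paths; it is defined but not invoked because it needs helm on PATH), `extract_images` handles single and double quoting, list-item `- image:` keys, trailing comments and look-alike keys such as `imagePullPolicy`, and `unpinned_images` reports references that are not pinned to a digest, which is the check a consumer of images.txt would want before scanning. The manifests it runs on are constructed samples under the reserved `example.invalid` name; the digest is a placeholder.

```shell
# Added example: not the PR's workflow step nor the repository's code.
# Assumes rendered manifests are named *.rendered.yaml; helm is needed only
# by validate_chart, which is defined but not called below.

# Lint and render a chart once per values file (hypothetical paths).
# Mirrors the job's dependency-build/lint/template loop; any helm failure aborts.
validate_chart() {
  chart="$1"; outdir="$2"; shift 2
  mkdir -p "$outdir"
  helm dependency build "$chart" || return 1
  for vf in "$@"; do
    name=$(basename "$vf" .yaml)
    helm lint "$chart" -f "$vf" || return 1
    helm template release "$chart" -f "$vf" > "$outdir/$name.rendered.yaml" || return 1
  done
}

# Extract image references from rendered manifests. Matches
#   image: foo   - image: foo   image: "foo"   image: 'foo'   image: foo  # note
# and does not match keys that merely start with "image" (imagePullPolicy).
extract_images() {
  pat="^[[:space:]]*(-[[:space:]]+)?image:[[:space:]]*[\"']?([^\"'#[:space:]]+)[\"']?[[:space:]]*(#.*)?\$"
  sed -nE "s/$pat/\\2/p" "$@" | sort -u
}

# Report images that are not pinned to a sha256 digest. A tag can be
# re-pushed, so a CVE scan of "name:tag" is not reproducible later.
unpinned_images() {
  extract_images "$@" | grep -v '@sha256:[0-9a-f]\{64\}$' || true
}

# Constructed sample manifests (not real chart output).
SAMPLE_DIR=$(mktemp -d)
DIGEST=$(printf '%064d' 0)   # placeholder digest, not a real image
cat > "$SAMPLE_DIR/default.rendered.yaml" <<EOF
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - image: "busybox:1.36"
          name: init
      containers:
        - name: server
          image: example.invalid/team/server:1.2.3
          imagePullPolicy: IfNotPresent
        - name: probe
          image: 'example.invalid/grpc-health-probe@sha256:$DIGEST' # pinned
EOF
cat > "$SAMPLE_DIR/test.rendered.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
    - name: server
      image: example.invalid/team/server:1.2.3
EOF

extract_images "$SAMPLE_DIR"/*.rendered.yaml > "$SAMPLE_DIR/images.txt"
echo "images:" && cat "$SAMPLE_DIR/images.txt"
echo "unpinned:" && unpinned_images "$SAMPLE_DIR"/*.rendered.yaml
```

The same image appearing in two values-file renders collapses to one line, as in the job's `sort -u`; the unpinned report is the piece worth adding to the artifact, since a tag such as `modelexpress:test` from the test plan identifies a moving target rather than a specific layer set.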


saturley-hall and others added 2 commits May 14, 2026 14:21
Add .github/copy-pr-bot.yaml so the org-level copy-pr-bot App mirrors
signed PR commits to canonical pull-request/<id> branches. Switch
ci, codeql, copyright-checks, and trigger_ci workflows from
pull_request: to push: pull-request/* so all PR CI (fork or internal)
runs in trusted context against the mirror branch. lint-pr-title is
left on pull_request: since it needs PR title metadata.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add a helm-chart job that runs helm dependency build, helm lint
against every values variant, helm template to catch rendering
errors, and helm package. Upload Chart.yaml, rendered manifests,
the packaged tarball, and a deduplicated images.txt as a
helm-chart-dependencies artifact for future SBOM/CVE compliance
work to consume.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

coderabbitai Bot commented May 14, 2026

Walkthrough

This PR updates GitHub Actions workflow configurations to consolidate branch trigger patterns across multiple workflows, adds a new Helm chart validation job to the CI pipeline, and enables the copy PR bot configuration.

Changes

GitHub Actions Workflow Infrastructure

Layer / File(s) / Summary

Branch Trigger Consolidation Across Workflows
Files: .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/copyright-checks.yml, .github/workflows/trigger_ci.yml
Summary: Workflow on: sections are updated to standardize branch patterns: push events trigger on main, release/*, and pull-request/* branches, replacing prior pull_request triggers and removing the develop pattern reference.

Helm Chart Validation Job
Files: .github/workflows/ci.yml
Summary: A new helm-chart job is added that installs Helm v3.14.4, builds dependencies, lints charts against default and custom values files, renders templates into helm-artifacts/rendered/, packages the chart into helm-artifacts/package/, extracts unique container image references into helm-artifacts/images.txt, and uploads the artifacts directory.

Copy PR Bot Configuration
Files: .github/copy-pr-bot.yaml
Summary: The copy PR bot configuration explicitly enables the bot by setting enabled: true.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit bounces through workflows with glee,
Branch patterns aligned, now pull-request they see,
Helm charts validated in pipelines so grand,
The bot copy-PR works across the land!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the two main changes: enabling copy-pr-bot and adding helm chart validation, matching the PR's primary objectives.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)

19-20: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix the concurrency configuration for push-based PR workflow.

The concurrency block checks github.event_name == 'pull_request', but this workflow no longer triggers on pull_request events. The condition will always be false for push events to pull-request/* branches, which means:

  • Each run gets a unique concurrency group (based on run_id)
  • Previous runs won't be auto-cancelled
  • The intended cancellation logic for PRs is broken

For push events to pull-request/* branches, extract the PR number from the branch name.

🔧 Proposed fix
 concurrency:
-  group: ${{ github.event_name == 'pull_request' && format('{0}-{1}', github.workflow, github.event.pull_request.number) || format('{0}-{1}', github.workflow, github.run_id) }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: ${{ startsWith(github.ref, 'refs/heads/pull-request/') && format('{0}-pr-{1}', github.workflow, github.ref) || format('{0}-{1}', github.workflow, github.run_id) }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/heads/pull-request/') }}
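Review bot: the new `group:` line keys on the full `github.ref`, so the group name becomes `<workflow>-pr-refs/heads/pull-request/<N>`; `github.ref_name` yields `pull-request/<N>` and reads better in the Actions UI, and either is a stable per-PR key because the bot rewrites the same canonical mirror branch on each signed push. The `cancel-in-progress` line drops the old `github.event_name == 'pull_request'` branch entirely; that is correct for ci.yml, which no longer declares that trigger, but if this block is copied into lint-pr-title.yml, which stays on `pull_request:`, keep both conditions joined with `||`, otherwise that workflow loses cancellation. Worth stating next to this change, since it is what the concurrency key now encodes: runs on `pull-request/*` are push events, so they receive the repository's secrets and the default `GITHUB_TOKEN` permissions; the copy-pr-bot signature requirement is what stands between a fork and that context.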

This groups runs by the full pull-request/* branch ref and enables cancellation for those branches.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 19 - 20, The concurrency group is
using github.event_name == 'pull_request' which is always false for
push-triggered runs on pull-request/* branches, so change the concurrency.group
expression to handle both PR events and push-to-pull-request branches: detect
either github.event_name == 'pull_request' or startsWith(github.ref,
'refs/heads/pull-request/'), and when it's a push to pull-request/* use the
branch ref (e.g., github.ref) or extract the PR number from github.ref (split on
'/' and take the last segment) to form a stable group key; keep
cancel-in-progress true for the same condition so previous runs on the same
pull-request branch are cancelled.
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

251-253: 💤 Low value

Image extraction pattern may miss non-standard YAML formatting.

The grep/sed pipeline assumes a simple image: <value> format. It may not capture images defined using YAML anchors, multiline strings, or complex quoting. Since this builds an informational artifact rather than critical functionality, the risk is low.

Consider using a YAML-aware tool like yq for more robust extraction:

Alternative approach using yq
-        grep -hE '^\s*image:\s*' helm-artifacts/rendered/*.rendered.yaml \
-          | sed -E 's/^[[:space:]]*image:[[:space:]]*"?([^"]+)"?[[:space:]]*$/\1/' \
-          | sort -u > helm-artifacts/images.txt
+        yq eval '.. | select(has("image")) | .image' helm-artifacts/rendered/*.rendered.yaml \
+          | sort -u > helm-artifacts/images.txt
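Review bot: `select(has("image"))` on the `..` recursive-descent stream is applied to every node, including sequences and scalars, so guard it rather than rely on how `has` treats non-map nodes: `yq '.. | select(tag == "!!map" and has("image")) | .image'`, or target pod specs directly with `.. | .containers?, .initContainers? | .[]? | .image`. The `eval` form is mikefarah yq v4 syntax, which is the `yq` shipped on GitHub-hosted Ubuntu runners; if the job ever moves to a self-hosted image, confirm it is not the Python jq-wrapper of the same name, whose expressions differ. Independently of the extraction tool, a tag such as `modelexpress:test` from the test plan is mutable, so before SBOM/CVE work consumes images.txt each entry should be resolved to a digest (for example with `crane digest` or `skopeo inspect`) and recorded alongside the tag.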
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 251 - 253, The current grep/sed
pipeline that pulls "image:" values from helm-artifacts/rendered/*.rendered.yaml
is fragile and can miss images defined via YAML anchors, multiline strings, or
complex quoting; replace that pipeline with a YAML-aware extraction using yq:
parse all rendered YAML documents under helm-artifacts/rendered/*.rendered.yaml,
recursively select all image keys (including within nested objects and arrays),
collapse/flatten the results, deduplicate (sort -u) and write the output to
helm-artifacts/images.txt so anchors, multiline values and varied quoting are
handled correctly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/copy-pr-bot.yaml:
- Line 1: Add explicit optional config fields to make sync behavior clear: keep
enabled: true and add auto_sync_draft: false and auto_sync_ready: true (or your
chosen explicit values) so the intent is not left to defaults; update the
.github/copy-pr-bot.yaml YAML to include these keys alongside enabled and leave
signature verification out since the app handles it.


📥 Commits

Reviewing files that changed from the base of the PR and between 8820619 and 7c53306.

📒 Files selected for processing (5)
  • .github/copy-pr-bot.yaml
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/copyright-checks.yml
  • .github/workflows/trigger_ci.yml

@saturley-hall saturley-hall requested a review from ganeshku1 May 14, 2026 23:53
@zhengluo-nv

Is this ready for review?

Signed-off-by: Harrison Saturley-Hall <hsaturleyhal@nvidia.com>