-
Notifications
You must be signed in to change notification settings - Fork 288
290 lines (267 loc) · 12 KB
/
restricted-paths-guard.yml
File metadata and controls
290 lines (267 loc) · 12 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
name: "CI: Restricted Paths Guard"
on:
# Run on drafts too so maintainers get early awareness on WIP PRs.
# Label updates on fork PRs require pull_request_target permissions.
pull_request_target:
types:
- opened
- synchronize
- reopened
- ready_for_review
jobs:
restricted-paths-guard:
name: Apply review label if needed
if: github.repository_owner == 'NVIDIA'
runs-on: ubuntu-latest
permissions:
contents: write # needed for collaborator permission check
pull-requests: write
steps:
- name: Inspect PR author signals for restricted paths
env:
# PR metadata inputs (the event payload's author_association can be
# stale for fork PRs, so restricted-path PRs query the live PR API).
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_URL: ${{ github.event.pull_request.html_url }}
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
# Workflow policy inputs
REVIEW_LABEL: Needs-Restricted-Paths-Review
# API request context/auth
GH_TOKEN: ${{ github.token }}
REPO: ${{ github.repository }}
run: |
set -euo pipefail
COLLABORATOR_PERMISSION="not checked"
COLLABORATOR_PERMISSION_API_ERROR=""
AUTHOR_ASSOCIATION="not checked"
AUTHOR_ASSOCIATION_API_ERROR=""
if ! MATCHING_RESTRICTED_PATHS=$(
gh api \
--paginate \
--jq '
.[]
| select(
(.filename | startswith("cuda_bindings/"))
or ((.previous_filename // "") | startswith("cuda_bindings/"))
or (.filename | startswith("cuda_python/"))
or ((.previous_filename // "") | startswith("cuda_python/"))
)
| if (.previous_filename // "") != "" then
"\(.previous_filename) -> \(.filename)"
else
.filename
end
' \
"repos/$REPO/pulls/$PR_NUMBER/files"
); then
echo "::error::Failed to inspect the PR file list."
{
echo "## Restricted Paths Guard Failed"
echo ""
echo "- **Error**: Failed to inspect the PR file list."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
# Fetch live PR labels to avoid stale event payload (race condition
# when labels are changed shortly before the workflow runs).
if ! LIVE_LABELS=$(
gh pr view "${PR_NUMBER}" --repo "${REPO}" \
--json labels \
--jq '[.labels[].name]'
); then
echo "::error::Failed to inspect the current PR labels."
{
echo "## Restricted Paths Guard Failed"
echo ""
echo "- **Error**: Failed to inspect the current PR labels."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
TOUCHES_RESTRICTED_PATHS=false
if [ -n "$MATCHING_RESTRICTED_PATHS" ]; then
TOUCHES_RESTRICTED_PATHS=true
fi
write_matching_restricted_paths() {
echo "- **Matched restricted paths**:"
echo '```text'
printf '%s\n' "$MATCHING_RESTRICTED_PATHS"
echo '```'
}
write_collaborator_permission_api_error() {
echo "- **Collaborator permission API error**:"
echo '```text'
printf '%s\n' "$COLLABORATOR_PERMISSION_API_ERROR"
echo '```'
}
write_author_association_api_error() {
echo "- **Author association API error**:"
echo '```text'
printf '%s\n' "$AUTHOR_ASSOCIATION_API_ERROR"
echo '```'
}
post_review_label_comment() {
local comment_body
printf -v comment_body '%s\n\n%s\n' \
"\`$REVIEW_LABEL\` was assigned by \`CI: Restricted Paths Guard\`." \
"For details, open [this workflow run]($RUN_URL) and click **Summary**."
if gh api "repos/$REPO/issues/$PR_NUMBER/comments" \
-f body="$comment_body" >/dev/null; then
COMMENT_ACTION="posted"
else
COMMENT_ACTION="failed (non-fatal)"
echo "::warning::Failed to post PR comment about newly added $REVIEW_LABEL."
fi
}
HAS_TRUSTED_SIGNAL=false
LABEL_ACTION="not needed (no restricted paths)"
TRUSTED_SIGNALS="(none)"
COMMENT_ACTION="not needed"
if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
if AUTHOR_ASSOCIATION_RESPONSE=$(
gh api "repos/$REPO/pulls/$PR_NUMBER" \
--jq '.author_association // "NONE"' 2>&1
); then
AUTHOR_ASSOCIATION="$AUTHOR_ASSOCIATION_RESPONSE"
else
AUTHOR_ASSOCIATION="unknown"
AUTHOR_ASSOCIATION_API_ERROR="$AUTHOR_ASSOCIATION_RESPONSE"
echo "::error::Failed to inspect live author association for PR #$PR_NUMBER."
{
echo "## Restricted Paths Guard Failed"
echo ""
echo "- **Error**: Failed to inspect live author association."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo ""
write_matching_restricted_paths
echo ""
write_author_association_api_error
echo ""
echo "Please retry this workflow. If the failure persists, inspect the author association API error above."
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
case "$AUTHOR_ASSOCIATION" in
MEMBER|OWNER)
HAS_TRUSTED_SIGNAL=true
LABEL_ACTION="not needed (live author association is a trusted signal)"
TRUSTED_SIGNALS="author_association:$AUTHOR_ASSOCIATION"
;;
*)
# COLLABORATOR can still be too broad for this policy; use the
# collaborator permission API below for repo-level trust.
;;
esac
# Distinguish a legitimate 404 "not a collaborator" response from
# actual API failures. The former is an expected untrusted case;
# the latter fails the workflow so it can be rerun later.
if [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then
if COLLABORATOR_PERMISSION_RESPONSE=$(
gh api "repos/$REPO/collaborators/$PR_AUTHOR/permission" \
--jq '.permission' 2>&1
); then
COLLABORATOR_PERMISSION="$COLLABORATOR_PERMISSION_RESPONSE"
elif [[ "$COLLABORATOR_PERMISSION_RESPONSE" == *"(HTTP 404)"* ]]; then
COLLABORATOR_PERMISSION="none"
else
COLLABORATOR_PERMISSION="unknown"
COLLABORATOR_PERMISSION_API_ERROR="$COLLABORATOR_PERMISSION_RESPONSE"
echo "::error::Failed to inspect collaborator permission for $PR_AUTHOR."
{
echo "## Restricted Paths Guard Failed"
echo ""
echo "- **Error**: Failed to inspect collaborator permission."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
echo ""
write_matching_restricted_paths
echo ""
write_collaborator_permission_api_error
echo ""
echo "Please retry this workflow. If the failure persists, inspect the collaborator permission API error above."
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
case "$COLLABORATOR_PERMISSION" in
admin|maintain|write|triage)
HAS_TRUSTED_SIGNAL=true
LABEL_ACTION="not needed (collaborator permission is a trusted signal)"
TRUSTED_SIGNALS="collaborator_permission:$COLLABORATOR_PERMISSION"
;;
*)
# read or none: not a trusted signal. In a public repo, read
# can be the effective permission for any GitHub user.
;;
esac
fi
fi
NEEDS_REVIEW_LABEL=false
if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ] && [ "$HAS_TRUSTED_SIGNAL" = "false" ]; then
NEEDS_REVIEW_LABEL=true
fi
LABEL_ALREADY_PRESENT=false
if jq -e --arg label "$REVIEW_LABEL" '.[] == $label' <<<"$LIVE_LABELS" >/dev/null; then
LABEL_ALREADY_PRESENT=true
fi
if [ "$NEEDS_REVIEW_LABEL" = "true" ]; then
if [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
LABEL_ACTION="already present"
elif ! gh pr edit "$PR_NUMBER" --repo "$REPO" --add-label "$REVIEW_LABEL"; then
echo "::error::Failed to add the $REVIEW_LABEL label."
{
echo "## Restricted Paths Guard Failed"
echo ""
echo "- **Error**: Failed to add the \`$REVIEW_LABEL\` label."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
echo ""
write_matching_restricted_paths
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
else
LABEL_ACTION="added"
post_review_label_comment
fi
elif [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
LABEL_ACTION="left in place (manual removal required)"
fi
{
echo "## Restricted Paths Guard Completed"
echo ""
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Collaborator permission**: $COLLABORATOR_PERMISSION"
echo "- **Touches restricted paths**: $TOUCHES_RESTRICTED_PATHS"
echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
echo "- **Trusted signals**: $TRUSTED_SIGNALS"
echo "- **Label action**: $LABEL_ACTION"
echo "- **Comment action**: $COMMENT_ACTION"
if [ "$TOUCHES_RESTRICTED_PATHS" = "true" ]; then
echo ""
write_matching_restricted_paths
fi
if [ "$NEEDS_REVIEW_LABEL" = "true" ]; then
echo ""
echo "- **Manual follow-up**: No trusted signal was found, so \`$REVIEW_LABEL\` is required."
elif [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
echo ""
echo "- **Manual follow-up**: Existing \`$REVIEW_LABEL\` was left in place intentionally because this workflow does not inspect every commit. Remove it manually after reviewing the PR for restricted-paths policy compliance."
fi
} >> "$GITHUB_STEP_SUMMARY"