You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CI.md
+7-4Lines changed: 7 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,9 @@ For local test commands see [TESTING.md](TESTING.md). For PR conventions see [CO
6
6
7
7
## Overview
8
8
9
-
E2E tests run on self-hosted runners (`build-arm64`, GPU runners). To keep untrusted PR code off those runners we use NVIDIA's copy-pr-bot, which mirrors trusted PR commits to internal `pull-request/<N>` branches in this repository. The gated workflows trigger on pushes to those branches, not on the original PR.
9
+
PR CI that runs on NVIDIA self-hosted runners uses NVIDIA's copy-pr-bot. The bot mirrors trusted PR commits to internal `pull-request/<N>` branches in this repository. The gated workflows trigger on pushes to those branches, not on the original PR.
10
+
11
+
`Branch Checks` run automatically after copy-pr-bot mirrors the PR. E2E suites are opt-in because they are more expensive and publish temporary images.
10
12
11
13
Two opt-in labels enable the suites:
12
14
@@ -63,11 +65,11 @@ Prerequisites:
63
65
Flow:
64
66
65
67
1. Open the PR. copy-pr-bot mirrors it to `pull-request/<N>` automatically.
66
-
2. The first push of `pull-request/<N>`runs `Branch E2E Checks`, but it skips the build/E2E jobs because no label is set yet. The PR's `E2E Gate` check passes as a no-op (no label, no requirement).
67
-
3. A maintainer applies `test:e2e` and/or `test:e2e-gpu`. `E2E Label Help` posts a comment with a link to the existing `Branch E2E Checks` run.
68
+
2. The mirror push runs `Branch Checks` automatically. The first `Branch E2E Checks` / `GPU Test` run only resolves metadata and skips expensive jobs unless the matching label is already set.
69
+
3. A maintainer applies `test:e2e` and/or `test:e2e-gpu`. `E2E Label Help` posts a comment with a link to the existing gated workflow run.
68
70
4. The maintainer opens that link and clicks **Re-run all jobs**. This time `pr_metadata` sees the label and the build/E2E jobs run.
69
71
5. When the run finishes, the `E2E Gate` check on the PR flips to green automatically.
70
-
6. New commits push to the mirror automatically and re-trigger `Branch E2E Checks`. Because the label is still set, those runs execute the build/E2E jobs without manual re-run.
72
+
6. New commits push to the mirror automatically and re-trigger `Branch Checks` plus any labeled E2E/GPU workflows.
71
73
72
74
### Forked PR
73
75
@@ -102,6 +104,7 @@ The bot's full administrator documentation is internal to NVIDIA. The only comma
102
104
103
105
| File | Role |
104
106
|---|---|
107
+
|`.github/workflows/branch-checks.yml`| Required non-E2E PR checks. Triggers on `push: pull-request/[0-9]+`. |
105
108
|`.github/workflows/branch-e2e.yml`| Non-GPU E2E. Triggers on `push: pull-request/[0-9]+`. |
106
109
|`.github/workflows/test-gpu.yml`| GPU E2E. Triggers on `push: pull-request/[0-9]+`. |
107
110
|`.github/actions/pr-gate/action.yml`| Composite action that resolves PR metadata and verifies the required label is set. |
Copy file name to clipboardExpand all lines: architecture/ci-e2e.md
+11-7Lines changed: 11 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ This document describes the architecture of the E2E CI flow: every workflow invo
6
6
7
7
Three independent goals shape the design:
8
8
9
-
1.**Self-hosted runner safety.**E2E runs on `build-arm64` and on GPU runners. GitHub's [security hardening guide](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners) states bluntly: "Self-hosted runners should almost never be used for public repositories on GitHub, because any user can open pull requests against the repository and compromise the environment." Our workaround is the same one used elsewhere in NVIDIA's GHA infrastructure: copy-pr-bot mirrors trusted PRs into `pull-request/<N>` branches inside this repository, and the self-hosted workflows trigger on `push` to those mirror branches rather than on `pull_request`.
9
+
1.**Self-hosted runner safety.**Required PR checks, E2E, and GPU tests run on NVIDIA self-hosted runners. GitHub's [security hardening guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners) states bluntly: "Self-hosted runners should almost never be used for public repositories on GitHub, because any user can open pull requests against the repository and compromise the environment." Our workaround is the same one used elsewhere in NVIDIA's GHA infrastructure: copy-pr-bot mirrors trusted PRs into `pull-request/<N>` branches inside this repository, and the self-hosted workflows trigger on `push` to those mirror branches rather than on `pull_request`.
10
10
2.**Label as a hard merge gate.** When a PR carries `test:e2e` (or `test:e2e-gpu`), the corresponding suite *must* have actually executed and passed for the PR head SHA. The label has to be enforcing, not advisory: it blocks merge unless the suite ran with the label set.
11
11
3.**Per-job least privilege on the GitHub token.** Each workflow declares `permissions: {}` at the top, and each job declares only what it needs. This follows the hardening pattern described at <https://astral.sh/blog/open-source-security-at-astral>.
12
12
@@ -17,20 +17,21 @@ These three goals do not compose cleanly: the safety goal forces `push: pull-req
17
17
| File | Trigger | Role |
18
18
|---|---|---|
19
19
|`.github/copy-pr-bot.yaml`| (config) | Tells copy-pr-bot to mirror trusted PRs into `pull-request/<N>` branches. Pre-existed. |
20
-
|`.github/workflows/branch-e2e.yml`|`push: pull-request/[0-9]+` + `workflow_dispatch`| Runs non-GPU E2E on `build-arm64`. |
20
+
|`.github/workflows/branch-checks.yml`|`push: pull-request/[0-9]+` + `workflow_dispatch`| Runs required branch checks on `linux-amd64-cpu8` and `linux-arm64-cpu8`. |
21
+
|`.github/workflows/branch-e2e.yml`|`push: pull-request/[0-9]+` + `workflow_dispatch`| Runs non-GPU E2E on `linux-arm64-cpu8`. |
|`.github/actions/pr-gate/action.yml`| (composite) | Resolves PR metadata for a `pull-request/<N>` push and decides whether the run should proceed. Label enforcement is optional, so non-required shadows can validate mirror metadata without introducing another PR label. |
24
25
|`.github/workflows/e2e-gate.yml`|`pull_request` + `workflow_run`| Posts the required `E2E Gate` check on the PR. Re-evaluates after the gated workflow completes. |
25
26
|`.github/workflows/e2e-gate-check.yml`|`workflow_call`| Reusable gate logic shared by E2E and GPU E2E. |
26
27
|`.github/workflows/e2e-label-help.yml`|`pull_request_target: [labeled]`| Posts a PR comment when a `test:e2e*` label is applied, telling the maintainer the next manual step (re-run an existing run, or `/ok to test <SHA>` to refresh the mirror). Does *not* dispatch the workflow itself - see "Why we don't auto-dispatch" below. |
27
28
|`.github/workflows/e2e-test.yml`, `e2e-gpu-test.yaml`, `docker-build.yml`|`workflow_call`| Reusable worker workflows. Unchanged by this design - called from the gated workflows and from release workflows. |
28
29
29
-
## OS-49 shadow runner coverage
30
+
## OS-49 runner migration
30
31
31
-
OS-49 Phase 5 adds non-required shadow workflows for the non-release workflows being prepared for shared-runner cutover. They all use `workflow_dispatch` for manual bake runs and `push: pull-request/[0-9]+` for copy-pr-bot mirrored PRs.
32
+
OS-49 Phase 5 added non-required shadow workflows for the non-release workflows being prepared for shared-runner cutover. Phase 6 promotes the validated shared-runner path into the real non-release workflows.
32
33
33
-
`shadow-branch-checks.yml`and `shadow-ci-image.yml` use `pr-gate` without a required label. That still verifies the mirror SHA matches the source PR head SHA, but does not require a new GitHub label for every ordinary CI shadow run. `shadow-branch-e2e.yml` keeps the existing `test:e2e` gate because it publishes temporary images and runs the expensive E2E suite. It shadows the top-level `branch-e2e.yml`workflow, which already exercises the reusable `e2e-test.yml` worker path, so Phase 5 does not keep a second direct `e2e-test.yml` shadow workflow.
34
+
`branch-checks.yml`uses `pr-gate` without a required label. That still verifies the mirror SHA matches the source PR head SHA, but does not require a new GitHub label for ordinary required checks. `branch-e2e.yml` keeps the existing `test:e2e` gate because it publishes temporary images and runs the expensive E2E suite. `ci-image.yml`now builds amd64 and arm64 CI images natively on shared CPU runners and merges the multi-arch manifest after both per-arch images are pushed.
34
35
35
36
## Trigger taxonomy
36
37
@@ -147,10 +148,13 @@ Labels persist as PR metadata and survive re-runs and force-pushes. Comment-base
147
148
148
149
## Permission posture
149
150
150
-
Every workflow declares `permissions: {}` at the top. Per-job grants are the minimum needed:
151
+
The gated E2E workflows declare `permissions: {}` at the top. Branch checks and CI image publishing use the minimum workflow/job grants needed for checkout, package pulls, and package pushes.
0 commit comments