From 5cda75fe46e5578f5726073418627d7e96ebdfde Mon Sep 17 00:00:00 2001
From: "Ralf W. Grosse-Kunstleve"
Date: Sun, 31 May 2026 11:27:20 -0700
Subject: [PATCH 1/5] CI: clarify restricted paths review comment Explain why external contributors cannot modify cuda_bindings and how to split out changes that are eligible for review.
---
 .github/workflows/restricted-paths-guard.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/restricted-paths-guard.yml b/.github/workflows/restricted-paths-guard.yml
index 468a404e70..696b47bae7 100644
--- a/.github/workflows/restricted-paths-guard.yml
+++ b/.github/workflows/restricted-paths-guard.yml
@@ -127,9 +127,12 @@ jobs:
 post_review_label_comment() {
 local comment_body
- printf -v comment_body '%s\n\n%s\n' \
+ printf -v comment_body '%s\n\n%s\n\n%s\n\n%s\n\n%s\n' \
 "\`$REVIEW_LABEL\` was assigned by \`CI: Restricted Paths Guard\`." \
- "For details, open [this workflow run]($RUN_URL) and click **Summary**."
+ "For details, open [this workflow run]($RUN_URL) and click **Summary**." \
+ "For external contributors: thank you for your interest in improving CUDA Python. The \`cuda_bindings/\` package is distributed under the [NVIDIA Software License](https://github.com/NVIDIA/cuda-python/blob/main/cuda_bindings/LICENSE), which does not allow us to accept external contributions to files under \`cuda_bindings/\` in this repository." \
+ "Please close this PR. If your changes also include updates outside \`cuda_bindings/\`, please open a new PR containing only those changes so we can review them separately under the applicable license." \
+ "If you are an NVIDIA employee and believe this label was applied in error, no action is needed; a maintainer will review and remove the label if appropriate."
 if gh api "repos/$REPO/issues/$PR_NUMBER/comments" \
 -f body="$comment_body" >/dev/null; then
From 7316b311713065f444133aa2d076b340ad6f1a44 Mon Sep 17 00:00:00 2001
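Review bot: The three new paragraphs hard-code `cuda_bindings/` and the license URL, while the label name and run URL on the neighbouring lines come from `$REVIEW_LABEL` and `$RUN_URL`; if the guard's restricted path set is ever widened beyond `cuda_bindings/` (I cannot see how that set is defined from this hunk), the comment posted to contributors will name the wrong path. Consider sourcing the path and the license link from the workflow `env:` block next to `REVIEW_LABEL` so the notice and the detection rule cannot drift apart. Since the string is posted verbatim as the comment body, a short comment above the `printf` such as `# Markdown body of the PR comment; keep paths/links in sync with the restricted path rules.` would also help the next editor. The body of post_review_label_comment continues past the end of the hunk.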
From: "Ralf W. Grosse-Kunstleve"
Date: Sun, 31 May 2026 11:40:01 -0700
Subject: [PATCH 2/5] CI: add dry-run mode for restricted paths guard writes Keep production behavior unchanged while allowing temporary pull_request tests to exercise the review-label and comment paths without requiring write permissions.
---
 .github/workflows/restricted-paths-guard.yml | 28 +++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/restricted-paths-guard.yml b/.github/workflows/restricted-paths-guard.yml
index 696b47bae7..f628deb99a 100644
--- a/.github/workflows/restricted-paths-guard.yml
+++ b/.github/workflows/restricted-paths-guard.yml
@@ -33,6 +33,7 @@ jobs:
 # Workflow policy inputs
 REVIEW_LABEL: Needs-Restricted-Paths-Review
+ DRY_RUN_REVIEW_LABEL_WRITES: false
 # API request context/auth
 GH_TOKEN: ${{ github.token }}
@@ -125,14 +126,25 @@ jobs:
 echo '```'
 }
- post_review_label_comment() {
- local comment_body
- printf -v comment_body '%s\n\n%s\n\n%s\n\n%s\n\n%s\n' \
+ build_review_label_comment() {
+ printf '%s\n\n%s\n\n%s\n\n%s\n\n%s\n' \
 "\`$REVIEW_LABEL\` was assigned by \`CI: Restricted Paths Guard\`." \
 "For details, open [this workflow run]($RUN_URL) and click **Summary**." \
 "For external contributors: thank you for your interest in improving CUDA Python. The \`cuda_bindings/\` package is distributed under the [NVIDIA Software License](https://github.com/NVIDIA/cuda-python/blob/main/cuda_bindings/LICENSE), which does not allow us to accept external contributions to files under \`cuda_bindings/\` in this repository." \
 "Please close this PR. If your changes also include updates outside \`cuda_bindings/\`, please open a new PR containing only those changes so we can review them separately under the applicable license." \
 "If you are an NVIDIA employee and believe this label was applied in error, no action is needed; a maintainer will review and remove the label if appropriate."
+ }
+
+ write_review_label_comment_dry_run() {
+ echo "- **Dry-run comment body**:"
+ echo '```markdown'
+ build_review_label_comment
+ echo '```'
+ }
+
+ post_review_label_comment() {
+ local comment_body
+ comment_body=$(build_review_label_comment)
 if gh api "repos/$REPO/issues/$PR_NUMBER/comments" \
 -f body="$comment_body" >/dev/null; then
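Review bot: `build_review_label_comment` and `write_review_label_comment_dry_run` are introduced without a header comment, and the split into a stdout-producing builder with two consumers (the API post and the step summary) is not obvious from the names alone. I would add `# Prints the Markdown body of the review-label comment to stdout.` above `build_review_label_comment()` and `# Dry-run helper: echoes the comment body into the step summary instead of posting it.` above `write_review_label_comment_dry_run()`. Note also that `comment_body=$(build_review_label_comment)` strips the trailing newline that `printf -v` used to keep; harmless for a GitHub comment, but it is a small behavior change worth a one-line comment. The `if gh api` branch that consumes `$comment_body` continues outside the hunk.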
@@ -245,6 +257,16 @@ jobs:
 if [ "$NEEDS_REVIEW_LABEL" = "true" ]; then
 if [ "$LABEL_ALREADY_PRESENT" = "true" ]; then
 LABEL_ACTION="already present"
+ elif [ "$DRY_RUN_REVIEW_LABEL_WRITES" = "true" ]; then
+ LABEL_ACTION="would add (dry run)"
+ COMMENT_ACTION="would post (dry run)"
+ {
+ echo "## Restricted Paths Guard Dry Run"
+ echo ""
+ echo "- **Would add label**: \`$REVIEW_LABEL\`"
+ echo ""
+ write_review_label_comment_dry_run
+ } >> "$GITHUB_STEP_SUMMARY"
 elif ! gh pr edit "$PR_NUMBER" --repo "$REPO" --add-label "$REVIEW_LABEL"; then
 echo "::error::Failed to add the $REVIEW_LABEL label."
 {
From 21e902177c61dafbb5da73513f0a441a08ae91da Mon Sep 17 00:00:00 2001
From: "Ralf W. Grosse-Kunstleve"
Date: Sun, 31 May 2026 11:53:09 -0700
Subject: [PATCH 3/5] CI: document restricted paths guard dry-run recipe Give future agents a precise temporary testing recipe that avoids depending on the tester's GitHub identity or write permissions.
---
 .github/workflows/restricted-paths-guard.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/restricted-paths-guard.yml b/.github/workflows/restricted-paths-guard.yml
index f628deb99a..e559c89136 100644
--- a/.github/workflows/restricted-paths-guard.yml
+++ b/.github/workflows/restricted-paths-guard.yml
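Review bot: When `DRY_RUN_REVIEW_LABEL_WRITES` is true the new `elif` branch records the would-be actions only in the step summary, so a dry-run flag accidentally left at `true` (it is a plain env value introduced in the earlier `@@ -33,6 +33,7 @@` hunk, and the testing recipe relies on a manual revert) would silently disable labeling while the job still reports success. I would make that state visible in the job annotations, e.g. add `echo "::warning::DRY_RUN_REVIEW_LABEL_WRITES is true; the $REVIEW_LABEL label and comment were not written."` as the first line of the branch, so a merged dry-run flag is noticed on the next PR. Also, because the branch is ordered after the `LABEL_ALREADY_PRESENT` check, a dry run against a PR that already carries the label produces no summary at all; that may be intended but deserves a one-line comment. The enclosing `if [ "$NEEDS_REVIEW_LABEL" = "true" ]` block continues past the end of the hunk.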
@@ -33,6 +33,17 @@ jobs:
 # Workflow policy inputs
 REVIEW_LABEL: Needs-Restricted-Paths-Review
+ # Temporary testing recipe for agents:
+ # 1. Change pull_request_target to pull_request.
+ # 2. Set DRY_RUN_REVIEW_LABEL_WRITES to true.
+ # 3. Add a dummy comment or whitespace-only change in
+ # cuda_bindings/README.md to trigger restricted-path detection
+ # without affecting build/package behavior.
+ # 4. Replace both trusted case patterns below with DRY_RUN_NEVER_MATCH
+ # so the test does not depend on the tester's GitHub identity:
+ # MEMBER|OWNER and admin|maintain|write|triage.
+ # 5. Commit these changes as a temporary dry-run test commit and revert
+ # that commit before merge.
 DRY_RUN_REVIEW_LABEL_WRITES: false
 # API request context/auth
From 327707a2df02deb75edfa7708c691bb57ed16aa0 Mon Sep 17 00:00:00 2001
From: "Ralf W. Grosse-Kunstleve"
Date: Sun, 31 May 2026 12:02:57 -0700
Subject: [PATCH 4/5] TEMPORARY: Exercise restricted paths guard dry run Switch the guard to pull_request, force trusted checks to miss, and add a harmless cuda_bindings README trigger so the dry-run label/comment summary path can be tested.
---
 .github/workflows/restricted-paths-guard.yml | 8 ++++----
 cuda_bindings/README.md | 2 ++
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/restricted-paths-guard.yml b/.github/workflows/restricted-paths-guard.yml
index e559c89136..3721af5635 100644
--- a/.github/workflows/restricted-paths-guard.yml
+++ b/.github/workflows/restricted-paths-guard.yml
@@ -6,7 +6,7 @@ name: "CI: Restricted Paths Guard"
 on:
 # Run on drafts too so maintainers get early awareness on WIP PRs.
 # Label updates on fork PRs require pull_request_target permissions.
- pull_request_target:
+ pull_request:
 types:
 - opened
 - synchronize
@@ -44,7 +44,7 @@ jobs:
 # MEMBER|OWNER and admin|maintain|write|triage.
 # 5. Commit these changes as a temporary dry-run test commit and revert
 # that commit before merge.
- DRY_RUN_REVIEW_LABEL_WRITES: false
+ DRY_RUN_REVIEW_LABEL_WRITES: true
 # API request context/auth
 GH_TOKEN: ${{ github.token }}
@@ -198,7 +198,7 @@ jobs:
 fi
 case "$AUTHOR_ASSOCIATION" in
- MEMBER|OWNER)
+ DRY_RUN_NEVER_MATCH)
 HAS_TRUSTED_SIGNAL=true
 LABEL_ACTION="not needed (live author association is a trusted signal)"
 TRUSTED_SIGNALS="author_association:$AUTHOR_ASSOCIATION"
@@ -242,7 +242,7 @@ jobs:
 fi
 case "$COLLABORATOR_PERMISSION" in
- admin|maintain|write|triage)
+ DRY_RUN_NEVER_MATCH)
 HAS_TRUSTED_SIGNAL=true
 LABEL_ACTION="not needed (collaborator permission is a trusted signal)"
 TRUSTED_SIGNALS="collaborator_permission:$COLLABORATOR_PERMISSION"
diff --git a/cuda_bindings/README.md b/cuda_bindings/README.md
index cc6a8948db..1b5a69ca05 100644
--- a/cuda_bindings/README.md
+++ b/cuda_bindings/README.md
@@ -1,5 +1,7 @@
 # `cuda.bindings`: Low-level CUDA interfaces
+
+
 `cuda.bindings` is a standard set of low-level interfaces, providing full coverage of and access to the CUDA host APIs from Python. Checkout the [Overview page](https://nvidia.github.io/cuda-python/cuda-bindings/latest/overview.html) for the workflow and performance results.
 ## Installing
From 3121046f7b3050bccc306ab287f813bb7704ed64 Mon Sep 17 00:00:00 2001
From: "Ralf W. Grosse-Kunstleve"
Date: Sun, 31 May 2026 12:09:16 -0700
Subject: [PATCH 5/5] Revert "TEMPORARY: Exercise restricted paths guard dry run" This reverts commit 327707a2df02deb75edfa7708c691bb57ed16aa0.
---
 .github/workflows/restricted-paths-guard.yml | 8 ++++----
 cuda_bindings/README.md | 2 --
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/restricted-paths-guard.yml b/.github/workflows/restricted-paths-guard.yml
index 3721af5635..e559c89136 100644
--- a/.github/workflows/restricted-paths-guard.yml
+++ b/.github/workflows/restricted-paths-guard.yml
@@ -6,7 +6,7 @@ name: "CI: Restricted Paths Guard"
 on:
 # Run on drafts too so maintainers get early awareness on WIP PRs.
 # Label updates on fork PRs require pull_request_target permissions.
- pull_request:
+ pull_request_target:
 types:
 - opened
 - synchronize
@@ -44,7 +44,7 @@ jobs:
 # MEMBER|OWNER and admin|maintain|write|triage.
 # 5. Commit these changes as a temporary dry-run test commit and revert
 # that commit before merge.
- DRY_RUN_REVIEW_LABEL_WRITES: true
+ DRY_RUN_REVIEW_LABEL_WRITES: false
 # API request context/auth
 GH_TOKEN: ${{ github.token }}
@@ -198,7 +198,7 @@ jobs:
 fi
 case "$AUTHOR_ASSOCIATION" in
- DRY_RUN_NEVER_MATCH)
+ MEMBER|OWNER)
 HAS_TRUSTED_SIGNAL=true
 LABEL_ACTION="not needed (live author association is a trusted signal)"
 TRUSTED_SIGNALS="author_association:$AUTHOR_ASSOCIATION"
@@ -242,7 +242,7 @@ jobs:
 fi
 case "$COLLABORATOR_PERMISSION" in
- DRY_RUN_NEVER_MATCH)
+ admin|maintain|write|triage)
 HAS_TRUSTED_SIGNAL=true
 LABEL_ACTION="not needed (collaborator permission is a trusted signal)"
 TRUSTED_SIGNALS="collaborator_permission:$COLLABORATOR_PERMISSION"
diff --git a/cuda_bindings/README.md b/cuda_bindings/README.md
index 1b5a69ca05..cc6a8948db 100644
--- a/cuda_bindings/README.md
+++ b/cuda_bindings/README.md
@@ -1,7 +1,5 @@
 # `cuda.bindings`: Low-level CUDA interfaces
-
-
 `cuda.bindings` is a standard set of low-level interfaces, providing full coverage of and access to the CUDA host APIs from Python. Checkout the [Overview page](https://nvidia.github.io/cuda-python/cuda-bindings/latest/overview.html) for the workflow and performance results.
 ## Installing