ci: add NVSkills CI request workflow#1243

Merged
rgsl888prabhu merged 8 commits into
NVIDIA:release/26.06from
rgsl888prabhu:add-nvskills-ci-workflow
May 20, 2026
Conversation

Collaborator

@rgsl888prabhu rgsl888prabhu commented May 19, 2026

Adds the NVSkills CI request workflow (upstream template) so PRs touching skills/ can be validated and signed by the central pipeline.

Adds the NVSkills CI request workflow from the upstream template
(NVIDIA/nvskills-ci) to enable signature validation on PRs touching
skills/. Excludes the new workflow from pr.yaml change-filters and
allows NVIDIA/nvskills-ci references in zizmor (matching the existing
rapidsai exemption).

Onboarding still requires manual steps: NVCARPS team to add the repo
to the policy, install the nv-nvskill-ci GitHub App, and provide the
NVSKILLS_CI_DISPATCH_TOKEN secret.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Ramakrishna Prabhu <ramakrishnap@nvidia.com>
copy-pr-bot Bot commented May 19, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

rgsl888prabhu and others added 2 commits May 19, 2026 11:05
Adds a brief CONTRIBUTING.md note and a header comment on the workflow
file describing how to trigger NVSkills CI on PRs touching skills/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Ramakrishna Prabhu <ramakrishnap@nvidia.com>
Collaborator Author

/nvskills-ci

rgsl888prabhu and others added 2 commits May 19, 2026 14:30
Replaces the NVIDIA/nvskills-ci allowlist entry with NVIDIA/skills to
match the reusable workflow path used by request-nvskills-ci.yml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Ramakrishna Prabhu <ramakrishnap@nvidia.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Ramakrishna Prabhu <ramakrishnap@nvidia.com>
@rgsl888prabhu rgsl888prabhu marked this pull request as ready for review May 19, 2026 19:59
@rgsl888prabhu rgsl888prabhu requested review from a team as code owners May 19, 2026 19:59
@rgsl888prabhu rgsl888prabhu requested a review from tmckayus May 19, 2026 19:59
coderabbitai Bot commented May 19, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 17c05c0e-0e4e-4594-898d-cecce0383fa5

📥 Commits

Reviewing files that changed from the base of the PR and between 3c805a7 and c3d9da2.

📒 Files selected for processing (1)
  • .github/workflows/pr.yaml

📝 Walkthrough

Adds a Request NVSkills CI workflow and related repo updates: a reusable-dispatch workflow for maintainer-triggered signing, a zizmor exception for NVIDIA/skills/*, excludes the new workflow from PR changed-file triggers, and documents the signing process for changes under skills/.

Changes

NVSkills CI Integration

Layer / File(s) Summary
NVSkills CI Workflow and Security Policy
.github/workflows/request-nvskills-ci.yml, .github/zizmor.yml
New Request NVSkills CI workflow triggers on /nvskills-ci comment or signature push, dispatches to NVIDIA/skills reusable workflow with a secret token, and adds NVIDIA/skills/* to the unpinned-uses allowlist.
PR Workflow Job Filtering
.github/workflows/pr.yaml
Excludes .github/workflows/request-nvskills-ci.yml from the build_docs, test_cpp, test_python_conda, and test_python_wheels changed-files groups so edits to the request workflow do not trigger those CI groups.
Contributor Guidance for Skill Changes
CONTRIBUTING.md, skills/cuopt-developer/SKILL.md
Documents NVSkills CI requirements for PRs that modify skills/ (maintainer /nvskills-ci command, signature commit retention and re-signing rules, and branch-origin restriction); includes a trivial blank-line adjustment in a skill file.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • NVIDIA/cuopt#1249: Related workflow change preventing metadata-only skill updates from triggering heavy CI groups.

Suggested reviewers

  • tmckayus
  • Iroy30
  • mlubin
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'ci: add NVSkills CI request workflow' directly and clearly describes the main change—adding a new GitHub Actions workflow for NVSkills CI requests.
Description check ✅ Passed The description explains that the PR adds the NVSkills CI request workflow so PRs touching skills/ can be validated and signed, which is directly related to the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/request-nvskills-ci.yml:
- Around line 17-23: The issue is that the workflow allows any PR commenter to
trigger the /nvskills-ci path; update the if expression so the issue_comment
branch also checks github.event.comment.author_association and only permits
trusted roles (e.g. OWNER, MEMBER, COLLABORATOR, or a specific role you choose).
Concretely, modify the existing condition around
startsWith(github.event.comment.body, '/nvskills-ci') to also require
(github.event.comment.author_association == 'OWNER' ||
github.event.comment.author_association == 'MEMBER' ||
github.event.comment.author_association == 'COLLABORATOR') so only those
associations can dispatch using NVSKILLS_CI_DISPATCH_TOKEN.

In @.github/zizmor.yml:
- Line 9: Replace the overly broad exemption "NVIDIA/skills/*" with the exact
reusable workflow reference this PR uses (i.e., the full reusable-workflow path
and pin, such as "NVIDIA/skills/<workflow-file>.yml@<tag-or-sha>"); update the
entry in the whitelist so it matches that specific workflow filename and pinned
ref instead of the wildcard to avoid allowing other unpinned actions from the
NVIDIA/skills namespace.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4ee63533-14ad-4e45-af8c-f3857e8b1fe1

📥 Commits

Reviewing files that changed from the base of the PR and between b145cc3 and 2581535.

📒 Files selected for processing (5)
  • .github/workflows/pr.yaml
  • .github/workflows/request-nvskills-ci.yml
  • .github/zizmor.yml
  • CONTRIBUTING.md
  • skills/cuopt-developer/SKILL.md

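As an added illustration of the first finding (not the request-nvskills-ci.yml from this PR), below is a minimal comment-triggered dispatch job showing the weak condition the review flagged next to the hardened one. The reusable-workflow path, its pinned ref and the secret input name are placeholders; only the secret name NVSKILLS_CI_DISPATCH_TOKEN comes from the PR description.

```yaml
# Added example, not the PR's workflow. Demonstrates gating an issue_comment
# trigger on author_association so that only trusted roles can spend the
# dispatch token. Reminder: issue_comment workflows always run from the
# default branch, so the hardened condition only takes effect once merged there.
name: Request NVSkills CI (example)

on:
  issue_comment:
    types: [created]

jobs:
  request:
    # Weak form (what the review flagged): any account that can comment on the
    # PR can fire the dispatch and therefore use the token.
    #
    #   if: >-
    #     github.event.issue.pull_request &&
    #     startsWith(github.event.comment.body, '/nvskills-ci')
    #
    # Hardened form: same command match, plus the commenter must be an OWNER,
    # MEMBER or COLLABORATOR of the repository. fromJSON() builds the allowed
    # list so the expression stays readable as roles are added or removed.
    if: >-
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '/nvskills-ci') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    # Placeholder path and ref: the real reusable workflow and its pin are
    # whatever the PR's request-nvskills-ci.yml references.
    uses: NVIDIA/skills/.github/workflows/PLACEHOLDER.yml@PLACEHOLDER_SHA
    with:
      # The PR number lets the reusable workflow locate the branch to sign.
      pr_number: ${{ github.event.issue.number }}
    secrets:
      # Input name "dispatch_token" is assumed; the secret name is from the PR.
      dispatch_token: ${{ secrets.NVSKILLS_CI_DISPATCH_TOKEN }}
```

A quick self-check when reviewing such a job: every path that can reach the `secrets:` block must pass the `author_association` test, not just the comment-body match.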
Comment thread .github/workflows/request-nvskills-ci.yml
Comment thread .github/zizmor.yml
# rapidsai/shared-workflows and rapidsai/shared-actions
"rapidsai/shared-workflows/*": any
"rapidsai/shared-actions/*": any
"NVIDIA/skills/*": any
@coderabbitai coderabbitai Bot May 19, 2026

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Scope the unpinned exemption to the exact reusable workflow path.

Line 9 is overly broad (NVIDIA/skills/*). Restrict this to the specific workflow reference used by this PR to avoid unintentionally permitting other unpinned actions from that namespace.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/zizmor.yml at line 9, Replace the overly broad exemption
"NVIDIA/skills/*" with the exact reusable workflow reference this PR uses (i.e.,
the full reusable-workflow path and pin, such as
"NVIDIA/skills/<workflow-file>.yml@<tag-or-sha>"); update the entry in the
whitelist so it matches that specific workflow filename and pinned ref instead
of the wildcard to avoid allowing other unpinned actions from the NVIDIA/skills
namespace.

Collaborator Author

This matches with other repos

@rgsl888prabhu, understood! The NVIDIA/skills/* wildcard entry is indeed consistent with the existing exemptions in the same file (rapidsai/shared-workflows/* and rapidsai/shared-actions/*), which follow the same pattern. Thanks for the clarification.


✏️ Learnings added
Learnt from: rgsl888prabhu
Repo: NVIDIA/cuopt PR: 1243
File: .github/zizmor.yml:9-9
Timestamp: 2026-05-20T16:01:22.437Z
Learning: In the NVIDIA/cuopt repository, the `.github/zizmor.yml` unpinned-uses policy intentionally uses wildcard exemptions (e.g., `"NVIDIA/skills/*": any`, `"rapidsai/shared-workflows/*": any`, `"rapidsai/shared-actions/*": any`) to match the convention used across other repos. Do not flag these wildcard entries as overly broad — they are deliberate and consistent.
@rgsl888prabhu rgsl888prabhu self-assigned this May 19, 2026
@rgsl888prabhu rgsl888prabhu added non-breaking Introduces a non-breaking change improvement Improves an existing functionality labels May 19, 2026
Restricts the issue_comment branch to OWNER, MEMBER, and COLLABORATOR
to prevent unauthorized commenters from firing the dispatch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Ramakrishna Prabhu <ramakrishnap@nvidia.com>
@rgsl888prabhu rgsl888prabhu force-pushed the add-nvskills-ci-workflow branch from 014bfa5 to 3c805a7 May 20, 2026 15:40
@rgsl888prabhu rgsl888prabhu requested a review from jameslamb May 20, 2026 16:02
@rgsl888prabhu rgsl888prabhu changed the base branch from main to release/26.06 May 20, 2026 17:27
@rgsl888prabhu rgsl888prabhu merged commit b2093e0 into NVIDIA:release/26.06 May 20, 2026
25 checks passed