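# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

# Merge-blocking gate: the check fails for as long as the
# Needs-Restricted-Paths-Review label is present on the PR, so branch
# protection can require this status before merging.
name: "CI: Restricted Paths Review Gate"

on:
  # Keep this separate from pr-metadata-check.yml so only the
  # Needs-Restricted-Paths-Review policy becomes merge-blocking.
  # pull_request_target runs in the base-repository context. This workflow
  # never checks out or executes PR code; it only reads PR metadata.
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
      - labeled
      - unlabeled

jobs:
  restricted-paths-review-gate:
    name: Restricted paths review gate
    # Only meaningful in the upstream repository; forks skip the gate.
    if: github.repository_owner == 'NVIDIA'
    runs-on: ubuntu-latest
    # Least privilege: the job reads labels and writes the step summary only.
    permissions:
      pull-requests: read
    steps:
      - name: Check for merge-blocking restricted-paths label
        # Event data is handed to the script through env vars instead of
        # being interpolated with ${{ }} inside `run`, so PR-controlled
        # values (URL, number) cannot be used for shell injection.
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          REPO: ${{ github.repository }}
          REVIEW_LABEL: Needs-Restricted-Paths-Review
        run: |
          set -euo pipefail
          # Query the label set from the API rather than the event payload,
          # so labels changed after the triggering event are still honoured.
          if ! LIVE_LABELS=$(
            gh pr view "${PR_NUMBER}" --repo "${REPO}" \
              --json labels \
              --jq '[.labels[].name]'
          ); then
            echo "::error::Failed to inspect the current PR labels."
            {
              echo "## Restricted Paths Review Gate Failed"
              echo ""
              echo "- **Error**: Failed to inspect the current PR labels."
              echo ""
              echo "Please update the PR at: $PR_URL"
            } >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
          # Human-readable label list for the step summary.
          CURRENT_LABELS=$(jq -r '
            if length == 0 then
              "(none)"
            else
              join(", ")
            end
          ' <<<"$LIVE_LABELS")
          # any(...) reduces the match to a single boolean. The earlier form
          # `.[] == $label` emitted one boolean per label, and `jq -e` sets its
          # exit status from the LAST output only, so the gate wrongly passed
          # whenever the blocking label was not the final entry in the list.
          if jq -e --arg label "$REVIEW_LABEL" 'any(.[]; . == $label)' <<<"$LIVE_LABELS" >/dev/null; then
            echo "::error::The $REVIEW_LABEL label is present. Remove it after restricted-paths review is complete."
            {
              echo "## Restricted Paths Review Gate Failed"
              echo ""
              echo "- **Blocking label**: \`$REVIEW_LABEL\`"
              echo "- **Current labels**: $CURRENT_LABELS"
              echo "- **Why this failed**: This label means the PR touched \`cuda_bindings/\` or \`cuda_python/\` without a trusted author signal."
              echo "- **How to unblock merge**: A maintainer must review the restricted-paths policy decision and remove \`$REVIEW_LABEL\` manually when the PR is allowed to merge."
              echo ""
              echo "Please update the PR at: $PR_URL"
            } >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
          {
            echo "## Restricted Paths Review Gate Passed"
            echo ""
            echo "- **Blocking label absent**: \`$REVIEW_LABEL\`"
            echo "- **Current labels**: $CURRENT_LABELS"
            echo "- **Result**: This gate does not block merging."
          } >> "$GITHUB_STEP_SUMMARY"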