[no-ci] CI: add dedicated merge gate for restricted-paths review

[rwgk]

Summary

Follow-on to PR #1878

Add a dedicated GitHub Actions workflow, restricted-paths-review-gate.yml, that fails when the Needs-Restricted-Paths-Review label is present on a PR.

This keeps the merge-blocking behavior narrowly scoped to the restricted-paths policy, instead of making the broader checks in pr-metadata-check.yml required.

Why a separate workflow

• pr-metadata-check.yml is not currently merge-blocking.
• Reusing pr-metadata-check.yml would mix two different policies:
  PR metadata hygiene and restricted-paths review.
• A dedicated gate gives us one required check with one clear meaning:
  if Needs-Restricted-Paths-Review is present, merging is blocked until a maintainer removes the label.

Behavior

• The existing restricted-paths-guard.yml workflow continues to assign Needs-Restricted-Paths-Review when an untrusted author touches cuda_bindings/ or cuda_python/.
• The new restricted-paths-review-gate.yml workflow reads the live PR labels and:
  • fails if Needs-Restricted-Paths-Review is present
  • passes otherwise
• This is implemented as a separate pull_request_target workflow so it can be used as a required status check in branch protection / rulesets.

Important rollout detail

This PR adds the workflow only. The check does not become merge-blocking until a repo admin adds the new check to the repository ruleset after this PR is merged.

Post-merge admin steps

1. Open or update a PR so the new workflow runs at least once from the base branch, and GitHub records the check context.
2. Go to Settings -> Rules -> Rulesets -> Prevent committing without PR.
3. Edit Required status checks.
4. Add the check named Restricted paths review gate.
5. Save the ruleset.
6. Verify on a PR with Needs-Restricted-Paths-Review: merging should be blocked while the label is present, and unblocked after a maintainer removes it.

Branch-scope note

The existing Prevent committing without PR ruleset applies to:

• main
• 12.9.x
• 11.8.x
• release/**/*

If the new gate should apply to all of those branches, editing that existing ruleset is the right approach.

If the new gate should apply only to main, the better follow-up is to create a separate ruleset scoped only to refs/heads/main and require Restricted paths review gate there.

---

Made with Cursor GPT-5.4 Extra High Fast

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[rwgk]

Smoke testing, as described in the message of commit 2b94e27:

Manually add Needs-Restricted-Paths-Review label

---

Summary of failed (as expected) workflow

---

Manually remove Needs-Restricted-Paths-Review label

---

Summary of successful workflow

[rwgk]

@aterrel I think the chance of something still slipping through the cracks is very small:

• The Needs-Restricted-Paths-Review label is sticky: it is only added automatically, never removed automatically.
• The automatic exemption is narrowly defined: the label is not added only when the PR author is a COLLABORATOR, MEMBER, or OWNER, and those trusted associations are tightly controlled by repository/organization administration.
• Only someone with repository triage-or-higher access can remove the label before merging, which is a fairly small group of people.