[no-ci] Trust any collaborator in restricted-paths guard #2010
Open
rwgk wants to merge 6 commits into NVIDIA:main from
Restricted-paths review is only meant for authors outside the collaborator set, so read and triage access should count as trusted signals too. Co-authored-by: Cursor <cursoragent@cursor.com>
Make it easier to discover why Needs-Restricted-Paths-Review was applied by posting a short PR comment with a link to the workflow run summary whenever the label is newly added. Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is for testing the collaborator permission check and must be reverted before merge: 1. Changes trigger from pull_request_target to pull_request so this branch's workflow definition runs instead of main's. 2. Adds a dummy change to cuda_bindings/pyproject.toml to trigger the restricted-paths detection. REVERT THIS COMMIT BEFORE MERGE. Made-with: Cursor
Contributor
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here.
This commit is for testing the label-and-comment path and must be reverted before merge. It temporarily treats write access as untrusted so the current PR will exercise Needs-Restricted-Paths-Review assignment again. Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
Author
/ok to test
The main rationale for this change is that the restricted-paths guard is meant to distinguish collaborators from non-collaborators, not to distinguish write-capable collaborators from read- or triage-level collaborators.

In practice, the current workflow is stricter than that: it only trusts `admin`, `maintain`, and `write` from the collaborator-permission API. That produced a false positive on PR #1821, where the author is an org member and a repository collaborator, but the collaborator API returned `read`, so touching `cuda_bindings/` incorrectly caused `Needs-Restricted-Paths-Review` to be applied.

This change widens the trusted set to any collaborator permission level: `read`, `triage`, `write`, `maintain`, or `admin`. `none` remains untrusted, and non-`200|404` API errors still fail the workflow instead of applying the label from an unknown state.

While touching the same workflow, this branch also adds a small usability improvement: when `CI: Restricted Paths Guard` newly assigns `Needs-Restricted-Paths-Review`, it posts a short PR comment with a direct link to the workflow run. The goal is to make it much easier for authors and reviewers to find the job Summary that explains why the label was applied, instead of having to hunt through the Actions UI.

Tested successfully via the temporary/scratch PR #2011
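
The three-way decision the description above lays out (trusted, untrusted, or fail on unknown state), as an added example that is not the workflow's own code. The names `classify`, `Verdict` and `TRUSTED_LEVELS` are hypothetical, and treating 404 as "not a collaborator" and an unrecognized permission string as an error are assumptions; the sample responses are constructed.

```python
import json
from enum import Enum

# Levels the PR description lists as trusted after this change.
TRUSTED_LEVELS = frozenset({"read", "triage", "write", "maintain", "admin"})


class Verdict(Enum):
    TRUSTED = "skip label"
    UNTRUSTED = "apply Needs-Restricted-Paths-Review"
    ERROR = "fail the job, leave labels unchanged"


def classify(status, body):
    """Map one collaborator-permission API response to a verdict."""
    if status == 404:
        # Assumption: 404 means the author is not a collaborator.
        return Verdict.UNTRUSTED
    if status != 200:
        # Rate limit, auth failure, outage: unknown state, so fail.
        return Verdict.ERROR
    try:
        permission = json.loads(body)["permission"]
    except (ValueError, KeyError, TypeError):
        return Verdict.ERROR  # malformed body is also an unknown state
    if not isinstance(permission, str):
        return Verdict.ERROR
    if permission in TRUSTED_LEVELS:
        return Verdict.TRUSTED
    if permission == "none":
        return Verdict.UNTRUSTED
    # Assumption: an unrecognized level is treated as an error, not guessed.
    return Verdict.ERROR


# Constructed sample responses (status, body); not captured from the real API.
SAMPLES = [
    (200, '{"permission": "read"}'),   # the PR #1821 case
    (200, '{"permission": "none"}'),
    (404, '{"message": "Not Found"}'),
    (403, '{"message": "rate limited"}'),
    (200, "<html>proxy error</html>"),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, body, "->", classify(status, body).name)
```

Keeping `ERROR` separate from `UNTRUSTED` is what stops a transient API failure from either labelling a collaborator's PR or silently skipping review for an outside author.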