chore(release-v2.6.0): sync latest develop changes #666
Merged
shubhadeepd merged 25 commits into release-v2.6.0 on Jun 3, 2026
Conversation
The previous design embedded the skill's full _summary.md (including Phase 1 fetch details, Phase 6 reviewer verdicts, Infrastructure Map, Active Versions Checked, NVBugs Audit Trail, etc.) into the GitHub Issue body. ~100 lines of skill-internal jargon for a daily glance. New design: 10-line body — status badge (✅ /⚠️ / ℹ️ derived from the **Counts:** line in _summary.md), date, scanned commit, GitLab pipeline link, and Full report (artifact) link. Per-CVE detail, reviewer verdicts, manifest diff, validation results live in the GitLab artifact — one click from the body. Also reads SCAN_JOB_URL from the dotenv emitted by cve-scan (see companion change on GitLab ci/nightly-cve), so the artifact link points at the scan job (where the artifact lives), not cve-post's own job URL. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: richa <ricsingh@nvidia.com>
If anyone accidentally closes #617, the next nightly run re-opens it so the rolling tracker can never be orphaned. gh issue reopen is idempotent — no-op when the Issue is already open, prints "Issue is already open" and exits 0. Errors are swallowed so this is purely best-effort defensive. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: richa <ricsingh@nvidia.com>
Move skill content from skill-source/.agents/skills/{rag-blueprint,rag-eval,
rag-perf}/ to skills/{rag-blueprint,rag-eval,rag-perf}/ at the repo root,
matching the agentskills.io canonical layout (Step 4 of the Skills Publishing
Onboarding Guide). The skill-source/ directory is removed entirely; audit
confirmed no internal or external tool hard-codes the old path.
Also:
- Move skill-source/README.md -> skills/README.md
- Move skill-source/validate_skill_api_versions.py -> scripts/validate_skill_versions.py
- Rename tests/unit/test_skill_source/ -> tests/unit/test_skills/
- Add BENCHMARK.md to each of the three skills (Harbor-based methodology)
- Add skills/PUBLISHING_COMPLIANCE.md as the single source of truth for the
remaining external coordination items (NVCARPS signing onboarding with a
2026-05-27 deadline for the Computex cutover, catalog PR draft, OSRB
checklist, NV-BASE runner install)
- Update all internal references across CLAUDE.md, AGENTS.md, README.md,
ci/run_skill_eval.sh, skill-eval/, .openclaw/, .github/skill-eval/AGENTS.md,
.github/workflows/skills-eval.yml, docs/release-notes.md
Companion change to be opened against NVIDIA/skills:components.d/rag-blueprint.yml
to update the path field from skill-source/.agents/skills/ to skills/.
Signed-off-by: shubhadeepd <shubhadeepd@local>
Re-add the Triage section to the Issue body so maintainers see the at-a-glance per-package breakdown without leaving GitHub. Rewrites the per-CVE relative markdown links (which break when clicked from GitHub) to absolute GitLab artifact URLs — clicking goes directly to the file in GitLab's artifact viewer. Extracts from "## Triage" through the next "## " heading, so the Counts + Result lines come along but the deeper sections (Phase 1 fetch details, Phase 6 reviewer verdicts, Infrastructure Map, etc.) stay in the artifact. Verified locally against both yesterday's 6-CVE artifact and a synthetic 0-CVE summary. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: richa <ricsingh@nvidia.com>
…6-20260527-102728 agentic-bugfix: NVBug 6229456
* Helm MIG (H100): promote embedding-VLM to a full GPU

Reshape the H100 MIG layout so the embedding-VLM NIM gets a dedicated full H100 instead of a 3g.40gb slice, improving vision-tower throughput.

GPU 0,1 — full devices → nim-llm (vLLM tp=2)
GPU 2 — 1x 2g.20gb + 3x 1g.10gb + 1x 1g.20gb → OCR + (graphic, page, table) + rerank
GPU 3 — full device → embedding-VLM (NEW)

Rerank keeps its 1g.20gb slice (now on GPU 2). OCR drops from 3g.40gb to 2g.20gb to make room for rerank's slice on GPU 2 (no spare slots remain). MIG profile renamed to custom-h100-llm2full-embed1full-1x2g20-3x1g10-1x1g20 and docs (mig-deployment.md) updated to match the new layout and verification output.

Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>

* Helm MIG (H100): expand to 5-GPU layout to restore OCR slice

Adding a 5th H100 dedicated to the reranker lets the embedding-VLM keep its full GPU (GPU 3) while restoring OCR to its original 3g.40gb slice on GPU 2. The previous 4-GPU layout had forced OCR down to 2g.20gb to fit rerank's 1g.20gb on GPU 2 (H100 MIG memory-slice budget of 8 was exhausted when packing OCR + 3 small NIMs + rerank on one GPU).

GPU 0,1 — full devices -> nim-llm (vLLM tp=2)
GPU 2 — 1x 3g.40gb + 4x 1g.10gb -> OCR + graphic/page/table (+ spare)
GPU 3 — full device -> embedding-VLM
GPU 4 — 1x 3g.40gb + 2x 1g.20gb -> rerank (+ spare 3g.40gb and 1g.20gb)

MIG profile renamed to custom-h100-5gpu-llm2full-embed1full and docs/mig-deployment.md updated (layout description, kubectl labels, kubectl-view-allocations, and nvidia-smi -L verification output).

Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>

---------

Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>
Phase 3 of the nightly CVE pipeline. When the agentic-cve-fix skill produces workspace edits (non-empty cve-fix.patch), this flow lets a maintainer review the proposed diff inline on Issue #617, then click a single button to materialize the fix as a PR on develop.

GitLab side (cve-post / ci/post-cve-report.sh):
- Detect cve-fix.patch in the artifact root
- Edit-or-create a single hidden-marker comment (<!-- cve-bot-patch -->) on the tracker Issue with the patch inline in a <details> block
- Append "Review & Create PR" section to the body with:
  * Review link → #issuecomment-<id> anchor on the same Issue
  * Create PR link → workflow_dispatch URL of cve-create-pr.yml
- 60 KB inline threshold; fall back to a GitLab artifact link when over

GitHub side (.github/workflows/cve-create-pr.yml + script):
- workflow_dispatch on blueprints-skills-eval-runner (verified via probe to reach github.com and gitlab-master.nvidia.com)
- Read patch from the marker comment via gh api
- git apply --3way on a fresh develop checkout
- Build signed commit through Git Data API (gh api git/blobs, trees, commits, refs) — commits are auto-signed by github-actions[bot]
- Idempotent: existing PR for cve-fix/nightly-<date> short-circuits

No new tokens, secrets, or branches. GitLab GITHUB_PAT stays at Issues:write only; GitHub workflow uses the default GITHUB_TOKEN.

Validated locally with shellcheck and 5 mock-gh integration tests (first run, second run / edit, empty patch, full PR creation, re-click idempotency).

Signed-off-by: Richa Singh <ricsingh@nvidia.com>
Signed-off-by: richa <ricsingh@nvidia.com>
The blueprints-skills-eval-runner does not ship with the gh CLI. Probe (run 26561466990) caught this — the workflow would have failed at the first gh api call with command-not-found.

Install pattern: download pinned gh 2.62.0 tarball to RUNNER_TEMP/bin and add to GITHUB_PATH. Subsequent steps in the job see gh on PATH. Idempotent: if gh is later installed system-wide, command -v short-circuits the download. Workflow-scoped temp dir means no runner state pollution between jobs.

Validated by probe v2 (run 26561674766): gh 2.62.0 installs and runs on the real runner.

Signed-off-by: richa <ricsingh@nvidia.com>
…al-body Ci/CVE report minimal body
Skill commit f5bb788d (jarvis/ai_rules main, 2026-05-27) changed the Triage table link format from `(FILENAME.md)` to `(./FILENAME.md)`. The earlier link-rewrite regex `[^()/]+\.md` excluded `/` so it never matched the new format, leaving 8 broken relative links in today's Issue #617 body (pipeline 52917159 output).

Update the regex to accept an optional `./` prefix:

    s|\((\.?/?)([^()/]+\.md)\)|(${URL_PREFIX}/\2)|g

Group 2 captures just the bare filename, so the rewritten URL doesn't inherit the `./` segment. Mirror the same shape in the SCAN_JOB-absent fallback branch (which strips broken links rather than rewriting).

Verified locally with three test cases:

    [a](a.md)            -> rewritten
    [b](./b.md)          -> rewritten
    [c](https://x.com/y) -> untouched (absolute URLs pass through)

Branch dedicated to this fix so we can test against the live Issue artifact before merging.

Signed-off-by: richa <ricsingh@nvidia.com>
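The two cve-post commits above (Triage-table extraction and the `./FILENAME.md` link rewrite) describe a sed pipeline. The following is an added example in Python, not the project's ci/post-cve-report.sh: it extracts the "## Triage" section from a _summary.md, rewrites relative `.md` links to absolute artifact URLs with a port of the regex from the commit message, and falls back to stripping the links when no SCAN_JOB_URL is available. The sample summary, the artifact URL prefix and the Counts/Result lines are constructed placeholders, not real scan output.

```python
"""Added example (Python, not the project's bash/sed): extract the Triage
section of a CVE-scan _summary.md and rewrite its relative .md links."""
import re
from typing import Optional

# Port of  s|\((\.?/?)([^()/]+\.md)\)|(${URL_PREFIX}/\2)|g : group 1 swallows an
# optional "./", group 2 is the bare filename.  Because [^()/]+ excludes "/",
# an absolute URL (which always contains "/") can never match and passes through.
REL_MD_LINK = re.compile(r"\((\.?/?)([^()/]+\.md)\)")
# Whole markdown link, for the branch that strips links instead of rewriting.
REL_MD_FULL = re.compile(r"\[([^\]]+)\]" + REL_MD_LINK.pattern)


def extract_triage(summary: str) -> str:
    """Lines from '## Triage' up to, not including, the next '## ' heading,
    so the Counts/Result lines come along and the deeper phases stay out."""
    out, inside = [], False
    for line in summary.splitlines():
        if line.startswith("## "):
            if inside:
                break
            inside = line.strip().startswith("## Triage")
        if inside:
            out.append(line)
    return "\n".join(out)


def rewrite_links(section: str, artifact_prefix: Optional[str]) -> str:
    """With a prefix: (a.md) and (./a.md) both become (<prefix>/a.md).
    Without one (SCAN_JOB_URL absent): drop the broken link, keep its text."""
    if artifact_prefix:
        return REL_MD_LINK.sub(lambda m: f"({artifact_prefix}/{m.group(2)})", section)
    return REL_MD_FULL.sub(r"\1", section)


def triage_for_issue(summary: str, artifact_prefix: Optional[str]) -> str:
    return rewrite_links(extract_triage(summary), artifact_prefix)


# Constructed sample in the shape the commits describe; not a real scan output.
SAMPLE_SUMMARY = """# Nightly CVE scan
## Triage
| Package | Detail |
|---|---|
| pkg-a | [a](a.md) |
| pkg-b | [b](./b.md) |
| pkg-c | [c](https://x.com/y) |
**Counts:** (constructed placeholder line)
**Result:** (constructed placeholder line)
## Phase 1 fetch details
internal detail that should stay in the artifact
"""
PREFIX = "https://gitlab.example/-/jobs/1/artifacts/file"  # placeholder artifact URL

if __name__ == "__main__":
    print(triage_for_issue(SAMPLE_SUMMARY, PREFIX))
    print(triage_for_issue(SAMPLE_SUMMARY, None))
```

The `extract_triage` loop stops at the first `## ` heading after the section, so a summary whose Triage section is missing yields an empty string rather than the whole file; a caller that posts an Issue body should treat that as "no triage" instead of silently posting nothing.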
NVIDIA-AI-Blueprints org policy blocks GHA workflows from calling
gh pr create via GITHUB_TOKEN ("createPullRequest" forbidden). The
permissions: block has no effect — the org-level setting overrides
repo-level. Switching to a service-account PAT is multi-day work.
Workaround: the branch + signed commit are already pushed by the
Git Data API path (which works under restrictive permissions). Build
a https://github.com/.../compare/develop...BRANCH?expand=1 URL with
title and body pre-filled via query params. The maintainer clicks
once, GitHub opens its native PR-creation page with everything
populated, they click "Create pull request" — PR exists.
Script changes (.github/scripts/cve-create-pr.sh):
- Replace gh pr create block with compare-URL emission
- URL-encode title + body via jq -sRr @uri (handles spaces, newlines,
backticks, &, #, etc.)
- 6 KB length cap with graceful body-drop fallback
- Write summary banner to GITHUB_STEP_SUMMARY with the URL as a
styled clickable link
- Export compare_url, branch_name, commit_sha to GITHUB_OUTPUT
- Empty-diff abort (NEW): if git apply leaves no workspace changes
(develop already has the fix), exit 0 with a clear banner instead
of failing the workflow
- Existing-PR branch now also writes a "View existing PR" banner to
the summary so re-triggers show the URL even after the previous
run's page closed
Workflow changes (.github/workflows/cve-create-pr.yml):
- Add issues:write to permissions block — needed for the new step
- Add "Notify Issue" step after the script step. Posts a comment on
the tracker Issue with the compare URL so anyone subscribed gets
a notification (the workflow Summary alone is easy to miss)
- Step uses id: create on the script run + reads its outputs
- Apostrophe-free heredoc body for bash 3.2 portability (apostrophes
inside $(cat <<EOF) misparse on bash 3.2)
Trade-off accepted: one extra human click per CVE fix (compare page's
"Create pull request" button). The PR is opened under the
maintainer's identity, which is actually a feature — clear audit
trail of human approval.
Validated with: shellcheck clean, YAML parse clean, bash 3.2
portability tested, hostile code review (caught the apostrophe
issue), runner reachability tested (probe v2 + smoke tests).
Signed-off-by: richa <ricsingh@nvidia.com>
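The compare-URL workaround above builds a pre-filled PR-creation link instead of calling `gh pr create`. The following is an added example in Python, not the project's .github/scripts/cve-create-pr.sh: it encodes title and body the way `jq -sRr @uri` does (only RFC 3986 unreserved characters left bare), applies the 6 KB cap with the body-drop fallback, and reports whether the body was dropped so the step summary can say so. Owner, repo and branch names are placeholders.

```python
"""Added example, not the project's script: pre-filled GitHub compare URL
with jq-@uri-style encoding and a length cap."""
from urllib.parse import quote

URL_CAP = 6 * 1024  # the 6 KB cap from the commit message


def uri_encode(s: str) -> str:
    """Percent-encode like jq's @uri: only A-Z a-z 0-9 - _ . ~ survive, so
    '&', '#', newlines and backticks in a PR body cannot terminate the query
    string, start a fragment, or be re-parsed as another parameter."""
    return quote(s, safe="")


def compare_url(owner: str, repo: str, base: str, branch: str,
                title: str, body: str, cap: int = URL_CAP):
    """Return (url, body_dropped).  The path keeps '/' in branch names such as
    cve-fix/nightly-<date>, which GitHub accepts literally in compare paths;
    everything that goes into the query string is fully encoded."""
    head = (f"https://github.com/{owner}/{repo}/compare/"
            f"{quote(base, safe='/')}...{quote(branch, safe='/')}?expand=1")
    with_body = f"{head}&title={uri_encode(title)}&body={uri_encode(body)}"
    if len(with_body) <= cap:
        return with_body, False
    # Graceful fallback: keep the title, let the maintainer paste the body.
    title_only = f"{head}&title={uri_encode(title)}"
    if len(title_only) > cap:
        raise ValueError("compare URL exceeds the cap even without a body")
    return title_only, True


if __name__ == "__main__":
    url, dropped = compare_url("example-org", "example-repo", "develop",
                               "cve-fix/nightly-2026-06-03",
                               "ci(cve): nightly fix", "Body with & and #, see `cve-fix.patch`")
    print(url)
    print("body dropped:", dropped)
```

Because `expand=1` opens GitHub's own "create pull request" form, the PR is authored by whoever clicks, which is the human-approval audit trail the commit message describes; the workflow never needs `pull_requests:write` for this step.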
…ewrite ci(cve): fix Triage links + compare-URL fallback for PR creation
* agentic-bugfix: NVBug 6229403

Signed-off-by: agentic-bug-fix <agentic-bug-fix@local>

* Remove deprecated changes from launchable notebook

* Added min. disk space for docker as 150gb in brev launchable

Signed-off-by: smasurekar <smasurekar@nvidia.com>

---------

Signed-off-by: agentic-bug-fix <agentic-bug-fix@local>
Signed-off-by: smasurekar <smasurekar@nvidia.com>
Co-authored-by: agentic-bug-fix <agentic-bug-fix@local>
Co-authored-by: Pranjal Doshi <pranjald@nvidia.com>
Co-authored-by: smasurekar <smasurekar@nvidia.com>
Signed-off-by: nvskills-svc-account <svc-nvskills-signing@nvidia.com>
Remove the `gpus: [- product: "rtx6000_blackwell_sv"]` selector from nimOperator.nim-llm.model. The remaining engine/precision/tensorParallelism (vllm / fp8 / tp2) already matches profile a89dbe9e… on its own, and keeping the product selector was over-constraining model selection without adding correctness. Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>
When NV_RAG_CVE_BOT_APP_ID, NV_RAG_CVE_BOT_INSTALLATION_ID, and NV_RAG_CVE_BOT_PRIVATE_KEY are set, post-cve-report.sh now mints a short-lived (~9 min) installation token via RS256 JWT signing and uses it in place of GITHUB_PAT. This flips the actor on Issue #617 body edits and marker-comment writes from a personal user identity to the nv-rag-cve-bot App, removing personal-name attribution and enabling GitHub notifications to the maintainer. The implementation is additive: if any of the three App env vars are unset (local dev, pre-migration smoke runs), the script falls back to the existing GITHUB_PAT path. The rest of the script is unchanged — it consumes GITHUB_PAT uniformly, regardless of which auth mode produced the token. The companion GitLab .gitlab-ci.yml change (apk add python3 py3-cryptography in cve-post + cve-smoke-test) is already on ci/nightly-cve as commit 8edfa6e. Verified end-to-end against the live App (3902749) installed on this repo: JWT mint succeeds, token returns permissions=contents:write, issues:write, metadata:read, pull_requests:write scoped to this repo only; real write test on Issue #617 attributed to user.login='nv-rag-cve-bot[bot]', user.type='Bot'. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: richa <ricsingh@nvidia.com>
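The App-token commit above describes minting an RS256 JWT and exchanging it for an installation token. The following is an added example in Python, not the project's post-cve-report.sh: it builds the JWT claims with the 60-second backdated `iat` and a 9-minute `exp` (GitHub rejects App JWTs valid for longer than 10 minutes; the one-hour lifetime of the installation access token GitHub returns is separate), signs with the `cryptography` package the commit adds to the job image, and shows the token request narrowed to `issues: write` rather than everything the App holds, which is an added least-privilege refinement and not something the page says the project does. App id, installation id and key are placeholders; signing only runs when the file is executed directly.

```python
"""Added example, not the project's script: GitHub App JWT plus a
permission-scoped installation-token request."""
import base64
import json
import time
from typing import Dict, Optional, Tuple

JWT_LIFETIME = 9 * 60   # ~9 min; GitHub's ceiling for App JWTs is 10 min
CLOCK_SKEW = 60         # iat 60 s in the past so a fast runner clock is tolerated
HEADER = {"alg": "RS256", "typ": "JWT"}


def b64url(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment: str) -> Dict[str, object]:
    """Inverse of b64url+JSON, for inspecting a JWT before it is used."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def app_jwt_claims(app_id: str, now: Optional[int] = None) -> Dict[str, object]:
    now = int(time.time()) if now is None else now
    return {"iat": now - CLOCK_SKEW, "exp": now + JWT_LIFETIME, "iss": app_id}


def jwt_within_github_limit(claims: Dict[str, object]) -> bool:
    """Refuse to send a JWT whose validity window exceeds GitHub's 10 minutes."""
    return 0 < int(claims["exp"]) - int(claims["iat"]) <= 600


def signing_input(claims: Dict[str, object]) -> bytes:
    """header.payload in compact serialization; this is the signed message."""
    def seg(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return f"{seg(HEADER)}.{seg(claims)}".encode("ascii")


def sign_rs256(message: bytes, private_key_pem: bytes) -> bytes:
    """RSASSA-PKCS1-v1_5 over SHA-256, which is what JWT 'RS256' means."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return key.sign(message, padding.PKCS1v15(), hashes.SHA256())


def mint_app_jwt(app_id: str, private_key_pem: bytes, now: Optional[int] = None) -> str:
    claims = app_jwt_claims(app_id, now)
    if not jwt_within_github_limit(claims):
        raise ValueError("JWT window exceeds GitHub's 10-minute limit")
    msg = signing_input(claims)
    return msg.decode("ascii") + "." + b64url(sign_rs256(msg, private_key_pem))


def installation_token_request(installation_id: str, app_jwt: str,
                               permissions: Dict[str, str]) -> Tuple[str, str, Dict[str, str], Dict[str, object]]:
    """(method, url, headers, json_body) for
    POST /app/installations/{id}/access_tokens.  The optional permissions
    object narrows the returned token to a subset of the App's installed
    permissions; the caller JSON-encodes json_body."""
    url = f"https://api.github.com/app/installations/{installation_id}/access_tokens"
    headers = {"Authorization": f"Bearer {app_jwt}",
               "Accept": "application/vnd.github+json",
               "X-GitHub-Api-Version": "2022-11-28"}
    return "POST", url, headers, {"permissions": permissions}


if __name__ == "__main__":
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    # Throwaway key for the demo; a real job reads NV_RAG_CVE_BOT_PRIVATE_KEY.
    pem = rsa.generate_private_key(public_exponent=65537, key_size=2048).private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption())
    token = mint_app_jwt("12345", pem)                      # placeholder App id
    print(installation_token_request("67890", token, {"issues": "write"})[1])
```

A job that only edits the tracker Issue can request `{"issues": "write"}` at mint time and get a token that cannot push or open PRs even if it leaks from the job log; the broader `contents:write` and `pull_requests:write` the App holds stay available to jobs that actually need them.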
Replace the append-only "Notify Issue with compare URL" step with an edit-in-place rolling comment, tagged by <!-- cve-bot-compare-url -->. Mirrors the pattern already used in ci/post-cve-report.sh for the <!-- cve-bot-patch --> marker comment. Before: each successful workflow_dispatch click left a new comment on Issue #617 (one per branch per click). Same-day re-runs duplicated the comment; same-day re-runs with a force-updated branch also produced stale commit SHAs in earlier comments (the SHA no longer matched the branch tip). After 30 nightlies, 30+ comments accumulated. After: a single rolling comment is updated on every run. Same-day re-runs silently overwrite the previous compare-URL line; multi-day runs show only the latest branch (older branches are still in Git, recoverable via `git branch -r | grep cve-fix/nightly-`). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: richa <ricsingh@nvidia.com>
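Both the Review & Create-PR commit (the `<!-- cve-bot-patch -->` comment with its 60 KB inline threshold) and the commit above (the `<!-- cve-bot-compare-url -->` rolling comment) rely on the same edit-or-create marker-comment pattern. The following is an added example in Python, not code from ci/post-cve-report.sh or cve-create-pr.yml: an in-memory stand-in for the Issue's comment list, the upsert, the inline-or-link rendering of a patch, and the extraction the GitHub side would do. The bot login and artifact URL are placeholders, and the author check in `find_marker_comment` is an added safeguard the page does not describe: on a public repository anyone can post a comment containing the marker string, so a consumer that will `git apply` what it finds should pin the author, not just the marker.

```python
"""Added example, not the project's code: marker-comment upsert with an
inline-size threshold and an author check on the read side."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PATCH_MARKER = "<!-- cve-bot-patch -->"
COMPARE_MARKER = "<!-- cve-bot-compare-url -->"
INLINE_LIMIT = 60 * 1024        # bytes; larger patches link to the artifact
FENCE = "`" * 3
BOT_LOGIN = "example-bot[bot]"  # placeholder for the App's login


@dataclass
class Comment:
    id: int
    body: str
    author: str
    author_type: str  # "Bot" for App-authored comments, "User" otherwise


def find_marker_comment(comments: List[Comment], marker: str,
                        author: Optional[str] = None) -> Optional[Comment]:
    """First comment whose raw body carries the hidden HTML marker (GitHub keeps
    the HTML comment verbatim even though the rendered view hides it).  When
    `author` is given, only a comment by that login with type "Bot" qualifies."""
    for c in comments:
        if marker not in c.body:
            continue
        if author is None or (c.author == author and c.author_type == "Bot"):
            return c
    return None


def upsert_marker_comment(comments: List[Comment], marker: str, body: str,
                          author: str = BOT_LOGIN) -> Tuple[str, Comment]:
    """Edit in place if the bot's marker comment exists, else create it.
    Returns ("edit", comment) or ("create", comment); with the real API these
    are PATCH .../issues/comments/{id} and POST .../issues/{n}/comments."""
    if marker not in body:
        raise ValueError("body must carry the marker or the next run cannot find it")
    existing = find_marker_comment(comments, marker, author)
    if existing is not None:
        existing.body = body
        return "edit", existing
    new = Comment(id=max((c.id for c in comments), default=0) + 1,
                  body=body, author=author, author_type="Bot")
    comments.append(new)
    return "create", new


def render_patch_body(patch: bytes, artifact_url: str) -> str:
    """Inline <details> block when under the threshold, else an artifact link."""
    if len(patch) <= INLINE_LIMIT:
        text = patch.decode("utf-8", errors="replace").rstrip("\n")
        return (f"{PATCH_MARKER}\n<details><summary>Proposed cve-fix.patch</summary>\n\n"
                f"{FENCE}diff\n{text}\n{FENCE}\n</details>\n")
    return f"{PATCH_MARKER}\nPatch is {len(patch)} bytes (over {INLINE_LIMIT}); see {artifact_url}\n"


def extract_inline_patch(body: str) -> Optional[str]:
    """Recover the patch from an inline comment; None when it was linked instead."""
    m = re.search(re.escape(FENCE) + r"diff\n(.*?)\n" + re.escape(FENCE), body, re.S)
    return m.group(1) + "\n" if m else None


if __name__ == "__main__":
    issue_comments: List[Comment] = []   # constructed stand-in for the Issue thread
    print(upsert_marker_comment(issue_comments, COMPARE_MARKER,
                                COMPARE_MARKER + "\nhttps://github.com/o/r/compare/develop...x?expand=1"))
    print(upsert_marker_comment(issue_comments, COMPARE_MARKER,
                                COMPARE_MARKER + "\nhttps://github.com/o/r/compare/develop...y?expand=1"))
    print(render_patch_body(b"--- a/f\n+++ b/f\n", "https://gitlab.example/artifact"))
```

The author filter is what turns the marker from a convenience into an integrity boundary: the GitHub workflow that reads the patch should look up the comment by marker and by the App's login, so a planted comment from another account is ignored rather than applied.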
…-canonical-migration feat(skills): migrate to canonical skills/ path per publishing guide
ci(cve): GitHub App auth in cve-post + edit-in-place compare-URL comment
Plumb a per-NIM podAnnotations field from values.yaml through to
NIMService.spec.podAnnotations so users can attach pod-level
annotations to NIM workloads. Default is {} (omits the field), so
existing deployments render identically.
Primary motivator is Runai fractional GPU saving-mode, which requires
both gpu-fraction-style annotations on the pod AND fractional GPU
resources, e.g.:
    nimOperator:
      nim-llm:
        podAnnotations:
          gpu-fraction: "0.25"
          gpu-fraction-num-devices: "1"
        resources:
          limits: { runai.com/gpu: 1 }
          requests: { runai.com/gpu: 1 }
Templates touched: llm-nim, embedding-nim, reranking-nim, vlm-nim,
vlm-captioning-nim, vlm-embed-nim, vlm-reranker-nim. Each gains the
podAnnotations: {} default and a usage comment in values.yaml.
Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>
Signed-off-by: Vidushi Gupta <vidushig@nvidia.com>
Signed-off-by: Shubhadeep Das <shubhadeepd@nvidia.com>

# Conflicts:
#	.github/workflows/cve-create-pr.yml
#	README.md
#	ci/post-cve-report.sh
#	docs/release-notes.md
#	docs/vlm.md
vidushig-nv approved these changes, Jun 3, 2026
nv-pranjald approved these changes, Jun 3, 2026
niyatisingal approved these changes, Jun 3, 2026
shubhadeepd added a commit that referenced this pull request, Jun 3, 2026
* ci: minimal Issue body — status + links, full report in artifact

The previous design embedded the skill's full _summary.md (including Phase 1 fetch details, Phase 6 reviewer verdicts, Infrastructure Map, Active Versions Checked, NVBugs Audit Trail, etc.) into the GitHub Issue body. ~100 lines of skill-internal jargon for a daily glance. New design: 10-line body — status badge (✅ /⚠️ / ℹ️ derived from the **Counts:** line in _summary.md), date, scanned commit, GitLab pipeline link, and Full report (artifact) link. Per-CVE detail, reviewer verdicts, manifest diff, validation results live in the GitLab artifact — one click from the body. Also reads SCAN_JOB_URL from the dotenv emitted by cve-scan (see companion change on GitLab ci/nightly-cve), so the artifact link points at the scan job (where the artifact lives), not cve-post's own job URL.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: richa <ricsingh@nvidia.com>

* ci: auto-reopen tracker Issue if closed before refreshing body

If anyone accidentally closes #617, the next nightly run re-opens it so the rolling tracker can never be orphaned. gh issue reopen is idempotent — no-op when the Issue is already open, prints "Issue is already open" and exits 0. Errors are swallowed so this is purely best-effort defensive.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: richa <ricsingh@nvidia.com>

* feat(skills): migrate to canonical skills/ path per publishing guide

Move skill content from skill-source/.agents/skills/{rag-blueprint,rag-eval,rag-perf}/ to skills/{rag-blueprint,rag-eval,rag-perf}/ at the repo root, matching the agentskills.io canonical layout (Step 4 of the Skills Publishing Onboarding Guide). The skill-source/ directory is removed entirely; audit confirmed no internal or external tool hard-codes the old path.

Also:
- Move skill-source/README.md -> skills/README.md
- Move skill-source/validate_skill_api_versions.py -> scripts/validate_skill_versions.py
- Rename tests/unit/test_skill_source/ -> tests/unit/test_skills/
- Add BENCHMARK.md to each of the three skills (Harbor-based methodology)
- Add skills/PUBLISHING_COMPLIANCE.md as the single source of truth for the remaining external coordination items (NVCARPS signing onboarding with a 2026-05-27 deadline for the Computex cutover, catalog PR draft, OSRB checklist, NV-BASE runner install)
- Update all internal references across CLAUDE.md, AGENTS.md, README.md, ci/run_skill_eval.sh, skill-eval/, .openclaw/, .github/skill-eval/AGENTS.md, .github/workflows/skills-eval.yml, docs/release-notes.md

Companion change to be opened against NVIDIA/skills:components.d/rag-blueprint.yml to update the path field from skill-source/.agents/skills/ to skills/.

* agentic-bugfix: NVBug 6229456

Signed-off-by: shubhadeepd <shubhadeepd@local>

* Fix: Reduce Otel batch size (#628)

* ci: include Triage table with absolute artifact URLs

Re-add the Triage section to the Issue body so maintainers see the at-a-glance per-package breakdown without leaving GitHub. Rewrites the per-CVE relative markdown links (which break when clicked from GitHub) to absolute GitLab artifact URLs — clicking goes directly to the file in GitLab's artifact viewer. Extracts from "## Triage" through the next "## " heading, so the Counts + Result lines come along but the deeper sections (Phase 1 fetch details, Phase 6 reviewer verdicts, Infrastructure Map, etc.) stay in the artifact. Verified locally against both yesterday's 6-CVE artifact and a synthetic 0-CVE summary.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: richa <ricsingh@nvidia.com>

* Helm MIG (H100): promote embedding-VLM to a full GPU (#633)

* Helm MIG (H100): promote embedding-VLM to a full GPU

Reshape the H100 MIG layout so the embedding-VLM NIM gets a dedicated full H100 instead of a 3g.40gb slice, improving vision-tower throughput.

GPU 0,1 — full devices → nim-llm (vLLM tp=2)
GPU 2 — 1x 2g.20gb + 3x 1g.10gb + 1x 1g.20gb → OCR + (graphic, page, table) + rerank
GPU 3 — full device → embedding-VLM (NEW)

Rerank keeps its 1g.20gb slice (now on GPU 2). OCR drops from 3g.40gb to 2g.20gb to make room for rerank's slice on GPU 2 (no spare slots remain). MIG profile renamed to custom-h100-llm2full-embed1full-1x2g20-3x1g10-1x1g20 and docs (mig-deployment.md) updated to match the new layout and verification output.

Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>

* Helm MIG (H100): expand to 5-GPU layout to restore OCR slice

Adding a 5th H100 dedicated to the reranker lets the embedding-VLM keep its full GPU (GPU 3) while restoring OCR to its original 3g.40gb slice on GPU 2. The previous 4-GPU layout had forced OCR down to 2g.20gb to fit rerank's 1g.20gb on GPU 2 (H100 MIG memory-slice budget of 8 was exhausted when packing OCR + 3 small NIMs + rerank on one GPU).

GPU 0,1 — full devices -> nim-llm (vLLM tp=2)
GPU 2 — 1x 3g.40gb + 4x 1g.10gb -> OCR + graphic/page/table (+ spare)
GPU 3 — full device -> embedding-VLM
GPU 4 — 1x 3g.40gb + 2x 1g.20gb -> rerank (+ spare 3g.40gb and 1g.20gb)

MIG profile renamed to custom-h100-5gpu-llm2full-embed1full and docs/mig-deployment.md updated (layout description, kubectl labels, kubectl-view-allocations, and nvidia-smi -L verification output).

Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>

---------

Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>

* ci(cve): add Review & Create-PR flow to nightly tracker Issue

Phase 3 of the nightly CVE pipeline. When the agentic-cve-fix skill produces workspace edits (non-empty cve-fix.patch), this flow lets a maintainer review the proposed diff inline on Issue #617, then click a single button to materialize the fix as a PR on develop.

GitLab side (cve-post / ci/post-cve-report.sh):
- Detect cve-fix.patch in the artifact root
- Edit-or-create a single hidden-marker comment (<!-- cve-bot-patch -->) on the tracker Issue with the patch inline in a <details> block
- Append "Review & Create PR" section to the body with:
  * Review link → #issuecomment-<id> anchor on the same Issue
  * Create PR link → workflow_dispatch URL of cve-create-pr.yml
- 60 KB inline threshold; fall back to a GitLab artifact link when over

GitHub side (.github/workflows/cve-create-pr.yml + script):
- workflow_dispatch on blueprints-skills-eval-runner (verified via probe to reach github.com and gitlab-master.nvidia.com)
- Read patch from the marker comment via gh api
- git apply --3way on a fresh develop checkout
- Build signed commit through Git Data API (gh api git/blobs, trees, commits, refs) — commits are auto-signed by github-actions[bot]
- Idempotent: existing PR for cve-fix/nightly-<date> short-circuits

No new tokens, secrets, or branches. GitLab GITHUB_PAT stays at Issues:write only; GitHub workflow uses the default GITHUB_TOKEN.

Validated locally with shellcheck and 5 mock-gh integration tests (first run, second run / edit, empty patch, full PR creation, re-click idempotency).

Signed-off-by: Richa Singh <ricsingh@nvidia.com>
Signed-off-by: richa <ricsingh@nvidia.com>

* ci(cve): install gh CLI on runner before Git Data API calls

The blueprints-skills-eval-runner does not ship with the gh CLI. Probe (run 26561466990) caught this — the workflow would have failed at the first gh api call with command-not-found.

Install pattern: download pinned gh 2.62.0 tarball to RUNNER_TEMP/bin and add to GITHUB_PATH. Subsequent steps in the job see gh on PATH. Idempotent: if gh is later installed system-wide, command -v short-circuits the download. Workflow-scoped temp dir means no runner state pollution between jobs.

Validated by probe v2 (run 26561674766): gh 2.62.0 installs and runs on the real runner.

Signed-off-by: richa <ricsingh@nvidia.com>

* skill maintenance: block PRs where changed skill has no eval/ directory

* ci(cve-post): rewrite ./FILENAME.md Triage links too

Skill commit f5bb788d (jarvis/ai_rules main, 2026-05-27) changed the Triage table link format from `(FILENAME.md)` to `(./FILENAME.md)`. The earlier link-rewrite regex `[^()/]+\.md` excluded `/` so it never matched the new format, leaving 8 broken relative links in today's Issue #617 body (pipeline 52917159 output).

Update the regex to accept an optional `./` prefix:

    s|\((\.?/?)([^()/]+\.md)\)|(${URL_PREFIX}/\2)|g

Group 2 captures just the bare filename, so the rewritten URL doesn't inherit the `./` segment. Mirror the same shape in the SCAN_JOB-absent fallback branch (which strips broken links rather than rewriting).

Verified locally with three test cases:

    [a](a.md)            -> rewritten
    [b](./b.md)          -> rewritten
    [c](https://x.com/y) -> untouched (absolute URLs pass through)

Branch dedicated to this fix so we can test against the live Issue artifact before merging.

Signed-off-by: richa <ricsingh@nvidia.com>

* ci(cve-pr): switch from gh pr create to compare-URL fallback

NVIDIA-AI-Blueprints org policy blocks GHA workflows from calling gh pr create via GITHUB_TOKEN ("createPullRequest" forbidden). The permissions: block has no effect — the org-level setting overrides repo-level. Switching to a service-account PAT is multi-day work.

Workaround: the branch + signed commit are already pushed by the Git Data API path (which works under restrictive permissions). Build a https://github.com/.../compare/develop...BRANCH?expand=1 URL with title and body pre-filled via query params. The maintainer clicks once, GitHub opens its native PR-creation page with everything populated, they click "Create pull request" — PR exists.

Script changes (.github/scripts/cve-create-pr.sh):
- Replace gh pr create block with compare-URL emission
- URL-encode title + body via jq -sRr @uri (handles spaces, newlines, backticks, &, #, etc.)
- 6 KB length cap with graceful body-drop fallback
- Write summary banner to GITHUB_STEP_SUMMARY with the URL as a styled clickable link
- Export compare_url, branch_name, commit_sha to GITHUB_OUTPUT
- Empty-diff abort (NEW): if git apply leaves no workspace changes (develop already has the fix), exit 0 with a clear banner instead of failing the workflow
- Existing-PR branch now also writes a "View existing PR" banner to the summary so re-triggers show the URL even after the previous run's page closed

Workflow changes (.github/workflows/cve-create-pr.yml):
- Add issues:write to permissions block — needed for the new step
- Add "Notify Issue" step after the script step. Posts a comment on the tracker Issue with the compare URL so anyone subscribed gets a notification (the workflow Summary alone is easy to miss)
- Step uses id: create on the script run + reads its outputs
- Apostrophe-free heredoc body for bash 3.2 portability (apostrophes inside $(cat <<EOF) misparse on bash 3.2)

Trade-off accepted: one extra human click per CVE fix (compare page's "Create pull request" button). The PR is opened under the maintainer's identity, which is actually a feature — clear audit trail of human approval.

Validated with: shellcheck clean, YAML parse clean, bash 3.2 portability tested, hostile code review (caught the apostrophe issue), runner reachability tested (probe v2 + smoke tests).

Signed-off-by: richa <ricsingh@nvidia.com>

* agentic-bugfix: NVBug 6229403 | Brev launchable fix (#630)

* agentic-bugfix: NVBug 6229403

Signed-off-by: agentic-bug-fix <agentic-bug-fix@local>

* Remove deprecated changes from launchable notebook

* Added min. disk space for docker as 150gb in brev launchable

Signed-off-by: smasurekar <smasurekar@nvidia.com>

---------

Signed-off-by: agentic-bug-fix <agentic-bug-fix@local>
Signed-off-by: smasurekar <smasurekar@nvidia.com>
Co-authored-by: agentic-bug-fix <agentic-bug-fix@local>
Co-authored-by: Pranjal Doshi <pranjald@nvidia.com>
Co-authored-by: smasurekar <smasurekar@nvidia.com>

* Attach NVSkills validation signatures

Signed-off-by: nvskills-svc-account <svc-nvskills-signing@nvidia.com>

* Helm MIG (RTX 6000): drop nim-llm gpus product selector (#648)

Remove the `gpus: [- product: "rtx6000_blackwell_sv"]` selector from nimOperator.nim-llm.model. The remaining engine/precision/tensorParallelism (vllm / fp8 / tp2) already matches profile a89dbe9e… on its own, and keeping the product selector was over-constraining model selection without adding correctness.

Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>

* ci(cve): mint GitHub App installation token in cve-post script

When NV_RAG_CVE_BOT_APP_ID, NV_RAG_CVE_BOT_INSTALLATION_ID, and NV_RAG_CVE_BOT_PRIVATE_KEY are set, post-cve-report.sh now mints a short-lived (~9 min) installation token via RS256 JWT signing and uses it in place of GITHUB_PAT. This flips the actor on Issue #617 body edits and marker-comment writes from a personal user identity to the nv-rag-cve-bot App, removing personal-name attribution and enabling GitHub notifications to the maintainer.

The implementation is additive: if any of the three App env vars are unset (local dev, pre-migration smoke runs), the script falls back to the existing GITHUB_PAT path. The rest of the script is unchanged — it consumes GITHUB_PAT uniformly, regardless of which auth mode produced the token.

The companion GitLab .gitlab-ci.yml change (apk add python3 py3-cryptography in cve-post + cve-smoke-test) is already on ci/nightly-cve as commit 8edfa6e.

Verified end-to-end against the live App (3902749) installed on this repo: JWT mint succeeds, token returns permissions=contents:write, issues:write, metadata:read, pull_requests:write scoped to this repo only; real write test on Issue #617 attributed to user.login='nv-rag-cve-bot[bot]', user.type='Bot'.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: richa <ricsingh@nvidia.com>

* ci(cve): edit-in-place compare-URL comment via HTML marker

Replace the append-only "Notify Issue with compare URL" step with an edit-in-place rolling comment, tagged by <!-- cve-bot-compare-url -->. Mirrors the pattern already used in ci/post-cve-report.sh for the <!-- cve-bot-patch --> marker comment.

Before: each successful workflow_dispatch click left a new comment on Issue #617 (one per branch per click). Same-day re-runs duplicated the comment; same-day re-runs with a force-updated branch also produced stale commit SHAs in earlier comments (the SHA no longer matched the branch tip). After 30 nightlies, 30+ comments accumulated.

After: a single rolling comment is updated on every run. Same-day re-runs silently overwrite the previous compare-URL line; multi-day runs show only the latest branch (older branches are still in Git, recoverable via `git branch -r | grep cve-fix/nightly-`).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: richa <ricsingh@nvidia.com>

* Helm: expose podAnnotations on all NIMService templates (#645)

Plumb a per-NIM podAnnotations field from values.yaml through to NIMService.spec.podAnnotations so users can attach pod-level annotations to NIM workloads. Default is {} (omits the field), so existing deployments render identically.

Primary motivator is Runai fractional GPU saving-mode, which requires both gpu-fraction-style annotations on the pod AND fractional GPU resources, e.g.:

    nimOperator:
      nim-llm:
        podAnnotations:
          gpu-fraction: "0.25"
          gpu-fraction-num-devices: "1"
        resources:
          limits: { runai.com/gpu: 1 }
          requests: { runai.com/gpu: 1 }

Templates touched: llm-nim, embedding-nim, reranking-nim, vlm-nim, vlm-captioning-nim, vlm-embed-nim, vlm-reranker-nim. Each gains the podAnnotations: {} default and a usage comment in values.yaml.

Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>

* ci: add ci/deploy/compose to pre-checkout cleanup for root-owned volumes

Signed-off-by: Vidushi Gupta <vidushig@nvidia.com>

---------

Signed-off-by: richa <ricsingh@nvidia.com>
Signed-off-by: shubhadeepd <shubhadeepd@local>
Signed-off-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>
Signed-off-by: Richa Singh <ricsingh@nvidia.com>
Signed-off-by: agentic-bug-fix <agentic-bug-fix@local>
Signed-off-by: smasurekar <smasurekar@nvidia.com>
Signed-off-by: nvskills-svc-account <svc-nvskills-signing@nvidia.com>
Signed-off-by: Vidushi Gupta <vidushig@nvidia.com>
Co-authored-by: richa <ricsingh@nvidia.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Pranjal Doshi <pranjald@nvidia.com>
Co-authored-by: shubhadeepd <shubhadeepd@local>
Co-authored-by: anngu-2xx3 <anngu@nvidia.com>
Co-authored-by: nv-pranjald <150428320+nv-pranjald@users.noreply.github.com>
Co-authored-by: Nikhil Kulkarni <nikkulkarni@nvidia.com>
Co-authored-by: Vidushi Gupta <vidushig@nvidia.com>
Co-authored-by: sarath-nalluri <72062105+sarath-nalluri@users.noreply.github.com>
Co-authored-by: agentic-bug-fix <agentic-bug-fix@local>
Co-authored-by: smasurekar <smasurekar@nvidia.com>
Co-authored-by: nvskills-svc-account <svc-nvskills-signing@nvidia.com>
(cherry picked from commit c47aa2b)
Signed-off-by: Shubhadeep Das <shubhadeepd@nvidia.com>
Summary
Syncs the latest origin/develop changes into release-v2.6.0 via a merge commit on a release-based side branch.
This brings over the canonical skills/ tree migration, related skill evaluation updates, CVE workflow/comment handling updates, and associated documentation updates while preserving release-v2.6.0-specific release notes and docs adjustments.
Conflict resolution notes
Verification