CI: Enforce assignee/label/milestone on PRs

[no-ci] pr-metadata-check: restrict cuda_bindings changes to NVIDIA organization members #483

Workflow file for this run

.github/workflows/pr-metadata-check.yml at f6c39d5

	# SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
	#
	# SPDX-License-Identifier: Apache-2.0

	name: "CI: Enforce PR metadata and cuda_bindings policy"

	on:
	pull_request_target:
	types:
	- opened
	- edited
	- synchronize
	- assigned
	- unassigned
	- labeled
	- unlabeled
	- reopened
	- ready_for_review

	jobs:
	check-metadata:
	name: PR has required metadata and valid cuda_bindings author
	if: github.repository_owner == 'NVIDIA'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	pull-requests: read
	steps:
	- name: Check PR metadata and cuda_bindings policy
	env:
	# PR metadata inputs
	ASSIGNEES: ${{ toJson(github.event.pull_request.assignees) }}
	AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association \|\| 'NONE' }}
	LABELS: ${{ toJson(github.event.pull_request.labels) }}
	MILESTONE: ${{ github.event.pull_request.milestone && github.event.pull_request.milestone.title \|\| '' }}
	PR_AUTHOR: ${{ github.event.pull_request.user.login }}
	PR_NUMBER: ${{ github.event.pull_request.number }}
	PR_URL: ${{ github.event.pull_request.html_url }}

	# Gating booleans
	IS_BOT: ${{ github.actor == 'dependabot[bot]' \|\| github.actor == 'pre-commit-ci[bot]' \|\| github.actor == 'copy-pr-bot[bot]' }}
	IS_DRAFT: ${{ github.event.pull_request.draft }}

	# API request context/auth
	GH_TOKEN: ${{ github.token }}
	REPO: ${{ github.repository }}
	run: \|
	if [ "$IS_BOT" = "true" ] \|\| [ "$IS_DRAFT" = "true" ]; then
	echo "Skipping check for bot or draft PR."
	exit 0
	fi

	ERRORS=""

	ASSIGNEE_COUNT=$(echo "$ASSIGNEES" \| jq 'length')
	if [ "$ASSIGNEE_COUNT" -eq 0 ]; then
	ERRORS="${ERRORS}- Missing assignee: assign at least one person to this PR.\n"
	fi

	# Module labels identify which package the PR touches.
	# Cross-cutting labels exempt PRs from needing a module label.
	# Read label names line-by-line (jq outputs one per line) so
	# multi-word GitHub labels are not split by shell word-splitting.
	MODULE_LABELS="cuda.bindings cuda.core cuda.pathfinder"
	MODULE_EXEMPT_LABELS="CI/CD"
	HAS_MODULE=false
	while IFS= read -r label; do
	[ -n "$label" ] \|\| continue
	for mod in $MODULE_LABELS $MODULE_EXEMPT_LABELS; do
	if [ "$label" = "$mod" ]; then
	HAS_MODULE=true
	break 2
	fi
	done
	done < <(echo "$LABELS" \| jq -r '.[].name')

	if [ "$HAS_MODULE" = "false" ]; then
	ERRORS="${ERRORS}- Missing module label: add at least one of: \`cuda.bindings\`, \`cuda.core\`, \`cuda.pathfinder\` (or a cross-cutting label such as \`CI/CD\`).\n"
	fi

	# Type labels categorize the kind of change.
	TYPE_LABELS="bug enhancement feature documentation test example CI/CD packaging dependencies performance experiment RFC support P0 P1 P2"
	HAS_TYPE=false
	while IFS= read -r label; do
	[ -n "$label" ] \|\| continue
	for typ in $TYPE_LABELS; do
	if [ "$label" = "$typ" ]; then
	HAS_TYPE=true
	break 2
	fi
	done
	done < <(echo "$LABELS" \| jq -r '.[].name')

	if [ "$HAS_TYPE" = "false" ]; then
	ERRORS="${ERRORS}- Missing type label: add at least one of: \`bug\`, \`enhancement\`, \`feature\`, \`documentation\`, \`test\`, \`example\`, \`CI/CD\`, \`packaging\`, \`dependencies\`, \`performance\`, \`experiment\`, \`RFC\`, \`support\`, \`P0\`, \`P1\`, \`P2\`.\n"
	fi

	if [ -z "$MILESTONE" ]; then
	ERRORS="${ERRORS}- Missing milestone: assign a milestone to this PR.\n"
	fi

	# Block PRs with labels that indicate they are not ready to merge.
	# Match blocked label names exactly (case-insensitively); emit the
	# original spelling from the payload so error text matches GitHub.
	BLOCKED_LABELS=$(jq -r '
	(["blocked", "do not merge"]) as $blocking
	\| .[]
	\| .name as $n
	\| if ($blocking \| index($n \| ascii_downcase)) != null
	then $n
	else empty
	end
	' <<<"$LABELS")
	while IFS= read -r label; do
	[ -n "$label" ] \|\| continue
	ERRORS="${ERRORS}- Blocked label detected: label \`$label\` prevents merging. Remove it when the PR is ready.\n"
	done <<<"$BLOCKED_LABELS"

	# Only NVIDIA organization members may change code under cuda_bindings.
	if [ "$AUTHOR_ASSOCIATION" != "MEMBER" ] && [ "$AUTHOR_ASSOCIATION" != "OWNER" ]; then
	if ! TOUCHES_CUDA_BINDINGS=$(
	gh api \
	--paginate \
	--slurp \
	--jq '
	flatten
	\| any(
	.[];
	(.filename \| startswith("cuda_bindings/"))
	or ((.previous_filename // "") \| startswith("cuda_bindings/"))
	)
	' \
	"repos/$REPO/pulls/$PR_NUMBER/files"
	); then
	echo "::error::Failed to inspect the PR file list."
	exit 1
	fi

	if [ "$TOUCHES_CUDA_BINDINGS" = "true" ]; then
	ERRORS="${ERRORS}- cuda_bindings policy: See \`cuda_bindings/LICENSE\`. Only NVIDIA organization members may modify files under \`cuda_bindings/\` (PR author \`$PR_AUTHOR\` has association \`$AUTHOR_ASSOCIATION\`).\n"
	fi
	fi

	if [ -n "$ERRORS" ]; then
	echo "::error::This PR failed the required metadata/policy checks. See the job summary for details."
	{
	echo "## PR Requirements Check Failed"
	echo ""
	printf '%b' "$ERRORS"
	echo ""
	echo "Please update the PR at: $PR_URL"
	} >> "$GITHUB_STEP_SUMMARY"
	exit 1
	fi

	ASSIGNEE_LIST=$(echo "$ASSIGNEES" \| jq -r '.[].login' \| paste -sd ', ' -)
	LABEL_LIST=$(echo "$LABELS" \| jq -r '.[].name' \| paste -sd ', ' -)
	{
	echo "## PR Requirements Check Passed"
	echo ""
	echo "- Assignees: $ASSIGNEE_LIST"
	echo "- Labels: $LABEL_LIST"
	echo "- Milestone: $MILESTONE"
	echo "- Author association: $AUTHOR_ASSOCIATION"
	} >> "$GITHUB_STEP_SUMMARY"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[no-ci] pr-metadata-check: restrict cuda_bindings changes to NVIDIA organization members #483

Workflow file

[no-ci] pr-metadata-check: restrict cuda_bindings changes to NVIDIA organization members #483

Uh oh!

Workflow file for this run