[None][infra] Update CI allowlist 2025-09-16 #7773
Conversation
Signed-off-by: Yuanjing Xue <[email protected]>
📝 WalkthroughWalkthroughThe CI workflow at .github/workflows/blossom-ci.yml updates the Authorization job’s gating condition by adding seven GitHub usernames to the allowlist in the contains(fromJson(...), github.actor) check. No other steps, jobs, or logic were altered. Changes
Sequence Diagram(s)sequenceDiagram
autonumber
actor Dev as GitHub Actor
participant GH as GitHub Actions
participant Auth as Authorization Job
participant Jobs as Downstream Jobs
Dev->>GH: Push/PR event
GH->>Auth: Start Authorization check
Auth->>Auth: contains(fromJson(allowlist), github.actor)?
alt Authorized
Auth-->>Jobs: Proceed
Jobs->>Jobs: Run remaining workflow
else Not Authorized
Auth-->>GH: Stop downstream execution
end
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Possibly related PRs
Suggested reviewers
✨ Finishing touches🧪 Generate unit tests
Tip 👮 Agentic pre-merge checks are now available in preview!Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.
Please see the documentation for more information. Example: reviews:
pre_merge_checks:
custom_checks:
- name: "Undocumented Breaking Changes"
mode: "warning"
instructions: |
Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).Please share your feedback with us on this Discord post. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment Pre-merge checks❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (4)
.github/workflows/blossom-ci.yml (4)
43-44: Deduplicate allowlist entries to avoid bloat and review noise.Detected duplicates: "heyuhhh" (appears twice) and "ixlmar" (appears twice). Please remove the extra occurrences. The condition still works, but duplicates add churn and risk of future merge conflicts.
39-44: Externalize the allowlist to a repo/org variable for maintainability.Define a JSON array variable (e.g., BLOSSOM_AUTH_USERS) and reference it here. This avoids massive diffs for every update and enables out‑of‑band changes via settings.
Apply pattern example:
jobs: Authorization: name: Authorization + env: + AUTH_USERS_JSON: ${{ vars.BLOSSOM_AUTH_USERS || '[]' }} runs-on: blossom @@ - startsWith(github.event.comment.body, '/bot kill')) && contains( - fromJson('["byshiue", "...", "richardhuo-nv"]'), - github.actor) + startsWith(github.event.comment.body, '/bot kill')) && + contains(fromJson(env.AUTH_USERS_JSON), github.actor)Ensure the repo/org variable is created before merging.
58-60: Upgrade and pin actions/checkout for supply‑chain hygiene.actions/checkout@v2 is outdated. Recommend v4 with SHA pinning (GitHub’s guidance) to reduce tampering risk.
Apply:
- uses: actions/checkout@v2 + uses: actions/checkout@v4 +# Optionally pin to a commit SHA for defense-in-depth: +# uses: actions/checkout@<commit-sha>
66-66: Pin blossom action to a tag or SHA.Using @main is mutable. Pin to a version tag or commit SHA to ensure reproducible runs.
- uses: NVIDIA/blossom-action@main + uses: NVIDIA/[email protected] +# or +# uses: NVIDIA/blossom-action@<commit-sha>
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/blossom-ci.yml(1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Pre-commit Check
🔇 Additional comments (1)
.github/workflows/blossom-ci.yml (1)
43-43: Verified: newly added GitHub handles exist and canonical casing matches.
contains() is case‑sensitive — confirmed the seven logins exist with canonical casings: yumin066, sychen52, xxi-nv, barneuman, xuanzic, yufeiwu-nv, richardhuo-nv.
yuanjingx87
changed the title
|
/bot skip --comment "no need to run CI" |
|
PR_Github #18828 [ skip ] triggered by Bot |
|
PR_Github #18828 [ skip ] completed with state |
Signed-off-by: Yuanjing Xue <[email protected]>
Signed-off-by: Yuanjing Xue <[email protected]>
Signed-off-by: Yuanjing Xue <[email protected]>
3 participants
Summary by CodeRabbit
Description
Test Coverage
PR Checklist
Please review the following before submitting your PR:
PR description clearly explains what and why. If using CodeRabbit's summary, please make sure it makes sense.
PR Follows TRT-LLM CODING GUIDELINES to the best of your knowledge.
Test cases are provided for new code paths (see test instructions)
Any new dependencies have been scanned for license and vulnerabilities
CODEOWNERS updated if ownership changes
Documentation updated as needed
The reviewers assigned automatically/manually are appropriate for the PR.
Please check this after reviewing the above items as appropriate for this PR.
GitHub Bot Help
/bot [-h] ['run', 'kill', 'skip', 'reuse-pipeline'] ...Provide a user friendly way for developers to interact with a Jenkins server.
Run
/bot [-h|--help]to print this help message.See details below for each supported subcommand.
run [--reuse-test (optional)pipeline-id --disable-fail-fast --skip-test --stage-list "A10-PyTorch-1, xxx" --gpu-type "A30, H100_PCIe" --test-backend "pytorch, cpp" --add-multi-gpu-test --only-multi-gpu-test --disable-multi-gpu-test --post-merge --extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx" --detailed-log --debug(experimental)]Launch build/test pipelines. All previously running jobs will be killed.
--reuse-test (optional)pipeline-id(OPTIONAL) : Allow the new pipeline to reuse build artifacts and skip successful test stages from a specified pipeline or the last pipeline if no pipeline-id is indicated. If the Git commit ID has changed, this option will be always ignored. The DEFAULT behavior of the bot is to reuse build artifacts and successful test results from the last pipeline.--disable-reuse-test(OPTIONAL) : Explicitly prevent the pipeline from reusing build artifacts and skipping successful test stages from a previous pipeline. Ensure that all builds and tests are run regardless of previous successes.--disable-fail-fast(OPTIONAL) : Disable fail fast on build/tests/infra failures.--skip-test(OPTIONAL) : Skip all test stages, but still run build stages, package stages and sanity check stages. Note: Does NOT update GitHub check status.--stage-list "A10-PyTorch-1, xxx"(OPTIONAL) : Only run the specified test stages. Examples: "A10-PyTorch-1, xxx". Note: Does NOT update GitHub check status.--gpu-type "A30, H100_PCIe"(OPTIONAL) : Only run the test stages on the specified GPU types. Examples: "A30, H100_PCIe". Note: Does NOT update GitHub check status.--test-backend "pytorch, cpp"(OPTIONAL) : Skip test stages which don't match the specified backends. Only support [pytorch, cpp, tensorrt, triton]. Examples: "pytorch, cpp" (does not run test stages with tensorrt or triton backend). Note: Does NOT update GitHub pipeline status.--only-multi-gpu-test(OPTIONAL) : Only run the multi-GPU tests. Note: Does NOT update GitHub check status.--disable-multi-gpu-test(OPTIONAL) : Disable the multi-GPU tests. Note: Does NOT update GitHub check status.--add-multi-gpu-test(OPTIONAL) : Force run the multi-GPU tests in addition to running L0 pre-merge pipeline.--post-merge(OPTIONAL) : Run the L0 post-merge pipeline instead of the ordinary L0 pre-merge pipeline.--extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx"(OPTIONAL) : Run the ordinary L0 pre-merge pipeline and specified test stages. Examples: --extra-stage "H100_PCIe-TensorRT-Post-Merge-1, xxx".--detailed-log(OPTIONAL) : Enable flushing out all logs to the Jenkins console. This will significantly increase the log volume and may slow down the job.--debug(OPTIONAL) : Experimental feature. Enable access to the CI container for debugging purpose. Note: Specify exactly one stage in thestage-listparameter to access the appropriate container environment. Note: Does NOT update GitHub check status.For guidance on mapping tests to stage names, see
docs/source/reference/ci-overview.mdand the
scripts/test_to_stage_mapping.pyhelper.kill
killKill all running builds associated with pull request.
skip
skip --comment COMMENTSkip testing for latest commit on pull request.
--comment "Reason for skipping build/test"is required. IMPORTANT NOTE: This is dangerous since lack of user care and validation can cause top of tree to break.reuse-pipeline
reuse-pipelineReuse a previous pipeline to validate current commit. This action will also kill all currently running builds associated with the pull request. IMPORTANT NOTE: This is dangerous since lack of user care and validation can cause top of tree to break.