From 1ae8ef556b9ee67bbd21732f71651cf0c6f45af9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Kova=C4=BE?= Date: Tue, 26 May 2026 11:08:21 +0200 Subject: [PATCH] chore(ci): drop inherited NVIDIA mirror plumbing required-ci-gates.yml posts five "Waiting for /ok to test mirror" pending statuses on every PR (Branch Checks, Helm Lint, Branch E2E Checks, GPU Test, Branch Kubernetes E2E). These never resolve on this fork because two pieces of upstream infrastructure are missing: - No `/ok to test ` issue-comment handler exists in our .github/workflows/. Upstream runs it as an external GitHub App that we cannot import. - No fork-side self-hosted runners are registered, so the worker workflows (branch-checks.yml, helm-lint.yml, branch-e2e.yml, test-gpu.yml, branch-kubernetes-e2e.yml) cannot execute even when manually dispatched: they target `linux-amd64-cpu8` / `linux-arm64-cpu8` and a private `ghcr.io/nvidia/openshell/ci` container image. e2e-label-help.yml is the partner workflow that posts a hint comment when a `test:e2e*` label is applied. Without the `/ok` handler the hint points at a command that does nothing on this fork. Delete both. The worker workflows stay in place: they are inert (unrunnable for the reasons above) and removing them would create a larger surface to merge back when upstream changes. Effect: PRs no longer show two perpetually-yellow checks. The fork's real CI signal (CodeQL, openlock-release, ci-image, etc.) is unaffected. --- .github/workflows/e2e-label-help.yml | 68 --------- .github/workflows/required-ci-gates.yml | 185 ------------------------ 2 files changed, 253 deletions(-) delete mode 100644 .github/workflows/e2e-label-help.yml delete mode 100644 .github/workflows/required-ci-gates.yml diff --git a/.github/workflows/e2e-label-help.yml b/.github/workflows/e2e-label-help.yml deleted file mode 100644 index e1a268803..000000000 --- a/.github/workflows/e2e-label-help.yml +++ /dev/null @@ -1,68 +0,0 @@ -name: E2E Label Help - -# When a `test:e2e*` label is applied, post a PR comment -# telling the maintainer the next manual step. We don't dispatch the workflow -# ourselves: a workflow_dispatch-triggered run does not surface in the PR's -# Checks tab, so we'd lose in-progress visibility. Instead we point the -# maintainer at either the existing run (re-run from the UI) or the -# `/ok to test ` command needed to refresh the mirror. -# -# Uses `pull_request_target` so forked PRs get a token capable of posting -# comments. The job never checks out PR code; it only calls the GitHub API. - -on: - pull_request_target: - types: [labeled] - -permissions: {} - -jobs: - hint: - name: Post next-step hint for E2E label - if: github.event.label.name == 'test:e2e' || github.event.label.name == 'test:e2e-gpu' || github.event.label.name == 'test:e2e-kubernetes' - runs-on: ubuntu-latest - permissions: - pull-requests: write - actions: read - contents: read - steps: - - name: Post comment - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - PR_NUMBER: ${{ github.event.pull_request.number }} - PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }} - LABEL_NAME: ${{ github.event.label.name }} - shell: bash - run: | - set -euo pipefail - - case "$LABEL_NAME" in - test:e2e) workflow_file=branch-e2e.yml; workflow_name="Branch E2E Checks" ;; - test:e2e-gpu) workflow_file=test-gpu.yml; workflow_name="GPU Test" ;; - test:e2e-kubernetes) workflow_file=branch-kubernetes-e2e.yml; workflow_name="Branch Kubernetes E2E" ;; - *) echo "Unrecognized label $LABEL_NAME"; exit 1 ;; - esac - - mirror_ref="pull-request/$PR_NUMBER" - mirror_sha=$(gh api "repos/$GH_REPO/branches/$mirror_ref" --jq '.commit.sha' 2>/dev/null || echo "") - short_pr=${PR_HEAD_SHA:0:7} - - if [ -z "$mirror_sha" ]; then - body="Label \`$LABEL_NAME\` applied, but \`$mirror_ref\` does not exist yet. A maintainer needs to comment \`/ok to test $PR_HEAD_SHA\` to mirror this PR. Once the mirror exists, re-apply the label or re-run [$workflow_name](https://github.com/$GH_REPO/actions/workflows/$workflow_file) from the Actions tab." - elif [ "$mirror_sha" != "$PR_HEAD_SHA" ]; then - short_mirror=${mirror_sha:0:7} - body="Label \`$LABEL_NAME\` applied, but \`$mirror_ref\` is at \`$short_mirror\` while the PR head is \`$short_pr\`. A maintainer needs to comment \`/ok to test $PR_HEAD_SHA\` to refresh the mirror. Once the mirror catches up, re-run [$workflow_name](https://github.com/$GH_REPO/actions/workflows/$workflow_file) from the Actions tab." - else - run_id=$(gh api "repos/$GH_REPO/actions/workflows/$workflow_file/runs?head_sha=$PR_HEAD_SHA&event=push" \ - --jq '.workflow_runs | sort_by(.created_at) | reverse | .[0].id // empty') - if [ -n "$run_id" ]; then - instructions="Open [the existing run](https://github.com/$GH_REPO/actions/runs/$run_id) and click **Re-run all jobs** to execute with the label set." - else - workflow_link="[$workflow_name](https://github.com/$GH_REPO/actions/workflows/$workflow_file)" - instructions="Open $workflow_link, find the run for commit \`$short_pr\`, and click **Re-run all jobs** to execute with the label set." - fi - body="Label \`$LABEL_NAME\` applied for \`$short_pr\`. $instructions The matching required CI gate status on this PR will flip green automatically once the run finishes." - fi - - gh pr comment "$PR_NUMBER" --body "$body" diff --git a/.github/workflows/required-ci-gates.yml b/.github/workflows/required-ci-gates.yml deleted file mode 100644 index cba7a6b9a..000000000 --- a/.github/workflows/required-ci-gates.yml +++ /dev/null @@ -1,185 +0,0 @@ -name: Required CI Gates - -on: - pull_request_target: - types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled] - workflow_run: - workflows: - - Branch Checks - - Branch E2E Checks - - GPU Test - - Branch Kubernetes E2E - - Helm Lint - types: [completed] - -permissions: - actions: read - contents: read - pull-requests: read - statuses: write - -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.workflow_run.head_sha || github.run_id }} - cancel-in-progress: true - -jobs: - publish: - name: Publish required CI gate statuses - runs-on: ubuntu-latest - steps: - - name: Evaluate required CI gates - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - EVENT_NAME: ${{ github.event_name }} - PR_NUMBER_FROM_EVENT: ${{ github.event.pull_request.number }} - PR_HEAD_SHA_FROM_EVENT: ${{ github.event.pull_request.head.sha }} - PR_LABELS_FROM_EVENT: ${{ toJSON(github.event.pull_request.labels.*.name) }} - WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }} - WORKFLOW_RUN_EVENT: ${{ github.event.workflow_run.event }} - shell: bash - run: | - set -euo pipefail - - post_status() { - local context="$1" - local state="$2" - local description="$3" - local target_url="${4:-}" - - args=( - --method POST - "repos/$GH_REPO/statuses/$HEAD_SHA" - -f "state=$state" - -f "context=$context" - -f "description=$description" - ) - if [ -n "$target_url" ]; then - args+=(-f "target_url=$target_url") - fi - - echo "$context: $state - $description" - gh api "${args[@]}" >/dev/null - } - - has_label() { - local label="$1" - jq -e --arg label "$label" 'index($label) != null' <<< "$LABELS_JSON" >/dev/null - } - - resolve_pull_request_event() { - PR_NUMBER="$PR_NUMBER_FROM_EVENT" - HEAD_SHA="$PR_HEAD_SHA_FROM_EVENT" - LABELS_JSON=$(jq -c . <<< "$PR_LABELS_FROM_EVENT") - } - - resolve_workflow_run_event() { - if [ "$WORKFLOW_RUN_EVENT" != "push" ]; then - echo "Ignoring workflow_run from event '$WORKFLOW_RUN_EVENT'." - exit 0 - fi - - local associated_prs pr - associated_prs=$(gh api "repos/$GH_REPO/commits/$WORKFLOW_RUN_HEAD_SHA/pulls") - pr=$(jq -c 'map(select(.state == "open"))[0] // empty' <<< "$associated_prs") - if [ -z "$pr" ]; then - echo "No open PR associated with $WORKFLOW_RUN_HEAD_SHA; nothing to publish." - exit 0 - fi - - PR_NUMBER=$(jq -r '.number' <<< "$pr") - pr=$(gh api "repos/$GH_REPO/pulls/$PR_NUMBER") - HEAD_SHA=$(jq -r '.head.sha' <<< "$pr") - LABELS_JSON=$(gh api "repos/$GH_REPO/issues/$PR_NUMBER" --jq '[.labels[].name]') - } - - resolve_context() { - if [ "$EVENT_NAME" = "pull_request_target" ]; then - resolve_pull_request_event - elif [ "$EVENT_NAME" = "workflow_run" ]; then - resolve_workflow_run_event - else - echo "Unsupported event '$EVENT_NAME'." - exit 1 - fi - - PR_URL="https://github.com/$GH_REPO/pull/$PR_NUMBER" - MIRROR_REF="pull-request/$PR_NUMBER" - } - - verify_mirror() { - local context="$1" - local mirror_sha - - mirror_sha=$(gh api "repos/$GH_REPO/branches/$MIRROR_REF" --jq '.commit.sha' 2>/dev/null || true) - if [ -z "$mirror_sha" ]; then - post_status "$context" pending "Waiting for /ok to test mirror" "$PR_URL" - return 1 - fi - - if [ "$mirror_sha" != "$HEAD_SHA" ]; then - post_status "$context" pending "Waiting for /ok to test mirror" "$PR_URL" - return 1 - fi - - return 0 - } - - evaluate_workflow() { - local context="$1" - local workflow_file="$2" - local workflow_name="$3" - local required_label="${4:-}" - local workflow_url="https://github.com/$GH_REPO/actions/workflows/$workflow_file" - - if [ -n "$required_label" ] && ! has_label "$required_label"; then - post_status "$context" success "$required_label not applied" "$PR_URL" - return 0 - fi - - if ! verify_mirror "$context"; then - return 0 - fi - - local runs latest run_id status conclusion run_url real_success - runs=$(gh api "repos/$GH_REPO/actions/workflows/$workflow_file/runs?head_sha=$HEAD_SHA&event=push" --jq '.workflow_runs') - latest=$(jq -c --arg branch "$MIRROR_REF" '[.[] | select(.head_branch == $branch)] | sort_by(.created_at) | reverse | .[0] // empty' <<< "$runs") - - if [ -z "$latest" ]; then - post_status "$context" pending "Waiting for $workflow_name" "$workflow_url" - return 0 - fi - - run_id=$(jq -r '.id' <<< "$latest") - status=$(jq -r '.status' <<< "$latest") - conclusion=$(jq -r '.conclusion' <<< "$latest") - run_url=$(jq -r '.html_url' <<< "$latest") - - if [ "$status" != "completed" ]; then - post_status "$context" pending "$workflow_name is $status" "$run_url" - return 0 - fi - - if [ "$conclusion" != "success" ]; then - post_status "$context" failure "$workflow_name concluded $conclusion" "$run_url" - return 0 - fi - - real_success=$(gh api "repos/$GH_REPO/actions/runs/$run_id/jobs?per_page=100" \ - --jq '[.jobs[] | select(.conclusion == "success" and .name != "Resolve PR metadata")] | length') - - if [ "$real_success" -lt 1 ]; then - post_status "$context" failure "No real CI jobs ran" "$run_url" - return 0 - fi - - post_status "$context" success "$workflow_name passed" "$run_url" - } - - resolve_context - - evaluate_workflow "OpenShell / Branch Checks" "branch-checks.yml" "Branch Checks" - evaluate_workflow "OpenShell / E2E" "branch-e2e.yml" "Branch E2E Checks" "test:e2e" - evaluate_workflow "OpenShell / GPU E2E" "test-gpu.yml" "GPU Test" "test:e2e-gpu" - evaluate_workflow "OpenShell / Kubernetes E2E" "branch-kubernetes-e2e.yml" "Branch Kubernetes E2E" "test:e2e-kubernetes" - evaluate_workflow "OpenShell / Helm Lint" "helm-lint.yml" "Helm Lint"