[Feature]: Configure copy-pr-bot #4

Description

@mchmarny

Prerequisites

  • I searched existing issues

Feature Summary

https://docs.gha-runners.nvidia.com/platform/apps/copy-pr-bot/

Problem/Use Case

Currently, triggering CI workflows on pull requests from public forks poses a security risk, especially when those workflows require access to secrets or internal runners. Conversely, manually pulling down fork code to run tests locally increases the cost of entry for maintainers and slows down the review cycle.

Proposed Solution

To fully integrate this, we need to complete the following steps:

[ ] Allowlist Entry: Open a PR to the copy-pr-bot repository to add our organization to src/orgs.ts.

[ ] Configuration: Add .github/copy-pr-bot.yaml to our default branch.

[ ] Workflow Migration: Update existing GitHub Action YAMLs to trigger on push to pull-request/* branches instead of (or in addition to) standard pull_request events.

Success Criteria

  • Security: Prevents "pwn-request" attacks where malicious code attempts to exfiltrate secrets via CI logs.
  • Automation: Eliminates the "waste of time" involved in manually checking out fork code.
  • Standardization: Aligns us with the testing strategies used by high-scale NVIDIA and Open Source projects.

Alternatives Considered

No response

Component

CLI (eidos)

Priority

Important (would improve my workflow)

Compatibility / Breaking Changes

No response

Operational Considerations

No response

Are you willing to contribute?

Yes, I can open a PR
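The workflow-migration step above can be checked mechanically. The following audit is an added example, not part of the original issue or of copy-pr-bot: it scans a workflow's top-level `on:` block with a heuristic line scan (not a full YAML parser) and reports triggers that still need migrating. The sample workflows and the function names `on_block` and `audit` are constructed for illustration; `pull_request_target` is included because it is the event usually involved in pwn-request cases.

```python
import re

# Constructed sample workflows (not taken from the project's repository).
BEFORE = """\
on:
  pull_request:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
"""
AFTER = """\
on:
  push:
    branches:
      - main
      - "pull-request/*"
jobs:
  test:
    runs-on: ubuntu-latest
"""

def on_block(text):
    """Return the lines that belong to the top-level `on:` key."""
    lines, inside = [], False
    for line in text.splitlines():
        if re.match(r"^(on|'on'|\"on\")\s*:", line):
            inside = True
            lines.append(line)
        elif inside and (line.startswith((" ", "\t")) or not line.strip()):
            lines.append(line)  # indented or blank: still inside `on:`
        elif inside:
            break               # next top-level key ends the block
    return "\n".join(lines)

def audit(text):
    """List migration findings for one workflow file's contents."""
    block = on_block(text)
    findings = []
    for event in ("pull_request_target", "pull_request"):
        if re.search(rf"\b{event}\b", block):
            findings.append(f"still triggers on {event}")
    has_push = re.search(r"^\s+push\s*:", block, re.M)
    if not (has_push and "pull-request/" in block):
        findings.append("no push trigger for pull-request/* branches")
    return findings

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(wf) or "ok")
```

In a repository, the same function can be run over each file under `.github/workflows/` by passing the file contents to `audit`.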
