Skip to content

refactor(ci): make /ok-to-test's unprivileged status explicit via privileged_ci input#1064

Merged
mchmarny merged 2 commits into
NVIDIA:mainfrom
fallintoplace:fix/ok-to-test-untrusted-perms
May 28, 2026
Merged

refactor(ci): make /ok-to-test's unprivileged status explicit via privileged_ci input#1064
mchmarny merged 2 commits into
NVIDIA:mainfrom
fallintoplace:fix/ok-to-test-untrusted-perms

Conversation

@fallintoplace

@fallintoplace fallintoplace commented May 27, 2026

Copy link
Copy Markdown
Contributor

This keeps the /ok-to-test fork path unprivileged, but makes that intent explicit in the reusable workflow instead of relying on implicit permission loss and step-level soft degradation.

Context:

What changed:

  • add a privileged_ci input to qualification.yaml with a default of true
  • skip cli-e2e and security-scan when privileged_ci is false
  • set privileged_ci: false in ok-to-test.yaml
  • document that skipping security-scan under the unprivileged fork path is intentional so fork-derived SARIF is never uploaded under the base repo identity

Why this is better than the minimum-diff fix alone:

  • the /ok-to-test call site now says what it means
  • cli-e2e and security-scan are cleanly skipped instead of half-degrading under issue_comment context
  • the same input can be reused by any future unprivileged caller of qualification.yaml

Validation:

  • actionlint -color -shellcheck= .github/workflows/qualification.yaml .github/workflows/ok-to-test.yaml
  • Ruby YAML.load_file parse of both edited workflow files

@fallintoplace fallintoplace requested a review from a team as a code owner May 27, 2026 19:02
@copy-pr-bot

copy-pr-bot Bot commented May 27, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

Copy link
Copy Markdown
Contributor

Welcome to AICR, @fallintoplace! Thanks for your first pull request.

Before review, please ensure:

  • All commits are signed off per the DCO
  • CI checks pass (tests, lint, security scan)
  • The PR description explains the why behind your changes

A maintainer will review this soon.

@coderabbitai

coderabbitai Bot commented May 27, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 26bd9962-2405-4793-b695-ac05c9d5437c

📥 Commits

Reviewing files that changed from the base of the PR and between 03cdaec and 0f76096.

📒 Files selected for processing (2)
  • .github/workflows/ok-to-test.yaml
  • .github/workflows/qualification.yaml

📝 Walkthrough

Walkthrough

This PR adds a privileged_ci boolean input parameter to the qualification workflow that gates execution of jobs requiring elevated permissions (cli-e2e and security-scan). The ok-to-test workflow now invokes qualification with privileged_ci: false for untrusted PR checkouts, ensuring sensitive operations are skipped. Documentation comments in ok-to-test are updated to clarify this design.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • NVIDIA/aicr#1067: Also modifies CI workflow wiring to avoid running privileged/elevated jobs for the /ok-to-testqualification.yaml path.

Suggested labels

area/security

Suggested reviewers

  • lockwobr
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: adding a privileged_ci input to make /ok-to-test's unprivileged status explicit in the workflow, which aligns with the changeset modifications to qualification.yaml and ok-to-test.yaml.
Description check ✅ Passed The description is directly related to the changeset, explaining the purpose of the privileged_ci input, which jobs it gates, and why this approach is better than the previous fix.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@mchmarny mchmarny self-assigned this May 28, 2026

@mchmarny mchmarny left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the careful write-up on #1063 and for following through with a fix — really appreciate it. The analysis in the issue was spot-on and is what made the security fix easy to land quickly.

Quick context: we merged the minimum-diff fix in #1067 yesterday to close the immediate gap (dropped id-token: write and security-events: write from ok-to-test.yaml's call to qualification.yaml). That's why this branch is now showing dirty against main.

That said, the privileged_ci toggle here is a meaningfully cleaner answer than the implicit-degradation we landed in #1067 — explicit > implicit, no half-coverage from the cli-e2e fork-gate quirk, and the pattern is reusable for any future unprivileged-context invocation. I'd like to keep this PR open and merge it as a refactor on top.

Could you rescope to just the still-net-new parts? After rebasing onto current main:

  • qualification.yaml: add the privileged_ci input (default true, preserves behavior for merge-gate / on-push / on-tag callers) and the if: inputs.privileged_ci gates on cli-e2e and security-scan. Same as you have today.
  • ok-to-test.yaml: only add privileged_ci: false to the with: block. The permissions block is already cleaned up by #1067 — nothing to do there.
  • PR title/description: reframe as refactor(ci): make /ok-to-test's unprivileged status explicit via privileged_ci input. References #1063 / #1067 for context.

One small naming consideration in my inline review — privileged_ci is fine, but trusted_source or trusted_workflow more accurately captures what the flag governs (the trust level of the checked-out ref). Take it or leave it.

Thanks again for the contribution.

Comment thread .github/workflows/ok-to-test.yaml Outdated
Comment thread .github/workflows/qualification.yaml
Comment thread .github/workflows/qualification.yaml
@fallintoplace fallintoplace force-pushed the fix/ok-to-test-untrusted-perms branch from 03cdaec to 0f76096 Compare May 28, 2026 12:33
@fallintoplace fallintoplace changed the title fix(ci): make /ok-to-test fork runs unprivileged refactor(ci): make /ok-to-test's unprivileged status explicit via privileged_ci input May 28, 2026
@coderabbitai

coderabbitai Bot commented May 28, 2026

Copy link
Copy Markdown

Actionable comments posted: 0

@mchmarny mchmarny assigned fallintoplace and unassigned mchmarny May 28, 2026
@mchmarny mchmarny enabled auto-merge (squash) May 28, 2026 22:31
@mchmarny mchmarny merged commit 7295c04 into NVIDIA:main May 28, 2026
24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants