Merged
21 changes: 8 additions & 13 deletions .github/workflows/ci.yml
@@ -115,14 +115,12 @@ jobs:
# kernels for sm_86 but execute on GPU-less VMs, so the kernel never runs.
# This job lands on lucebox3 (RTX 3090) and actually executes it.
#
# SECURITY: a self-hosted runner must never execute untrusted fork code.
# This guard restricts the job to same-repo PRs (head repo == this repo)
# and manual dispatch, so fork PRs against this public repo skip it
# entirely and never run on the box. The ubuntu-latest jobs above still
# run for forks (safe, ephemeral GitHub VMs).
if: >-
github.event_name == 'workflow_dispatch' ||
github.event.pull_request.head.repo.full_name == github.repository
# SECURITY: fork PRs DO run here, but only after a maintainer approves the
# workflow run. The repo enforces approval_policy=all_external_contributors,
# so every push from an outside collaborator parks the run as
# action_required until a maintainer reviews the diff and approves it.
# That human checkpoint is the line of defense for the self-hosted box;
# do not weaken the approval policy while this job runs fork code.
# Gate only on the 1-minute workspace check, NOT the ~18-minute hosted
# CPU build: the GPU job compiles the same tree itself in ~2 minutes on
# real hardware, so serializing it behind the cloud build only delayed
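Review bot: dropping the `if:` block changes more than the fork-PR case. The old condition admitted only `workflow_dispatch` and same-repo pull requests, so any other event this workflow listens on (`push`, `schedule`, and so on) was excluded from the self-hosted job; with the condition gone, `gpu-tests` now runs for all of them. If that is intended, say so in the comment; if not, keep a narrowed guard such as `if: github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request'`. The remaining protection for the self-hosted box is a repository setting that nothing in this file can enforce or detect, and "do not weaken the approval policy" is a request to future editors, not a control. Consider binding the job to a GitHub `environment:` with required reviewers so the maintainer checkpoint is declared next to the job and survives a change to the repository's Actions settings. It would also help to name the setting as the repository UI shows it (the "Require approval for all outside collaborators" option for fork pull request workflows) next to `approval_policy=all_external_contributors`, so a reviewer can verify the claim without guessing which knob is meant.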
@@ -190,11 +188,8 @@ jobs:
# faults on gfx1151); hipcc is not on the runner's minimal PATH, so it is
# invoked by absolute path.
#
# SECURITY: same fork guard as gpu-tests - never execute untrusted fork
# code on the self-hosted box. Fork PRs skip this job.
if: >-
github.event_name == 'workflow_dispatch' ||
github.event.pull_request.head.repo.full_name == github.repository
# SECURITY: same model as gpu-tests - fork PRs run only after a maintainer
# approves the workflow run (approval_policy=all_external_contributors).
# Gate only on the 1-minute workspace check, NOT the ~18-minute hosted
# CPU build: the GPU job compiles the same tree itself in ~2 minutes on
# real hardware, so serializing it behind the cloud build only delayed
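Review bot: this comment drops the "do not weaken the approval policy" warning that the `gpu-tests` hunk keeps, yet this job is at least as exposed now that it has no `if:` at all; either repeat the warning here or move the policy rationale to one comment near the top of the file and point both self-hosted jobs at it. Two caveats worth stating alongside "same model as gpu-tests": the maintainer approval checkpoint only exists for `pull_request`-triggered runs of fork code, so neither self-hosted job may be moved to `pull_request_target` (which runs in the base repository's context with its permissions and cannot rely on the fork-approval gate), and with the condition removed this job also runs on any other event the workflow is triggered by (for example `push`), which the deleted guard used to exclude.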