99 - release/*
1010 tags :
1111 - ciflow/nightly/*
12- pull_request :
1312 pull_request_target :
14- types : [labeled]
13+ types : [opened, synchronize, reopened, labeled]
1514 workflow_dispatch :
1615
1716concurrency :
1817 group : ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.sha }}
1918 cancel-in-progress : true
2019
2120jobs :
22- gate :
23- runs-on : ubuntu-latest
24- outputs :
25- run-cadence : ${{ steps.decide.outputs.run }}
26- steps :
27- - id : decide
28- env :
29- EVENT : ${{ github.event_name }}
30- IS_FORK : ${{ github.event.pull_request.head.repo.full_name != github.repository }}
31- HAS_CLA : ${{ contains(github.event.pull_request.labels.*.name, 'CLA Signed') }}
32- HAS_EXPORT : ${{ contains(github.event.pull_request.labels.*.name, 'meta-exported') }}
33- run : |
34- run=false
35- case "${EVENT}" in
36- push|schedule|workflow_dispatch)
37- run=true
38- ;;
39- pull_request)
40- [ "${IS_FORK}" = "false" ] && run=true
41- ;;
42- pull_request_target)
43- if [ "${IS_FORK}" = "true" ] && [ "${HAS_CLA}" = "true" ] && [ "${HAS_EXPORT}" = "true" ]; then
44- run=true
45- fi
46- ;;
47- esac
48- echo "run=${run}" >> "${GITHUB_OUTPUT}"
49-
21+ # Everything runs via pull_request_target so cpu and all Xtensa backends run
22+ # with credentials (OIDC) and post a single graph tied to the PR head. Jobs run
23+ # when:
24+ # - push / schedule / workflow_dispatch, OR
25+ # - a pull_request_target that is same-repo (trusted), OR a fork labeled both
26+ # CLA Signed + meta-exported (Meta export -- the only trusted fork case).
27+ # pull_request_target always uses main's copy of this workflow, so edits here
28+ # only take effect after landing. The run condition is inlined per job (GitHub
29+ # Actions has no YAML anchors and env is unavailable in job-level if).
5030 cpu-build :
51- if : github.event_name != 'pull_request_target'
31+ if : >-
32+ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' ||
33+ (github.event_name == 'pull_request_target' && (github.event.pull_request.head.repo.full_name == github.repository ||
34+ (contains(github.event.pull_request.labels.*.name, 'CLA Signed') && contains(github.event.pull_request.labels.*.name, 'meta-exported'))))
5235 uses : pytorch/test-infra/.github/workflows/linux_job_v2.yml@main
5336 permissions :
5437 id-token : write
5841 runner : linux.2xlarge
5942 docker-image : ci-image:executorch-ubuntu-22.04-clang12
6043 submodules : recursive
61- ref : ${{ github.event_name == 'pull_request ' && github.event.pull_request.head.sha || github.sha }}
44+ ref : ${{ github.event_name == 'pull_request_target ' && github.event.pull_request.head.sha || github.sha }}
6245 timeout : 90
6346 upload-artifact : cadence-runner-build
6447 script : |
@@ -75,36 +58,43 @@ jobs:
7558
7659 cpu-test :
7760 needs : cpu-build
78- if : github.event_name != 'pull_request_target'
61+ if : >-
62+ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' ||
63+ (github.event_name == 'pull_request_target' && (github.event.pull_request.head.repo.full_name == github.repository ||
64+ (contains(github.event.pull_request.labels.*.name, 'CLA Signed') && contains(github.event.pull_request.labels.*.name, 'meta-exported'))))
7965 permissions :
8066 id-token : write
8167 contents : read
8268 uses : ./.github/workflows/_test_cadence.yml
8369 with :
84- ref : ${{ github.event_name == 'pull_request ' && github.event.pull_request.head.sha || github.sha }}
70+ ref : ${{ github.event_name == 'pull_request_target ' && github.event.pull_request.head.sha || github.sha }}
8571
8672 # Cross-compile cadence_executor_runner for each Cadence Xtensa core, one job
8773 # per backend so they show as separate lines (no matrix grouping). Shared logic
8874 # lives in _xtensa_build.yml. fusion_g3 is omitted until the upstream fusion_g3
8975 # <-> nnlib-FusionG3 API skew is fixed (its runner does not link).
9076 hifi-build :
91- needs : gate
92- if : needs.gate.outputs.run-cadence == 'true'
77+ if : >-
78+ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' ||
79+ (github.event_name == 'pull_request_target' && (github.event.pull_request.head.repo.full_name == github.repository ||
80+ (contains(github.event.pull_request.labels.*.name, 'CLA Signed') && contains(github.event.pull_request.labels.*.name, 'meta-exported'))))
9381 permissions :
9482 id-token : write
9583 contents : read
9684 uses : ./.github/workflows/_xtensa_build.yml
9785 with :
9886 backend : hifi4
99- ref : ${{ ( github.event_name == 'pull_request' || github.event_name == ' pull_request_target') && github.event.pull_request.head.sha || github.sha }}
87+ ref : ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
10088
10189 vision-build :
102- needs : gate
103- if : needs.gate.outputs.run-cadence == 'true'
90+ if : >-
91+ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' ||
92+ (github.event_name == 'pull_request_target' && (github.event.pull_request.head.repo.full_name == github.repository ||
93+ (contains(github.event.pull_request.labels.*.name, 'CLA Signed') && contains(github.event.pull_request.labels.*.name, 'meta-exported'))))
10494 permissions :
10595 id-token : write
10696 contents : read
10797 uses : ./.github/workflows/_xtensa_build.yml
10898 with :
10999 backend : vision
110- ref : ${{ ( github.event_name == 'pull_request' || github.event_name == ' pull_request_target') && github.event.pull_request.head.sha || github.sha }}
100+ ref : ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
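Review bot: The fork clause of the inlined `if` on cpu-test, hifi-build and vision-build (and cpu-build in the previous hunk, which starts outside this view) trusts the `CLA Signed` + `meta-exported` labels on every event. The trigger types now include `synchronize`, so once a fork PR carries both labels, each later push re-runs these jobs with `id-token: write` against the new, unreviewed `github.event.pull_request.head.sha`. Unless automation not shown here strips `meta-exported` on new pushes, tie the fork case to the labeling event itself, e.g. `(github.event.action == 'labeled' && contains(github.event.pull_request.labels.*.name, 'CLA Signed') && contains(github.event.pull_request.labels.*.name, 'meta-exported'))`, or put the credentialed jobs behind an environment with required reviewers. Separately, the cpu-build and cpu-test `ref` lines render as `'pull_request_target '` with a trailing space; this may be a page artifact, but if it is in the file the comparison never matches and those jobs check out `github.sha` (the base branch) instead of the PR head.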