Attach NVSkills validation signatures #1963
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-FileCopyrightText: Copyright (c) 2025-2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved. | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: Check UI Container Source | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - develop | |
| - "pull-request/[0-9]+" | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: ui-container-source-${{ github.ref }} | |
| cancel-in-progress: true | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| check: | |
| name: Check vss-agent-ui tag source | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| steps: | |
| - name: Checkout source | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| fetch-depth: 0 | |
| # Validate the gate helper itself — a regression here would silently | |
| # block every PR or skip a genuinely-drifted container, so fail loudly. | |
| - name: Unit-test the gate helper | |
| run: python3 .github/scripts/test_source_check_only_nonbuild.py | |
| # Docs/tests-only PRs never change what enters the UI image — the build | |
| # context honors services/ui/.dockerignore, which excludes **/*.md and | |
| # test/spec files — yet they change the services/ui tree SHA and would | |
| # trip the gate below. Detect that case and skip the SHA comparison. The | |
| # job still runs and reports success, so the required status stays green. | |
| # Durable fix: scope source_tree_sha to build inputs. | |
| - name: Detect docs/tests-only change | |
| id: filter | |
| continue-on-error: true # fail safe: a helper error must not block PRs | |
| run: | | |
| # Any failure or non-"true" result falls through to the full check. | |
| if ! skip=$(python3 .github/scripts/source_check_only_nonbuild.py --image-name vss-agent-ui); then | |
| echo "filter helper failed; running the full source check." >&2 | |
| skip=false | |
| fi | |
| [ "$skip" = "true" ] || skip=false | |
| echo "skip=$skip" >> "$GITHUB_OUTPUT" | |
| # Primary path reads com.nvidia.vss.source_tree_sha from the image's | |
| # OCI manifest annotations (stamped by ci-vss-oss at build time) via the | |
| # OCI Distribution HTTP API. NGC_CLI_API_KEY is needed to pull the | |
| # manifest from nvcr.io/nvidia; without it the registry returns 401 | |
| # and the script falls back to git-SHA resolution. | |
| - name: Check vss-agent-ui tag matches services/ui | |
| if: steps.filter.outputs.skip != 'true' | |
| env: | |
| NGC_CLI_API_KEY: ${{ secrets.NGC_CLI_API_KEY }} | |
| run: python3 .github/scripts/check_container_tag_source.py --image-name vss-agent-ui |