chore: add copy-pr-bot (#52)

Signed-off-by: Aaron Gonzales <aagonzales@nvidia.com>

Author: binaryaaron

.github/actions/detect-changes/action.yml

@@ -0,0 +1,42 @@
+# Copyright (c) 2024-2026, NVIDIA CORPORATION.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Detect Changes"
+description: >
+  Detect which file categories changed using dorny/paths-filter.
+  Outputs boolean flags that downstream jobs use to decide whether to run.
+
+outputs:
+  src:
+    description: "'true' if any file under src/ changed"
+    value: ${{ steps.filter.outputs.src }}
+  test:
+    description: "'true' if any file under test/ changed"
+    value: ${{ steps.filter.outputs.test }}
+
+runs:
+  using: "composite"
+  steps:
+    # Requires actions/checkout to have been run first so that
+    # (a) this action.yml can be found, and
+    # (b) dorny/paths-filter can diff against git history on push events.
+    - name: Detect changed paths
+      id: filter
+      uses: dorny/paths-filter@v3
+      with:
+        filters: |
+          src:
+            - 'src/**'
+          test:
+            - 'test/**'

.github/copy-pr-bot.yaml

@@ -0,0 +1,13 @@
+# copy-pr-bot configuration
+# See: https://docs.gha-runners.nvidia.com/platform/apps/copy-pr-bot/
+#
+# This bot automates the pull request testing strategy required for NVIDIA's
+# self-hosted runners. Trusted PRs are automatically copied to pull-request/*
+# branches, which trigger CI workflows via push events.
+#
+# - auto_sync_draft: false  → Draft PRs won't auto-trigger CI (saves GPU resources)
+# - auto_sync_ready: true   → Ready-for-review PRs auto-trigger CI
+
+enabled: true
+auto_sync_draft: false
+auto_sync_ready: true

.github/workflows/README.md

@@ -5,54 +5,75 @@ This directory contains GitHub Actions workflows for CI/CD automation.
 ## Workflows Overview
 
 
-| Workflow                                           | Trigger             | Description                                           |
-| -------------------------------------------------- | ------------------- | ----------------------------------------------------- |
-| [ci.yml](ci.yml)                                   | Push to `main`, PRs | Lint, format check, and tests with coverage           |
-| [conventional-commit.yml](conventional-commit.yml) | PRs                 | Validates PR titles follow conventional commit format |
-| [copyright-check.yml](copyright-check.yml)         | PRs                 | Validates NVIDIA copyright headers on Python files    |
-| [dco-assistant.yml](dco-assistant.yml)             | PRs, Comments       | Manages DCO signing via PR comments                   |
-| [release.yml](release.yml)                         | Manual dispatch     | Builds and publishes package to PyPI                  |
-| [secrets-detector.yml](secrets-detector.yml)       | PRs                 | Scans for accidentally committed secrets              |
+| Workflow                                           | Trigger                               | Description                                          |
+| -------------------------------------------------- | ------------------------------------- | ---------------------------------------------------- |
+| [ci-checks.yml](ci-checks.yml)                     | Push to `main`, PRs, manual           | Format, lint, typecheck, and unit tests (CPU)        |
+| [gpu-tests.yml](gpu-tests.yml)                     | Push to `main`/`pull-request/*`, manual | GPU E2E tests (A100)                               |
+| [conventional-commit.yml](conventional-commit.yml) | PRs                                   | Validates PR titles follow conventional commit format |
+| [copyright-check.yml](copyright-check.yml)         | Push to `main`/`pull-request/*`        | Validates NVIDIA copyright headers on Python files   |
+| [docs.yml](docs.yml)                               | Push to `main` (docs paths)           | Builds and deploys documentation to GitHub Pages     |
+| [release.yml](release.yml)                         | Manual dispatch                       | Builds and publishes package to PyPI                 |
+| [secrets-detector.yml](secrets-detector.yml)       | PRs                                   | Scans for accidentally committed secrets             |
 
 
+## Pull Request Testing (copy-pr-bot)
+
+GPU tests (`gpu-tests.yml`) run on NVIDIA self-hosted runners, which block `pull_request`-triggered jobs. They use the [copy-pr-bot](https://docs.gha-runners.nvidia.com/platform/apps/copy-pr-bot/) pattern instead:
+
+1. When a PR is opened by a trusted user with trusted changes, `copy-pr-bot` automatically copies the code to a `pull-request/<number>` branch
+2. The push to `pull-request/<number>` triggers the GPU workflow
+3. Untrusted PRs require a vetter to comment `/ok to test <SHA>` before GPU tests run
+4. Draft PRs do **not** auto-sync (`auto_sync_draft: false`), saving GPU resources
+
+Configuration: [`.github/copy-pr-bot.yaml`](../copy-pr-bot.yaml)
+
+CPU checks (`ci-checks.yml`) run on GitHub-hosted `ubuntu-latest` runners and use standard `pull_request` triggers.
+
 ## Workflow Diagram
 
 ```mermaid
 flowchart LR
     subgraph triggers [Triggers]
         push[Push to main]
-        pr[Pull Request]
-        comment[PR Comment]
+        cpb[copy-pr-bot push to pull-request/*]
+        pr[Pull Request event]
         manual[Manual Dispatch]
     end
 
-    subgraph ci [CI Workflow]
+    subgraph ci [CI Checks - GitHub-hosted runners]
+        changes_ci[Detect Changes]
+        format[Format]
         lint[Lint]
-        format[Format Check]
         typecheck[Typecheck]
-        test[Unit Tests]
-        test --> coverage[Coverage Report]
+        unit[Unit Tests]
+        ci_status[CI Status]
+        changes_ci --> format & lint & typecheck & unit
+        format & lint & typecheck & unit --> ci_status
+    end
+
+    subgraph gpu [GPU Tests - on-prem runners]
+        changes_gpu[Detect Changes]
+        e2e[GPU E2E Tests]
+        gpu_status[GPU CI Status]
+        changes_gpu --> e2e --> gpu_status
     end
 
     subgraph compliance [Compliance Workflows]
-        dco[DCO Assistant]
         conventional[Conventional Commit]
         secrets[Secrets Detector]
         copyright[Copyright Check]
     end
 
     subgraph release [Release Workflow]
         buildWheel[Build Wheel]
-        bumpVersion[Bump Version]
         publishPyPI[Publish to PyPI]
         ghRelease[GitHub Release]
         slackNotify[Slack Notification]
     end
 
-    push --> ci
-    pr --> ci
-    pr --> compliance
-    comment --> dco
+    push --> ci & gpu
+    cpb --> gpu & copyright
+    pr --> ci & conventional & secrets
     manual --> release
 
     buildWheel --> publishPyPI --> ghRelease --> slackNotify
@@ -63,17 +84,37 @@ flowchart LR
     release -.->|reuses| FW-CI-templates
 ```
 
-## CI Workflow
+## CI Checks Workflow
+
+The `ci-checks.yml` workflow runs on every push to `main` and on pull requests:
+
+- **Detect Changes**: Uses `dorny/paths-filter` to skip jobs when only non-source files change
+- **Format**: Verifies code formatting with `ruff format --check`
+- **Lint**: Runs `ruff check` linting
+- **Typecheck**: Runs `ty` type checks
+- **Unit Tests**: Runs pytest with coverage
+- **CI Status**: Aggregation job -- single required check for branch protection
+
+All jobs run on `ubuntu-latest` (GitHub-hosted).
+
+## GPU Tests Workflow
+
+The `gpu-tests.yml` workflow runs on pushes to `main` and `pull-request/*` branches (via copy-pr-bot):
+
+- **GPU E2E Tests**: Runs end-to-end tests on `linux-amd64-gpu-a100-latest-1` (A100) with a 60-minute job timeout and 45-minute step timeout
+- **GPU CI Status**: Aggregation job -- single required check for branch protection
 
-The main CI workflow runs on every push to `main` and on pull requests:
+### Runners
 
-- **Lint**: Runs `ruff check` and `ty` type checks
-- **Format Check**: Verifies code formatting with `ruff format --check`
-- **Test**: Runs pytest with coverage across Python 3.11. more to come.
+| Workflow | Job | Runner Label | Type |
+| --- | --- | --- | --- |
+| CI Checks | All jobs | `ubuntu-latest` | GitHub-hosted |
+| GPU Tests | GPU E2E Tests | `linux-amd64-gpu-a100-latest-1` | NVIDIA self-hosted GPU (A100) |
+| GPU Tests | Detect Changes, GPU CI Status | `linux-amd64-cpu4` | NVIDIA self-hosted CPU (4-core) |
 
 ### Coverage
 
-Coverage reports are uploaded as artifacts.
+Coverage reports are uploaded as artifacts from both workflows.
 
 ## Compliance Workflows
 

.github/workflows/ci-checks.yml

@@ -44,21 +44,14 @@ jobs:
     permissions:
       contents: read
       pull-requests: read
-    # Set job outputs to values from filter step
     outputs:
-      src: ${{ steps.filter.outputs.src }}
-      test: ${{ steps.filter.outputs.test }}
+      src: ${{ steps.changes.outputs.src }}
+      test: ${{ steps.changes.outputs.test }}
     steps:
       - uses: actions/checkout@v4
-        if: github.event_name == 'push'
-      - uses: dorny/paths-filter@v3
-        id: filter
-        with:
-          filters: |
-            src:
-              - 'src/**'
-            test:
-              - 'test/**'
+      - name: Detect changes
+        id: changes
+        uses: ./.github/actions/detect-changes
 
   format:
     name: Format
@@ -172,45 +165,28 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: false
 
-  gpu-e2e-test:
-    name: GPU E2E Tests - (Python ${{ matrix.python-version }})
-    needs: changes
-    if: ${{ needs.changes.outputs.src == 'true' || needs.changes.outputs.test == 'true' || github.event_name == 'workflow_dispatch' }}
-    runs-on: linux-amd64-gpu-a100-latest-1
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.11"]
+  # ---------------------------------------------------------------------------
+  # Single required status check for branch protection.
+  # Aggregates results from all upstream jobs so that skipped jobs (due to
+  # path filtering) don't block merge.
+  # ---------------------------------------------------------------------------
+  ci-status:
+    name: CI Status
+    if: always() && !cancelled()
+    needs: [changes, format, lint, typecheck, unit-test]
+    runs-on: ubuntu-latest
     steps:
-      - name: checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Python environment
-        id: setup
-        uses: ./.github/actions/setup-python-env
-        with:
-          python-version: ${{ matrix.python-version }}
-          bootstrap-tools: "true"
-
-      - name: Run unit tests with coverage
+      - name: Check job results
         run: |
-          make bootstrap-nss cu128
-          make test-e2e
-
-      - name: Upload coverage report
-        uses: actions/upload-artifact@v4
-        if: matrix.python-version == '3.11'
-        with:
-          name: coverage-report
-          path: coverage.xml
-          retention-days: 30
-
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
-        if: matrix.python-version == '3.11'
-        with:
-          files: coverage.xml
-          token: ${{ secrets.CODECOV_TOKEN }}
-          fail_ci_if_error: false
+          echo "changes:   ${{ needs.changes.result }}"
+          echo "format:    ${{ needs.format.result }}"
+          echo "lint:      ${{ needs.lint.result }}"
+          echo "typecheck: ${{ needs.typecheck.result }}"
+          echo "unit-test: ${{ needs.unit-test.result }}"
+
+          if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]]; then
+            echo "::error::One or more CI jobs failed"
+            exit 1
+          fi
+
+          echo "All CI jobs passed (or were skipped)."