Route Falcor CI through dedicated runner

[jkiviluoto-nv]

Summary:

• Route the Falcor CI job through a dedicated self-hosted runner label.
• Invoke a runner-local external CI relay command from that labeled runner.
• Keep external CI implementation details on the runner image instead of in the public workflow.

Validation:

• actionlint .github/workflows/ci-falcor-test.yml .github/workflows/ci.yml
• shellcheck on the relay workflow Bash step
• git diff --check HEAD~1..HEAD

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d628d9b4-0ca0-4e46-8b67-c31d04455209

📥 Commits

Reviewing files that changed from the base of the PR and between 052d6d1 and 3014e9f.

📒 Files selected for processing (2)

• .github/workflows/ci-falcor-test.yml
• .github/workflows/ci.yml

💤 Files with no reviewable changes (1)

• .github/workflows/ci.yml

---

📝 Walkthrough

Walkthrough

The PR adds the falcor-bridge self-hosted runner label, switches the Falcor test workflow to that runner with a single external CI invocation, and quotes the ci.yml filter step’s fetch, diff, and output paths.

Changes

Falcor CI bridge

Layer / File(s)	Summary
Runner label and permissions .github/actionlint.yaml, .github/workflows/ci-falcor-test.yml	actionlint allows falcor-bridge, and the Falcor workflow keeps only actions: read in its permissions block.
Falcor job on bridge runner .github/workflows/ci-falcor-test.yml	test-falcor moves from the Windows falcor runner to falcor-bridge and replaces the Windows setup/test sequence with one external CI step exporting GITHUB_TOKEN and SLANG_CI_ARTIFACT_NAME.

CI filter quoting

Layer / File(s)	Summary
Diff and output quoting .github/workflows/ci.yml	The filter step quotes github.base_ref, the ${BASE}...HEAD range, and "$GITHUB_OUTPUT" while preserving the same changed-file check.

Suggested reviewers

• bmillsNV

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly matches the main change: routing Falcor CI through a dedicated runner.
Description check	✅ Passed	The description is directly related to the workflow and runner changes in the pull request.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e898b82b-177d-4280-bfef-da8f71b46c0a

📥 Commits

Reviewing files that changed from the base of the PR and between a7fbf1a and bca317e.

📒 Files selected for processing (3)

• .github/actionlint.yaml
• .github/workflows/ci-falcor-test.yml
• .github/workflows/ci.yml

[coderabbitai]

Actionable comments posted: 3

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6dae6e12-80cd-4dd0-a616-d931291d5717

📥 Commits

Reviewing files that changed from the base of the PR and between 5822d45 and 052d6d1.

📒 Files selected for processing (3)

• .github/scripts/relay-external-ci.py
• .github/workflows/ci-falcor-test.yml
• .github/workflows/ci.yml

[coderabbitai]

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Set the relay timeout below the 100-minute job timeout.

The called script defaults to 7200 seconds, but this job times out after 100 minutes. Without an override, GitHub can terminate the job before the relay reports a controlled timeout.

Proposed fix

           EXTERNAL_CI_TOKEN: ${{ secrets.FALCOR_CI_TOKEN }}
           EXTERNAL_CI_VARIABLES_JSON: ${{ secrets.FALCOR_CI_VARIABLES_JSON }}
           EXTERNAL_CI_ARTIFACT_NAME: slang-tests-windows-x86_64-cl-release
+          EXTERNAL_CI_TIMEOUT_SECONDS: "5400"
         run: |
           set -euo pipefail
           python3 .github/scripts/relay-external-ci.py

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Run external CI
	env:
	GITHUB_TOKEN: ${{ github.token }}
	EXTERNAL_CI_API_BASE_URL: ${{ secrets.FALCOR_CI_API_BASE_URL }}
	EXTERNAL_CI_PROJECT: ${{ secrets.FALCOR_CI_PROJECT }}
	EXTERNAL_CI_REF: ${{ secrets.FALCOR_CI_REF }}
	EXTERNAL_CI_TOKEN: ${{ secrets.FALCOR_CI_TOKEN }}
	EXTERNAL_CI_VARIABLES_JSON: ${{ secrets.FALCOR_CI_VARIABLES_JSON }}
	EXTERNAL_CI_ARTIFACT_NAME: slang-tests-windows-x86_64-cl-release
	run: |
	set -euo pipefail
	cd FalcorBin/tests
	python ./testing/run_image_tests.py --config windows-vs2022-Release --run-only
	python3 .github/scripts/relay-external-ci.py
	- name: Run external CI
	env:
	GITHUB_TOKEN: ${{ github.token }}
	EXTERNAL_CI_API_BASE_URL: ${{ secrets.FALCOR_CI_API_BASE_URL }}
	EXTERNAL_CI_PROJECT: ${{ secrets.FALCOR_CI_PROJECT }}
	EXTERNAL_CI_REF: ${{ secrets.FALCOR_CI_REF }}
	EXTERNAL_CI_TOKEN: ${{ secrets.FALCOR_CI_TOKEN }}
	EXTERNAL_CI_VARIABLES_JSON: ${{ secrets.FALCOR_CI_VARIABLES_JSON }}
	EXTERNAL_CI_ARTIFACT_NAME: slang-tests-windows-x86_64-cl-release
	EXTERNAL_CI_TIMEOUT_SECONDS: "5400"
	run: |
	set -euo pipefail
	python3 .github/scripts/relay-external-ci.py

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pass github.base_ref through env before using it in Bash.

Lines 27-28 still expand the GitHub expression directly into the shell script. Move it into an environment variable and quote that variable in Bash.

Proposed fix

       - id: filter
+        env:
+          BASE_REF: ${{ github.base_ref }}
         run: |
           # This step prevents subsequent steps from running if only documentation was changed
           if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            git fetch origin "${{ github.base_ref }}"
-            BASE=origin/${{ github.base_ref }}
+            git fetch origin "$BASE_REF"
+            BASE="origin/${BASE_REF}"
           else
             BASE=HEAD^1
           fi

As per path instructions, .github/workflows/** changes require verifying correct trigger conditions and proper secret handling.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	git fetch origin "${{ github.base_ref }}"
	BASE=origin/${{ github.base_ref }}
	else
	BASE=HEAD^1
	fi
	shouldRun=true
	if files="$(git diff --name-only $BASE...HEAD)"; then
	if files="$(git diff --name-only "${BASE}...HEAD")"; then
	- id: filter
	env:
	BASE_REF: ${{ github.base_ref }}
	run: |
	# This step prevents subsequent steps from running if only documentation was changed
	if [[ "${{ github.event_name }}" == "pull_request" ]]; then
	git fetch origin "$BASE_REF"
	BASE="origin/${BASE_REF}"
	else
	BASE=HEAD^1
	fi
	shouldRun=true
	if files="$(git diff --name-only "${BASE}...HEAD")"; then

🧰 Tools

🪛 zizmor (1.26.1)

[error] 27-27: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

---

[error] 28-28: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

Sources: Path instructions, Linters/SAST tools

[nv-slang-bot]

Heads-up from CI-health monitoring (not a review): the test-falcor / Test (Falcor) job here ran for 24h0m1s and hit GitHub's hard job-duration ceiling — the run was cancelled, not failed on a test assertion. That signature is a job queued but never picked up by a runner, which is consistent with the dedicated Falcor runner label this PR introduces not yet being provisioned/registered for that label. A plain rerun would re-hang the same way, so it's worth confirming the dedicated runner is online and listening for the new label before retrying.