From 4aaf0db8d7d0435e11ca103f7cb7c98cf8e49245 Mon Sep 17 00:00:00 2001 From: Bettina Heim Date: Wed, 16 Oct 2024 17:26:29 +0200 Subject: [PATCH] Workflow changes to facilitate maintenance (#2269) * repo variable to configure image for integration testing Signed-off-by: Bettina Heim * no need for a separate cudaq_nvqc_deploy_image setting Signed-off-by: Bettina Heim * use bot credentials to delete branches Signed-off-by: Bettina Heim * Revert "no need for a separate cudaq_nvqc_deploy_image setting" This reverts commit 59ff2a9942ee639b42dc43b5316f42ad330711a3. * allow to override deploy image specifically Signed-off-by: Bettina Heim * DCO Remediation Commit for Bettina Heim I, Bettina Heim , hereby add my Signed-off-by to this commit: 8a907da38f17e3ef5cd7402d3f51223a019ca95e Signed-off-by: Bettina Heim * dummy commit to test CI Signed-off-by: Bettina Heim * dummy commit to test CI Signed-off-by: Bettina Heim * dummy commit to test CI Signed-off-by: Bettina Heim * making it more fork friendly * Update integration_tests.yml DCO Remediation Commit for Bettina Heim I, Bettina Heim , hereby add my Signed-off-by to this commit: 2661a1144d2c3f2a1553f696fd77b83300b77f72 Signed-off-by: Bettina Heim * adding codeql workflow for advanced configuratino Signed-off-by: Bettina Heim * adding some permissions Signed-off-by: Bettina Heim * changes needed for merge queue Signed-off-by: Bettina Heim * exclude sphinx templates from spellcheck Signed-off-by: Bettina Heim * fix wildcard pattern Signed-off-by: Bettina Heim * workflow update to exclude templates from spellcheck Signed-off-by: Bettina Heim --------- 
Signed-off-by: Bettina Heim --- .github/workflows/ci.yml | 5 +- .github/workflows/clean_up.yml | 2 +- .github/workflows/codeql.yml | 81 +++++++++++++++++++ .../workflows/config/spellcheck_config.yml | 3 +- .github/workflows/dco_merge_queue.yml | 17 ++++ .github/workflows/gh_registry.yml | 1 - .github/workflows/integration_tests.yml | 17 ++-- .github/workflows/nvqc_regression_tests.yml | 8 +- .github/workflows/publishing.yml | 2 + .github/workflows/repo_checks.yml | 5 +- 10 files changed, 120 insertions(+), 21 deletions(-) create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dco_merge_queue.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c2bba1fddd2..d94617a3b27 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,7 +15,10 @@ on: push: branches: - "pull-request/[0-9]+" - + merge_group: + types: + - checks_requested + name: CI # do not change name without updating workflow_run triggers concurrency: diff --git a/.github/workflows/clean_up.yml b/.github/workflows/clean_up.yml index 1d154c9f281..9bc2dbc77e2 100644 --- a/.github/workflows/clean_up.yml +++ b/.github/workflows/clean_up.yml @@ -42,7 +42,7 @@ jobs: /repos/nvidia/cuda-quantum/git/refs/heads/$branch done env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ secrets.REPO_BOT_ACCESS_TOKEN || github.token }} draft_releases: name: Delete draft release diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000000..338801009ce --- /dev/null +++ b/.github/workflows/codeql.yml 
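Review bot: The `GH_TOKEN: ${{ secrets.REPO_BOT_ACCESS_TOKEN || github.token }}` line in the clean_up.yml hunk silently degrades to the workflow token whenever the secret is unset (forks, or a secret that was rotated away), so a failed branch deletion will surface as an opaque API error rather than a missing-credential error. A comment stating why the bot token is used here and that the fallback is deliberate would help the next maintainer, e.g. `# Bot PAT so branch deletion works where the workflow token lacks rights; falls back to github.token when the secret is absent (forks)`. Because that PAT is a long-lived credential, it is worth confirming it is a fine-grained token restricted to this repository with only the `contents: write` permission that ref deletion needs. The shell loop that builds the ref path from `$branch` starts outside the hunk.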
@@ -0,0 +1,81 @@ +# This workflow is used to override the set of languages analyzed, +# and to provide custom queries or build logic. + +name: "CodeQL Advanced" + +on: + push: + branches: + - 'main' + - 'releases/*' + - 'experimental/*' + - 'features/*' + pull_request: + branches: + - 'main' + - 'releases/*' + - 'experimental/*' + - 'features/*' + schedule: + - cron: '37 9 * * 2' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: 'ubuntu-latest' + permissions: + security-events: write + # read permissions below are only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # For analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + - language: c-cpp + build-mode: none # Consider setting this to manual and providing a build command to get more accurate scanning + - language: python + build-mode: none + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/config/spellcheck_config.yml b/.github/workflows/config/spellcheck_config.yml index e52e7b22d84..24642537f3e 100644 --- a/.github/workflows/config/spellcheck_config.yml +++ b/.github/workflows/config/spellcheck_config.yml @@ -45,7 +45,8 @@ matrix: - name: rst sources: - - '**/*.rst' + - '**/*.rst|!docs/sphinx/_templates/**/*.rst' + glob_flags: N|G|B expect_match: false aspell: lang: en diff --git a/.github/workflows/dco_merge_queue.yml b/.github/workflows/dco_merge_queue.yml new file mode 100644 index 00000000000..531b516eb05 --- /dev/null +++ b/.github/workflows/dco_merge_queue.yml 
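Review bot: The unnamed `- if: matrix.build-mode == 'manual'` step in codeql.yml is a placeholder that always runs `exit 1`, yet neither matrix entry sets `build-mode: manual`, so it is dead code that fails the job the moment someone switches C/C++ to manual without reading it; either drop it or give it `name: Manual build` and a real build command. With `build-mode: none` the C/C++ analysis is inferred without compiling, which the inline comment already flags as less accurate; a short comment recording that this is a deliberate first-iteration trade-off would stop it from being re-raised in review. The checkout and codeql-action steps are referenced by mutable major-version tags (`actions/checkout@v4`, `github/codeql-action/init@v3`); if the repository's other workflows pin third-party actions by commit SHA, this file should match them.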
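Review bot: The new `'**/*.rst|!docs/sphinx/_templates/**/*.rst'` entry in spellcheck_config.yml relies on `|` being split into two patterns; the listed `glob_flags: N|G|B` enable negation, globstar and brace expansion but do not visibly include a split flag, so unless pyspelling splits on `|` itself the whole string may be treated as one literal pattern and match nothing. Expressing it as two list entries, `- '**/*.rst'` and `- '!docs/sphinx/_templates/**/*.rst'`, depends only on the `N` flag and reads more clearly. Either way, confirm the exclusion by running the spellcheck against a deliberately misspelled file under `docs/sphinx/_templates/`.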
@@ -0,0 +1,17 @@ +on: + # Do not add any triggers here! + merge_group: + types: + - checks_requested + +name: DCO (merge queue) + +permissions: {} # no permissions needed. + +jobs: + DCO: + runs-on: ubuntu-latest + steps: + - run: + echo "Enable merge_queue check to pass." + echo "No checks were performed; these checks were already performed during PR workflows." \ No newline at end of file diff --git a/.github/workflows/gh_registry.yml b/.github/workflows/gh_registry.yml index da51650fbf2..eca25851bf6 100644 --- a/.github/workflows/gh_registry.yml +++ b/.github/workflows/gh_registry.yml @@ -8,7 +8,6 @@ name: Update GHCR jobs: ghcr_config: name: Read GHCR config - if: github.event_name == 'workflow_dispatch' || vars.enabled_workflows == 'all' runs-on: ubuntu-latest permissions: contents: read diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml index f2ef1ada4cf..a3056c056f4 100644 --- a/.github/workflows/integration_tests.yml +++ b/.github/workflows/integration_tests.yml @@ -34,7 +34,7 @@ on: cudaq_test_image: type: string required: false - default: 'nvcr.io/nvidia/nightly/cuda-quantum:latest' # If changed, update env defaults, too + default: '' # picked up from repo variable if not provided description: 'CUDA Quantum image to run the tests in. Default to the latest CUDA Quantum nightly image' commit_sha: type: string @@ -43,7 +43,7 @@ on: cudaq_nvqc_deploy_image: type: string required: false - default: 'nvcr.io/nvidia/nightly/cuda-quantum:latest' # If changed, update env defaults, too + default: '' # same as cudaq_test_image if not provided description: 'CUDA Quantum image to use for NVQC deployment to NVCF. Default to the latest CUDA Quantum nightly image' workflow_id: type: string @@ -52,7 +52,6 @@ on: python_version: type: choice required: true - default: '3.10' # If changed, update env defaults, too description: 'Python version to run wheel test' options: - '3.8' 
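Review bot: The `- run:` step in dco_merge_queue.yml uses a plain multi-line scalar, so YAML folds the two `echo` lines into one shell line and the second `echo` becomes an argument of the first; the step still exits 0 but prints a single mangled line. Use a literal block scalar, `- run: |`, with the two `echo` lines indented beneath it. The file also lacks a trailing newline (`\ No newline at end of file`), and since this job exists only to satisfy a required status check in the merge queue, a comment on the `DCO:` job noting that its name must match the required check exactly would make that coupling explicit.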
@@ -70,10 +69,6 @@ env: NVQC_FUNCTION_ID: 3bfa0342-7d2a-4f1b-8e81-b6608d28ca7d # :::: NGC_NVQC_DEPLOYMENT_SPEC: GFN:L40S:gl40s_1.br25_2xlarge:1:1 - # If vars below are changed, it is recommended to also update the - # workflow_dispatch defaults above so they stay in sync. - cudaq_test_image: nvcr.io/nvidia/nightly/cuda-quantum:latest - cudaq_nvqc_deploy_image: nvcr.io/nvidia/nightly/cuda-quantum:latest python_version: '3.10' jobs: @@ -84,11 +79,13 @@ jobs: runs-on: ubuntu-latest outputs: cudaq_test_image: ${{ steps.vars.outputs.cudaq_test_image }} + cudaq_nvqc_deploy_image: ${{ steps.vars.outputs.cudaq_nvqc_deploy_image }} steps: - name: Set variables id: vars run: | - echo "cudaq_test_image=${{ inputs.cudaq_test_image || env.cudaq_test_image }}" >> $GITHUB_OUTPUT + echo "cudaq_test_image=${{ inputs.cudaq_test_image || vars.cudaq_test_image }}" >> $GITHUB_OUTPUT + echo "cudaq_nvqc_deploy_image=${{ inputs.cudaq_nvqc_deploy_image || vars.cudaq_test_image }}" >> $GITHUB_OUTPUT metadata: name: Retrieve commit info @@ -112,7 +109,7 @@ jobs: build_nvqc_image: name: Build NVQC deployment image runs-on: ubuntu-latest - needs: metadata + needs: [setup, metadata] environment: ghcr-deployment if: (inputs.target == 'nvqc' || github.event_name == 'schedule' || inputs.target == 'nightly') steps: @@ -153,7 +150,7 @@ jobs: context: . file: ./docker/release/cudaq.nvqc.Dockerfile build-args: | - base_image=${{ inputs.cudaq_nvqc_deploy_image || env.cudaq_nvqc_deploy_image }} + base_image=${{ needs.setup.outputs.cudaq_nvqc_deploy_image }} tags: nvcr.io/${{ env.NGC_QUANTUM_ORG }}/${{ env.NGC_QUANTUM_TEAM }}/cuda-quantum:nightly platforms: linux/amd64 provenance: false diff --git a/.github/workflows/nvqc_regression_tests.yml b/.github/workflows/nvqc_regression_tests.yml index 10cab6a0779..857343501cc 100644 --- a/.github/workflows/nvqc_regression_tests.yml +++ b/.github/workflows/nvqc_regression_tests.yml 
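Review bot: In the `Set variables` step of integration_tests.yml, `cudaq_nvqc_deploy_image=${{ inputs.cudaq_nvqc_deploy_image || vars.cudaq_test_image }}` falls back to the repository variable rather than to the test image that was actually supplied, so a `workflow_dispatch` run that sets only `cudaq_test_image` deploys NVQC from a different image than it tests, contradicting the input's `# same as cudaq_test_image if not provided` comment; if that comment states the intent, use `${{ inputs.cudaq_nvqc_deploy_image || inputs.cudaq_test_image || vars.cudaq_test_image }}`. When neither an input nor the `cudaq_test_image` repository variable is set (a fresh fork), both outputs are empty and `base_image=` in the later build-args hunk becomes an empty string that only fails inside the Docker build; a guard such as `[ -n "${{ inputs.cudaq_test_image || vars.cudaq_test_image }}" ] || { echo "::error::set the cudaq_test_image repository variable"; exit 1; }` would fail fast with a clear message. The `description:` of both image inputs still says "Default to the latest CUDA Quantum nightly image" although the default is now the repository variable; the same stale description is in the nvqc_regression_tests.yml hunk.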
@@ -12,7 +12,7 @@ on: cudaq_test_image: type: string required: false - default: 'nvcr.io/nvidia/nightly/cuda-quantum:latest' # If changed, update env defaults, too + default: '' # picked up from repo variable if not provided description: 'CUDA Quantum image to run the tests in. Default to the latest CUDA Quantum nightly image' commit_sha: type: string @@ -25,7 +25,6 @@ on: python_version: type: choice required: true - default: '3.10' # If changed, update env defaults, too description: 'Python version to run wheel test' options: - '3.8' @@ -37,9 +36,6 @@ on: - cron: 0 3 * * * env: - # If vars below are changed, it is recommended to also update the - # workflow_dispatch defaults above so they stay in sync. - cudaq_test_image: nvcr.io/nvidia/nightly/cuda-quantum:latest python_version: '3.10' jobs: @@ -54,7 +50,7 @@ jobs: - name: Set variables id: vars run: | - echo "cudaq_test_image=${{ inputs.cudaq_test_image || env.cudaq_test_image }}" >> $GITHUB_OUTPUT + echo "cudaq_test_image=${{ inputs.cudaq_test_image || vars.cudaq_test_image }}" >> $GITHUB_OUTPUT metadata: name: Retrieve commit info diff --git a/.github/workflows/publishing.yml b/.github/workflows/publishing.yml index 695529c3bc4..72d23b70622 100644 --- a/.github/workflows/publishing.yml +++ b/.github/workflows/publishing.yml @@ -235,6 +235,8 @@ jobs: for info_file in ${{ join(fromJson(steps.artifacts.outputs.installers).info_files, ' ') }}; do delete_staging_branch $info_file '${{ steps.artifacts.outputs.installers }}' done + env: + GH_TOKEN: ${{ secrets.REPO_BOT_ACCESS_TOKEN }} - name: Retrieve id: assets_retrieval diff --git a/.github/workflows/repo_checks.yml b/.github/workflows/repo_checks.yml index f5d92d5b1f8..d5f4d324c54 100644 --- a/.github/workflows/repo_checks.yml +++ b/.github/workflows/repo_checks.yml @@ -1,6 +1,9 @@ on: workflow_dispatch: pull_request: + merge_group: + types: + - checks_requested name: "Basic content checks" 
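Review bot: `GH_TOKEN: ${{ secrets.REPO_BOT_ACCESS_TOKEN }}` in the publishing.yml hunk has no fallback, unlike the same setting in clean_up.yml (`|| github.token`), so when the secret is absent the `delete_staging_branch` loop runs with an empty token and every `gh` call fails on authentication. Either add the same fallback or state in a comment that the bot token is mandatory for this step, e.g. `# requires the bot PAT: staging branches cannot be deleted with the workflow token`. `delete_staging_branch` itself is defined outside the hunk, so whether it tolerates a failed deletion cannot be checked here.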
@@ -85,7 +88,7 @@ jobs: create_output cxx_examples 'docs/sphinx/examples/**/*.cpp' create_output python '*.py :!:python/tests :!:test :!:targettests :!:tpls :!:docs/sphinx/conf.py' create_output markdown '*.md :!:tpls' - create_output rst '*.rst :!:tpls' + create_output rst '*.rst :!:tpls :!:docs/sphinx/_templates/**/*.rst' echo "json=$(echo $json)" >> $GITHUB_OUTPUT formatting:
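Review bot: The new exclusion `:!:docs/sphinx/_templates/**/*.rst` in repo_checks.yml is a git pathspec, and without the `:(glob)` magic git gives `**` no special meaning: `*` already matches across `/`, but the literal `/` after `**` still has to be present, so a template directly in `docs/sphinx/_templates/` (say `docs/sphinx/_templates/page.rst`) would not be excluded, if I read git's pathspec rules right. Excluding the directory as a whole is both simpler and complete: `create_output rst '*.rst :!:tpls :!:docs/sphinx/_templates'`. The `create_output` helper that consumes these pathspecs is defined outside the hunk, so this assumes it passes the string to git unmodified.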