Adding a wrapper workflow to call the deploy tests

pvijayakrish · pvijayakrish · commit be0d9b0c94f9 · 2025-11-20T00:44:27.000-08:00
Signed-off-by: pvijayakrish &lt;pvijayakrish@nvidia.com&gt;
diff --git a/.github/workflows/container-validation-backends.yml b/.github/workflows/container-validation-backends.yml
@@ -9,13 +9,13 @@ on:
       - main
       - "pull-request/[0-9]+"
       - release/*.*.*
-  workflow_dispatch:
+  workflow_call:
     inputs:
       run_deploy_operator:
         description: 'Run deploy operator and deployment tests'
         required: false
-        default: false
         type: boolean
+        default: false
 
 concurrency:
     # The group name is a ternary operation. If the ref_name is 'main',
@@ -25,9 +25,13 @@ concurrency:
     group: docker-build-test-${{ github.ref_name == 'main' && github.run_id || github.ref_name }}
     cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
+env_anchor: &secure_env
+  environment: ${{ github.event_name == 'workflow_call' && 'protected-deploy' || '' }}
+
 jobs:
   changed-files:
     runs-on: ubuntu-latest
+    <<: *secure_env
     outputs:
       has_code_changes: ${{ steps.filter.outputs.has_code_changes }}
     steps:
@@ -41,6 +45,7 @@ jobs:
 
   backend-status-check:
     runs-on: ubuntu-latest
+    <<: *secure_env
     needs: [vllm, sglang, trtllm, operator]
     if: always()
     steps:
@@ -51,6 +56,7 @@ jobs:
   operator:
     needs: changed-files
     if: needs.changed-files.outputs.has_code_changes == 'true'
+    <<: *secure_env
     strategy:
       fail-fast: false
       matrix:
@@ -131,6 +137,7 @@ jobs:
   vllm:
     needs: changed-files
     if: needs.changed-files.outputs.has_code_changes == 'true'
+    <<: *secure_env
     strategy:
       fail-fast: false
       matrix:
@@ -200,6 +207,7 @@ jobs:
   sglang:
     needs: changed-files
     if: needs.changed-files.outputs.has_code_changes == 'true'
+    <<: *secure_env
     strategy:
       fail-fast: false
       matrix:
@@ -267,6 +275,7 @@ jobs:
   trtllm:
     needs: changed-files
     if: needs.changed-files.outputs.has_code_changes == 'true'
+    <<: *secure_env
     strategy:
       fail-fast: false
       matrix:
@@ -334,6 +343,7 @@ jobs:
   deploy-test-fault-tolerance:
     runs-on: cpu-amd-m5-2xlarge
     if: needs.changed-files.outputs.has_code_changes == 'true'
+    <<: *secure_env
     needs: [changed-files, operator, vllm, trtllm, sglang]
     permissions:
       contents: read
@@ -477,6 +487,7 @@ jobs:
   # Upload metrics for this workflow and all its jobs
   upload-workflow-metrics:
     name: Upload Workflow Metrics
+    <<: *secure_env
     runs-on: gitlab
     if: always()  # Always run, even if other jobs fail
     needs: [backend-status-check]  # Wait for the status check which waits for all build jobs
@@ -528,6 +539,7 @@ jobs:
     runs-on: cpu-amd-m5-2xlarge
     # TODO: Uncomment this when we have a way to test the deploy-operator job in CI.
     #if: needs.changed-files.outputs.has_code_changes == 'true'
+    <<: *secure_env
     if: inputs.run_deploy_operator
     needs: [changed-files, operator, vllm, sglang, trtllm]
     env:
@@ -607,6 +619,7 @@ jobs:
     # TODO: Uncomment this when we have a way to test the deploy-test-vllm job in CI.
     #if: needs.changed-files.outputs.has_code_changes == 'true'
     if: inputs.run_deploy_operator
+    <<: *secure_env
     needs: [changed-files, deploy-operator, vllm]
     permissions:
       contents: read
@@ -763,6 +776,7 @@ jobs:
     # TODO: Uncomment this when we have a way to test the deploy-test-sglang job in CI.
     #if: needs.changed-files.outputs.has_code_changes == 'true'
     if: inputs.run_deploy_operator
+    <<: *secure_env
     needs: [changed-files, deploy-operator, sglang]
     permissions:
       contents: read
@@ -786,6 +800,7 @@ jobs:
     # TODO: Uncomment this when we have a way to test the deploy-test-trtllm job in CI.
     #if: needs.changed-files.outputs.has_code_changes == 'true'
     if: inputs.run_deploy_operator
+    <<: *secure_env
     needs: [changed-files, deploy-operator, trtllm]
     permissions:
       contents: read
@@ -811,6 +826,7 @@ jobs:
     # TODO: Uncomment the below if statement when we have a way to test the cleanup job in CI.
     # if: always()
     if: inputs.run_deploy_operator
+    <<: *secure_env
     needs: [changed-files, deploy-operator, deploy-test-trtllm, deploy-test-sglang, deploy-test-vllm]
     steps:
     - name: Output Node Name
diff --git a/.github/workflows/trigger-secure-deploy.yml b/.github/workflows/trigger-secure-deploy.yml
@@ -0,0 +1,75 @@
+name: Trigger Secure Deploy
+
+on:
+  workflow_dispatch:
+    inputs:
+      run_deploy_operator:
+        description: 'Run deploy operator and deployment tests'
+        required: false
+        default: false
+        type: boolean
+      target_branch:
+        description: 'Branch to run deploy tests on'
+        required: false
+        default: 'main'
+        type: string
+
+jobs:
+  validate-access:
+    runs-on: ubuntu-latest
+    outputs:
+      authorized: ${{ steps.check.outputs.authorized }}
+    steps:
+      - name: Check User Authorization
+        id: check
+        run: |
+          # Allow NVIDIA employees and approved bots
+          allowed_actors=(
+            "nvidia-employee1"
+            "nvidia-employee2"
+            "copy-pr-bot"  # Allow the copy PR bot
+            "nvidia-bot"   # Allow other NVIDIA bots
+          )
+
+          # Block external contributors
+          blocked_patterns=(
+            "external-"
+            "contributor-"
+            "guest-"
+          )
+
+          actor="${{ github.actor }}"
+
+          # Check if actor is explicitly allowed
+          for allowed in "${allowed_actors[@]}"; do
+            if [[ "$actor" == "$allowed" ]]; then
+              echo "authorized=true" >> $GITHUB_OUTPUT
+              echo "✅ Authorized user: $actor"
+              exit 0
+            fi
+          done
+
+          # Check if actor matches blocked patterns
+          for pattern in "${blocked_patterns[@]}"; do
+            if [[ "$actor" == *"$pattern"* ]]; then
+              echo "❌ Blocked user pattern: $actor"
+              echo "authorized=false" >> $GITHUB_OUTPUT
+              exit 1
+            fi
+          done
+
+          # Default: block unknown users
+          echo "❌ Unauthorized user: $actor"
+          echo "authorized=false" >> $GITHUB_OUTPUT
+          exit 1
+
+  trigger-deploy-tests:
+    runs-on: ubuntu-latest
+    needs: validate-access
+    if: needs.validate-access.outputs.authorized == 'true'
+    environment: protected-deploy  # manual approval before triggering
+    steps:
+      - name: Call Secure Deploy Workflow
+        uses: ./.github/workflows/container-validation-backends.yml
+        with:
+          run_deploy_operator: ${{ github.event.inputs.run_deploy_operator }}
