Merge branch 'main' into feat/auto-completions-338

Author: lockwobr

.github/workflows/gpu-h100-conformance-test.yaml

@@ -43,6 +43,17 @@ on:
       - 'recipes/overlays/h100-kind-conformance.yaml'
       - 'kwok/manifests/karpenter/**'
       - 'kwok/scripts/install-karpenter-kwok.sh'
+      # Collector/snapshotter — affects GPU detection and snapshot content
+      - 'pkg/collector/**'
+      - 'pkg/snapshotter/**'
+      # Validator infrastructure — affects how validator Jobs are deployed and run
+      - 'pkg/validator/job/**'
+      - 'pkg/validator/catalog/**'
+      - 'pkg/defaults/timeouts.go'
+      # Conformance validator source
+      - 'validators/conformance/**'
+  pull_request:
+    types: [labeled]
   workflow_dispatch: {}  # Allow manual runs
 
 permissions:
@@ -55,6 +66,9 @@ concurrency:
 jobs:
 
   gpu-conformance-test:
+    if: >
+      github.event_name != 'pull_request' ||
+      github.event.label.name == 'run-gpu-tests'
     name: GPU Conformance Test (nvkind + H100 x2)
     runs-on: linux-amd64-gpu-h100-latest-2
     timeout-minutes: 60

.github/workflows/gpu-h100-inference-test.yaml

@@ -41,6 +41,18 @@ on:
       - 'recipes/overlays/h100-kind-inference-dynamo.yaml'
       - 'kwok/manifests/karpenter/**'
       - 'kwok/scripts/install-karpenter-kwok.sh'
+      # Collector/snapshotter — affects GPU detection and snapshot content
+      - 'pkg/collector/**'
+      - 'pkg/snapshotter/**'
+      - '.github/actions/gpu-snapshot-validate/**'
+      # Validator infrastructure — affects how validator Jobs are deployed and run
+      - 'pkg/validator/job/**'
+      - 'pkg/validator/catalog/**'
+      - 'pkg/defaults/timeouts.go'
+      # Conformance validator source
+      - 'validators/conformance/**'
+  pull_request:
+    types: [labeled]
   workflow_dispatch: {}  # Allow manual runs
 
 permissions:
@@ -53,6 +65,9 @@ concurrency:
 jobs:
 
   gpu-inference-test:
+    if: >
+      github.event_name != 'pull_request' ||
+      github.event.label.name == 'run-gpu-tests'
     name: GPU Inference Test (nvkind + H100)
     runs-on: linux-amd64-gpu-h100-latest-1
     timeout-minutes: 45

.github/workflows/gpu-h100-training-test.yaml

@@ -37,6 +37,18 @@ on:
       - 'kwok/manifests/karpenter/**'
       - 'kwok/scripts/install-karpenter-kwok.sh'
       - 'recipes/components/prometheus-adapter/**'
+      # Collector/snapshotter — affects GPU detection and snapshot content
+      - 'pkg/collector/**'
+      - 'pkg/snapshotter/**'
+      - '.github/actions/gpu-snapshot-validate/**'
+      # Validator infrastructure — affects how validator Jobs are deployed and run
+      - 'pkg/validator/job/**'
+      - 'pkg/validator/catalog/**'
+      - 'pkg/defaults/timeouts.go'
+      # Conformance validator source
+      - 'validators/conformance/**'
+  pull_request:
+    types: [labeled]
   workflow_dispatch: {}  # Allow manual runs
 
 permissions:
@@ -49,6 +61,9 @@ concurrency:
 jobs:
 
   gpu-training-test:
+    if: >
+      github.event_name != 'pull_request' ||
+      github.event.label.name == 'run-gpu-tests'
     name: GPU Training Test (nvkind + H100 x2)
     runs-on: linux-amd64-gpu-h100-latest-2
     timeout-minutes: 45

.github/workflows/gpu-smoke-test.yaml

@@ -27,6 +27,18 @@ on:
       - '.github/actions/aicr-build/**'
       - '.github/actions/gpu-test-cleanup/**'
       - '.github/actions/load-versions/**'
+      # Collector/snapshotter — affects GPU detection and snapshot content
+      - 'pkg/collector/**'
+      - 'pkg/snapshotter/**'
+      - '.github/actions/gpu-snapshot-validate/**'
+      # Validator infrastructure — affects how validator Jobs are deployed and run
+      - 'pkg/validator/job/**'
+      - 'pkg/validator/catalog/**'
+      - 'pkg/defaults/timeouts.go'
+      # Conformance validator source
+      - 'validators/conformance/**'
+  pull_request:
+    types: [labeled]
   workflow_dispatch: {}  # Allow manual runs
 
 permissions:
@@ -39,6 +51,9 @@ concurrency:
 jobs:
 
   gpu-smoke-test:
+    if: >
+      github.event_name != 'pull_request' ||
+      github.event.label.name == 'run-gpu-tests'
     name: GPU Smoke Test (nvkind + T4)
     runs-on: linux-amd64-gpu-t4-latest-1
     timeout-minutes: 30

.github/workflows/triage.yaml

@@ -28,6 +28,7 @@ jobs:
     name: Auto-Triage Issues
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
     timeout-minutes: 5
     steps:
@@ -63,3 +64,49 @@ jobs:
                 name: 'needs-triage',
               });
             }
+
+      - name: Assign by area label
+        if: >-
+          github.event.action == 'labeled' &&
+          startsWith(github.event.label.name, 'area/')
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
+        with:
+          script: |
+            const { data: file } = await github.rest.repos.getContent({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              path: '.settings.yaml',
+            });
+            const content = Buffer.from(file.content, 'base64').toString('utf8');
+
+            // Parse area_assignees from .settings.yaml
+            const assignees = {};
+            let inBlock = false;
+            for (const line of content.split('\n')) {
+              if (line.startsWith('area_assignees:')) {
+                inBlock = true;
+                continue;
+              }
+              if (inBlock) {
+                const m = line.match(/^\s+(area\/\S+):\s*(\S+)/);
+                if (m) {
+                  assignees[m[1]] = m[2];
+                } else if (/^\S/.test(line)) {
+                  break;
+                }
+              }
+            }
+
+            const label = context.payload.label.name;
+            const user = assignees[label];
+            if (!user) {
+              core.info(`No assignee configured for ${label}`);
+              return;
+            }
+
+            await github.rest.issues.addAssignees({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              assignees: [user],
+            });

.settings.yaml

@@ -53,6 +53,19 @@ testing_tools:
   yq: 'v4.52.4'
   karpenter: 'v1.8.0'
 
+# Area Assignees (GitHub usernames assigned to issues by area label)
+area_assignees:
+  area/api: cullenmcdermott
+  area/bundler: ArangoGutierrez
+  area/ci: mchmarny
+  area/cli: lockwobr
+  area/collector: ayuskauskas
+  area/docs: dims
+  area/infra: mchmarny
+  area/recipes: yuanchen8911
+  area/tests: atif1996
+  area/validator: xdu31
+
 # Quality Thresholds
 quality:
   coverage_threshold: '70'

pkg/bundler/verifier/trust.go

@@ -16,6 +16,7 @@ package verifier
 
 import (
 	"fmt"
+	"sort"
 	"strings"
 
 	"github.com/NVIDIA/aicr/pkg/constraints"
@@ -72,6 +73,17 @@ func ParseTrustLevel(s string) (TrustLevel, error) {
 	return level, nil
 }
 
+// GetTrustLevels returns all valid trust level names sorted alphabetically.
+// This excludes "max" which is a meta-value for auto-detection, not a real level.
+func GetTrustLevels() []string {
+	levels := make([]string, 0, len(trustOrder))
+	for level := range trustOrder {
+		levels = append(levels, string(level))
+	}
+	sort.Strings(levels)
+	return levels
+}
+
 // VerifyResult contains the outcome of bundle verification.
 type VerifyResult struct {
 	// TrustLevel is the computed trust level for the bundle.

pkg/bundler/verifier/trust_test.go

@@ -229,3 +229,17 @@ func TestMaxAchievableTrustLevel(t *testing.T) {
 		})
 	}
 }
+
+func TestGetTrustLevels(t *testing.T) {
+	levels := GetTrustLevels()
+
+	expected := []string{"attested", "unknown", "unverified", "verified"}
+	if len(levels) != len(expected) {
+		t.Fatalf("got %d levels, want %d", len(levels), len(expected))
+	}
+	for i, v := range levels {
+		if v != expected[i] {
+			t.Errorf("levels[%d] = %q, want %q", i, v, expected[i])
+		}
+	}
+}

pkg/cli/bundle.go

@@ -298,13 +298,13 @@ Package with explicit tag (overrides CLI version):
 				Usage:    "Estimated number of GPU nodes (written to nodeScheduling.nodeCountPaths in registry). 0 = unset.",
 				Category: "Scheduling",
 			},
-			&cli.StringFlag{
+			withCompletions(&cli.StringFlag{
 				Name:     "deployer",
 				Aliases:  []string{"d"},
 				Value:    string(config.DeployerHelm),
 				Usage:    fmt.Sprintf("Deployment method (e.g. %s)", strings.Join(config.GetDeployerTypes(), ", ")),
 				Category: "Deployment",
-			},
+			}, config.GetDeployerTypes),
 			&cli.StringFlag{
 				Name:     "repo",
 				Value:    "",

pkg/cli/bundle_verify.go

@@ -61,13 +61,13 @@ Output as JSON:
   aicr verify ./my-bundle --format json
 `,
 		Flags: []cli.Flag{
-			&cli.StringFlag{
+			withCompletions(&cli.StringFlag{
 				Name:  "min-trust-level",
 				Value: "max",
 				Usage: `Minimum required trust level. "max" (default) auto-detects the highest
 	achievable level for this bundle and verifies against it.
 	Explicit levels: verified, attested, unverified, unknown`,
-			},
+			}, verifier.GetTrustLevels),
 			&cli.StringFlag{
 				Name:  "require-creator",
 				Usage: "Require a specific creator identity (matched against bundle attestation certificate)",
@@ -83,11 +83,11 @@ Output as JSON:
 				Usage: `Override the certificate identity pattern for binary attestation verification.
 	Must contain "NVIDIA/aicr". Default pins to the release workflow on tag refs.`,
 			},
-			&cli.StringFlag{
+			withCompletions(&cli.StringFlag{
 				Name:  "format",
 				Value: "text",
 				Usage: "Output format: text, json",
-			},
+			}, func() []string { return []string{"json", "text"} }),
 		},
 		Action: runBundleVerifyCmd,
 	}