Merge branch 'main' into feat/auto-completions-338

Author: lockwobr

.github/workflows/gpu-h100-conformance-test.yaml

@@ -43,6 +43,17 @@ on:
       - 'recipes/overlays/h100-kind-conformance.yaml'
       - 'kwok/manifests/karpenter/**'
       - 'kwok/scripts/install-karpenter-kwok.sh'
+      # Collector/snapshotter — affects GPU detection and snapshot content
+      - 'pkg/collector/**'
+      - 'pkg/snapshotter/**'
+      # Validator infrastructure — affects how validator Jobs are deployed and run
+      - 'pkg/validator/job/**'
+      - 'pkg/validator/catalog/**'
+      - 'pkg/defaults/timeouts.go'
+      # Conformance validator source
+      - 'validators/conformance/**'
+  pull_request:
+    types: [labeled]
   workflow_dispatch: {}  # Allow manual runs
 
 permissions:
@@ -55,6 +66,9 @@ concurrency:
 jobs:
 
   gpu-conformance-test:
+    if: >
+      github.event_name != 'pull_request' ||
+      github.event.label.name == 'run-gpu-tests'
     name: GPU Conformance Test (nvkind + H100 x2)
     runs-on: linux-amd64-gpu-h100-latest-2
     timeout-minutes: 60

.github/workflows/gpu-h100-inference-test.yaml

@@ -41,6 +41,18 @@ on:
       - 'recipes/overlays/h100-kind-inference-dynamo.yaml'
       - 'kwok/manifests/karpenter/**'
       - 'kwok/scripts/install-karpenter-kwok.sh'
+      # Collector/snapshotter — affects GPU detection and snapshot content
+      - 'pkg/collector/**'
+      - 'pkg/snapshotter/**'
+      - '.github/actions/gpu-snapshot-validate/**'
+      # Validator infrastructure — affects how validator Jobs are deployed and run
+      - 'pkg/validator/job/**'
+      - 'pkg/validator/catalog/**'
+      - 'pkg/defaults/timeouts.go'
+      # Conformance validator source
+      - 'validators/conformance/**'
+  pull_request:
+    types: [labeled]
   workflow_dispatch: {}  # Allow manual runs
 
 permissions:
@@ -53,6 +65,9 @@ concurrency:
 jobs:
 
   gpu-inference-test:
+    if: >
+      github.event_name != 'pull_request' ||
+      github.event.label.name == 'run-gpu-tests'
     name: GPU Inference Test (nvkind + H100)
     runs-on: linux-amd64-gpu-h100-latest-1
     timeout-minutes: 45

.github/workflows/gpu-h100-training-test.yaml

@@ -37,6 +37,18 @@ on:
       - 'kwok/manifests/karpenter/**'
       - 'kwok/scripts/install-karpenter-kwok.sh'
       - 'recipes/components/prometheus-adapter/**'
+      # Collector/snapshotter — affects GPU detection and snapshot content
+      - 'pkg/collector/**'
+      - 'pkg/snapshotter/**'
+      - '.github/actions/gpu-snapshot-validate/**'
+      # Validator infrastructure — affects how validator Jobs are deployed and run
+      - 'pkg/validator/job/**'
+      - 'pkg/validator/catalog/**'
+      - 'pkg/defaults/timeouts.go'
+      # Conformance validator source
+      - 'validators/conformance/**'
+  pull_request:
+    types: [labeled]
   workflow_dispatch: {}  # Allow manual runs
 
 permissions:
@@ -49,6 +61,9 @@ concurrency:
 jobs:
 
   gpu-training-test:
+    if: >
+      github.event_name != 'pull_request' ||
+      github.event.label.name == 'run-gpu-tests'
     name: GPU Training Test (nvkind + H100 x2)
     runs-on: linux-amd64-gpu-h100-latest-2
     timeout-minutes: 45

.github/workflows/gpu-smoke-test.yaml

@@ -27,6 +27,18 @@ on:
       - '.github/actions/aicr-build/**'
       - '.github/actions/gpu-test-cleanup/**'
       - '.github/actions/load-versions/**'
+      # Collector/snapshotter — affects GPU detection and snapshot content
+      - 'pkg/collector/**'
+      - 'pkg/snapshotter/**'
+      - '.github/actions/gpu-snapshot-validate/**'
+      # Validator infrastructure — affects how validator Jobs are deployed and run
+      - 'pkg/validator/job/**'
+      - 'pkg/validator/catalog/**'
+      - 'pkg/defaults/timeouts.go'
+      # Conformance validator source
+      - 'validators/conformance/**'
+  pull_request:
+    types: [labeled]
   workflow_dispatch: {}  # Allow manual runs
 
 permissions:
@@ -39,6 +51,9 @@ concurrency:
 jobs:
 
   gpu-smoke-test:
+    if: >
+      github.event_name != 'pull_request' ||
+      github.event.label.name == 'run-gpu-tests'
     name: GPU Smoke Test (nvkind + T4)
     runs-on: linux-amd64-gpu-t4-latest-1
     timeout-minutes: 30

.github/workflows/triage.yaml

@@ -28,6 +28,7 @@ jobs:
     name: Auto-Triage Issues
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
     timeout-minutes: 5
     steps:
@@ -63,3 +64,49 @@ jobs:
                 name: 'needs-triage',
               });
             }
+
+      - name: Assign by area label
+        if: >-
+          github.event.action == 'labeled' &&
+          startsWith(github.event.label.name, 'area/')
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
+        with:
+          script: |
+            const { data: file } = await github.rest.repos.getContent({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              path: '.settings.yaml',
+            });
+            const content = Buffer.from(file.content, 'base64').toString('utf8');
+
+            // Parse area_assignees from .settings.yaml
+            const assignees = {};
+            let inBlock = false;
+            for (const line of content.split('\n')) {
+              if (line.startsWith('area_assignees:')) {
+                inBlock = true;
+                continue;
+              }
+              if (inBlock) {
+                const m = line.match(/^\s+(area\/\S+):\s*(\S+)/);
+                if (m) {
+                  assignees[m[1]] = m[2];
+                } else if (/^\S/.test(line)) {
+                  break;
+                }
+              }
+            }
+
+            const label = context.payload.label.name;
+            const user = assignees[label];
+            if (!user) {
+              core.info(`No assignee configured for ${label}`);
+              return;
+            }
+
+            await github.rest.issues.addAssignees({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              assignees: [user],
+            });

.settings.yaml

@@ -53,6 +53,19 @@ testing_tools:
   yq: 'v4.52.4'
   karpenter: 'v1.8.0'
 
+# Area Assignees (GitHub usernames assigned to issues by area label)
+area_assignees:
+  area/api: cullenmcdermott
+  area/bundler: ArangoGutierrez
+  area/ci: mchmarny
+  area/cli: lockwobr
+  area/collector: ayuskauskas
+  area/docs: dims
+  area/infra: mchmarny
+  area/recipes: yuanchen8911
+  area/tests: atif1996
+  area/validator: xdu31
+
 # Quality Thresholds
 quality:
   coverage_threshold: '70'

install

@@ -130,7 +130,7 @@ write_completion() {
 }
 
 setup_bash_completions() {
-  local bin_path="$1" os="$2" xdg_data="$3"
+  local bin_path="$1" os="$2" xdg_data="$3" user_only="$4"
   local sys_dir
   if [[ "$os" == "darwin" ]]; then
     local brew_prefix="/usr/local"
@@ -140,7 +140,7 @@ setup_bash_completions() {
     sys_dir="/usr/share/bash-completion/completions"
   fi
 
-  if write_completion "$bin_path" bash "${sys_dir}/aicr"; then
+  if [[ "$user_only" != "true" ]] && write_completion "$bin_path" bash "${sys_dir}/aicr"; then
     ok "Bash completions installed"
   elif write_completion "$bin_path" bash "${xdg_data}/bash-completion/completions/aicr"; then
     ok "Bash completions installed (user-local)"
@@ -150,7 +150,7 @@ setup_bash_completions() {
 }
 
 setup_zsh_completions() {
-  local bin_path="$1" os="$2" xdg_data="$3"
+  local bin_path="$1" os="$2" xdg_data="$3" user_only="$4"
   local sys_dir
   if [[ "$os" == "darwin" ]]; then
     local brew_prefix="/usr/local"
@@ -160,7 +160,7 @@ setup_zsh_completions() {
     sys_dir="/usr/local/share/zsh/site-functions"
   fi
 
-  if write_completion "$bin_path" zsh "${sys_dir}/_aicr"; then
+  if [[ "$user_only" != "true" ]] && write_completion "$bin_path" zsh "${sys_dir}/_aicr"; then
     ok "Zsh completions installed"
   elif write_completion "$bin_path" zsh "${xdg_data}/zsh/site-functions/_aicr"; then
     ok "Zsh completions installed (user-local)"
@@ -170,11 +170,11 @@ setup_zsh_completions() {
 }
 
 setup_fish_completions() {
-  local bin_path="$1"
+  local bin_path="$1" user_only="$2"
   local sys_dir="/usr/share/fish/vendor_completions.d"
   local user_dir="${XDG_CONFIG_HOME:-$HOME/.config}/fish/completions"
 
-  if [[ -d "$sys_dir" ]] && write_completion "$bin_path" fish "${sys_dir}/aicr.fish"; then
+  if [[ "$user_only" != "true" ]] && [[ -d "$sys_dir" ]] && write_completion "$bin_path" fish "${sys_dir}/aicr.fish"; then
     ok "Fish completions installed"
   elif [[ -d "${user_dir%/*}" ]] && write_completion "$bin_path" fish "${user_dir}/aicr.fish"; then
     ok "Fish completions installed (user-local)"
@@ -188,14 +188,19 @@ setup_completions() {
   fi
 
   local bin_path="${INSTALL_DIR}/${BIN_NAME}"
-  local os xdg_data
+  local os xdg_data user_only="false"
   os=$(get_os)
   xdg_data="${XDG_DATA_HOME:-$HOME/.local/share}"
+
+  # If the binary install did not need sudo, skip system completion dirs
+  # to avoid unexpected sudo prompts (e.g., ./install -d ~/bin).
+  [[ "${USED_SUDO:-false}" == "false" ]] && user_only="true"
+
   step "Setting up shell completions..."
 
-  setup_bash_completions "$bin_path" "$os" "$xdg_data"
-  setup_zsh_completions "$bin_path" "$os" "$xdg_data"
-  setup_fish_completions "$bin_path"
+  setup_bash_completions "$bin_path" "$os" "$xdg_data" "$user_only"
+  setup_zsh_completions "$bin_path" "$os" "$xdg_data" "$user_only"
+  setup_fish_completions "$bin_path" "$user_only"
 }
 
 # ==============================================================================
@@ -389,11 +394,13 @@ main() {
   chmod +x "${temp_dir}/${BIN_NAME}"
   step "Installing $BIN_NAME to $INSTALL_DIR"
   mkdir -p "$INSTALL_DIR"
+  USED_SUDO=false
   if [[ -w "$INSTALL_DIR" ]]; then
     mv "${temp_dir}/${BIN_NAME}" "${INSTALL_DIR}/${BIN_NAME}"
     [[ -f "${temp_dir}/${BIN_NAME}-attestation.sigstore.json" ]] && \
       mv "${temp_dir}/${BIN_NAME}-attestation.sigstore.json" "${INSTALL_DIR}/${BIN_NAME}-attestation.sigstore.json"
   else
+    USED_SUDO=true
     sudo mv "${temp_dir}/${BIN_NAME}" "${INSTALL_DIR}/${BIN_NAME}"
     [[ -f "${temp_dir}/${BIN_NAME}-attestation.sigstore.json" ]] && \
       sudo mv "${temp_dir}/${BIN_NAME}-attestation.sigstore.json" "${INSTALL_DIR}/${BIN_NAME}-attestation.sigstore.json"

pkg/bundler/verifier/trust.go

@@ -16,6 +16,7 @@ package verifier
 
 import (
 	"fmt"
+	"sort"
 	"strings"
 
 	"github.com/NVIDIA/aicr/pkg/constraints"
@@ -72,6 +73,17 @@ func ParseTrustLevel(s string) (TrustLevel, error) {
 	return level, nil
 }
 
+// GetTrustLevels returns all valid trust level names sorted alphabetically.
+// This excludes "max" which is a meta-value for auto-detection, not a real level.
+func GetTrustLevels() []string {
+	levels := make([]string, 0, len(trustOrder))
+	for level := range trustOrder {
+		levels = append(levels, string(level))
+	}
+	sort.Strings(levels)
+	return levels
+}
+
 // VerifyResult contains the outcome of bundle verification.
 type VerifyResult struct {
 	// TrustLevel is the computed trust level for the bundle.

pkg/bundler/verifier/trust_test.go

@@ -229,3 +229,17 @@ func TestMaxAchievableTrustLevel(t *testing.T) {
 		})
 	}
 }
+
+func TestGetTrustLevels(t *testing.T) {
+	levels := GetTrustLevels()
+
+	expected := []string{"attested", "unknown", "unverified", "verified"}
+	if len(levels) != len(expected) {
+		t.Fatalf("got %d levels, want %d", len(levels), len(expected))
+	}
+	for i, v := range levels {
+		if v != expected[i] {
+			t.Errorf("levels[%d] = %q, want %q", i, v, expected[i])
+		}
+	}
+}

pkg/cli/bundle.go

@@ -298,13 +298,13 @@ Package with explicit tag (overrides CLI version):
 				Usage:    "Estimated number of GPU nodes (written to nodeScheduling.nodeCountPaths in registry). 0 = unset.",
 				Category: "Scheduling",
 			},
-			&cli.StringFlag{
+			withCompletions(&cli.StringFlag{
 				Name:     "deployer",
 				Aliases:  []string{"d"},
 				Value:    string(config.DeployerHelm),
 				Usage:    fmt.Sprintf("Deployment method (e.g. %s)", strings.Join(config.GetDeployerTypes(), ", ")),
 				Category: "Deployment",
-			},
+			}, config.GetDeployerTypes),
 			&cli.StringFlag{
 				Name:     "repo",
 				Value:    "",