Workflow changes to facilitate maintenance (#2269)

* repo variable to configure image for integration testing

Signed-off-by: Bettina Heim <[email protected]>

* no need for a separate cudaq_nvqc_deploy_image setting

Signed-off-by: Bettina Heim <[email protected]>

* use bot credentials to delete branches

Signed-off-by: Bettina Heim <[email protected]>

* Revert "no need for a separate cudaq_nvqc_deploy_image setting"

This reverts commit 59ff2a9.

* allow to override deploy image specifically

Signed-off-by: Bettina Heim <[email protected]>

* DCO Remediation Commit for Bettina Heim <[email protected]>

I, Bettina Heim <[email protected]>, hereby add my Signed-off-by to this commit: 8a907da

Signed-off-by: Bettina Heim <[email protected]>

* dummy commit to test CI

Signed-off-by: Bettina Heim <[email protected]>

* dummy commit to test CI

Signed-off-by: Bettina Heim <[email protected]>

* dummy commit to test CI

Signed-off-by: Bettina Heim <[email protected]>

* making it more fork friendly

* Update integration_tests.yml

DCO Remediation Commit for Bettina Heim <[email protected]>

I, Bettina Heim <[email protected]>, hereby add my Signed-off-by to this commit: 2661a11

Signed-off-by: Bettina Heim <[email protected]>

* adding codeql workflow for advanced configuratino

Signed-off-by: Bettina Heim <[email protected]>

* adding some permissions

Signed-off-by: Bettina Heim <[email protected]>

* changes needed for merge queue

Signed-off-by: Bettina Heim <[email protected]>

* exclude sphinx templates from spellcheck

Signed-off-by: Bettina Heim <[email protected]>

* fix wildcard pattern

Signed-off-by: Bettina Heim <[email protected]>

---------

Signed-off-by: Bettina Heim <[email protected]>

.github/workflows/ci.yml

@@ -15,7 +15,10 @@ on:
   push:
     branches:
       - "pull-request/[0-9]+"
-
+  merge_group:
+    types: 
+      - checks_requested
+
 name: CI # do not change name without updating workflow_run triggers
 
 concurrency:

.github/workflows/clean_up.yml

@@ -42,7 +42,7 @@ jobs:
               /repos/nvidia/cuda-quantum/git/refs/heads/$branch 
           done
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.REPO_BOT_ACCESS_TOKEN || github.token }}
 
   draft_releases:
     name: Delete draft release

.github/workflows/codeql.yml

@@ -0,0 +1,81 @@
+# This workflow is used to override the set of languages analyzed,
+# and to provide custom queries or build logic.
+
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: 
+      - 'main'
+      - 'releases/*'
+      - 'experimental/*'
+      - 'features/*'
+  pull_request:
+    branches: 
+      - 'main'
+      - 'releases/*'
+      - 'experimental/*'
+      - 'features/*'
+  schedule:
+    - cron: '37 9 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: 'ubuntu-latest'
+    permissions:
+      security-events: write
+      # read permissions below are only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # For analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+        - language: c-cpp
+          build-mode: none # Consider setting this to manual and providing a build command to get more accurate scanning
+        - language: python
+          build-mode: none
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/config/spellcheck_config.yml

@@ -45,7 +45,7 @@ matrix:
 
 - name: rst
   sources:
-  - '**/*.rst'
+  - '**/*.rst|!docs/sphinx/_templates/**/*.rst'
   expect_match: false
   aspell:
     lang: en

.github/workflows/dco_merge_queue.yml

@@ -0,0 +1,17 @@
+on:
+  # Do not add any triggers here!
+  merge_group:
+    types: 
+      - checks_requested
+
+name: DCO (merge queue)
+
+permissions: {} # no permissions needed. 
+
+jobs:
+  DCO:
+    runs-on: ubuntu-latest
+    steps:
+      - run: 
+          echo "Enable merge_queue check to pass."
+          echo "No checks were performed; these checks were already performed during PR workflows."

.github/workflows/gh_registry.yml

@@ -8,7 +8,6 @@ name: Update GHCR
 jobs:
   ghcr_config:
     name: Read GHCR config
-    if: github.event_name == 'workflow_dispatch' || vars.enabled_workflows == 'all'
     runs-on: ubuntu-latest
     permissions:
       contents: read

.github/workflows/integration_tests.yml

@@ -34,7 +34,7 @@ on:
       cudaq_test_image:
         type: string
         required: false
-        default: 'nvcr.io/nvidia/nightly/cuda-quantum:latest' # If changed, update env defaults, too
+        default: '' # picked up from repo variable if not provided
         description: 'CUDA Quantum image to run the tests in. Default to the latest CUDA Quantum nightly image'
       commit_sha:
         type: string
@@ -43,7 +43,7 @@ on:
       cudaq_nvqc_deploy_image:
         type: string
         required: false
-        default: 'nvcr.io/nvidia/nightly/cuda-quantum:latest' # If changed, update env defaults, too
+        default: '' # same as cudaq_test_image if not provided
         description: 'CUDA Quantum image to use for NVQC deployment to NVCF. Default to the latest CUDA Quantum nightly image'
       workflow_id:
         type: string
@@ -52,7 +52,6 @@ on:
       python_version:
         type: choice
         required: true
-        default: '3.10' # If changed, update env defaults, too
         description: 'Python version to run wheel test'
         options:
         - '3.8'
@@ -70,10 +69,6 @@ env:
   NVQC_FUNCTION_ID: 3bfa0342-7d2a-4f1b-8e81-b6608d28ca7d
   # <Backend>:<GPU Type>:<Instance Type>:<Min Instances>:<Max Instances>
   NGC_NVQC_DEPLOYMENT_SPEC: GFN:L40S:gl40s_1.br25_2xlarge:1:1
-  # If vars below are changed, it is recommended to also update the
-  # workflow_dispatch defaults above so they stay in sync.
-  cudaq_test_image: nvcr.io/nvidia/nightly/cuda-quantum:latest
-  cudaq_nvqc_deploy_image: nvcr.io/nvidia/nightly/cuda-quantum:latest
   python_version: '3.10'
 
 jobs:
@@ -84,11 +79,13 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       cudaq_test_image: ${{ steps.vars.outputs.cudaq_test_image }}
+      cudaq_nvqc_deploy_image: ${{ steps.vars.outputs.cudaq_nvqc_deploy_image }}
     steps:
       - name: Set variables
         id: vars
         run: |
-          echo "cudaq_test_image=${{ inputs.cudaq_test_image || env.cudaq_test_image }}" >> $GITHUB_OUTPUT
+          echo "cudaq_test_image=${{ inputs.cudaq_test_image || vars.cudaq_test_image }}" >> $GITHUB_OUTPUT
+          echo "cudaq_nvqc_deploy_image=${{ inputs.cudaq_nvqc_deploy_image || vars.cudaq_test_image }}" >> $GITHUB_OUTPUT
 
   metadata:
     name: Retrieve commit info
@@ -112,7 +109,7 @@ jobs:
   build_nvqc_image:
     name: Build NVQC deployment image
     runs-on: ubuntu-latest
-    needs: metadata
+    needs: [setup, metadata]
     environment: ghcr-deployment
     if: (inputs.target == 'nvqc' || github.event_name == 'schedule' || inputs.target == 'nightly')
     steps:
@@ -153,7 +150,7 @@ jobs:
           context: .
           file: ./docker/release/cudaq.nvqc.Dockerfile
           build-args: |
-            base_image=${{ inputs.cudaq_nvqc_deploy_image || env.cudaq_nvqc_deploy_image }}
+            base_image=${{ needs.setup.outputs.cudaq_nvqc_deploy_image }}
           tags: nvcr.io/${{ env.NGC_QUANTUM_ORG }}/${{ env.NGC_QUANTUM_TEAM }}/cuda-quantum:nightly
           platforms: linux/amd64
           provenance: false

.github/workflows/nvqc_regression_tests.yml

@@ -12,7 +12,7 @@ on:
       cudaq_test_image:
         type: string
         required: false
-        default: 'nvcr.io/nvidia/nightly/cuda-quantum:latest' # If changed, update env defaults, too
+        default: '' # picked up from repo variable if not provided
         description: 'CUDA Quantum image to run the tests in. Default to the latest CUDA Quantum nightly image'
       commit_sha:
         type: string
@@ -25,7 +25,6 @@ on:
       python_version:
         type: choice
         required: true
-        default: '3.10' # If changed, update env defaults, too
         description: 'Python version to run wheel test'
         options:
         - '3.8'
@@ -37,9 +36,6 @@ on:
     - cron: 0 3 * * *
 
 env:
-  # If vars below are changed, it is recommended to also update the
-  # workflow_dispatch defaults above so they stay in sync.
-  cudaq_test_image: nvcr.io/nvidia/nightly/cuda-quantum:latest
   python_version: '3.10'
 
 jobs:
@@ -54,7 +50,7 @@ jobs:
       - name: Set variables
         id: vars
         run: |
-          echo "cudaq_test_image=${{ inputs.cudaq_test_image || env.cudaq_test_image }}" >> $GITHUB_OUTPUT
+          echo "cudaq_test_image=${{ inputs.cudaq_test_image || vars.cudaq_test_image }}" >> $GITHUB_OUTPUT
 
   metadata:
     name: Retrieve commit info

.github/workflows/publishing.yml

@@ -235,6 +235,8 @@ jobs:
           for info_file in ${{ join(fromJson(steps.artifacts.outputs.installers).info_files, ' ') }}; do
             delete_staging_branch $info_file '${{ steps.artifacts.outputs.installers }}'
           done
+        env:
+          GH_TOKEN: ${{ secrets.REPO_BOT_ACCESS_TOKEN }}
 
       - name: Retrieve 
         id: assets_retrieval

.github/workflows/repo_checks.yml

@@ -1,6 +1,9 @@
 on:
   workflow_dispatch:
   pull_request:
+  merge_group:
+    types: 
+      - checks_requested
 
 name: "Basic content checks"