ci: add Verify Signed Skills workflow #78

Open
codepydog wants to merge 2 commits into NVIDIA:main from codepydog:ci/add-signed-skills-verification

codepydog commented May 22, 2026

Runs model_signing verify certificate against every skill.oms.sig on PR, push to main, and daily at 09:00 UTC (after the sync passes). Motivated by #77 — this would have caught the cuOpt SKILL.md drift before it shipped.

Trust anchor

Lookup order (first match wins):

  1. ./nv-agent-root-cert.pem at repo root — where NVIDIA committed it in c27e3d0 and documented at fd1516e.
  2. .github/trust/nv-agent-root-cert.pem — committed fallback.
  3. Repo secret NV_AGENT_ROOT_CERT_PEM — PEM contents, written into the fallback path at runtime.

If none is present the job skips with a warning. With NVIDIA's existing nv-agent-root-cert.pem at repo root, no additional setup is needed for this workflow to activate on merge.

Local dry-run at HEAD fd1516e

Passed: 0 · Failed: 12 (all signed cuOpt skills, Hash mismatch on SKILL.md)

The original 9 from #77 plus three newly signed since: cuopt-developer, cuopt-install, cuopt-numerical-optimization-api-python. The drift has expanded — this CI gate would have prevented that.

Test plan

  • CI on this PR: verify step finds ./nv-agent-root-cert.pem and reports 12 failures (matching the dry-run)
  • On merge: scheduled run continues to catch drift introduced by the sync pipeline

codepydog and others added 2 commits May 25, 2026 15:40
Adds a CI guard that runs `model_signing verify certificate` against
every `skill.oms.sig` published in the catalog. Triggers on PR, push
to main, daily schedule, and manual dispatch.

Trust anchor is read from `.github/trust/nv-agent-root-cert.pem` if
committed, otherwise from the `NV_AGENT_ROOT_CERT_PEM` repo secret.
When neither is set the job is skipped with a warning, so the
workflow can land before the trust anchor distribution is decided.

Motivated by NVIDIA#77: every signed cuOpt skill currently fails
verification because the daily sync pipeline lands a newer SKILL.md
than what was signed. A CI guard would have caught this before the
mismatch shipped to the public catalog.

Signed-off-by: happydog <codepydog@gmail.com>

NVIDIA committed nv-agent-root-cert.pem at repo root in c27e3d0
(referenced in docs at fd1516e). Look there first; keep
.github/trust/ and the NV_AGENT_ROOT_CERT_PEM secret as fallbacks.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
codepydog force-pushed the ci/add-signed-skills-verification branch from ee1fb08 to 886521b May 25, 2026 07:43
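
The trust-anchor lookup order described in the PR description and the second commit message, written out as an added example (not the workflow code from this PR). The function names are hypothetical, and the check that a candidate file is non-empty and carries a PEM certificate header is an assumption added here so that an empty file or a malformed secret does not count as a match.

```shell
#!/bin/sh
# Added example: resolve the trust anchor in the order the PR describes.
# Only the two paths and the secret name come from the PR; the rest is hypothetical.

ROOT_CERT="nv-agent-root-cert.pem"
FALLBACK_CERT=".github/trust/nv-agent-root-cert.pem"

# Assumption: a usable anchor is a non-empty file with a PEM certificate header.
is_pem_cert() {
  [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Prints the anchor path on stdout; returns 1 when no anchor is available.
resolve_trust_anchor() {
  repo="$1"
  # 1. Certificate committed at the repository root.
  if is_pem_cert "$repo/$ROOT_CERT"; then
    printf '%s\n' "$repo/$ROOT_CERT"; return 0
  fi
  # 2. Committed fallback under .github/trust/.
  if is_pem_cert "$repo/$FALLBACK_CERT"; then
    printf '%s\n' "$repo/$FALLBACK_CERT"; return 0
  fi
  # 3. Repo secret holding the PEM contents, written to the fallback path.
  if [ -n "${NV_AGENT_ROOT_CERT_PEM:-}" ]; then
    mkdir -p "$repo/.github/trust"
    printf '%s\n' "$NV_AGENT_ROOT_CERT_PEM" > "$repo/$FALLBACK_CERT"
    if is_pem_cert "$repo/$FALLBACK_CERT"; then
      printf '%s\n' "$repo/$FALLBACK_CERT"; return 0
    fi
    rm -f "$repo/$FALLBACK_CERT"   # secret did not contain a certificate
  fi
  return 1
}

# Caller: skip with a warning when nothing resolves, as the PR describes.
run_gate() {
  if anchor="$(resolve_trust_anchor "$1")"; then
    echo "trust anchor: $anchor"
  else
    echo "::warning::no trust anchor found, skipping signature verification"
  fi
}
```

Because a missing anchor makes the job skip rather than fail, the warning annotation is the only signal that no signature was checked on that run.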