ci(e2e-advisor): allowlist trusted auto-dispatch authors

[cv]

Summary

Allow the E2E advisor auto-dispatcher to trust specific GitHub logins when private NVIDIA org membership appears as CONTRIBUTOR in the pull request payload. This keeps the existing OWNER/MEMBER gate while adding a repository-secret-backed author allowlist for private org members.

Changes

• Pass E2E_ADVISOR_AUTO_DISPATCH_ALLOWED_AUTHORS from repository secrets into the advisor auto-dispatch step.
• Teach tools/e2e-advisor/dispatch.mts to allow case-insensitive login matches without writing the allowlist contents to artifacts.
• Add dispatch planner coverage for allowlisted private-member authors and non-allowlisted contributors.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• make docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• New Features

  • Added support for an allowlist of trusted GitHub authors eligible for E2E test auto-dispatch, in addition to existing organization association checks.

• Chores

  • Updated CI/CD workflow configuration to pass author allowlist settings to the E2E dispatcher.

• Tests

  • Added tests for auto-dispatch eligibility validation with allowlisted authors and updated existing tests to account for author allowlist checks.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cc32bfe4-fc75-47f8-99ce-7d4a9329ba39

📥 Commits

Reviewing files that changed from the base of the PR and between 09613fa and 71afec5.

📒 Files selected for processing (3)

• .github/workflows/e2e-advisor.yaml
• test/e2e-advisor-dispatch.test.ts
• tools/e2e-advisor/dispatch.mts

---

📝 Walkthrough

Walkthrough

The PR extends the E2E advisor auto-dispatch system to support PR author allowlisting as an alternative to association-based eligibility. It adds type support for author login, computes an allowlist from the E2E_ADVISOR_AUTO_DISPATCH_ALLOWED_AUTHORS environment variable, updates dispatch eligibility logic to accept either authorization path, and ensures all return branches propagate the new metadata.

Changes

E2E Advisor Author Allowlist Eligibility

Layer / File(s)	Summary
Type contracts and allowlist metadata tools/e2e-advisor/dispatch.mts	PullRequestPayload includes optional user.login for PR author. DispatchPlan extends with authorLogin, allowedAuthorAssociations, and allowedByAuthorAllowlist optional fields to represent author-based eligibility.
Allowlist computation and eligibility logic tools/e2e-advisor/dispatch.mts	planAutoDispatch extracts PR author login, derives the allowlist from E2E_ADVISOR_AUTO_DISPATCH_ALLOWED_AUTHORS, normalizes logins by trimming and lowercasing, and evaluates eligibility as "allowed by association OR allowed by author allowlist".
Return path updates for allowlist fields tools/e2e-advisor/dispatch.mts	All dispatch plan return branches (low-confidence, no required tests, no matching jobs, exceeds max jobs, ready) now include authorLogin and allowedByAuthorAllowlist to propagate author allowlist context consistently.
Workflow environment variable configuration .github/workflows/e2e-advisor.yaml	Auto-dispatch step passes E2E_ADVISOR_AUTO_DISPATCH_ALLOWED_AUTHORS secret as an environment variable to the dispatcher.
Test helper and allowlist feature tests test/e2e-advisor-dispatch.test.ts	Test helper pullRequest() sets a default user.login for PR authors. New test case validates dispatch readiness for allowlisted contributor authors. Updated skip-reason test includes allowlist configuration and verifies both "not allowed" and "not allowlisted" conditions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• NVIDIA/NemoClaw#3426: Introduced the initial planAutoDispatch function and auto-dispatch planning infrastructure that this PR now extends with author allowlist eligibility support.

Suggested labels

CI/CD, E2E

Suggested reviewers

• ericksoa
• jyaunches

Poem

🐰 A rabbit's hop through author lists,
Where allowlist checks persist,
No more association needs—just login names,
Normalized and lowercased through CI flames,
The dispatch plan now knows us all!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding an allowlist mechanism for trusted authors in the E2E advisor auto-dispatcher.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/e2e-advisor-author-allowlist

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

Pi Semantic E2E Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• None. This PR only modifies the E2E advisor's own CI tooling: the e2e-advisor.yaml workflow (passing a new secret to the auto-dispatch step), tools/e2e-advisor/dispatch.mts (adds an author-login allowlist next to the existing OWNER/MEMBER author_association gate, plus reporting of authorLogin/allowedByAuthorAllowlist in the plan), and the matching vitest in test/e2e-advisor-dispatch.test.ts. No NemoClaw product code is touched: nothing under src/, no sandbox/runtime/installer/onboarding/network/inference/deployment paths, no test/e2e/*.sh scenarios, and no other workflow under .github/workflows. The new gating logic (draft skip, association allow, allowlist allow, ref/jobs/pr_number validation, repository/workflow pinning to NVIDIA/NemoClaw and nightly-e2e.yaml, dispatchable-job extraction) is fully covered by the updated unit tests, and the existing nightly-e2e/regression/macos/wsl/sandbox/network/inference E2E suites do not exercise the advisor itself. Running any of them would not validate this change. The advisor workflow continues to fail-closed if dispatch.mts is missing on trusted main.

Optional E2E

• None.

New E2E recommendations

• None.