Skip to content

[no-ci] Support organization-owned forks in AGENTS.md#2378

Open
rwgk wants to merge 1 commit into
NVIDIA:mainfrom
rwgk:agents_md_update_intra-org_repos
Open

[no-ci] Support organization-owned forks in AGENTS.md#2378
rwgk wants to merge 1 commit into
NVIDIA:mainfrom
rwgk:agents_md_update_intra-org_repos

Conversation

@rwgk

@rwgk rwgk commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Description

This updates the repository-wide agent guidance to support approved forks owned by either personal accounts or organizations.

The existing guidance assumes that every contributor uses a personal fork and can always open a pull request with gh pr create. That command currently cannot identify some renamed organization-owned forks (cli/cli#10093), even though GitHub's GraphQL API supports selecting the head repository explicitly through headRepositoryId.

The update:

  • requires agents to distinguish the canonical repository and fork by complete OWNER/REPOSITORY names;
  • keeps the canonical repository read-only by default, with a narrowly scoped exception when the user explicitly requests a specific upstream test branch;
  • uses gh pr create when it can identify the fork unambiguously;
  • documents the GraphQL headRepositoryId fallback for organization-owned forks; and
  • preserves pull-request template, assignee, label, and milestone requirements regardless of how a pull request is created.

The wording is intentionally repository-neutral so the guidance remains applicable across supported development setups.

Review focus:

  • Is the upstream-push exception narrow enough while still supporting workflow testing?
  • Is the API fallback clear enough for agents to use reliably?
  • Are the fork and repository identity checks sufficiently explicit?

This PR does not have an associated GitHub issue.

Validation:

  • pre-commit run --files AGENTS.md
  • git diff --check

Checklist

  • New or existing tests cover these changes. (Not applicable: this is an agent-guidance-only change.)
  • The documentation is up to date with these changes.

@rwgk rwgk added this to the cuda.bindings 13.4.0 & 12.9.8 milestone Jul 16, 2026
@rwgk rwgk added the documentation Improvements or additions to documentation label Jul 16, 2026
@rwgk rwgk self-assigned this Jul 16, 2026
@copy-pr-bot

copy-pr-bot Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

@rwgk rwgk added the P0 High priority - Must do! label Jul 16, 2026
@rwgk
rwgk marked this pull request as ready for review July 16, 2026 05:57
@rwgk
rwgk requested a review from rparolin July 16, 2026 05:57
@rwgk rwgk added the cuda.bindings Everything related to the cuda.bindings module label Jul 16, 2026
@leofang leofang added the PR review get-together Mark PRs you'd like the team to review at the weekly PR review get-together. label Jul 16, 2026

@mdboom mdboom left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've had enough run-ins with my agent pushing branches and creating pull requests before they were ready that I've worked really hard to get my agent to /never/ write anything in a remote location without my consent (and I prefer to be in the driver's seat even now for those steps).

I'm worried that a lot of the language here will encourage my agent to act too autonomously again. We should instead frame it in terms of things we want it /not/ to do (don't push to a fork that can't be the source of the PR you are trying to create), rather than things /to do/ (use gh pr to create PRs). To put it another way -- this is shared context we want everyone to agree on to collaborate well together. It's not intended to prescribe /how/ to accomplish that. A pre-AI analogy would be: we all agree to write standard text files and share them with git. We don't have to agree on what editor we are using or what git tool we use.

Therefore, I think the only required change here should be:

All branch creation and pushes must go to the contributor's
personal fork.

changes to:

Branch creation and pushes must not go directly to the canonical upstream fork. Use the user's personal fork, or if that is not supported as an official fork of upstream, use a intra-repo fork "owned" by the user.  Confirm that the push target is a fork of the base repository and is not the base repository itself.

Comment thread AGENTS.md
force-pushing, or deleting branches; those actions require separate explicit
authorization.

Use `gh pr create` when it can identify the fork unambiguously. Always select

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So if the agent can identify the fork unambiguously, it is free to create a PR? Certainly that's not what's intended, but 100% can imagine the agent doing the wrong thing here.

Comment thread AGENTS.md
Comment on lines +111 to +113
If you are unsure which label or milestone to use, inspect the base repository
with `gh label list --repo "${BASE_REPO}"` and `gh api
"repos/${BASE_REPO}/milestones" --jq '.[].title'`, then pick the best match.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If you are unsure which label or milestone to use, inspect the base repository
with `gh label list --repo "${BASE_REPO}"` and `gh api
"repos/${BASE_REPO}/milestones" --jq '.[].title'`, then pick the best match.
If you are unsure which label or milestone to use, don't guess. Flag it for the user and have them fill it in.

Comment thread AGENTS.md
Comment on lines +31 to +32
Do not push to the canonical repository unless the user explicitly requests,
in the current conversation, a push to a specific branch in that repository.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This opens up a window for mistakes. What's wrong with saying "Never push to the canonical repository"? The user can always do it by hand anyway. None of us should be running with write access to the canonical repository in our local checkouts -- that's too dangerous.

Comment thread AGENTS.md
Comment on lines +17 to +18
Treat the canonical repository used as the pull-request base as read-only by
default. Push branches and commits to an approved fork, which may be owned by

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Treat the canonical repository used as the pull-request base as read-only by
default. Push branches and commits to an approved fork, which may be owned by
Treat the canonical repository used as the pull-request base as read-only. Push branches and commits to an approved fork, which may be owned by

Comment thread AGENTS.md
Comment on lines +59 to +95
Obtain the node IDs with `gh api "repos/${BASE_REPO}" --jq '.node_id'` and
`gh api "repos/${HEAD_REPO}" --jq '.node_id'`. Then create the PR with
`headRepositoryId` to identify the organization-owned fork:

```
gh api graphql \
-f repositoryId="${BASE_REPO_ID}" \
-f headRepositoryId="${HEAD_REPO_ID}" \
-f baseRefName="${BASE_BRANCH}" \
-f headRefName="${HEAD_BRANCH}" \
-f title="<title>" \
-F body="@${BODY_FILE}" \
-F draft=false \
-f query='
mutation CreatePullRequest(
$repositoryId: ID!
$headRepositoryId: ID!
$baseRefName: String!
$headRefName: String!
$title: String!
$body: String!
$draft: Boolean!
) {
createPullRequest(input: {
repositoryId: $repositoryId
headRepositoryId: $headRepositoryId
baseRefName: $baseRefName
headRefName: $headRefName
title: $title
body: $body
draft: $draft
}) {
pullRequest { number url }
}
}' \
--jq '.data.createPullRequest.pullRequest'
```

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the rationale for including detailed information about the GraphQL API here? Certainly the agent has access to the docs, and I worry this would bitrot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cuda.bindings Everything related to the cuda.bindings module documentation Improvements or additions to documentation P0 High priority - Must do! PR review get-together Mark PRs you'd like the team to review at the weekly PR review get-together.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants