ci: validate release branch-rules

[ko3n1g]

Claude summary

Companion to NVIDIA-NeMo/FW-CI-templates#480, which mirrors the branch-protection rule of [rv][0-9].[0-9].[0-9] onto deploy-release/* so the validate-only release rehearsal is gated by the same required status checks as a real release.

Change

Bumps the FW-CI-templates pin in release.yaml to commit 042e967e4ac9652c324cbd5b78fd126c089aec6c (the head of ko3n1g/feat/mirror-release-branch-protection on FW-CI-templates).

What's being validated

After merge of FW-CI-templates#480, a workflow-dispatch of release.yaml with dry-run: true should:

1. Run the new "Mirror branch protection" step in bump-next-version.
2. Update the deploy-release/* rule on this repo to match [rv][0-9].[0-9].[0-9].
3. Open the bump PR with Nemo_CICD_Test (or the repo's equivalent) shown as a required check.
4. Block merge of the bump until the required checks pass.

Prerequisites

The nemo-automation-bot GitHub App must hold administration: write at the org installation, otherwise the mirror step fails the bump.

Rollout

This PR is draft + do not merge — pinned to an unmerged SHA. Once FW-CI-templates#480 lands and ships in a new tag, re-pin to that tag and merge.

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[ko3n1g]

/ok to test d65b018

[github-actions]

Test Results

   52 files  ±0    114 suites  ±0   1m 35s ⏱️ +8s
1 067 tests ±0  1 067 ✅ ±0  0 💤 ±0  0 ❌ ±0 
2 385 runs  ±0  2 385 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 391f423. ± Comparison against base commit 1338dc4.

♻️ This comment has been updated with latest results.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[ko3n1g]

/ok to test bcb6cc9

[ko3n1g]

/ok to test bdd27e7

[ko3n1g]

/ok to test 2c7ad95

[ko3n1g]

/ok to test fbf56a9

[ko3n1g]

/ok to test 83e66aa

[ko3n1g]

/ok to test 391f423

[greptile-apps]

Greptile Summary

Bumps the FW-CI-templates/_release_library.yml reusable workflow pin from v1.1.0 to v1.4.0, enabling the new "Mirror branch protection" step that gates deploy-release/* branches with the same required status checks as real releases.

• The single-line version bump in release.yaml upgrades the release job to v1.4.0; the pre-flight job intentionally stays at its own pin (v0.94.1), which is unrelated to the release-library versioning track.
• The PR description refers to pinning an unmerged SHA (042e967…) and is marked "do not merge", but the actual committed change uses the released tag v1.4.0. If FW-CI-templates#480 has since shipped as v1.4.0, the description should be updated to reflect that before merging.

Confidence Score: 4/5

The change is a single-line version bump in a CI workflow and introduces no new logic in this repository.

The bump from v1.1.0 to v1.4.0 is straightforward; the only concern is that the PR description still refers to an unmerged SHA and 'do not merge' while the code uses a proper tag — worth confirming before landing.

release.yaml — confirm the draft / 'do not merge' status and description are accurate before merging.

Important Files Changed

Filename	Overview
.github/workflows/release.yaml	Bumps the _release_library.yml reusable workflow pin from v1.1.0 to v1.4.0; pre-flight retains v0.94.1 — the two jobs intentionally track different versioning series.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant PF as pre-flight(v0.94.1)
    participant RL as release(v1.4.0 was v1.1.0)
    participant RS as release-summary

    GH->>PF: push / workflow_dispatch triggers
    PF-->>GH: docs_only, is_deployment_workflow outputs
    GH->>RL: "if !cancelled && !failure && !docs_only && !deploy"
    Note over RL: bump-next-version runs Mirror branch protection step new in v1.4.0
    RL-->>GH: release artifacts / dry-run output
    GH->>RS: always runs (!cancelled)
    RS-->>GH: pass/fail summary

Loading

_{Reviews (1): Last reviewed commit: "ci: re-pin FW-CI-templates from SHA to v..." | Re-trigger Greptile}

[greptile-apps]

PR description out of sync with the actual change

The PR description states the workflow is "pinned to an unmerged SHA" (042e967e4ac9652c324cbd5b78fd126c089aec6c) and is marked "do not merge", but the committed change references the released tag v1.4.0. If FW-CI-templates#480 has already landed and been tagged as v1.4.0, the draft status and description should be updated to reflect that before this is merged to avoid confusion for future maintainers.