feat(ci): infra integration

[lloyal-research]

No description provided.

[Copilot]

Pull request overview

This PR shifts GPU CI infrastructure from this repository into a reusable workflow hosted in the private lloyal-infra repo, removing the local Cloud Run/GCP provisioning scripts and wiring release/PR GPU tests to the shared infra workflow.

Changes:

• Remove local GPU test container + runner scripts and GCP setup script under ci/.
• Update release.yml and gpu-test.yml to call lloyal-ai/lloyal-infra/.github/workflows/gpu-integration.yml.
• Update .gitignore to ignore ci/ (now expected to be injected during CI).

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
ci/setup-infra.sh	Removed local GCP provisioning script (moved to infra repo).
ci/run-gpu-tests.sh	Removed local GPU test runner script (moved to infra repo).
ci/Dockerfile.gpu-tests	Removed local GPU test image definition (moved to infra repo).
.gitignore	Ignore ci/ directory, now treated as CI-injected infra content.
.github/workflows/release.yml	GPU tests job now calls reusable workflow in lloyal-infra.
.github/workflows/gpu-test.yml	GPU integration now delegated to reusable workflow in lloyal-infra; trigger paths adjusted.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

secrets: inherit passes all repository/environment secrets to the called workflow. If the infra workflow only needs a small set (e.g., GCP project/service account/provider), prefer explicitly mapping only the required secrets to minimize blast radius if the called workflow changes.

Suggested change

	secrets: inherit
	secrets:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

[Copilot]

secrets: inherit forwards all secrets to the reusable workflow. If only specific secrets are required, map them explicitly to reduce unnecessary secret exposure to the called workflow.

Suggested change

	secrets: inherit
	secrets:
	# TODO: Restrict this list to only the secrets required by
	# lloyal-ai/lloyal-infra/.github/workflows/gpu-integration.yml
	# Example mappings (replace with actual required secrets):
	# CLOUD_RUN_SERVICE_ACCOUNT_KEY: ${{ secrets.CLOUD_RUN_SERVICE_ACCOUNT_KEY }}
	# GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
	# GCP_REGION: ${{ secrets.GCP_REGION }}

[Copilot]

The reusable workflow is referenced from another repository using @main. This is brittle (upstream changes can break releases unexpectedly) and increases supply-chain risk. Prefer pinning the reusable workflow to a tagged release or a specific commit SHA and updating intentionally.

[Copilot]

This workflow calls a reusable workflow from lloyal-ai/lloyal-infra pinned to @main. To avoid unexpected behavior changes and reduce supply-chain risk, pin to a tag or commit SHA instead of a moving branch reference.

Suggested change

	uses: lloyal-ai/lloyal-infra/.github/workflows/gpu-integration.yml@main
	uses: lloyal-ai/lloyal-infra/.github/workflows/gpu-integration.yml@v1

[Copilot]

skip_build is still exposed as a workflow_dispatch input, but the workflow no longer has a workflow_call path and there is no mechanism here to provide “existing artifacts” when build-cuda-package is skipped. As-is, dispatching with skip_build: true will likely leave gpu-integration without the package-linux-x64-cuda artifact. Consider removing this input, or adding logic to fetch artifacts from a known source when build is skipped.

[Copilot]

The comment above build-cuda-package says it is “Skipped when called from release.yml”, but workflow_call has been removed and release.yml no longer calls this workflow. Update/remove the comment so it reflects the current triggers/usage.

Suggested change

	# Skipped when called from release.yml (packages already built)
	# Skipped when skip_build is true or when running outside lloyal-ai/lloyal.node