Skip to content

ci: cut CI time with trusted routing and Fireactions caches#2926

Draft
UnArbosFive wants to merge 70 commits into
mainfrom
codex/fireactions-host-cache-pilot
Draft

ci: cut CI time with trusted routing and Fireactions caches#2926
UnArbosFive wants to merge 70 commits into
mainfrom
codex/fireactions-host-cache-pilot

Conversation

@UnArbosFive

@UnArbosFive UnArbosFive commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Important

Manual diagnostic policy: test-alpha-deprecated-stake-histogram.ts is intentionally no longer part of required per-PR clone CI. It scans the complete legacy Alpha map and reports observational stake-distribution data, but has no expected-value assertion and therefore was not acting as a regression gate. The script and npm run test:alpha-deprecated-stake-histogram command remain available for explicit runs against an upgraded clone. The eight assertion-bearing clone regressions remain required. This removes about 49 seconds from the Runtime Checks critical path without removing effective pass/fail coverage.

What changed

This PR is a coordinated CI runtime and reliability pass:

  • classifies pull-request changes from the trusted base revision and fails closed when routing cannot be proven
  • runs Rust SDK, TypeScript, Docker, runtime, clone, and benchmark coverage only when changed production inputs can affect it
  • preserves required check contexts on skipped paths instead of leaving branch protection waiting for checks that never materialize
  • compiles the Rust SDK E2E harness once, verifies its complete 112-test manifest, and runs 32 balanced shards with per-test isolation and retries
  • reuses an immutable exact-base localnet image for SDK-only changes; chain-affecting changes still build and test the proposed node/runtime
  • builds only the TypeScript E2E variants selected by the classifier and overlaps independent Shield, EVM, staking, state, and development work without weakening assertions
  • shares build and snapshot outputs across runtime/clone consumers and runs independent clone checks concurrently
  • uses baked runner toolchains plus a bounded host-local compiler-cache tier backed by durable R2
  • refreshes the durable cache and each physical host-local cache daily at 11:00 UTC; normal CI continues to schedule through the two generic turbo runner pools
  • mirrors immutable clone artifacts for fleet prefetch while retaining provenance, digest, size, repository, workflow, branch, and artifact-name validation

Coverage policy

  • chain, runtime, pallet, primitive, node, dependency, toolchain, Dockerfile, and E2E infrastructure changes run the full applicable suites against the PR build
  • native SDK behavior changes run the complete Rust SDK E2E manifest against the immutable exact-base node image
  • test-only modules, migrations, benchmarks, generated/docs-only paths, and unrelated language surfaces are left to their owning checks
  • unknown paths and classifier/API/parser failures select full coverage
  • fork pull requests cannot execute protected self-hosted writer or benchmark jobs

No Rust SDK E2E test was removed. The 112 individual cases still receive isolated localnet containers; only compilation, image pulls, and job orchestration are shared.

Cache and failure behavior

  • host-local cache discovery is optional and fails open to authoritative R2 or GitHub Actions origins
  • reader and writer credentials remain separated; protected producers write directly to R2
  • compiler objects and mirrored artifacts are immutable/content-addressed
  • host-local compiler caches are bounded to 16 GiB, evict objects inactive for seven days, and retain a 60 GiB free-space floor
  • snapshots are published only after archive upload and validated before use
  • missing baked tools fall back to installing the exact repository Rust toolchain rather than breaking CI after a version change

Bootstrap trust note

The target branch does not yet contain the trusted Rust E2E matrix builder, so this introducing PR necessarily exercises the reviewed copy from the PR head. The workflow independently proves the complete 112-test manifest before sharding. After merge, subsequent PRs use the builder checked out from the trusted base and the bootstrap fallback is structurally unreachable.

Validation and measured impact

The clean post-deployment attempt on the current head passed every functional workflow:

  • Rust SDK E2E: 6m30s, down from 11m59s originally; shared binary 1m19s, PR localnet image 4m16s, all 32 shards started within two seconds
  • Runtime Checks: 8m35s; release producer 5m22s, clone consumers 2m09s and 2m55s in parallel
  • TypeScript E2E: 9m19s; all 12 test workers started together, with the test phase bounded by Shield C at 3m25s
  • Docker production binary/image: 7m58s
  • Check Rust: 4m36s
  • Eco Tests: 2m19s
  • Cargo Audit: 1m16s
  • compiler-cache health: release and production producers reported 100% cache hits with zero misses or I/O errors; try-runtime reported 1,367 hits, zero misses, and zero errors

The runner restart used to deploy the final cache-affinity metadata interrupted the first attempt; GitHub marked those orphaned jobs failed after its ten-minute runner-loss timeout. A clean rerun acquired replacement runners in roughly 4–8 seconds and produced the passing measurements above.

Expected warm behavior after the first daily all-host refresh:

  • chain-affecting PR: approximately 6–8 minutes full-CI wall time, with the production linker/LTO path likely setting the floor
  • SDK-only PR: approximately 2–3 minutes for Rust SDK E2E by reusing the immutable exact-base image
  • test-only, benchmark, migration, generated/docs, Python-only, or website-only PR: Rust SDK E2E is skipped when its owning checks provide the relevant coverage

The 6–8 minute all-host-warm estimate is intentionally marked as projected until the scheduled fleet refresh has run and been measured.

@UnArbosFive UnArbosFive added the fireactions-cache-benchmark Route selected PR cache benchmarks to the isolated turbo-8 canary label Jul 15, 2026
@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
subtensor Ready Ready Preview, Comment Jul 18, 2026 2:59am

Request Review

@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

VERY HIGH account-age scrutiny, mitigated by admin permission and substantive merged contributions; no known Gittensor association; codex/fireactions-host-cache-pilot → main.

Trusted AI-review instructions are unchanged. Static analysis found no new security issues; the prior bootstrap-only E2E trust-boundary issue remains.

Findings

Sev File Finding
MEDIUM .github/workflows/check-bittensor-e2e-tests.yml:153 [BOOTSTRAP] PR-controlled builder can select an incomplete E2E matrix inline

Prior-comment reconciliation

  • e3473c37: not addressed — The base revision still lacks the trusted matrix builder, and lines 152–153 retain the PR-head fallback without an independent matrix-completeness check.

Conclusion

The bootstrap fallback still permits PR-controlled code to construct this PR’s E2E matrix and omit tests during the nucleus-approved introducing run. It becomes structurally unreachable after merge.


📜 Previous run (superseded)
Sev File Finding Status
MEDIUM .github/workflows/check-bittensor-e2e-tests.yml:153 [BOOTSTRAP] PR-controlled builder can select an incomplete E2E matrix ➡️ Carried forward to current findings
The base revision still lacks the trusted matrix builder, and lines 152–153 retain the PR-head fallback without an independent matrix-completeness check.

🔍 AI Review — Auditor (domain review)

VERDICT: 👍

Gittensor association UNKNOWN; the account is new but has admin repository permission, and the now-focused CI diff received full scrutiny.

The prior scope concern is resolved: the effective diff is now focused on 52 CI, cache, routing, and E2E files, consistent with the PR description. The overlapping open PRs address unrelated PyPI, TypeScript SDK, and governance work, so none is a duplicate.

No runtime-affecting change requires a spec-version bump; the PR also carries no-spec-version-bump. No auto-fix was needed.

Findings

No findings.

Prior-comment reconciliation

  • 73eb1daf: addressed — The branch was rebased/refocused from 325 files and 86 commits to a coherent 52-file CI and E2E optimization diff matching the description.

Conclusion

The implementation now matches its stated scope and includes focused contract tests for the new routing, cache, artifact, toolchain, and E2E behavior. I found no substantive domain issue blocking merge.


📜 Previous run (superseded)
Sev File Finding Status
HIGH PR body / branch history Effective diff does not match the stated cache-pilot scope ✅ Addressed
The branch was rebased/refocused from 325 files and 86 commits to a coherent 52-file CI and E2E optimization diff matching the description.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

payload="$RUNNER_TEMP/artifacts.json"
for attempt in 1 2 3 4 5; do
gh api "repos/$GITHUB_REPOSITORY/actions/runs/$PRODUCER_RUN_ID/artifacts?per_page=100" > "$payload"
count=$(jq '[.artifacts[] | select(.name == "mainnet-snapshot" or (.name | startswith("try-runtime-snap-v0.10.1-")))] | length' "$payload")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[LOW] Count only artifacts the warming loop can process

This readiness count includes expired artifacts, but the processing query below excludes them. If a run contains only expired matching artifacts, the retry loop exits and the job succeeds after warming nothing. Apply the same expiry filter here so maintenance fails or retries instead of reporting a false success.

Suggested change
count=$(jq '[.artifacts[] | select(.name == "mainnet-snapshot" or (.name | startswith("try-runtime-snap-v0.10.1-")))] | length' "$payload")
count=$(jq '[.artifacts[] | select(.expired == false) | select(.name == "mainnet-snapshot" or (.name | startswith("try-runtime-snap-v0.10.1-")))] | length' "$payload")

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@UnArbosFive

UnArbosFive commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

Benchmark results on the standard 8 vCPU / 28 GiB turbo runner shape:

  • Exact runtime prewarm: first clean check 155s with 213 Rust hits / 384 misses; second clean check 49s with 596 hits / 1 miss (99.83% Rust hit rate).
  • Paired same-VM runtime reads: direct R2 34s and 33s (33.5s mean); warm host-local 38s and 31s (34.5s mean). This small-object check is effectively tied.
  • Real PR release build: recent turbo job median 332s; local cold-fill job 280s (225s compile); warm job 206s (145s compile). Both cache-enabled compiles had 1,890 Rust hits / 0 misses.
  • 2.0 GiB snapshot, same VM: direct GitHub 89s; host-local 9s and 8s. The real clone cold fill took 67s; the warm rerun took 19s.
  • Full clone-upgrade: recent turbo median 601s; local cold fill 365s; warm 309s. Both passed.

Exact remote compiler keys refresh every six hours. Scheduled clone snapshots are produced daily with a 36-hour freshness gate and now publish an immutable R2 mirror manifest for per-host polling. There is no random-runner local maintenance job because one selected VM cannot warm a shared-label fleet.

Runs: exact-key verification https://github.com/RaoFoundation/subtensor/actions/runs/29456620982 ; paired/artifact benchmark https://github.com/RaoFoundation/subtensor/actions/runs/29456911456 ; cold + warm PR attempts https://github.com/RaoFoundation/subtensor/actions/runs/29456621901

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

payload="$RUNNER_TEMP/artifacts.json"
for attempt in 1 2 3 4 5; do
gh api "repos/$GITHUB_REPOSITORY/actions/runs/$PRODUCER_RUN_ID/artifacts?per_page=100" > "$payload"
count=$(jq '[.artifacts[] | select(.name == "mainnet-snapshot" or (.name | startswith("try-runtime-snap-v0.10.1-")))] | length' "$payload")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[LOW] Count only artifacts the warming loop can process

This count includes expired artifacts and any name with the try-runtime prefix. Such an artifact can end polling even though the loop skips it or download-artifact.sh rejects its name, producing misleading maintenance results. Match the downloader’s exact allowlist and the loop’s expiry filter.

Suggested change
count=$(jq '[.artifacts[] | select(.name == "mainnet-snapshot" or (.name | startswith("try-runtime-snap-v0.10.1-")))] | length' "$payload")
count=$(jq '[.artifacts[] | select(.expired == false) | select(.name == "mainnet-snapshot" or .name == "try-runtime-snap-v0.10.1-mainnet" or .name == "try-runtime-snap-v0.10.1-testnet" or .name == "try-runtime-snap-v0.10.1-devnet")] | length' "$payload")

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@UnArbosFive

Copy link
Copy Markdown
Contributor Author

Final validation note: a subsequent run reached 597 Rust hits / 0 misses, which exposed that sccache omits the language-specific miss row at zero. The gate initially parsed that omission as empty and failed despite a perfect cache result. Commit e339b14 normalizes omitted counters to zero; the final validation is green with 596 hits / 1 miss on the fill pass and 597 hits / 0 misses (100%) after the second cargo clean.

Final validation: https://github.com/RaoFoundation/subtensor/actions/runs/29458291945

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

payload="$RUNNER_TEMP/artifacts.json"
for attempt in 1 2 3 4 5; do
gh api "repos/$GITHUB_REPOSITORY/actions/runs/$PRODUCER_RUN_ID/artifacts?per_page=100" > "$payload"
count=$(jq '[.artifacts[] | select(.name == "mainnet-snapshot" or (.name | startswith("try-runtime-snap-v0.10.1-")))] | length' "$payload")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[LOW] Count only artifacts the warming loop can process

This readiness check counts expired artifacts and any name beginning with try-runtime-snap-v0.10.1-, while the loop excludes expired entries and download-artifact.sh accepts only three exact network names. An unusable artifact can therefore stop polling before a usable one exists. Apply the processing loop/downloader’s expiry and exact-name filters here.

Suggested change
count=$(jq '[.artifacts[] | select(.name == "mainnet-snapshot" or (.name | startswith("try-runtime-snap-v0.10.1-")))] | length' "$payload")
count=$(jq '[.artifacts[] | select(.expired == false) | select(.name == "mainnet-snapshot" or .name == "try-runtime-snap-v0.10.1-mainnet" or .name == "try-runtime-snap-v0.10.1-testnet" or .name == "try-runtime-snap-v0.10.1-devnet")] | length' "$payload")

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@UnArbosFive UnArbosFive removed the fireactions-cache-benchmark Route selected PR cache benchmarks to the isolated turbo-8 canary label Jul 16, 2026
@UnArbosFive UnArbosFive changed the title ci: pilot host-local Fireactions caches ci: use host-local Fireactions caches Jul 16, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

payload="$RUNNER_TEMP/artifacts.json"
for attempt in 1 2 3 4 5; do
gh api "repos/$GITHUB_REPOSITORY/actions/runs/$PRODUCER_RUN_ID/artifacts?per_page=100" > "$payload"
count=$(jq '[.artifacts[] | select(.name == "mainnet-snapshot" or (.name | startswith("try-runtime-snap-v0.10.1-")))] | length' "$payload")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[LOW] Count only artifacts the warming loop can process

This count still includes expired artifacts and any name beginning with the try-runtime prefix, while the loop excludes expired entries and download-artifact.sh accepts only three exact try-runtime names. An expired or similarly prefixed artifact can make the retry loop stop despite having nothing usable, or make the warming step fail. Apply the same expired == false and exact-name allowlist predicates here and in the selection at line 69.

Suggested change
count=$(jq '[.artifacts[] | select(.name == "mainnet-snapshot" or (.name | startswith("try-runtime-snap-v0.10.1-")))] | length' "$payload")
count=$(jq '[.artifacts[] | select(.expired == false) | select(.name == "mainnet-snapshot" or .name == "try-runtime-snap-v0.10.1-mainnet" or .name == "try-runtime-snap-v0.10.1-testnet" or .name == "try-runtime-snap-v0.10.1-devnet")] | length' "$payload")

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment thread .github/scripts/r2-artifact-mirror.py Outdated
Comment on lines +251 to +252
publisher.put(
f"{MIRROR_PREFIX}/{args.artifact_name}/latest.json",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[LOW] Prevent stale writers from replacing the latest manifest

Both the scheduled snapshot producer and per-PR prewarm job call this publisher. If a prewarm selects artifact A, then a scheduled refresh publishes newer artifact B before the prewarm finishes, this unconditional final PUT replaces latest.json with A and gives it a new published_at. Hosts can consequently prefetch an older snapshot until another publication. Preserve monotonic freshness—for example, publish latest.json only from the scheduled producer, or conditionally replace it only when the existing manifest has an older artifact/production timestamp.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@UnArbosFive
UnArbosFive changed the base branch from main to staging July 16, 2026 11:50
@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment on lines +150 to +153
# One-time bootstrap until this PR lands. This is the same strict
# all-112 round-robin matrix enforced by the repository test.
.rust-sdk-e2e-manifest/.github/scripts/build-bittensor-e2e-matrix.py \
"$manifest" "$GITHUB_OUTPUT" 32

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] [BOOTSTRAP] PR-controlled builder can select an incomplete E2E matrix

The base revision still lacks the trusted matrix builder, so this PR executes build-bittensor-e2e-matrix.py from the PR checkout. A modified builder could emit an incomplete matrix and suppress E2E coverage during this introducing run. This path becomes structurally unreachable after merge because subsequent runs obtain the builder from the trusted base revision. The setup-time mitigation is the one nucleus-approved CI run plus heightened human scrutiny of .github/ changes; any future PR reintroducing such a fallback should be treated as a strong red flag.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment on lines +150 to +153
# One-time bootstrap until this PR lands. This is the same strict
# all-112 round-robin matrix enforced by the repository test.
.rust-sdk-e2e-manifest/.github/scripts/build-bittensor-e2e-matrix.py \
"$manifest" "$GITHUB_OUTPUT" 32

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] [BOOTSTRAP] PR-controlled builder can select an incomplete E2E matrix

The base revision does not contain the trusted matrix builder, so this PR’s initial CI run executes the builder checked out from the PR head. That script controls GITHUB_OUTPUT and can omit tests from the generated matrix.

This path becomes structurally unreachable after merge, when the builder exists on the trusted base. The setup-time mitigation is the nucleus-approved CI run plus heightened human scrutiny of .github/ changes; any future reintroduction of this fallback would be a strong red flag.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment on lines +150 to +153
# One-time bootstrap until this PR lands. This is the same strict
# all-112 round-robin matrix enforced by the repository test.
.rust-sdk-e2e-manifest/.github/scripts/build-bittensor-e2e-matrix.py \
"$manifest" "$GITHUB_OUTPUT" 32

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] [BOOTSTRAP] PR-controlled builder can select an incomplete E2E matrix

The trusted base revision still lacks build-bittensor-e2e-matrix.py, so this fallback executes the builder checked out from the PR head. A malicious builder can emit a valid-looking but incomplete matrix and suppress E2E coverage during this PR’s approved CI run. This is bootstrap-only: after merge, the base copy exists and the trusted branch is always used. The mitigating controls are the one nucleus-approved run and heightened human scrutiny of .github/; any future reintroduction of this fallback would be a strong red flag. Remove the fallback and make absence of the trusted builder fail closed, or have the workflow construct and validate the fixed 112-test matrix independently of PR-controlled code.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment on lines +150 to +153
# One-time bootstrap until this PR lands. This is the same strict
# all-112 round-robin matrix enforced by the repository test.
.rust-sdk-e2e-manifest/.github/scripts/build-bittensor-e2e-matrix.py \
"$manifest" "$GITHUB_OUTPUT" 32

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] [BOOTSTRAP] PR-controlled builder can select an incomplete E2E matrix

The trusted base revision does not contain build-bittensor-e2e-matrix.py, so this PR’s approved CI run necessarily executes the builder from the PR head. A hostile builder could emit an incomplete matrix while the required check passes.

This path becomes structurally unreachable after merge because subsequent PRs will use the base-checked-out builder. The setup-time mitigation is the nucleus-approved CI run plus heightened human scrutiny of .github/ changes. Any future PR reintroducing this fallback condition should be treated as a strong red flag.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment on lines +150 to +153
# One-time bootstrap until this PR lands. This is the same strict
# all-112 round-robin matrix enforced by the repository test.
.rust-sdk-e2e-manifest/.github/scripts/build-bittensor-e2e-matrix.py \
"$manifest" "$GITHUB_OUTPUT" 32

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] [BOOTSTRAP] PR-controlled builder can select an incomplete E2E matrix

When the trusted base lacks the matrix builder, this fallback executes the PR-head copy, allowing this PR to choose an incomplete E2E matrix despite the stated 112-test requirement.

This path is structurally unreachable after merge once the builder exists on main. The setup-time mitigation is the nucleus-approved CI run plus heightened human scrutiny of .github/ changes. Any future PR recreating this fallback path should be treated as a strong red flag.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment on lines +150 to +153
# One-time bootstrap until this PR lands. This is the same strict
# all-112 round-robin matrix enforced by the repository test.
.rust-sdk-e2e-manifest/.github/scripts/build-bittensor-e2e-matrix.py \
"$manifest" "$GITHUB_OUTPUT" 32

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] [BOOTSTRAP] PR-controlled builder can select an incomplete E2E matrix

The base revision still lacks this builder, so the introducing run executes the PR-controlled copy. A hostile builder can report test_count=112 while emitting duplicates or omitting tests, bypassing the downstream count check. This path becomes structurally unreachable after merge; the mitigation is the one nucleus-approved CI run plus heightened human scrutiny of .github/. Any future reintroduction of this fallback should be treated as a strong red flag.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment on lines +152 to +153
.rust-sdk-e2e-manifest/.github/scripts/build-bittensor-e2e-matrix.py \
"$manifest" "$GITHUB_OUTPUT" 32

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] [BOOTSTRAP] PR-controlled builder can select an incomplete E2E matrix

When the trusted base lacks this builder, the workflow executes the PR-head copy. The later compile-manifest comparison proves all 112 tests compiled, but does not prove the generated shards schedule all 112, so a modified builder can silently omit tests.

This unsafe path is structurally unreachable after merge. Its setup-time mitigation is the one nucleus-approved CI run plus heightened human scrutiny of .github/ changes; any future PR reintroducing this fallback would be a strong red flag. Add an independent matrix-completeness check that compares every generated test assignment against the manifest.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

no-spec-version-bump PR does not contain changes that requires bumping the spec version

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant