One-time v432 recovery: stamp SDK 11.0.0 in the stable PyPI publish#2945
Conversation
The deployed v432 commit (8586e65) still carries the 11.0.0.dev0 placeholder in sdk/python/pyproject.toml, so the watcher's publish-sdk job builds a dev version instead of the intended stable release. Stamp 11.0.0 after checking out the released commit, and refuse to publish any pre-release artifact so a failed stamp cannot leak dev0 to PyPI. Both steps are scoped to spec 432 at the exact released sha and are inert for every other release; remove once v432 is published. Co-authored-by: Cursor <[email protected]>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
🛡️ AI Review — Skeptic (security review)VERDICT: SAFE HIGH scrutiny due to account age and org-concentrated history, tempered by repository write access and extensive substantive merged work; no Gittensor association found. The patch is confined to the release watcher and does not modify trusted review instructions. The recovery is gated on spec 432 and the full released commit SHA, whose SDK manifest contains the stated FindingsNo findings. ConclusionNo malicious behavior or security vulnerability was found in this narrowly scoped release recovery. 🔍 AI Review — Auditor (domain review)VERDICT: 👍 UNKNOWN Gittensor association; established, high-volume contributor with repository write access. The one-time recovery is narrowly gated to runtime spec 432 and the exact deployed commit. The stamp targets the confirmed PR #2944 overlaps this workflow but is complementary: this PR repairs the already-deployed v432 release, whereas #2944 provides the permanent publication-flow fix. FindingsNo findings. ConclusionThe implementation matches its description and safely addresses the v432 publication gap without affecting later releases. No blocking domain issues were found. |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
Summary
version = "11.0.0.dev0", so the watcher'spublish-sdkjob can only produce a dev version — PyPI never received the stablebittensor==11.0.0.publish-sdkthat rewrites the SDK version to11.0.0after checking out the released commit, hard-scoped to spec 432 at exactly sha 8586e65 (inert for every other release).dist/contains exactly the stablebittensor 11.0.0andbittensor_core 0.1.0artifacts and fails on any dev/rc file, so a broken stamp can never leak11.0.0.dev0.bittensor-coreneeds no stamping: it is committed at0.1.0.Test plan
uv buildlocally against the extracted 8586e65 SDK source: wheel/sdist metadata readsbittensor 11.0.0,Requires-Dist: bittensor-core<0.2.0,>=0.1.0aarch64, which contains "rc") and reject dev/rc versionsbittensor==11.0.0andbittensor-core==0.1.0land on PyPI and v432 is promoted to a full releaseMade with Cursor