Skip to content

One-time v432 recovery: stamp SDK 11.0.0 in the stable PyPI publish#2945

Merged
IntiTechnologies merged 1 commit into
mainfrom
fix/v432-stable-pypi-recovery
Jul 17, 2026
Merged

One-time v432 recovery: stamp SDK 11.0.0 in the stable PyPI publish#2945
IntiTechnologies merged 1 commit into
mainfrom
fix/v432-stable-pypi-recovery

Conversation

@unarbos

@unarbos unarbos commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Mainnet runtime v432 shipped from 8586e65, but the SDK source at that commit still says version = "11.0.0.dev0", so the watcher's publish-sdk job can only produce a dev version — PyPI never received the stable bittensor==11.0.0.
  • Adds a stamp step to publish-sdk that rewrites the SDK version to 11.0.0 after checking out the released commit, hard-scoped to spec 432 at exactly sha 8586e65 (inert for every other release).
  • Adds a verify step (same scope) that asserts dist/ contains exactly the stable bittensor 11.0.0 and bittensor_core 0.1.0 artifacts and fails on any dev/rc file, so a broken stamp can never leak 11.0.0.dev0.
  • bittensor-core needs no stamping: it is committed at 0.1.0.
  • Temporary by design; remove after v432 publishes. The permanent flow fix is Fix stable PyPI publication retries #2944.

Test plan

  • actionlint: no new findings (remaining SC2086 infos are pre-existing)
  • Rehearsed the stamp + uv build locally against the extracted 8586e65 SDK source: wheel/sdist metadata reads bittensor 11.0.0, Requires-Dist: bittensor-core<0.2.0,>=0.1.0
  • Verified guard patterns accept the real wheel names (incl. aarch64, which contains "rc") and reject dev/rc versions
  • Dispatch watcher from main, approve mainnet environment, confirm bittensor==11.0.0 and bittensor-core==0.1.0 land on PyPI and v432 is promoted to a full release

Made with Cursor

The deployed v432 commit (8586e65) still carries the 11.0.0.dev0
placeholder in sdk/python/pyproject.toml, so the watcher's publish-sdk
job builds a dev version instead of the intended stable release. Stamp
11.0.0 after checking out the released commit, and refuse to publish
any pre-release artifact so a failed stamp cannot leak dev0 to PyPI.
Both steps are scoped to spec 432 at the exact released sha and are
inert for every other release; remove once v432 is published.

Co-authored-by: Cursor <[email protected]>
@vercel

vercel Bot commented Jul 17, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
subtensor Building Building Preview, Comment Jul 17, 2026 8:52am

Request Review

@IntiTechnologies
IntiTechnologies merged commit b212672 into main Jul 17, 2026
41 of 42 checks passed
@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: SAFE

HIGH scrutiny due to account age and org-concentrated history, tempered by repository write access and extensive substantive merged work; no Gittensor association found.

The patch is confined to the release watcher and does not modify trusted review instructions. The recovery is gated on spec 432 and the full released commit SHA, whose SDK manifest contains the stated 11.0.0.dev0 placeholder. Post-build checks prevent that prerelease from reaching publication.

Findings

No findings.

Conclusion

No malicious behavior or security vulnerability was found in this narrowly scoped release recovery.


🔍 AI Review — Auditor (domain review)

VERDICT: 👍

UNKNOWN Gittensor association; established, high-volume contributor with repository write access.

The one-time recovery is narrowly gated to runtime spec 432 and the exact deployed commit. The stamp targets the confirmed 11.0.0.dev0 manifest, while the post-build checks prevent publishing the prerelease artifacts.

PR #2944 overlaps this workflow but is complementary: this PR repairs the already-deployed v432 release, whereas #2944 provides the permanent publication-flow fix.

Findings

No findings.

Conclusion

The implementation matches its description and safely addresses the v432 publication gap without affecting later releases. No blocking domain issues were found.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@unarbos
unarbos deleted the fix/v432-stable-pypi-recovery branch July 17, 2026 09:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants