ci: repo-wide green — workflow and chart fixes#136
Conversation
Unblock branch-protection and push workflows: docs build no longer deploys on main, Syft/Grype install into isolated dirs, multi-arch generates Cargo.lock, CodeQL gets missing babel plugins and drops broken artifact gate, performance gate uses Criterion minimum sample size, pf-ci stops passing GITHUB_TOKEN as a reusable secret, integration installs Kind and admission Helm chart ships TLS/ServiceAccount.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
Skip dependency review when the repo dependency graph is disabled, make docs-deploy succeed when Pages is unavailable, fix replay docker invocation and pf-ci docker setup, and replace broken SLO nightly jobs with a working k6 gate.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
2 similar comments
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
The simple replay bundle now uses TRACE-REPLAY-KIT event traces with type function_call; update the import assertion accordingly.
Avoid apt/gpg keyserver failures (No dirmngr) on GitHub runners by matching the install path used in slo-gates.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
pf-ci builds with per-crate Docker contexts; member crates ship Cargo.toml only.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
1 similar comment
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
edition2024 crates such as idna_adapter require a newer toolchain than 1.75/1.82; align attestor, sidecar, egress-firewall, and related images.
Gate on critical CVEs only, ignore SPDX OR GPL expressions, fetch full history for SBOM diff, and make compliance report resilient to missing PR comment permissions.
Use single-platform load on PRs, isolate fuzz crate from workspace, install Lean via elan, exclude optional SDK from rust-tests, and cap criterion smoke runtime.
Use docker compose, batch GPG keygen for DSAR tests, run privacy load via metrics and Rust tests, and align replay low-view threshold with platform defaults.
Admission controller probes expected /healthz on HTTPS; serve it and give probes startup slack so integration installs can become ready.
Emit CI verification log lines from conformance tests, allow post-approval signatures up to N-of-M, and report zero scheduler reorder violations.
Remove unused imports, stabilize hook dependencies, and satisfy CI treat-warnings-as-errors for CodeQL and marketplace builds.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
Compare replay CERTs per bundle, bump runtime Docker builders to rustc 1.86, run fuzz on nightly, vendor mathlib in policy-gates, and ignore RUSTSEC-2026-0182 for wasmtime 15.x.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
Fix replay bundle zip paths, set rustup default for cargo-fuzz, bump runtime builders to 1.88 for actix, and fix marketplace Dashboard ledger stats plus passWithNoTests.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
1 similar comment
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Sample Replay
|
1 similar comment
|
Sample Replay
|
Wire policy-gates DFA export through core/lean-libs ExportDFA, align allowlist and dfa Lean setup with vendored mathlib, make proof-and-comment epoch fetch non-fatal, restore ActionDSL prefix proof, and build egress-firewall images without optional hyperscan on musl.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
Use generalizing induction and rcases on the LogSpend conjunct so lean-style builds on Lean 4.7.
|
❌ Allowlist Sync Validation Failed The runtime allowlist is out of sync with Lean proofs. Please run: python3 tools/gen_allowlist_from_lean.py . runtime/sidecar-watcher/policy/allowlist.jsonThen commit the updated allowlist to ensure runtime configuration matches formal specifications. |
|
Sample Replay
|
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
❌ Allowlist Sync Validation Failed The runtime allowlist is out of sync with Lean proofs. Please run: python3 tools/gen_allowlist_from_lean.py . runtime/sidecar-watcher/policy/allowlist.jsonThen commit the updated allowlist to ensure runtime configuration matches formal specifications. |
Replace invalid ? placeholders with a generalizing induction proof so lean-style and allowlist-sync Lean builds succeed on Lean 4.7.
Use cluster_name kind so kind load and cleanup target the cluster created by helm/kind-action instead of the default chart-testing name.
Ship prisma schema in the ledger runner image, start index-simple in CI, replace stale ExportDFA with ActionDSL.Safety export, and write real sha256 sidecar after lake exe export.
|
❌ Allowlist Sync Validation Failed The runtime allowlist is out of sync with Lean proofs. Please run: python3 tools/gen_allowlist_from_lean.py . runtime/sidecar-watcher/policy/allowlist.jsonThen commit the updated allowlist to ensure runtime configuration matches formal specifications. |
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Sample Replay
|
|
❌ Allowlist Sync Validation Failed The runtime allowlist is out of sync with Lean proofs. Please run: python3 tools/gen_allowlist_from_lean.py . runtime/sidecar-watcher/policy/allowlist.jsonThen commit the updated allowlist to ensure runtime configuration matches formal specifications. |
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Sample Replay
|
1 similar comment
|
Sample Replay
|
Add a Fabric aggregator module, resolve budget_ok naming conflicts, repair Budget imports, and fix ExportDFA JSON export for the policy gates DFA build.
Require core/lean-libs from my-agent and test-new-user-agent proofs, and replace placeholder my-agent Spec theorems with a proven budget verification theorem.
Regenerate the sidecar allowlist from current Lean sources so allowlist sync validation matches the workspace proof surface.
Generate Prisma client during image build, start index-simple after migrate deploy, and wait for healthy Postgres in CI compose.
Wait for Redis before starting attestor, load local Kind images with Never pull policy, and provision Postgres plus migrations for ledger in pf-ci and rbac workflows.
Add the privacy test names expected by CI and make the load test wait for sidecar metrics before running targeted cargo tests.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Sample Replay
|
Split Fabric and Budget lake roots so cfg helpers no longer duplicate ActionDSL generics, and restore the main ExportDFA entrypoint for DFA export.
2 participants
Summary
docs-build.yamlon main; deployment stays indocs-deploy.yamlwith Pagesenablement: true.babel-plugin-transform-remove-console(+ lockfile) so JS builds succeed; remove brokencodeql-databaseartifact download from security-gates.find /tmppermission failures).Cargo.lockbefore Docker staging (lockfile is gitignored).--sample-size 10(was 5).GITHUB_TOKENsecret passthrough; caller usessecrets: inherit.Test plan