
Clean merge fix #2819

Open
gztensor wants to merge 6 commits into devnet-ready from chore/clean-merges-fix-2026-07-01

@gztensor gztensor commented Jul 1, 2026

Contributor

Description

This PR propagates all recent hotfixes to devnet-ready.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Other (please describe): maintenance

Checklist

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have run ./scripts/fix_rust.sh to ensure my code is formatted and linted correctly
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@github-actions github-actions Bot left a comment

Contributor

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment thread .github/actions/try-runtime/action.yml
github-actions Bot commented Jul 1, 2026

Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

BASELINE scrutiny: gztensor has write permission and substantial repo history; branch is chore/clean-merges-fix-2026-07-01 -> main.

Findings

| Sev | File | Finding |
|---|---|---|
| HIGH | PR metadata / PR body | Direct-to-main PR is not justified as a hotfix or deployment (off-diff) |
| HIGH | .github/actions/try-runtime/action.yml:40 | CI executes an unauthenticated downloaded binary inline |

Other findings

  • [HIGH] Direct-to-main PR is not justified as a hotfix or deployment (PR metadata / PR body) — The PR targets main from chore/clean-merges-fix-2026-07-01, not from testnet, and the body says it propagates hotfixes to devnet-ready rather than explaining why this should merge directly into main. The branch policy requires direct-to-main PRs to be explicit hotfixes or deployment PRs; this needs a concrete main-target justification or retargeting to the proper branch.

Conclusion

The runtime diff does not show an obvious malicious backdoor, but this PR violates the main-branch flow without an explicit hotfix/deployment justification and adds an unauthenticated CI binary execution path. Those are blocking security-process/supply-chain risks.


# 🔍 AI Review — Auditor (domain review) has not yet run on this PR.
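
The second finding in the review above is a CI step that runs a downloaded binary without authenticating it. One common mitigation, shown here as an added example that is not code from this PR or the repository, is to compare the artifact against a SHA-256 digest pinned in the repository before it is made executable. The function names, file names and the constructed stand-in binary are assumptions.

```shell
#!/usr/bin/env bash
# Added example; all names and paths are hypothetical, not taken from the PR.

# Print the SHA-256 hex digest of a file with whichever tool the runner has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE PIN: 0 = digest matches, 1 = mismatch, 2 = unusable input.
verify_pinned() {
  local file="$1" pin="$2" actual
  [ -f "$file" ] || { echo "missing artifact: $file" >&2; return 2; }
  # A pin must be exactly 64 lowercase hex characters.
  case "$pin" in
    *[!0-9a-f]*) echo "malformed pin" >&2; return 2 ;;
  esac
  [ "${#pin}" -eq 64 ] || { echo "malformed pin" >&2; return 2; }
  actual=$(sha256_of "$file")
  [ "$actual" = "$pin" ] && return 0
  echo "digest mismatch for $file: got $actual" >&2
  return 1
}

# install_verified FILE PIN DEST: the exec bit is set only after verification.
install_verified() {
  verify_pinned "$1" "$2" || return $?
  install -m 0755 "$1" "$3"
}

# Offline demo on a constructed stand-in for the downloaded binary.
# In a workflow the pin is a literal committed next to the tool version;
# it is computed here only so the demo has no network dependency.
demo() {
  local dir pin rc=0
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho tool-ok\n' > "$dir/tool.download"
  pin=$(sha256_of "$dir/tool.download")
  install_verified "$dir/tool.download" "$pin" "$dir/tool" || return 1
  [ -x "$dir/tool" ] || return 1
  printf 'echo injected\n' >> "$dir/tool.download"   # simulate a swapped artifact
  install_verified "$dir/tool.download" "$pin" "$dir/tool2" 2>/dev/null || rc=$?
  rm -rf "$dir"
  [ "$rc" -eq 1 ]   # the altered artifact must be rejected as a mismatch
}
demo && echo "pinned-digest demo passed"
```

A digest pin only proves the artifact is the one that was reviewed when the pin was recorded, so the pin has to change in the same reviewed commit as the tool version.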

github-actions Bot commented Jul 1, 2026

Contributor

🔄 AI review updated — Skeptic: VULNERABLE

@github-actions github-actions Bot added the hotfix label ("This PR needs to be merged very quickly and will likely skip testing on devnet and testnet") Jul 1, 2026
@gztensor gztensor changed the base branch from main to devnet-ready July 1, 2026 16:45
@gztensor gztensor removed the hotfix label ("This PR needs to be merged very quickly and will likely skip testing on devnet and testnet") Jul 1, 2026
@opentensor opentensor deleted a comment from github-actions Bot Jul 1, 2026
@gztensor gztensor added the skip-cargo-audit label ("This PR fails cargo audit but needs to be merged anyway") Jul 1, 2026