Skip to content

ci: idempotent PyPI publish re-runs; fix stale branch-strategy review docs#2886

Merged
IntiTechnologies merged 1 commit into
mainfrom
release-train-hardening
Jul 13, 2026
Merged

ci: idempotent PyPI publish re-runs; fix stale branch-strategy review docs#2886
IntiTechnologies merged 1 commit into
mainfrom
release-train-hardening

Conversation

@unarbos

@unarbos unarbos commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Two seamlessness fixes from the first live run of the rc channel:

  • uv publish --check-url in release-train.yml and watch-mainnet-release.yml: run 29222052755 uploaded bittensor 11.0.0rc6 and then failed on bittensor-core (no trusted publisher for the not-yet-existing project). A plain re-run would 400 on the already-uploaded wheel; --check-url skips identical files already on the index, making publish re-runs resume instead of fail.
  • copilot-instructions.md branch strategy: still described the pre-release-train world ("all PRs must target devnet"), which the AI auditor cited to block a routine PR against main (sdk: declare readme and point Documentation at bittensor.com/docs #2866). Rewritten to match ai-review/common.md: PRs target main; devnet/testnet/mainnet are ruleset-locked CI mirrors.

Related ops changes made directly (not in this diff): stale classic branch protections on testnet and devnet deleted — they predate the mirror ruleset and the testnet one blocked the deploy-key mirror push on the first real testnet deploy.

Test plan

  • Next train's publish job re-run (if any) skips existing files.
  • Auditor no longer flags main-targeted PRs for branch policy.

Made with Cursor

… docs

- uv publish --check-url: the rc publish uploaded the SDK wheel and then
  failed on bittensor-core (missing trusted publisher); a plain re-run
  would 400 on the duplicate wheel. --check-url skips files already on
  the index so re-runs after partial uploads just resume.

- copilot-instructions.md still described the pre-release-train branch
  strategy (PRs target devnet); the auditor cited it to block a routine
  PR against main. Align it with common.md: PRs target main, the network
  branches are ruleset-locked CI mirrors.

Co-authored-by: Cursor <cursoragent@cursor.com>
@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
subtensor Ready Ready Preview, Comment Jul 13, 2026 2:23pm

Request Review

@IntiTechnologies IntiTechnologies left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI/docs-only hardening from the first rc-channel run.

@IntiTechnologies IntiTechnologies merged commit d4c14f7 into main Jul 13, 2026
1 of 2 checks passed

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment on lines +6 to +8
* All PRs target `main`. Deployment is automated, not PR-driven: merges to `main` ride the release train, which promotes devnet → testnetmainnet via on-chain `setCode` (see `docs/internals/release-process.mdx`)
* `devnet`, `testnet`, and `mainnet` are CI-managed mirror branches recording what each network currently runs; they are ruleset-locked and only the release train updates them
* Flag any PR that targets `devnet`, `testnet`, or `mainnet` — those branches never receive merges

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] Trusted review instructions are modified by the PR

This changes the AI review control plane relative to the trusted base copy. Although the new branch policy is consistent with trusted common.md and appears benign, changes to .github/copilot-instructions.md must be treated as HIGH risk. Land this through the repository's dedicated trusted-instruction review process with explicit nucleus verification.

@github-actions

Copy link
Copy Markdown
Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

MEDIUM scrutiny: ~4-month-old contributor with write permission and substantial activity; no Gittensor association found. Branch release-train-hardening -> main.

Static review found no security issue in the two uv publish --check-url changes. The branch-policy wording also matches the trusted common.md, so there is no evidence of malicious intent.

Findings

Sev File Finding
HIGH .github/copilot-instructions.md:8 Trusted review instructions are modified by the PR inline

Conclusion

The release workflow hardening appears safe, but this PR modifies trusted AI-review instructions and therefore requires a HIGH control-plane finding under the review policy.


# 🔍 AI Review — Auditor (domain review) has not yet run on this PR.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants