Skip to content

Publish tested localnet images and restore clippy#2928

Merged
UnArbosFive merged 3 commits into
stagingfrom
codex/fix-localnet-publish-clippy
Jul 16, 2026
Merged

Publish tested localnet images and restore clippy#2928
UnArbosFive merged 3 commits into
stagingfrom
codex/fix-localnet-publish-clippy

Conversation

@UnArbosFive

@UnArbosFive UnArbosFive commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • build, smoke-test, and push each native localnet platform image on the same runner
  • scope intermediate image tags to the workflow run and attempt, then hand immutable registry digest descriptors to the publication job
  • assemble the multi-architecture manifest exclusively from those tested digest references
  • centralize image identity in the setup job so validation and publication cannot drift
  • replace the leasing weight tests' lint-denied panic wrappers with direct assert_ok! assertions
  • run a non-pushing localnet publication contract check on relevant pull requests

Root cause

The localnet workflow validated locally loaded images, then discarded them and performed a second independent multi-platform build for publication. Runtime package installation in Dockerfile-localnet means that rebuild was not guaranteed to produce the artifact that passed the smoke tests.

The initial fix used SHA-and-architecture intermediate tags. Because mirror branches can publish the same SHA concurrently, one run could overwrite another run's intermediate tag before manifest assembly. The workflow now records each run-scoped platform image's registry digest and publishes only from immutable digest references.

The leasing weight tests also added panic wrappers that violated the workspace's denied clippy policy. Direct assertions preserve the failure semantics without suppressing or laundering the lint.

Impact

Published localnet manifests now reference the exact amd64 and arm64 registry digests that passed their native smoke tests. Concurrent mirror-branch runs cannot substitute platform images during final manifest assembly.

The final publication job no longer downloads binary artifacts, sets up QEMU, or rebuilds the image. A lightweight pull-request workflow exercises the manifest publication contract without pushing images or requiring registry credentials.

Both workspace clippy configurations are restored without weakening lint policy.

Validation

  • cargo fmt --all -- --check
  • SKIP_WASM_BUILD=1 cargo clippy --workspace --all-targets -- -D warnings
  • SKIP_WASM_BUILD=1 cargo clippy --workspace --all-targets --all-features -- -D warnings
  • SKIP_WASM_BUILD=1 cargo test -p pallet-subtensor --lib tests::leasing — 20 passed
  • ./.github/scripts/test-resolve-localnet-image.sh
  • ./.github/scripts/test-publish-localnet-manifest.sh
  • syntax-checked both publication scripts with bash -n
  • parsed both localnet workflow files as YAML
  • git diff --check

@vercel

vercel Bot commented Jul 16, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
subtensor Ready Ready Preview, Comment Jul 16, 2026 4:47pm

Request Review

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: SAFE

VERY HIGH scrutiny due to the 14-day-old account and zero public repos, mitigated by repository admin permission, substantive merged contributions, matching author/committer, and no Gittensor association; codex/fix-localnet-publish-clippy -> staging.

Static analysis found no malicious behavior or security vulnerability. Publication uses run-scoped tags and validated immutable digests, while final publication tooling is pinned to the workflow revision. Rust changes are test-only, and trusted AI-review and Copilot instruction files are unchanged.

Findings

No findings.

Conclusion

The changes match the stated purpose and introduce no security-relevant regression.


🔍 AI Review — Auditor (domain review)

VERDICT: 👍

Gittensor association UNKNOWN; repository admin with substantial recent contributions, reviewed as an established contributor.

The publication job now pins its tooling checkout to github.workflow_sha, while immutable digest descriptors bind the final manifest to the platform images that passed smoke testing. The overlap with PR #2837 is incidental and not duplicate work. The Rust-only changes affect tests, so no runtime specification bump is required.

Findings

No findings.

Prior-comment reconciliation

  • c131bb32: addressed — The publication tooling checkout is now explicitly pinned to github.workflow_sha, eliminating the mutable/default-checkout consistency gap while supporting intentionally selected older application revisions.

Conclusion

The prior revision-consistency issue is resolved. The workflow and test changes are coherent with the PR description and ready to merge.


📜 Previous run (superseded)
Sev File Finding Status
HIGH .github/workflows/docker-localnet.yml:273 Publish with the selected source revision ✅ Addressed
The publication tooling checkout is now explicitly pinned to github.workflow_sha, eliminating the mutable/default-checkout consistency gap while supporting intentionally selected older application revisions.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@UnArbosFive
UnArbosFive marked this pull request as ready for review July 16, 2026 16:26

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment thread .github/workflows/docker-localnet.yml Outdated
needs: [setup, validate-image]
runs-on: [self-hosted, fireactions-turbo-8]
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] Publish with the selected source revision

This checkout defaults to the workflow event ref, while setup may select another immutable commit for workflow_dispatch, including pr-number and branch-or-tag. The job can consequently run a missing or divergent publication script against descriptors produced from needs.setup.outputs.sha. Check out the selected SHA here, as the other source-dependent jobs do.

Suggested change
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
ref: ${{ needs.setup.outputs.sha }}

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👎

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@UnArbosFive
UnArbosFive merged commit 79f8787 into staging Jul 16, 2026
50 checks passed
@UnArbosFive
UnArbosFive deleted the codex/fix-localnet-publish-clippy branch July 16, 2026 16:47
unarbos added a commit that referenced this pull request Jul 16, 2026
…).

Port the merged staging fix so published localnet manifests use smoke-tested
platform digests, plus the supporting resolve/cleanup/smoke scripts from
#2919 that this branch lacked. Also take the leasing weight tests' direct
assert_ok! form that restores clippy.

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant