Fix stable PyPI publication retries#2944
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
🛡️ AI Review — Skeptic (security review)VERDICT: SAFE VERY HIGH account-age tier (15-day-old account, 0 public repos), mitigated by repository admin permission, substantive merged contributions, matching author/committer, and no Gittensor association; branch targets main. Static review covered all seven changed files, with particular scrutiny of the release-artifact provenance gate, tag/commit binding, workflow permissions, shell inputs, PyPI retry state, and SDK version stamping. No protected AI-review instructions, runtime code, dependencies, or lockfiles are modified. FindingsNo findings. ConclusionNo malicious behavior or security vulnerability was found. The release workflow continues to derive publish inputs from provenance-gated artifacts and validates the completion marker against the released tag and spec version. 🔍 AI Review — Auditor (domain review)VERDICT: 👍 Gittensor association UNKNOWN; author is a repository administrator with substantial prior subtensor contributions. Applied normal maintainer-level scrutiny. The implementation cleanly separates GitHub release and Python publication state, validates the release artifact against the on-chain spec version, and makes partial PyPI publication retryable through a commit-bound completion marker. Focused SDK preparation and runtime change-filter tests pass. Both modified workflows parse as valid YAML, and FindingsNo findings. ConclusionThe change matches its description, includes appropriate focused tests and documentation, and introduces no runtime or migration implications. It is ready to merge. |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
Problem
The release train publishes release candidates after testnet, but stable Python publication was coupled to creating the final GitHub release. The SDK also remained at its committed
X.Y.Z.dev0version during the stable build. If PyPI publication failed or only partially completed after the GitHub release was created, later watcher runs treated the release as finished and never retried it.Fix
mainhas advanced while the multisig waits.X.Y.Z.dev0toX.Y.Zand remove monorepo-only uv inputs before building the stable distribution.The existing devnet/testnet release train and reusable core wheel workflow are unchanged.
Validation
bittensor-11.0.0wheel and source distribution.git diff --check.