Skip to content

CI: inherit authenticated package baselines across stacked PRs#904

Open
brandonpayton wants to merge 1 commit into
mainfrom
fix/stacked-pr-package-baselines
Open

CI: inherit authenticated package baselines across stacked PRs#904
brandonpayton wants to merge 1 commit into
mainfrom
fix/stacked-pr-package-baselines

Conversation

@brandonpayton

Copy link
Copy Markdown
Member

Summary

  • authenticate the complete same-repository base-PR chain and snapshot exact matching package archives from the nearest staging releases
  • validate live PR ancestry, release and asset identities, GitHub digests, full ABI/cache keys, built_by workflow runs, and embedded archive manifests before reuse
  • rebuild only unresolved inherited requirements, then carry verified archives to library, program, and test-gate consumers as a current-run artifact
  • reject ambiguous overlay inputs and prevent prepare-merge from publishing durable package state while a PR targets a non-default branch

Root cause

PR #900 correctly classified its Homebrew-only contribution as archive-neutral, but test-gate-prepare resolved only from binaries-abi-v18. Its open base PR #885 already had the 69 exact current package keys in pr-885-staging, so every durable archive was rejected even though valid staged bytes existed. The workflow accepted arbitrary same-repository base refs for change scope but had no base-PR artifact baseline.

Release tags and assets are mutable, and a staging release target_commitish can name GitHub synthetic merge state rather than the PR head. This change therefore treats the release index only as a selector, downloads by asset ID, validates built_by against the source PR and workflow run, rechecks PR/release snapshots for races, and uploads accepted bytes into the child workflow run before later jobs consume them. Missing entries remain ordinary matrix work; provenance or mutation failures stop the run.

Validation

All commands ran through scripts/dev-shell.sh unless noted.

Contract impact

No package recipe, archive input, release index, VFS image, host/runtime behavior, or ABI surface changes. No ABI bump or package rebuild is required by this PR. Stacked PRs remain staging-only until retargeted to the default branch for durable publication.

Residual risk

The live probe exercised one real archive rather than downloading the full 69-archive #885 staging release locally. The mocked suite covers multi-level selection and the PR workflow will exercise the complete current CI wiring. A base release that mutates during selection intentionally fails closed and requires a fresh child run after the base staging run stabilizes.

Archive-neutral child PRs previously resolved only against the durable ABI release, even when their same-repo base PRs had changed every package key. Authenticate the recursive base-PR chain, snapshot exact staged archives with release, workflow-run, digest, ABI, and cache-key validation, and rebuild only unresolved requirements.

Carry inherited archives through the current workflow run for library, program, and test consumers; reject ambiguous overlays and prevent stacked PRs from publishing unmerged state to the durable release. No package recipe, archive input, or ABI changes.
@brandonpayton

Copy link
Copy Markdown
Member Author

Independent exact-head review completed for 2d1f8f41a77e32471eaa96819ecf177e3e6b21d9: no blocker found.

I traced the same-repository PR-chain authentication, ancestry checks, release/asset snapshots, full cache-key selection, built_by run validation, archive digest and embedded-manifest validation, nearest-first fallback, final chain/release rereads, workflow artifact handoff, inherited/current overlay separation, empty-matrix behavior, and default-branch-only durable publication guard. Trust or mutation failures stop the run; missing releases/entries/assets remain ordinary child matrix rebuilds.

Independent local evidence through scripts/dev-shell.sh: 4 selector tests, all 12 mocked resolver scenarios, prepare-merge/workflow wiring checks, strict overlay materialization tests, both change-scope classifiers, and 8 package-system Vitest tests passed. git diff --check is clean. The remaining bounded risk is the one already disclosed: the live probe validated one real zlib archive rather than downloading all 69 base-release archives; CI is the complete workflow-level exercise.

This is a main-repository PR and remains for maintainer review; I did not merge or enable auto-merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant