Commit Graph

8 Commits

Author SHA1 Message Date
Vincent Koc
6a0eecdb44 fix(release): separate code and release SHA validation (#105948) 2026-07-13 13:38:19 +08:00
Vincent Koc
c47ceb0f3d improve(release): reuse exact-SHA validation evidence (#104162)
* perf(release): share changelog verification snapshots

* perf(release): reuse exact-SHA validation evidence

* feat(release): checkpoint candidate workflow state

* feat(release): watch CI transitions compactly

* fix(testbox): rotate stale reusable leases

* refactor(release): move CI verifier into scripts

* fix(release): preserve verifier executable mode

* fix(testbox): force noninteractive remote hydration

* perf(testbox): skip sync for proven clean heads

* fix(testbox): keep changed gates synchronized

* fix(testbox): isolate git state probes

* fix(testbox): isolate wrapper git commands

* fix(testbox): preserve git command contracts

* fix(release): validate reused SHA evidence

* fix(release): resume serialized plugin selections

* fix(testbox): sync source on every lease reuse

* fix(release): verify from trusted workflow checkout

* fix(release): gate evidence reuse on trusted lineage

* fix(release): support legacy verifier checkouts

* fix(testbox): export CI across shell snippets

* fix(release): revalidate reused evidence before publish

* fix(release): reject untrusted reuse before lookup

* fix(release): reuse SHA-pinned root evidence

* fix(ci): allow unreleased notes in QA packages

* fix(release): satisfy script lint contracts

* fix(release): handle Unicode workflow refs safely
2026-07-11 12:48:27 +08:00
Vincent Koc
cbe3731f77 fix(release): make validation proof no-write (#103737)
* fix(release): make validation proof no-write

* test(release): align no-write workflow contracts
2026-07-10 08:18:44 -07:00
Peter Steinberger
ace2407acd fix(ci): compare the full harness surface for evidence reuse
Codex review round four: workflows execute helper scripts from the
workflow ref, so comparing only the .github/workflows tree missed
script-only harness changes. Harness equivalence now means the git tree
diff between the candidate run's head SHA and the current workflow SHA
is itself release-metadata-only, using the same canonical classifier as
the target delta. The classifier's worktree overlay no longer applies
when --head is an explicit SHA, keeping SHA-exact comparisons exact.
2026-07-10 00:21:26 -07:00
Peter Steinberger
494987fa6e fix(ci): require an identical workflow harness for evidence reuse
Codex review round three: a prior green run may have executed with
different lane definitions; the resolver now compares the candidate
run head SHA's .github/workflows tree against the current workflow
ref before accepting its manifest.
2026-07-10 00:21:25 -07:00
Peter Steinberger
e98bb5942a fix(ci): scope beta advisory to live-provider suites and validate reuse targets
Codex review round two: the reusable advisory input is global, so beta
would also have softened hermetic repo/OpenShell E2E — add a scoped
live_advisory input that only covers the live-provider suite jobs and
narrow the umbrella fail-fast exclusion to those job names. Evidence
reuse now also runs the macOS source-version consistency check against
the target (release-preflight --macos-versions-only) so version-stamp
deltas cannot reuse evidence while version surfaces disagree.
2026-07-10 00:21:24 -07:00
Peter Steinberger
6bb240b6da fix(ci): match validation inputs and recheck child runs before evidence reuse
Codex review findings: evidence reuse must not let a default-input run
stand in for a focused provider/mode/filter/package-spec run, and
recorded child runs can be re-run to failure while the parent stays
green. Manifests now record validationInputs; the resolver requires an
exact input match and healthy child runs, and the summary re-verifies
the chain root plus its recorded children. Reuse-mode evidence dispatch
notes now disclose the chain-root relationship.
2026-07-10 00:21:24 -07:00
Peter Steinberger
87f98090e1 feat(ci): reuse release validation evidence and speed up the release pipeline
- Full Release Validation now checks for a prior green validation whose
  target differs only by release metadata (changelog/version stamps) and
  reuses that evidence instead of re-running every lane; disable with
  reuse_evidence=false. Evidence manifests chain through reuse runs via
  evidenceReuse.runId and the summary re-verifies the chain root.
- The Docker runtime-assets preflight no longer serializes the CI,
  plugin-prerelease, release-checks, and performance lanes; it runs in
  parallel and stays enforced by the umbrella verifier.
- Umbrella runs for release/* refs now supersede in-progress runs with
  the same ref and rerun group instead of requiring manual cancels.
- release_profile=beta treats the live-provider E2E suites as advisory
  (third-party model deployments move underneath releases); stable and
  full profiles keep them blocking, and beta live failures no longer
  fail-fast-cancel the remaining release-check matrix.
2026-07-10 00:21:23 -07:00