ci: repo-wide green — workflow and chart fixes#136
Conversation
Unblock branch-protection and push workflows: docs build no longer deploys on main, Syft/Grype install into isolated dirs, multi-arch generates Cargo.lock, CodeQL gets missing babel plugins and drops broken artifact gate, performance gate uses Criterion minimum sample size, pf-ci stops passing GITHUB_TOKEN as a reusable secret, integration installs Kind and admission Helm chart ships TLS/ServiceAccount.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
Skip dependency review when the repo dependency graph is disabled, make docs-deploy succeed when Pages is unavailable, fix replay docker invocation and pf-ci docker setup, and replace broken SLO nightly jobs with a working k6 gate.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
2 similar comments
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
The simple replay bundle now uses TRACE-REPLAY-KIT event traces with type function_call; update the import assertion accordingly.
Avoid apt/gpg keyserver failures (No dirmngr) on GitHub runners by matching the install path used in slo-gates.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
pf-ci builds with per-crate Docker contexts; member crates ship Cargo.toml only.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
1 similar comment
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
edition2024 crates such as idna_adapter require a newer toolchain than 1.75/1.82; align attestor, sidecar, egress-firewall, and related images.
Gate on critical CVEs only, ignore SPDX OR GPL expressions, fetch full history for SBOM diff, and make compliance report resilient to missing PR comment permissions.
Use single-platform load on PRs, isolate fuzz crate from workspace, install Lean via elan, exclude optional SDK from rust-tests, and cap criterion smoke runtime.
Use docker compose, batch GPG keygen for DSAR tests, run privacy load via metrics and Rust tests, and align replay low-view threshold with platform defaults.
Admission controller probes expected /healthz on HTTPS; serve it and give probes startup slack so integration installs can become ready.
Emit CI verification log lines from conformance tests, allow post-approval signatures up to N-of-M, and report zero scheduler reorder violations.
Remove unused imports, stabilize hook dependencies, and satisfy CI treat-warnings-as-errors for CodeQL and marketplace builds.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
Compare replay CERTs per bundle, bump runtime Docker builders to rustc 1.86, run fuzz on nightly, vendor mathlib in policy-gates, and ignore RUSTSEC-2026-0182 for wasmtime 15.x.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
Fix replay bundle zip paths, set rustup default for cargo-fuzz, bump runtime builders to 1.88 for actix, and fix marketplace Dashboard ledger stats plus passWithNoTests.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Sample Replay
|
Mem.tail case binders must not suffix-match the cons branch name (tl/as); use rest and h so Lean 4.7 tokenizes the membership hypothesis.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
Lean on Morph jobs stuck queued since a01b2b6; empty push to refresh CI.
|
Sample Replay
|
SBOM Security ReportTotal Packages: 3924 Language Distribution:
License Distribution:
✅ SBOM generated successfully |
Policy Coverage ReportTools Coverage: 100% All policy gates passed successfully! |
Path-filtered workflows ignore empty commits; touch Capability.lean to run morph/fallback-local on the rest+tail h proof fix.
List.Mem.tail takes the skipped head and the recursive proof separately; pattern tail h bound h to the action, not membership.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
1 similar comment
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
SBOM Security ReportTotal Packages: 3924 Language Distribution:
License Distribution:
✅ SBOM generated successfully |
|
Sample Replay
|
Policy Coverage ReportTools Coverage: 100% All policy gates passed successfully! |
|
Sample Replay
|
SBOM Security ReportTotal Packages: 3924 Language Distribution:
License Distribution:
✅ SBOM generated successfully |
1 similar comment
SBOM Security ReportTotal Packages: 3924 Language Distribution:
License Distribution:
✅ SBOM generated successfully |
test-agent-2 Spec.lean referenced namespace Fabric.Capability which does not exist; Capability.lean lives in namespace Fabric. Match the other bundle specs by importing Fabric only.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
Policy Coverage ReportTools Coverage: 100% All policy gates passed successfully! |
1 similar comment
Policy Coverage ReportTools Coverage: 100% All policy gates passed successfully! |
SBOM Security ReportTotal Packages: 3924 Language Distribution:
License Distribution:
✅ SBOM generated successfully |
|
Sample Replay
|
Policy Coverage ReportTools Coverage: 100% All policy gates passed successfully! |
Skip vendor-mathlib when cached artifacts and commit are already present, and time-bound git fetch during commit checkout so the job fails fast instead of hitting the 45-minute runner limit.
Stop busting the mathlib artifact cache when vendor-mathlib.sh changes, time-bound git clone, and cap offline lake build so cold runs fail fast instead of hitting the runner job limit.
|
Thanks for the PR! CI will run CERT validation and replay checks. Results will appear in workflow badges and artifacts. |
|
Sample Replay
|
SBOM Security ReportTotal Packages: 3924 Language Distribution:
License Distribution:
✅ SBOM generated successfully |
Policy Coverage ReportTools Coverage: 100% All policy gates passed successfully! |
2 participants
Summary
docs-build.yamlon main; deployment stays indocs-deploy.yamlwith Pagesenablement: true.babel-plugin-transform-remove-console(+ lockfile) so JS builds succeed; remove brokencodeql-databaseartifact download from security-gates.find /tmppermission failures).Cargo.lockbefore Docker staging (lockfile is gitignored).--sample-size 10(was 5).GITHUB_TOKENsecret passthrough; caller usessecrets: inherit.Test plan