From d9b98cc394025d34801d5c587ed8808196ab868a Mon Sep 17 00:00:00 2001
From: Ralf Anton Beier
Date: Sat, 23 May 2026 20:30:36 +0200
Subject: [PATCH] Harden CI sibling checkouts against force-pushes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR #18 (.bazelignore) and PR #20 (rules_rust bump) both failed their CI rivet-validate job with `fatal: could not read Username for 'https://github.com'` from `actions/checkout@v4`. Same flake in PR #18 seemed transient (passed on rerun) but it recurred on PR #20, and the GitHub compare API confirms why:

- rivet pinned ref 335bb84 vs current main: behind_by=1 ahead_by=3 status=diverged
- relay pinned ref 4d42acf vs current main: behind_by=5 ahead_by=4 status=diverged

Both sibling-repo main branches were force-pushed since the original pins landed in #17. The pinned SHAs are now orphaned in those repos' default branch history. actions/checkout@v4's default shallow fetch (fetch-depth: 1) can't find an orphaned SHA on a public repo and falls back to a cloning mode that asks for credentials, which the GITHUB_TOKEN doesn't have for cross-repo public checkouts.

Two-part fix:

1. Bump pins to current sibling main:
   RELAY_REF: 4d42acf -> 178ffd47
   RIVET_REF: 335bb84 -> 78f001e2

2. Add `fetch-depth: 0` to every cross-repo checkout (5 total: 4 relay in lint/test/kani/fuzz, 1 rivet in rivet-validate). Full clone so any SHA on a public repo resolves — orphaned or not. ~30 extra seconds on the cold cache; trades CI speed for robustness against the architect's recurring force-pushes of sibling repos.

The fetch-depth: 0 hardening is the durable fix. The pin bumps are maintenance — they'll need to happen again on the next force-push, ideally via the Renovate bot tracked in #8.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/ci.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7ae8b2a..6c93a7c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,8 +16,13 @@ env: # pins, unpinned `main` of relay/rivet can change tool behavior on this # workflow with zero wohl code change (see #8 for the concrete # incident that motivated pinning). - RELAY_REF: 4d42acf4a23c56980091f943c966ae5e0223a79f - RIVET_REF: 335bb84be0bb1be3768438ecec109c945c6b6530 + # + # IMPORTANT: every cross-repo checkout below uses `fetch-depth: 0` + # because relay/rivet are routinely force-pushed by the architect. + # Without a full fetch, an orphaned (rebased-away) SHA fails to + # resolve under actions/checkout's default shallow strategy. + RELAY_REF: 178ffd479ad863c91ece4f580379a9207c36a530 + RIVET_REF: 78f001e23d595ba816f7a7be59282194dedfdc12 jobs: lint: @@ -32,6 +37,7 @@ jobs: repository: pulseengine/relay path: relay ref: ${{ env.RELAY_REF }} + fetch-depth: 0 - uses: dtolnay/rust-toolchain@master with: toolchain: "1.85.0" @@ -66,6 +72,7 @@ jobs: repository: pulseengine/relay path: relay ref: ${{ env.RELAY_REF }} + fetch-depth: 0 - uses: dtolnay/rust-toolchain@master with: toolchain: "1.85.0" @@ -88,6 +95,7 @@ jobs: repository: pulseengine/relay path: relay ref: ${{ env.RELAY_REF }} + fetch-depth: 0 # Kani-verifier (the installer) needs newer Rust than our MSRV. # Kani itself uses an internal nightly for the proofs. - uses: dtolnay/rust-toolchain@stable @@ -130,6 +138,7 @@ jobs: repository: pulseengine/relay path: relay ref: ${{ env.RELAY_REF }} + fetch-depth: 0 - uses: dtolnay/rust-toolchain@master with: toolchain: nightly @@ -161,6 +170,7 @@ jobs: repository: pulseengine/rivet path: rivet ref: ${{ env.RIVET_REF }} + fetch-depth: 0 # rivet-cli's deps need Rust 1.89+; we don't care about MSRV for tooling. - uses: dtolnay/rust-toolchain@stable - uses: Swatinem/rust-cache@v2
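Review bot: The new comment in the `env:` hunk promises that a full fetch makes an orphaned SHA resolve, but actions/checkout documents `fetch-depth: 0` as fetching all history for all branches and tags, which covers only commits reachable from a ref. A `RELAY_REF` or `RIVET_REF` that has been rebased away is reachable from none, so resolution still depends on the host keeping the unreferenced commit around. Please verify the change against a SHA that is already orphaned, and consider pinning to a commit that a tag in relay/rivet holds so a force-push of `main` cannot strand the pin; the comment should then say that rather than promise orphaned SHAs resolve.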
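Review bot: In the five checkout hunks the same `fetch-depth: 0` line is repeated once per job, and only the comment in `env:` stops a future sixth cross-repo checkout from omitting it. Suggest moving the sibling checkout (repository, path, ref, fetch-depth) into one local composite action so the setting lives in a single place. The context lines of the same hunks also leave `dtolnay/rust-toolchain@master` and `Swatinem/rust-cache@v2` on moving refs, which is the same kind of upstream drift the `env:` comment gives as the reason for pinning relay and rivet; pinning those actions to commit SHAs would make the workflow consistent with that rationale.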