ci: add R2-backed shared sccache#2855
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
🛡️ AI Review — Skeptic (security review)VERDICT: SAFE VERY HIGH account-age scrutiny, mitigated by admin repository permission; no Gittensor association or author/committer mismatch. Intentional stacked branch: codex/subtensor-r2-sccache → bittensor-core-exploration. The writer workflow is restricted to trusted FindingsNo findings. ConclusionNo malicious behavior or security vulnerability was identified. The shared-cache credential boundary remains fail-open without exposing a PR-accessible writer path. 🔍 AI Review — Auditor (domain review)VERDICT: 👍 Gittensor association UNKNOWN; the author has limited public history but repository admin permission, so full correctness scrutiny was applied. The PR is consistent with its description: R2 reader credentials are validated, writer credentials remain behind the protected main-only workflow, and cache failures degrade to GHA sccache or ordinary Cargo. No runtime code changed, and this base branch has no spec-version check. The helper still permits writer mode on Overlapping PRs are stacked dependencies or separate CI experiments; none is a competing implementation. FindingsNo findings. ConclusionThe shared-cache and multi-architecture build integration is coherent, fail-open, and adequately tested. No merge-blocking domain issues were found. |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
Live validation on
The runtime workflow was cancelled immediately after this proof, and all other active workflows from this PR were cancelled to free the self-hosted runners. Zero PR workflows are currently active. |
|
Temporary benchmark writer access is now included:
Merging this draft into |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
Final review and rollout status:
PR is ready for review and merge. Merging into |
| # Temporary writer for this cache integration PR so it can populate R2 | ||
| # before merging into #2846. | ||
| - codex/subtensor-r2-sccache |
There was a problem hiding this comment.
[HIGH] PR head receives shared-cache writer execution
This enables the writer workflow directly on the branch whose code is still under review. Once the protected environment run is approved, this branch controls the checked-out local actions and all Cargo build scripts while writer credentials are present, so a hostile follow-up commit could exfiltrate the credentials or populate malicious artifacts in the cache consumed by other PRs. The hard-coded exception also remains reusable after merge. Remove the PR-head branch from this workflow and from prepare_writer’s allowlist; validate writer behavior only after merging into a protected trusted branch.
|
🔄 AI review updated — Skeptic: VULNERABLE |
| - bittensor-core-exploration | ||
| # Temporary writer for this cache integration PR so it can populate R2 | ||
| # before merging into #2846. | ||
| - codex/subtensor-r2-sccache |
There was a problem hiding this comment.
[HIGH] PR head receives shared-cache writer execution
This still lets code under review execute with protected R2 writer credentials and populate the shared compiler cache. A hostile commit on this branch could exfiltrate the credentials or poison cached artifacts later consumed by ordinary PR jobs. Remove codex/subtensor-r2-sccache from this trigger, the job-level if, and prepare_writer in .github/scripts/sccache-configure.sh; only trusted post-review branches should receive writer access.
|
🔄 AI review updated — Skeptic: VULNERABLE |
b6b4f73 to
b3e0a90
Compare
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
82a050e to
b5856e3
Compare
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
Superseded by #2857. The runner-density branch contains this PR’s complete cache commit history unchanged, followed by the runner-pool and try-runtime placement work. Consolidating on #2857 preserves the latest combined CI run and avoids another force-push/retest cycle. This branch is being retained for history until the unified PR lands. |
Summary
sccache-writerenvironmentDepends on #2846 and intentionally targets its
bittensor-core-explorationbranch.Security boundaries
sccache-writerenvironment on trusted main push/schedule/dispatch eventsValidation
.github/scripts/test-sccache-configure.shactionlint -config-file .github/actionlint.yamlbash -n .github/scripts/sccache-configure.sh .github/scripts/test-sccache-configure.shgit diff --check origin/pr-2846-head..HEADThe R2 bucket, reader MMDS metadata, action allowlist, and protected writer environment are live. The BHS turbo canary proved reader GET succeeds and writer PUT is denied.