ci(release): dependency-ordered, checksum-verified kin-db publish + registry-only consumer smoke (FIR-1021)#29
troyjr4103 wants to merge 2 commits into
…egistry-only consumer smoke (FIR-1021)

Harden the first-cut auto-publish into a dependency-aware release flow.

scripts/publish-kinlab-crates.sh:
- Dependency-ordered preflight: reads kin-db's DECLARED registry deps from cargo metadata (not the locally patched/resolved versions) and fails loudly if a required version is missing from the kin index — in particular it enforces the pinned kin-model version (^0.2.0 -> requires 0.2.0 published).
- Checksum-identical idempotency: an existing version (HTTP 409) is accepted only when the index cksum is byte-identical to the freshly packaged crate; a version that exists with DIFFERENT bytes fails loudly.
- Post-publish proof: re-reads the index cksum, downloads the published .crate, and asserts download == index == locally-packaged checksum.
- Reads the registry download template from config.json; DRY_RUN / SKIP_REGISTRY_CHECKS escape hatches for local packaging.

ci/registry-smoke/: standalone out-of-tree consumer crate depending on kin-db ONLY via registry = "kin" (default-features=false, features=["vector"] — the set that broke in the version-skew incident). Building it proves the published crate is self-consistent and downloadable.

Workflows: registry_publish / publish_registry pinned to a TROY-GATED protected environment (registry-publish); added a post-publish registry_consumer_smoke job that stages the consumer out-of-tree with a registry-only .cargo config (no patches) + fresh CARGO_HOME and builds it. Fixed release.yml's stale 'kin-model and kin-db' label (the script publishes kin-db only).

Verified: bash -n + DRY_RUN package/checksum locally; dependency-parsing python emits correct rows incl. the kin-model 0.2.0 pin; consumer main.rs compiles against kin-db. Actual publish + registry resolution are Troy-gated (token).

Signed-off-by: Troy Fortin <troy@firelock.io>
…n-model from registry 0.2.0 (FIR-1021)

Signed-off-by: Troy Fortin <troy@firelock.io>
FIR-1021 — dependency-ordered cargo publish + registry-only smoke

Linear: https://linear.app/firelock-ai/issue/FIR-1021 (child of FIR-1015) · Urgent

Hardens the first-cut auto-publish into a dependency-aware release flow.

**scripts/publish-kinlab-crates.sh**

- Dependency-ordered preflight: reads kin-db's declared registry deps from `cargo metadata` (NOT the locally patched/resolved versions) and fails loudly if a required version is missing from the kin index. It enforces the pinned kin-model version: `^0.2.0` → requires `0.2.0` published. Optional/range deps (kin-infer `>=0.1.1`) checked for presence; the consumer smoke is the authoritative cross-check.
- Checksum-identical idempotency: an existing version (HTTP 409) is accepted only when the index `cksum` is byte-identical to the freshly packaged crate. A version that already exists with different bytes fails loudly instead of being silently treated as success.
- Post-publish proof: re-reads the index `cksum`, downloads the published `.crate`, and asserts `download == index == locally-packaged` checksum.
- Reads the registry download template from `config.json`; `DRY_RUN`/`SKIP_REGISTRY_CHECKS` escape hatches for local packaging.

**ci/registry-smoke/ (new)**

Standalone, out-of-tree consumer crate depending on kin-db only via `registry = "kin"` (`default-features = false`, `features = ["vector"]` — the set that broke in the version-skew incident). Building it proves the published crate is self-consistent and downloadable by a third party.

**Workflows**

- `registry_publish` (push path) and `publish_registry` (tag path) pinned to a Troy-gated protected environment `registry-publish` (configure required reviewer = Troy + scope `KINLAB_CARGO_TOKEN` to it; the kin daemon also fails closed without the token).
- Added a post-publish `registry_consumer_smoke` job on both paths: stages the consumer out-of-tree, writes a registry-only `.cargo/config.toml` (no `[patch.*]`), pins it to the just-published version, and builds with a fresh `CARGO_HOME` — fresh-cache, patches-disabled, post-publish.
- Fixed `release.yml`'s stale `Publish kin-model and kin-db` label (the script publishes kin-db only).

**Acceptance mapping**

- … `0.2.0` pin.
- … `registry_consumer_smoke`.
- … `verify_published_matches`.

**Verification (non-GPU)**

- `bash -n` clean; `DRY_RUN=1` packages kin-db@0.2.3 and computes sha256.
- … `0.2.0` pin.
- `main.rs` compiles against kin-db (path-dep throwaway check).

I cannot run the actual `cargo publish` (Troy holds `KINLAB_CARGO_TOKEN`). The publish job + the registry-resolving consumer smoke run only in CI behind the protected environment. Troy must: (1) create the `registry-publish` GitHub Environment with required reviewer, (2) scope `KINLAB_CARGO_TOKEN` to it. Everything else is implemented and locally verified.
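The two checks the PR description leans on, "accept a 409 only when the index `cksum` is byte-identical to what we just packaged" and "download == index == locally packaged", as an added shell example. This is not the PR's `scripts/publish-kinlab-crates.sh`; it assumes cargo's sparse-index JSON-lines format (one entry per line with `"vers"` and `"cksum"` fields), and every crate file and index line below is constructed in a temp directory so it runs offline against no real registry.

```shell
#!/bin/sh
# Added example (not the project's publish script). Demonstrates the
# checksum-identical idempotency rule and the three-way post-publish proof.
set -eu

# sha256 of a file as a bare hex string; works with GNU sha256sum or BSD shasum.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Pull the cksum for one version out of a sparse-index file.
# Assumption: JSON-lines entries carrying "vers":"X" and "cksum":"<64 hex>".
# Prints nothing when the version is absent from the index.
index_cksum() {
  local index_file=$1 version=$2
  grep -F "\"vers\":\"${version}\"" "$index_file" 2>/dev/null \
    | sed -n 's/.*"cksum":"\([0-9a-f]\{64\}\)".*/\1/p' \
    | head -n 1 || true
}

# Idempotency rule for an HTTP 409 "version already exists" response:
# succeed only if the index cksum equals the sha256 of the freshly packaged
# .crate. A missing index entry or different bytes is a failure, never success.
accept_existing_version() {
  local packaged=$1 index_file=$2 version=$3
  local local_sum idx_sum
  local_sum=$(file_sha256 "$packaged")
  idx_sum=$(index_cksum "$index_file" "$version")
  [ -n "$idx_sum" ] && [ "$idx_sum" = "$local_sum" ]
}

# Post-publish proof: the bytes the registry serves, the cksum it advertises
# in the index, and the bytes we packaged locally must all agree.
verify_published_matches() {
  local packaged=$1 downloaded=$2 index_file=$3 version=$4
  local local_sum dl_sum idx_sum
  local_sum=$(file_sha256 "$packaged")
  dl_sum=$(file_sha256 "$downloaded")
  idx_sum=$(index_cksum "$index_file" "$version")
  [ -n "$idx_sum" ] && [ "$local_sum" = "$dl_sum" ] && [ "$dl_sum" = "$idx_sum" ]
}

# --- constructed fixtures: placeholder bytes, not real crate tarballs ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'crate bytes v1\n' > "$demo_dir/kin-db-0.2.3.crate"   # what we packaged
printf 'crate bytes v1\n' > "$demo_dir/downloaded.crate"      # what the registry served
printf 'crate bytes v2\n' > "$demo_dir/tampered.crate"        # same version, different bytes
good_sum=$(file_sha256 "$demo_dir/kin-db-0.2.3.crate")
bad_sum=$(file_sha256 "$demo_dir/tampered.crate")
# Healthy index: 0.2.3 advertises the checksum of the bytes we packaged.
printf '{"name":"kin-db","vers":"0.2.2","cksum":"%s"}\n' "$bad_sum"  >  "$demo_dir/index"
printf '{"name":"kin-db","vers":"0.2.3","cksum":"%s"}\n' "$good_sum" >> "$demo_dir/index"
# Skewed index: 0.2.3 exists but was published from different bytes.
printf '{"name":"kin-db","vers":"0.2.3","cksum":"%s"}\n' "$bad_sum"  >  "$demo_dir/index-skewed"

if accept_existing_version "$demo_dir/kin-db-0.2.3.crate" "$demo_dir/index" 0.2.3; then
  echo "409 on 0.2.3, index cksum matches packaged crate: idempotent, OK"
fi
if ! accept_existing_version "$demo_dir/kin-db-0.2.3.crate" "$demo_dir/index-skewed" 0.2.3; then
  echo "409 on 0.2.3, index cksum differs from packaged crate: FAIL LOUDLY"
fi
if verify_published_matches "$demo_dir/kin-db-0.2.3.crate" "$demo_dir/downloaded.crate" "$demo_dir/index" 0.2.3; then
  echo "post-publish proof: download == index == locally packaged"
fi
```

Both functions return non-zero on any mismatch or missing index entry, so a publish script running under `set -e` stops at the first inconsistency rather than reporting success; the 409 path is the one that matters, because treating "already exists" as success without the byte comparison is exactly how a skewed publish goes unnoticed.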