fix(ci): require main ancestry for engine publish#4362
Conversation
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4362 +/- ##
=======================================
Coverage 93.74% 93.74%
=======================================
Files 387 387
Lines 36398 36398
Branches 13330 13330
=======================================
Hits 34120 34120
Misses 1621 1621
Partials 657 657 🚀 New features to boost your workflow:
|
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-09 04:45:33 UTC
⏸️ Suggested Action - Manual Review
Review summary Nits — 5 non-blocking
Concerns raised — review before merging
Review context
Contributor next steps
Signal definitions
🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
Motivation
@jsonbored/gittensory-enginereleases from an unchecked, unmerged ref by enforcing that the dispatched commit is reachable fromorigin/main.Description
git fetch --no-tags origin main+git merge-base --is-ancestor "$RELEASE_SHA" origin/maincheck to thevalidatejob in.github/workflows/publish-engine.ymlso the artifact is only built from a commit on the protected branch.merge-baseancestry check in the privilegedpublishjob before creating the release tag and performing OIDC/npm publishing as defense in depth.Testing
git diff --checkandnpm run actionlintcompleted (actionlint used the WASM fallback after transient setup failures).npm run test:ciwas executed but failed on a pre-existing drift (cf-typegen) unrelated to this change and reportedworker-configuration.d.ts is stale; the new checks themselves do not introduce test failures.npm audit --audit-level=moderatecould not complete due to the npm audit endpoint returning403 Forbidden.Codex Task