80 changes: 60 additions & 20 deletions .github/workflows/sovereign-ci.yml
@@ -4,7 +4,7 @@
# Change once here → applies to all 38 repos instantly.
#
# Self-hosted jobs run inside the sovereign-ci container (built by forjar).
# Each job gets an isolated filesystem — no shared ~/.rustup/, no race conditions.

Check warning on line 7 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): 7:81 [line-length] line too long (82 > 80 characters)
# Image: localhost:5000/sovereign-ci:stable (local registry on mac-server)
# Rebuild: cd infra && make -f machines/intel/Makefile ci-image
#
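Review bot: the rewritten comment on line 7 ("Each job gets an isolated filesystem — no shared ~/.rustup/, no race conditions.") is the line yamllint flags at 82 characters; breaking it after "isolated filesystem" keeps the validate job green without losing the point. The comment also documents a real isolation property of the self-hosted container jobs, so it is worth keeping accurate as the runner setup evolves.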
@@ -48,7 +48,7 @@
default: false
type: boolean
extra_pkgs:
description: 'Extra apt packages to install in container (e.g. python3-dev libclang-dev)'

Check warning on line 51 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): 51:81 [line-length] line too long (97 > 80 characters)
required: false
default: ''
type: string
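Review bot: the `extra_pkgs` description on line 51 is 97 characters and trips the same line-length rule; a folded scalar (`description: >-` followed by the text on two indented lines) keeps the wording and satisfies yamllint. Since this string is later handed to `apt-get install`, the description is also the right place to state that callers must pass only package names, not arbitrary apt arguments.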
@@ -73,7 +73,7 @@
jobs:
test:
name: test
runs-on: [self-hosted, clean-room]

Check failure on line 76 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): label "clean-room" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-intel", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file
container:
image: localhost:5000/sovereign-ci:stable@sha256:a7d47ef6e12e23c83075ceff4c41be8f34b00e68639a48bca9e41a2b2c8db80b
# Phase 3 §5.3 — sccache rustc cache + /var/log/ci-metrics for F9 stats.
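Review bot: the `clean-room` runner label on line 76 is a custom self-hosted label, so actionlint needs to be told about it rather than the label removed; add it under `self-hosted-runner: labels:` in `.github/actionlint.yaml` once and the same failure on the lint and coverage jobs clears as well. Pinning the container image by `sha256` digest on the next line is the right call for a supply-chain-sensitive shared workflow; keep the digest in sync with the `make ci-image` rebuild documented in the header comment.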
@@ -89,7 +89,7 @@
persist-credentials: false
- name: Install extra packages
if: ${{ inputs.extra_pkgs != '' }}
run: |

Check failure on line 92 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): shellcheck reported issue in this script: SC2015:info:2:25: Note that A && B || C is not if-then-else. C may run when A is true
apt-get update -qq && apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || \
sudo apt-get update -qq && sudo apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || true
- name: Checkout sibling repos (path deps)
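Review bot: the trailing `|| true` on the sudo fallback swallows every install failure, which is the same silent-masking pattern this PR removes from the clone step (bashrs#197); a caller who asks for `libclang-dev` and does not get it will see the failure later as an opaque build error instead of here. Drop the `|| true` (or replace it with an explicit `::warning::` plus exit) and move `${{ inputs.extra_pkgs }}` into the step's `env:` so the script reads `$EXTRA_PKGS` rather than having the input spliced into its text; the SC2015 chain can then become a plain `if`/`else` on whether `apt-get` is runnable without sudo.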
@@ -106,12 +106,20 @@
[ "$repo" = "${{ inputs.repo }}" ] && continue
# Remove stale partial clones (file instead of dir)
if [ -e "$repo" ] && [ ! -d "$repo" ]; then rm -f "$repo"; fi
# Validate cached clone. If HEAD missing or fetch fails, nuke + re-clone.
# Silent `|| true` on fetch previously masked broken caches (bashrs#197).
if [ -d "$repo" ]; then
# Pull latest to avoid stale cached versions
git -C "$repo" fetch --depth 1 origin main 2>/dev/null && git -C "$repo" reset --hard FETCH_HEAD 2>/dev/null || true
else
if ! git -C "$repo" rev-parse HEAD >/dev/null 2>&1; then
echo "::warning::$repo cache invalid (no HEAD) — re-cloning"
rm -rf "$repo"
elif ! (git -C "$repo" fetch --depth 1 origin main 2>&1 && git -C "$repo" reset --hard FETCH_HEAD >/dev/null 2>&1); then
echo "::warning::$repo fetch failed — re-cloning"
rm -rf "$repo"
fi
fi
if [ ! -d "$repo" ]; then
for attempt in 1 2 3; do
git clone --depth 1 --quiet "https://github.com/paiml/$repo.git" "$repo" 2>&1 && break
git clone --depth 1 "https://github.com/paiml/$repo.git" "$repo" 2>&1 && break
rm -rf "$repo" # Clean failed clone before retry
echo "::warning::Retry $attempt for $repo clone"
sleep 2
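Review bot: the re-clone path is a clear improvement over the silent `|| true`, but the fetch still tracks `origin main` of every sibling at whatever commit it holds when the job runs, so the build's inputs are not reproducible and any push to a sibling's `main` flows into this run without review. Log the resolved commit after the reset (`git -C "$repo" rev-parse HEAD`) so a failure can be tied to a specific sibling revision, and consider pinning siblings to a recorded SHA in a follow-up. Dropping `--quiet` from the clone so its errors reach the log is consistent with the goal of this change.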
Expand All @@ -129,7 +137,7 @@
# Note: generated contract macros may have unused variables (provable-contracts#64).
# This is handled by adding -A unused-variables to the clippy step.
- name: Generate contract assertions (pv codegen)
run: |

Check failure on line 140 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): shellcheck reported issue in this script: SC2012:info:9:3: Use find instead of ls to better handle non-alphanumeric filenames
# pv is baked into sovereign-ci:stable at /usr/local/cargo/bin/pv
PV=""
for candidate in /usr/local/cargo/bin/pv /usr/local/bin/pv; do
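Review bot: the SC2012 hit is on line 9 of this script, below the visible context, so it is a pre-existing `ls` rather than something this hunk introduces; still, while the step is being touched, replacing it with a shell glob or `find ... -maxdepth 1` avoids the parsing problems shellcheck describes. The `PV` candidate loop over the two baked-in paths is fine; if neither exists the step should fail loudly rather than continue with an empty `PV`.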
Expand Down Expand Up @@ -178,7 +186,7 @@
REPO_NAME: ${{ inputs.repo }}
RUSTC_WRAPPER: ${{ inputs.enable_sccache && 'sccache' || '' }}
SCCACHE_DIR: ${{ inputs.enable_sccache && '/sccache' || '' }}
run: |

Check failure on line 189 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): shellcheck reported issue in this script: SC2086:info:4:34: Double quote to prevent globbing and word splitting
Check failure on line 189 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): shellcheck reported issue in this script: SC2086:info:3:18: Double quote to prevent globbing and word splitting
# Mark workspace as safe for git operations inside tests (dubious ownership in containers)
git config --global --add safe.directory "$GITHUB_WORKSPACE"
cargo test --lib $TEST_ARGS 2>&1 || \
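Review bot: the unquoted `$TEST_ARGS` in `cargo test --lib $TEST_ARGS` (script line 3) is deliberate word splitting, so quoting it as shellcheck suggests would break multi-flag inputs; put a `# shellcheck disable=SC2086` with a one-line reason directly above the command, or build the arguments as a bash array and expand `"${ARGS[@]}"`. The `safe.directory "$GITHUB_WORKSPACE"` line is correctly quoted and is the right fix for the dubious-ownership error inside the container.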
Expand All @@ -193,7 +201,7 @@

lint:
name: lint
runs-on: [self-hosted, clean-room]

Check failure on line 204 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): label "clean-room" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-intel", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file
container:
image: localhost:5000/sovereign-ci:stable@sha256:a7d47ef6e12e23c83075ceff4c41be8f34b00e68639a48bca9e41a2b2c8db80b
# Phase 3 §5.3 — sccache rustc cache + /var/log/ci-metrics for F9 stats.
Expand All @@ -209,7 +217,7 @@
persist-credentials: false
- name: Install extra packages
if: ${{ inputs.extra_pkgs != '' }}
run: |

Check failure on line 220 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): shellcheck reported issue in this script: SC2015:info:2:25: Note that A && B || C is not if-then-else. C may run when A is true
apt-get update -qq && apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || \
sudo apt-get update -qq && sudo apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || true
- name: Checkout sibling repos (path deps)
Expand All @@ -226,12 +234,20 @@
[ "$repo" = "${{ inputs.repo }}" ] && continue
# Remove stale partial clones (file instead of dir)
if [ -e "$repo" ] && [ ! -d "$repo" ]; then rm -f "$repo"; fi
# Validate cached clone. If HEAD missing or fetch fails, nuke + re-clone.
# Silent `|| true` on fetch previously masked broken caches (bashrs#197).
if [ -d "$repo" ]; then
# Pull latest to avoid stale cached versions
git -C "$repo" fetch --depth 1 origin main 2>/dev/null && git -C "$repo" reset --hard FETCH_HEAD 2>/dev/null || true
else
if ! git -C "$repo" rev-parse HEAD >/dev/null 2>&1; then
echo "::warning::$repo cache invalid (no HEAD) — re-cloning"
rm -rf "$repo"
elif ! (git -C "$repo" fetch --depth 1 origin main 2>&1 && git -C "$repo" reset --hard FETCH_HEAD >/dev/null 2>&1); then
echo "::warning::$repo fetch failed — re-cloning"
rm -rf "$repo"
fi
fi
if [ ! -d "$repo" ]; then
for attempt in 1 2 3; do
git clone --depth 1 --quiet "https://github.com/paiml/$repo.git" "$repo" 2>&1 && break
git clone --depth 1 "https://github.com/paiml/$repo.git" "$repo" 2>&1 && break
rm -rf "$repo" # Clean failed clone before retry
echo "::warning::Retry $attempt for $repo clone"
sleep 2
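Review bot: `[ "$repo" = "${{ inputs.repo }}" ]` on the first context line splices a workflow expression straight into the shell script, so the script text itself depends on what a caller passes; the test and lint steps below already expose the same input as `REPO_NAME` via `env:`, so compare against `"$REPO_NAME"` here too and keep the script static. The `rm -rf "$repo"` calls are safely quoted, but they run relative to the workspace, so a guard that `$repo` is a bare name (no `/`, not `..`) before the loop would make the cleanup robust to a malformed sibling list.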
Expand Down Expand Up @@ -294,7 +310,7 @@
REPO_NAME: ${{ inputs.repo }}
RUSTC_WRAPPER: ${{ inputs.enable_sccache && 'sccache' || '' }}
SCCACHE_DIR: ${{ inputs.enable_sccache && '/sccache' || '' }}
run: |

Check failure on line 313 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): shellcheck reported issue in this script: SC2086:info:1:14: Double quote to prevent globbing and word splitting
cargo clippy $CLIPPY_ARGS -- -D warnings -A unused-variables 2>&1 || \
cargo clippy -p "$REPO_NAME" -- -D warnings -A unused-variables 2>&1 || \
{ echo "::error::Clippy failed — check workspace path dependencies"; exit 1; }
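Review bot: `-A unused-variables` is applied to the whole clippy run on both attempts, so the allowance added for generated contract macros (provable-contracts#64) also silences unused-variable warnings in hand-written code across every one of the 38 repos using this workflow. If the codegen can emit `#[allow(unused_variables)]` on the generated items instead, the blanket flag can be dropped; the unquoted `$CLIPPY_ARGS` is intentional splitting and deserves a `# shellcheck disable=SC2086` comment with the reason, as in the test step.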
Expand All @@ -316,7 +332,7 @@
coverage:
name: coverage
if: ${{ !inputs.skip_coverage }}
runs-on: [self-hosted, clean-room]

Check failure on line 335 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): label "clean-room" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-intel", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file
container:
image: localhost:5000/sovereign-ci:stable@sha256:a7d47ef6e12e23c83075ceff4c41be8f34b00e68639a48bca9e41a2b2c8db80b
# Phase 3 §5.3 — sccache rustc cache + /var/log/ci-metrics for F9 stats.
Expand All @@ -332,7 +348,7 @@
persist-credentials: false
- name: Install extra packages
if: ${{ inputs.extra_pkgs != '' }}
run: |

Check failure on line 351 in .github/workflows/sovereign-ci.yml (GitHub Actions / validate): shellcheck reported issue in this script: SC2015:info:2:25: Note that A && B || C is not if-then-else. C may run when A is true
apt-get update -qq && apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || \
sudo apt-get update -qq && sudo apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || true
- name: Checkout sibling repos (path deps)
Expand All @@ -349,12 +365,20 @@
[ "$repo" = "${{ inputs.repo }}" ] && continue
# Remove stale partial clones (file instead of dir)
if [ -e "$repo" ] && [ ! -d "$repo" ]; then rm -f "$repo"; fi
# Validate cached clone. If HEAD missing or fetch fails, nuke + re-clone.
# Silent `|| true` on fetch previously masked broken caches (bashrs#197).
if [ -d "$repo" ]; then
# Pull latest to avoid stale cached versions
git -C "$repo" fetch --depth 1 origin main 2>/dev/null && git -C "$repo" reset --hard FETCH_HEAD 2>/dev/null || true
else
if ! git -C "$repo" rev-parse HEAD >/dev/null 2>&1; then
echo "::warning::$repo cache invalid (no HEAD) — re-cloning"
rm -rf "$repo"
elif ! (git -C "$repo" fetch --depth 1 origin main 2>&1 && git -C "$repo" reset --hard FETCH_HEAD >/dev/null 2>&1); then
echo "::warning::$repo fetch failed — re-cloning"
rm -rf "$repo"
fi
fi
if [ ! -d "$repo" ]; then
for attempt in 1 2 3; do
git clone --depth 1 --quiet "https://github.com/paiml/$repo.git" "$repo" 2>&1 && break
git clone --depth 1 "https://github.com/paiml/$repo.git" "$repo" 2>&1 && break
rm -rf "$repo" # Clean failed clone before retry
echo "::warning::Retry $attempt for $repo clone"
sleep 2
Expand Down Expand Up @@ -466,12 +490,20 @@
[ "$repo" = "${{ inputs.repo }}" ] && continue
# Remove stale partial clones (file instead of dir)
if [ -e "$repo" ] && [ ! -d "$repo" ]; then rm -f "$repo"; fi
# Validate cached clone. If HEAD missing or fetch fails, nuke + re-clone.
# Silent `|| true` on fetch previously masked broken caches (bashrs#197).
if [ -d "$repo" ]; then
# Pull latest to avoid stale cached versions
git -C "$repo" fetch --depth 1 origin main 2>/dev/null && git -C "$repo" reset --hard FETCH_HEAD 2>/dev/null || true
else
if ! git -C "$repo" rev-parse HEAD >/dev/null 2>&1; then
echo "::warning::$repo cache invalid (no HEAD) — re-cloning"
rm -rf "$repo"
elif ! (git -C "$repo" fetch --depth 1 origin main 2>&1 && git -C "$repo" reset --hard FETCH_HEAD >/dev/null 2>&1); then
echo "::warning::$repo fetch failed — re-cloning"
rm -rf "$repo"
fi
fi
if [ ! -d "$repo" ]; then
for attempt in 1 2 3; do
git clone --depth 1 --quiet "https://github.com/paiml/$repo.git" "$repo" 2>&1 && break
git clone --depth 1 "https://github.com/paiml/$repo.git" "$repo" 2>&1 && break
rm -rf "$repo" # Clean failed clone before retry
echo "::warning::Retry $attempt for $repo clone"
sleep 2
Expand Down Expand Up @@ -584,12 +616,20 @@
[ "$repo" = "${{ inputs.repo }}" ] && continue
# Remove stale partial clones (file instead of dir)
if [ -e "$repo" ] && [ ! -d "$repo" ]; then rm -f "$repo"; fi
# Validate cached clone. If HEAD missing or fetch fails, nuke + re-clone.
# Silent `|| true` on fetch previously masked broken caches (bashrs#197).
if [ -d "$repo" ]; then
# Pull latest to avoid stale cached versions
git -C "$repo" fetch --depth 1 origin main 2>/dev/null && git -C "$repo" reset --hard FETCH_HEAD 2>/dev/null || true
else
if ! git -C "$repo" rev-parse HEAD >/dev/null 2>&1; then
echo "::warning::$repo cache invalid (no HEAD) — re-cloning"
rm -rf "$repo"
elif ! (git -C "$repo" fetch --depth 1 origin main 2>&1 && git -C "$repo" reset --hard FETCH_HEAD >/dev/null 2>&1); then
echo "::warning::$repo fetch failed — re-cloning"
rm -rf "$repo"
fi
fi
if [ ! -d "$repo" ]; then
for attempt in 1 2 3; do
git clone --depth 1 --quiet "https://github.com/paiml/$repo.git" "$repo" 2>&1 && break
git clone --depth 1 "https://github.com/paiml/$repo.git" "$repo" 2>&1 && break
rm -rf "$repo" # Clean failed clone before retry
echo "::warning::Retry $attempt for $repo clone"
sleep 2
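Review bot: this is the fifth identical copy of the sibling cache-validation block in the file (the same hunk appears at +106, +234, +365, +490 and +616), so the bashrs#197 fix had to be applied in five places and any future change to the clone or fetch logic will need the same. Moving the block into a checked-in script (for example `scripts/checkout-siblings.sh`, name hypothetical) or a composite action would give the per-file change the same single-edit property the header comment promises across the 38 consuming repos.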