Harden CI sibling checkouts against force-pushes#21
Merged
Conversation
PR #18 (.bazelignore) and PR #20 (rules_rust bump) both failed their CI rivet-validate job with `fatal: could not read Username for 'https://github.com'` from `actions/checkout@v4`. Same flake in PR #18 seemed transient (passed on rerun) but it recurred on PR #20, and the GitHub compare API confirms why: - rivet pinned ref 335bb84 vs current main: behind_by=1 ahead_by=3 status=diverged - relay pinned ref 4d42acf vs current main: behind_by=5 ahead_by=4 status=diverged Both sibling-repo main branches were force-pushed since the original pins landed in #17. The pinned SHAs are now orphaned in those repos' default branch history. actions/checkout@v4's default shallow fetch (fetch-depth: 1) can't find an orphaned SHA on a public repo and falls back to a cloning mode that asks for credentials, which the GITHUB_TOKEN doesn't have for cross-repo public checkouts. Two-part fix: 1. Bump pins to current sibling main: RELAY_REF: 4d42acf -> 178ffd47 RIVET_REF: 335bb84 -> 78f001e2 2. Add `fetch-depth: 0` to every cross-repo checkout (5 total: 4 relay in lint/test/kani/fuzz, 1 rivet in rivet-validate). Full clone so any SHA on a public repo resolves — orphaned or not. ~30 extra seconds on the cold cache; trades CI speed for robustness against the architect's recurring force-pushes of sibling repos. The fetch-depth: 0 hardening is the durable fix. The pin bumps are maintenance — they'll need to happen again on the next force-push, ideally via the Renovate bot tracked in #8. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CI's
rivet-validatejob started failing on PRs that didn't touch artifacts (#18, #20) withfatal: could not read Username for 'https://github.com'fromactions/checkout@v4. Root cause confirmed via the GitHub compare API: bothrelayandrivetsiblings were force-pushed since the original #17 pins landed.The pinned SHAs are now orphaned in those repos' default-branch history.
actions/checkout@v4's default shallow fetch can't find an orphaned SHA on a public repo and falls back to a cloning mode that asks for credentials — which the workflow's GITHUB_TOKEN doesn't have for cross-repo public checkouts. Hence the auth error on a public repo.Fix — two parts
Bump pins to current sibling main (acute fix):
RELAY_REF: 4d42acf → 178ffd47RIVET_REF: 335bb84 → 78f001e2Add
fetch-depth: 0to every cross-repo checkout (durable fix): full clone, no shallow-fetch failure mode. Any SHA on a public repo resolves — orphaned or not. ~30s extra on cold cache; trades a bit of CI time for not having to chase every sibling force-push.The
fetch-depth: 0is the durable fix; the pin bumps are maintenance that'll recur until the Renovate bot from #8 lands.Unblocks
🤖 Generated with Claude Code