Chore: protect genesis files #1732
Signed-off-by: Justin Frevert <justinfrevert@gmail.com>
Signed-off-by: Justin Frevert <justinfrevert@gmail.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9ef59c2f3d
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| BASE_REF="${1:-origin/main}" | ||
|
|
||
| # Folders that must never change. Anchored at the start of the path. | ||
| PROTECTED_RE='^res/(mainnet|qanet|preprod|preview)/' |
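Review bot: the default `BASE_REF="${1:-origin/main}"` assumes the remote-tracking ref exists in the clone; on a shallow CI checkout or a clone whose remote is not named origin it does not, the later `git diff` errors on an unknown revision, and because that output is piped into `grep ... || true` the script sees an empty change list and reports OK. Verify the ref before diffing and fail loudly, e.g. `git rev-parse --verify --quiet "${BASE_REF}^{commit}" >/dev/null || { echo "::error::unknown base ref ${BASE_REF}"; exit 2; }`.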
Include res/genesis in the frozen-path guard
For PRs that touch the actual live genesis artifacts, such as res/genesis/genesis_state_mainnet.mn or res/genesis/genesis_block_qanet.mn, this regex does not match them, so check-frozen-res.sh reports OK even though the live chain configs point at those files (res/cfg/mainnet.toml:6-7) and the genesis docs list res/genesis/ as the generated ledger-state location. Since this check is meant to protect deployed genesis artifacts, add the live-network res/genesis/genesis_{state,block}_*.mn paths to the protected set.
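As an added illustration of the point above (example code, not the PR's script nor the project's): a shell function that applies a frozen-path regex to a constructed list of changed paths, the way the grep step in scripts/ci/check-frozen-res.sh would, with the PR's pattern beside an extended one that also covers the live-network res/genesis/genesis_{state,block}_*.mn files. The two genesis paths come from the comment; the other sample paths and the extended regex are assumptions, one possible form rather than the project's.

```bash
#!/usr/bin/env bash
# Added example (not the PR's script): apply a frozen-path regex to a list of
# changed paths, one per line on stdin, as `git diff --name-only` would print.

# The pattern from the PR: only the four per-network directories are frozen.
PROTECTED_RE_ORIG='^res/(mainnet|qanet|preprod|preview)/'

# Extended pattern (assumption, one possible form): additionally freeze the
# live-network genesis artifacts under res/genesis/, keyed on the same four
# network names so genesis files for other networks stay editable.
PROTECTED_RE_EXT='^res/(mainnet|qanet|preprod|preview)/|^res/genesis/genesis_(state|block)_(mainnet|qanet|preprod|preview)\.mn$'

# frozen_matches REGEX: print the stdin paths matching REGEX.
# Exit status is grep's: 0 if anything matched, 1 if nothing did.
frozen_matches() {
  grep -E -- "$1"
}

# Constructed change list: the two genesis paths from the review comment, one
# path inside a frozen network directory, and two paths that should pass.
sample_changes() {
  printf '%s\n' \
    'res/genesis/genesis_state_mainnet.mn' \
    'res/genesis/genesis_block_qanet.mn' \
    'res/preview/node.toml' \
    'docs/genesis.md' \
    'scripts/ci/check-frozen-res.sh'
}

# count_frozen REGEX: number of sample paths the regex would flag.
count_frozen() {
  sample_changes | frozen_matches "$1" | wc -l | tr -d '[:space:]'
}

# Demo: the PR pattern flags 1 of the 5 paths, the extended pattern flags 3.
echo "original pattern flags: $(count_frozen "$PROTECTED_RE_ORIG")"   # 1
echo "extended pattern flags: $(count_frozen "$PROTECTED_RE_EXT")"    # 3
```

The extended pattern deliberately spells out the network names again instead of using `res/genesis/.*`, so a genesis file for a network that is not live is not frozen by accident; whichever form is chosen, keeping the network list in one place avoids the two halves drifting apart.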
Signed-off-by: Justin Frevert <justinfrevert@gmail.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 66ba5ac2aa
| - name: Frozen res/ network config | ||
| env: | ||
| BASE_SHA: ${{ github.event.pull_request.base.sha }} | ||
| run: scripts/ci/check-frozen-res.sh "$BASE_SHA" |
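Review bot: the step hands the script the PR base SHA, but nothing in this hunk makes sure that commit is present in the checkout; actions/checkout fetches depth 1 by default on pull_request, so the script's `git diff "$BASE_SHA"...HEAD` fails with an unknown revision. Either set `fetch-depth: 0` on the checkout step or add `git fetch --no-tags --depth=1 origin "$BASE_SHA"` before the run line, and make the script exit non-zero when the diff itself fails so a missing base does not pass as "no changes".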
Run the frozen-path check from trusted code
For a PR that changes a protected res/ path and also edits scripts/ci/check-frozen-res.sh to skip or narrow the check, the checkout step has already put the PR's version of the script in the worktree before this line runs, so the required guard can pass while frozen artifacts change. Since this is the enforcement point for immutable paths, run the diff logic from a trusted base-revision copy or keep it in the workflow/API without executing PR-controlled code.
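The bypass described in the comment above, as an added example that is not part of the PR or the project: a throwaway git repository whose base commit holds a frozen file and a guard script, and whose PR commit tampers with the frozen file and narrows the guard's regex to match nothing. Running the guard from the PR worktree (what the workflow step does) passes; running the base revision's copy via `git show` fails as it should. All paths, identities and file contents are constructed, and the embedded guard is a rewritten version that sets pipefail and tolerates a non-zero status from grep only, not the PR's script.

```bash
#!/usr/bin/env bash
# Added example, not part of the PR: build a throwaway git repo in which the PR
# both edits a frozen file and neuters the guard script, then run the guard two
# ways. Needs git and POSIX tools only; everything below is constructed.

# make_demo_repo DIR: base commit = frozen file + honest guard; PR commit on
# branch "pr" = tampered frozen file + guard whose regex matches nothing.
make_demo_repo() {
  local dir="$1"
  rm -rf "$dir" && mkdir -p "$dir"
  (
    cd "$dir" || exit 1
    git init -q . && git symbolic-ref HEAD refs/heads/main
    git config user.email 'ci@example.invalid'   # constructed identity
    git config user.name 'ci'
    mkdir -p res/mainnet scripts/ci
    echo 'chain = "mainnet"' > res/mainnet/config.toml   # constructed frozen file
    # Guard at base. It sets pipefail and tolerates a non-zero status from grep
    # only, so a failing git diff aborts the check instead of reporting OK.
    cat > scripts/ci/check-frozen-res.sh <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
BASE_REF="${1:?base ref required}"
PROTECTED_RE='^res/(mainnet|qanet|preprod|preview)/'
changed="$(git diff --name-only --no-renames "${BASE_REF}...HEAD" | { grep -E "$PROTECTED_RE" || true; })"
if [ -n "$changed" ]; then
  printf 'frozen path changed:\n%s\n' "$changed" >&2
  exit 1
fi
echo OK
EOF
    chmod +x scripts/ci/check-frozen-res.sh
    git add -A && git commit -q -m 'base: frozen file and honest guard'
    git checkout -q -b pr
    echo 'chain = "mainnet"  # tampered' > res/mainnet/config.toml
    # The PR narrows the protected set to a pattern that never matches.
    sed -i.bak "s#^PROTECTED_RE=.*#PROTECTED_RE='^never-matches/'#" scripts/ci/check-frozen-res.sh
    rm -f scripts/ci/check-frozen-res.sh.bak
    git add -A && git commit -q -m 'pr: tamper frozen file and neuter guard'
  )
}

# run_worktree_guard DIR: what the PR's workflow step does, i.e. execute the
# script as checked out from the PR head. Prints OK or FAIL.
run_worktree_guard() {
  if (cd "$1" && scripts/ci/check-frozen-res.sh main >/dev/null 2>&1); then
    echo OK
  else
    echo FAIL
  fi
}

# run_base_guard DIR: execute the guard as it exists at the base revision,
# which the PR cannot change. Prints OK or FAIL.
run_base_guard() {
  local tmp
  tmp="$(mktemp)"
  (cd "$1" && git show main:scripts/ci/check-frozen-res.sh) > "$tmp"
  if (cd "$1" && bash "$tmp" main >/dev/null 2>&1); then
    echo OK
  else
    echo FAIL
  fi
  rm -f "$tmp"
}

# Demo run.
demo="$(mktemp -d)/frozen-demo"
make_demo_repo "$demo"
echo "guard from PR worktree: $(run_worktree_guard "$demo")"   # OK   (bypassed)
echo "guard from base commit: $(run_base_guard "$demo")"       # FAIL (caught)
```

In a workflow the equivalent of run_base_guard is `git show "$BASE_SHA:scripts/ci/check-frozen-res.sh" > /tmp/guard.sh && bash /tmp/guard.sh "$BASE_SHA"` after the base commit has been fetched; the PR can still edit the script, but the edited copy is never the one that decides the check.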
| changed="$(git diff --name-only --no-renames "${BASE_REF}...HEAD" | grep -E "$PROTECTED_RE" || true)" | ||
|
|
||
| if [ -n "$changed" ]; then | ||
| echo "::error::Frozen res/ network config changed. These files are deployed artifacts and must never be modified:" |
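Review bot: the trailing `|| true` on the grep line also masks a failing `git diff` (unknown base ref, shallow clone), which leaves `changed` empty and the check green for the wrong reason. Add `set -euo pipefail` at the top of the script and scope the tolerated non-zero status to grep alone, e.g. `changed="$(git diff --name-only --no-renames "${BASE_REF}...HEAD" | { grep -E "$PROTECTED_RE" || true; })"`, so a diff error aborts with a non-zero exit. Also make sure the `::error::` branch ends in `exit 1`; the annotation by itself does not fail the step, and the rest of that branch is not shown in this hunk.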
This sentence is false in a few distinct ways:
- some of the config files were modified or even created after the chain-spec was created and network started
- "never" - preview is perhaps going to be restarted
- some of the config files should be changed, because they are just wrong and not consistent with chain-spec
True. Only updatable in rare cases, which get flagged, and we can review case-by-case. Updated the language to allow for that.
Signed-off-by: Justin Frevert <justinfrevert@gmail.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1ace59fa71
Signed-off-by: Justin Frevert <justinfrevert@gmail.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 693409e10c
| name: "Frozen Paths Check" | ||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, reopened, ready_for_review] |
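Review bot: `pull_request` is the right trigger here rather than `pull_request_target`, because the workflow goes on to execute a script taken from the PR checkout; under `pull_request` the GITHUB_TOKEN is read-only and repository secrets are not exposed to fork PRs, so a PR that tampers with the script can at most influence its own check result. Keep that choice if the workflow is ever moved or reused, and note that the check only enforces anything once it is a required status check in branch protection for the base branches.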
Rerun the frozen check when PR bases change
Because this workflow only subscribes to opened, synchronize, reopened, and ready_for_review, retargeting a PR to a different base branch does not rerun scripts/ci/check-frozen-res.sh with the new BASE_SHA. In that case the PR can keep a green result computed against an old/non-main base while its diff against the new base includes a protected res/... change, until another head commit is pushed; include edited or avoid narrowing the activity types so the guard is recomputed on base changes.
Overview
Protect changes against genesis files of live networks.
🗹 TODO before merging
📌 Submission Checklist
git commit -s) for the DCO
🧪 Testing Evidence
Please describe any additional testing aside from CI:
🔱 Fork Strategy
Links