Skip to content

ci(browser-rbe-proof): advisory on PR, authoritative on workflow_dispatch#441

Open
Jesssullivan wants to merge 1 commit into
mainfrom
fix/browser-rbe-proof-advisory-on-pr
Open

ci(browser-rbe-proof): advisory on PR, authoritative on workflow_dispatch#441
Jesssullivan wants to merge 1 commit into
mainfrom
fix/browser-rbe-proof-advisory-on-pr

Conversation

@Jesssullivan

Copy link
Copy Markdown
Owner

Note: this touches another lane's workflow (browser-rbe-proof.yml). It fixes the never-passed browser-rbe-proof required check that has been blocking every PR (including #440).

Root cause (evidence)

browser-rbe-proof was made a required check on main today but has hard-failed on every PR since 2026-06-14. It is not unarmed and the dispatch is not buggy:

  • Repo var GF_REAPI_PROOF_ENABLED=true and secret GF_REAPI_PROOF_DISPATCH_TOKEN are both present, so the lane dispatches and the GF-side proof run actually starts.
  • The GF-side run fails at Run explicit gf-reapi-cell proof with:
    ERROR: requested digest differs from at least one live gf-rbe deployment.
    Set GF_REAPI_CELL_ALLOW_LIVE_DIGEST_CHANGE=true only for an intentional digest promotion.
    
  • This repo pins GF_REAPI_CELL_IMAGE_DIGEST=sha256:9db80cc90cb6736430cdbfcf0a0773fd89073d897ec084b9b141ded1d58661af (last set 2026-06-11, the same day this lane last went green). The live gf-rbe fleet has since been promoted to sha256:58b456281c0862da0153e8691cd77b5de43052dc25d37836329c48baf05af135 (observed on a green MassageIthaca proof). The GF guard correctly refuses to run a proof pinned to a non-live digest, and with apply defaulting true a consumer PR would be asking to promote the shared fleet backward to a stale digest.

So a per-PR hard gate on an exact digest match, against a shared fleet that advances independently of this repo, cannot stay green on its own. Dependabot/fork PRs additionally cannot see the dispatch secret and hard-failed on the token check.

Fix — house skip-green-until-armed pattern

  • Require GF dispatch token: on pull_request, soft-skip green with a ::notice:: when the token is unavailable (dependabot/fork) instead of exit 1. workflow_dispatch still hard-fails on a missing token.
  • Dispatch + Verify: continue-on-error: ${{ github.event_name == 'pull_request' }} — a stale-pin / fleet-drift failure is advisory (non-blocking) on PRs and remains authoritative (hard) on workflow_dispatch.
  • Record PR-advisory proof result: explains the posture and how to re-arm.

Net: the required check stops blocking PRs while unarmed/pin-stale; the real proof stays authoritative via workflow_dispatch.

Operator follow-ups (cannot be done from a workflow edit)

To actually prove changes again, pick one:

  1. Re-arm the pin: gh variable set GF_REAPI_CELL_IMAGE_DIGEST --repo Jesssullivan/darkmap.phasi.space --body sha256:58b456281c0862da0153e8691cd77b5de43052dc25d37836329c48baf05af135 (current live digest), then re-run the proof. This must be re-synced on every gf-reapi-cell promotion — consider automating the bump in the GF publish flow.
  2. Or run the authoritative proof on demand via Actions → Browser RBE proof → Run workflow (workflow_dispatch) with a current digest.
  3. Or, if a per-PR fleet proof isn't wanted, set repo var GF_REAPI_PROOF_ENABLED=false (the existing "Record skipped proof" path already soft-skips green on PRs).

…atch

The browser-rbe-proof lane is a required check on main but has hard-failed
on every PR since 2026-06-14. Root cause: the proof pins an exact
gf-reapi-cell image digest (repo var GF_REAPI_CELL_IMAGE_DIGEST, last set
2026-06-11) and the shared live gf-rbe fleet has since been promoted to a
newer digest, so the GF-side proof correctly refuses to run ("requested
digest differs from at least one live gf-rbe deployment"). A per-PR hard
gate on an exact digest match against an independently-advancing shared
fleet cannot stay green on its own, and dependabot/fork PRs additionally
cannot see the dispatch secret and hard-failed on the token check.

Adopt the house skip-green-until-armed pattern:
- Require GF dispatch token: on pull_request, soft-skip green with a clear
  notice when the token is unavailable (dependabot/fork) instead of exit 1;
  workflow_dispatch still hard-fails on a missing token.
- Dispatch + Verify: continue-on-error on pull_request only, so a stale-pin
  / fleet-drift failure is advisory (non-blocking) on PRs while remaining
  authoritative (hard) on workflow_dispatch.
- Record PR-advisory proof result: explain the advisory posture and how to
  re-arm (workflow_dispatch, or keep GF_REAPI_CELL_IMAGE_DIGEST in sync with
  the live fleet).

Net: the required check stops blocking PRs while unarmed/pin-stale, and the
real proof stays authoritative via workflow_dispatch.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant