ci(browser-rbe-proof): advisory on PR, authoritative on workflow_dispatch#441
Jesssullivan wants to merge 1 commit into
…atch
The browser-rbe-proof lane is a required check on main but has hard-failed
on every PR since 2026-06-14. Root cause: the proof pins an exact
gf-reapi-cell image digest (repo var GF_REAPI_CELL_IMAGE_DIGEST, last set
2026-06-11) and the shared live gf-rbe fleet has since been promoted to a
newer digest, so the GF-side proof correctly refuses to run ("requested
digest differs from at least one live gf-rbe deployment"). A per-PR hard
gate on an exact digest match against an independently-advancing shared
fleet cannot stay green on its own, and dependabot/fork PRs additionally
cannot see the dispatch secret and hard-failed on the token check.
Adopt the house skip-green-until-armed pattern:
- Require GF dispatch token: on pull_request, soft-skip green with a clear
notice when the token is unavailable (dependabot/fork) instead of exit 1;
workflow_dispatch still hard-fails on a missing token.
- Dispatch + Verify: continue-on-error on pull_request only, so a stale-pin
/ fleet-drift failure is advisory (non-blocking) on PRs while remaining
authoritative (hard) on workflow_dispatch.
- Record PR-advisory proof result: explain the advisory posture and how to
re-arm (workflow_dispatch, or keep GF_REAPI_CELL_IMAGE_DIGEST in sync with
the live fleet).
Net: the required check stops blocking PRs while unarmed/pin-stale, and the
real proof stays authoritative via workflow_dispatch.
Root cause (evidence)
browser-rbe-proof was made a required check on main today but has hard-failed on every PR since 2026-06-14. It is not unarmed and the dispatch is not buggy: GF_REAPI_PROOF_ENABLED=true and secret GF_REAPI_PROOF_DISPATCH_TOKEN are both present, so the lane dispatches and the GF-side proof run actually starts. "Run explicit gf-reapi-cell proof" runs with: GF_REAPI_CELL_IMAGE_DIGEST=sha256:9db80cc90cb6736430cdbfcf0a0773fd89073d897ec084b9b141ded1d58661af (last set 2026-06-11, the same day this lane last went green). The live gf-rbe fleet has since been promoted to sha256:58b456281c0862da0153e8691cd77b5de43052dc25d37836329c48baf05af135 (observed on a green MassageIthaca proof). The GF guard correctly refuses to run a proof pinned to a non-live digest, and with apply defaulting true a consumer PR would be asking to promote the shared fleet backward to a stale digest.

So a per-PR hard gate on an exact digest match, against a shared fleet that advances independently of this repo, cannot stay green on its own. Dependabot/fork PRs additionally cannot see the dispatch secret and hard-failed on the token check.
Fix — house skip-green-until-armed pattern
- On pull_request, soft-skip green with a ::notice:: when the token is unavailable (dependabot/fork) instead of exit 1. workflow_dispatch still hard-fails on a missing token.
- continue-on-error: ${{ github.event_name == 'pull_request' }} — a stale-pin / fleet-drift failure is advisory (non-blocking) on PRs and remains authoritative (hard) on workflow_dispatch.

Net: the required check stops blocking PRs while unarmed/pin-stale; the real proof stays authoritative via workflow_dispatch.

Operator follow-ups (cannot be done from a workflow edit)
To actually prove changes again, pick one:
- gh variable set GF_REAPI_CELL_IMAGE_DIGEST --repo Jesssullivan/darkmap.phasi.space --body sha256:58b456281c0862da0153e8691cd77b5de43052dc25d37836329c48baf05af135 (current live digest), then re-run the proof. This must be re-synced on every gf-reapi-cell promotion — consider automating the bump in the GF publish flow.
- (workflow_dispatch) with a current digest.
- GF_REAPI_PROOF_ENABLED=false (the existing "Record skipped proof" path already soft-skips green on PRs).
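As an added example (not the workflow from this PR or the repository's own code), the three decisions described in the Root cause and Fix sections above, written as shell functions a workflow step could source: the token gate, the GF guard's exact-digest pin check, and the advisory-versus-authoritative outcome. The event name, token and digest arguments are assumed inputs, and any digests used to exercise the functions are constructed placeholders.

```shell
# Added example, not the repository's workflow. Models the gate logic the PR
# describes; event names, tokens and digests are inputs assumed by the example.

# Token gate. Exit codes: 0 = dispatch, 2 = soft-skip green with a notice,
# 1 = hard fail. Only pull_request is allowed to skip; workflow_dispatch
# (and, as an assumption here, any other event) hard-fails on a missing token.
gate_dispatch_token() {
  local event="$1" token="$2"
  [ -n "$token" ] && return 0
  case "$event" in
    pull_request)
      echo "::notice::GF dispatch token unavailable (dependabot/fork PR); proof skipped, reporting green"
      return 2 ;;
    workflow_dispatch)
      echo "::error::GF_REAPI_PROOF_DISPATCH_TOKEN is required on workflow_dispatch"
      return 1 ;;
    *)
      echo "::error::no dispatch token for event '$event'"
      return 1 ;;
  esac
}

# Pin check as the GF guard applies it: the pinned digest must equal the digest
# of every live gf-rbe deployment, otherwise the proof refuses to run.
pin_matches_live() {
  local pinned="$1" live
  shift
  for live in "$@"; do
    [ "$live" = "$pinned" ] || return 1
  done
  return 0
}

# Advisory-vs-authoritative outcome, mirroring
# continue-on-error: ${{ github.event_name == 'pull_request' }}.
# Prints pass / advisory-fail / fail; only "fail" is a non-zero exit.
proof_outcome() {
  local event="$1" proof_rc="$2"
  if [ "$proof_rc" -eq 0 ]; then
    echo pass; return 0
  elif [ "$event" = pull_request ]; then
    echo "::notice::proof failed (stale pin or fleet drift); advisory on pull_request" >&2
    echo advisory-fail; return 0
  fi
  echo fail; return 1
}
```

Wiring it into a job means calling gate_dispatch_token first and mapping exit code 2 to a green skip, then feeding the Dispatch + Verify step's exit status and GITHUB_EVENT_NAME into proof_outcome.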