fix(ci): preflight-tidy retire gate 2, narrow gate 3 (#975, #976) #977
Open
millerjp wants to merge 1 commit into
Conversation
v0.2.4 second/third dispatches would have failed at gates 2 and 3 respectively after #973's gate-1 relaxation. Both rejections were false positives on routine post-release tidy output:

- Gate 2 (no go.sum deletions) rejected tidy's orphan pruning when an `// indirect` require is removed (kr/text disappeared with the v0.2.2 transitive shift). go.sum deletions reflect the local require graph, not proxy-supplied data; the supply-chain threat manifests through ADDED entries that gate 4 (sumdb cross-check) defends. Gate 2 is now retired.
- Gate 3 ("every added line in publishedModules at the released version") rejected legitimate transitive additions like `axonops/syncmap` and `golang.org/x/crypto` that v0.2.2's go.mod pulls in. The relaxed rule only enforces the version constraint on lines in our `github.com/axonops/audit/*` namespace; third-party transitives pass through and are validated by gate 4. The original threat (namespace squatter like `github.com/evil/audit`) is still caught — the defending gate shifts from 3 to 4 (sumdb has no record for the squatter and returns msgSumdbTransient).

Verified end-to-end locally against the actual `make tidy` diff this time:

    preflight-tidy-check ... → rc=0
    github.com/axonops/audit v0.2.2
    github.com/axonops/audit/file v0.2.2
    ... (all 13 axonops/audit/* modules) ...
    github.com/axonops/syncmap v1.0.0
    golang.org/x/crypto v0.52.0

Changes:

- cmd/release-tool/cmd_preflight_tidy_check.go:
  - msgGoSumDeletions, hasGoSumDeletions removed.
  - Gate 2 call site retired with rationale comment.
  - linesAreInExpectedSet only validates the version constraint on axonops/audit/* lines (new isOurModule helper).
  - Help text reflects the new gate semantics.
- cmd/release-tool/cmd_preflight_tidy_check_test.go:
  - Gate2_DeletionsAbort → GoSumDeletionsAllowed (regression anchor: deletions must pass).
  - Gate3_UnrelatedModuleAborts → Gate3_NamespaceSquatterCaughtByGate4 (regression anchor: the attack is now defended at gate 4 not 3).
  - New Gate3_TransitiveDepAllowed: golang.org/x/crypto and axonops/syncmap added lines pass gate 3 and are verified by gate 4 against fake sumdb.
- tests/release-scripts/release-yml-grep.bats: drop the test_release_yml_preflight_tidy_rejects_deletions test; drop the gate-2 anchor from _emits_exact_error_strings.
- docs/releasing.md: failure-mode table updated. Row 2 marked retired; row 3 reflects the namespace-narrowed rule.
- CHANGELOG.md: two new [Unreleased] / Fixed entries (#975, #976).

Verifications:

- `go test ./cmd/release-tool/... -count=1` clean.
- `golangci-lint run ./cmd/release-tool/...` 0 issues.
- `make test-release-scripts` 116/116 pass.
- `make regen-llms` clean.
- End-to-end: real `make tidy` on main produces rc=0.

Closes #975 and #976.
Summary
After #973's gate-1 relaxation, v0.2.4's dispatch would have hit gate 2 (`go.sum` lines deleted) and then gate 3 (unrelated checksum lines). Both were false positives on routine post-release tidy output. `axonops/audit/*` lines. Third-party transitives (`golang.org/x/crypto`, `axonops/syncmap`) pass through and are validated by gate 4. The namespace-squatter threat shifts from gate-3 detection to gate-4 sumdb-not-found rejection. Verified end-to-end against the actual real tidy diff this time.
Test plan
- `go test ./cmd/release-tool/... -count=1` — all release-tool tests pass.
- `golangci-lint run ./cmd/release-tool/...` — 0 issues.
- `make test-release-scripts` — 116/116 pass.
- `make tidy` on main, then `release-tool preflight-tidy-check` against the actual diff → rc=0 with all 15 (module, version) pairs validated against the live sum.golang.org transparency log.
- `tag-all` after merge.

Closes #975 and #976.
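The gate semantics described in this PR (deletions ignored, the version constraint enforced only inside our namespace, everything that passes handed to a sumdb cross-check where a squatter path with no record is rejected) sketched as an added Go example. This is not the release-tool's own code: `gate3`, `gate4`, `preflight`, `addedLines`, the `ourNamespace` constant, the constructed `sampleDiff` with placeholder hash columns, and the in-memory `sampleSumdb` standing in for sum.golang.org are all assumptions made for illustration, and `isOurModule` here is a reimplementation of the idea, not the helper from the PR.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical value for this example: the namespace whose modules we release together.
const ourNamespace = "github.com/axonops/audit"

// goSumLine is one go.sum entry; Version keeps any "/go.mod" suffix, as the sumdb does.
type goSumLine struct{ Module, Version, Hash string }

// isOurModule matches the root module and submodules under our namespace only; a
// look-alike path such as github.com/evil/audit is deliberately not ours.
func isOurModule(path string) bool {
	return path == ourNamespace || strings.HasPrefix(path, ourNamespace+"/")
}

// addedLines keeps the "+" lines of a unified diff, dropping the "+++" file header.
// Deleted lines are ignored on purpose: a tidy prune of an orphaned require is not a signal.
func addedLines(diff string) []string {
	var out []string
	for _, l := range strings.Split(diff, "\n") {
		if strings.HasPrefix(l, "+") && !strings.HasPrefix(l, "+++") {
			out = append(out, l[1:])
		}
	}
	return out
}

// gate3 enforces the version constraint only inside our namespace: every added line for
// one of our modules must be at releasedVersion. Third-party lines pass through to gate 4.
func gate3(diff, releasedVersion string) ([]goSumLine, error) {
	var pass []goSumLine
	for _, raw := range addedLines(diff) {
		f := strings.Fields(raw)
		if len(f) != 3 {
			return nil, fmt.Errorf("gate 3: malformed go.sum line %q", raw)
		}
		v := strings.TrimSuffix(f[1], "/go.mod")
		if isOurModule(f[0]) && v != releasedVersion {
			return nil, fmt.Errorf("gate 3: %s is at %s, expected %s", f[0], v, releasedVersion)
		}
		pass = append(pass, goSumLine{Module: f[0], Version: f[1], Hash: f[2]})
	}
	return pass, nil
}

// gate4 checks each line gate 3 let through against a sumdb ("module version[/go.mod]" -> hash,
// standing in for sum.golang.org) and returns the distinct (module, version) pairs it validated.
// A module the sumdb has never recorded, such as a namespace squatter, fails here, not at gate 3.
func gate4(lines []goSumLine, db map[string]string) ([]string, error) {
	seen, pairs := map[string]bool{}, []string{}
	for _, ln := range lines {
		key := ln.Module + " " + ln.Version
		if want, ok := db[key]; !ok || want != ln.Hash {
			return nil, fmt.Errorf("gate 4: sumdb has no matching record for %s", key)
		}
		if p := ln.Module + " " + strings.TrimSuffix(ln.Version, "/go.mod"); !seen[p] {
			seen[p] = true
			pairs = append(pairs, p)
		}
	}
	return pairs, nil
}

func preflight(diff, releasedVersion string, db map[string]string) ([]string, error) {
	lines, err := gate3(diff, releasedVersion)
	if err != nil {
		return nil, err
	}
	return gate4(lines, db)
}

// Constructed sample diff: tidy pruned an orphaned indirect (kr/text) and added our new
// release plus two third-party transitives. Hash columns are placeholders, not real sums.
const sampleDiff = `--- a/go.sum
+++ b/go.sum
@@ -1,1 +1,5 @@
-github.com/kr/text v0.2.0 h1:PLACEHOLDER-krtext
+github.com/axonops/audit v0.2.2 h1:PLACEHOLDER-audit-022
+github.com/axonops/audit v0.2.2/go.mod h1:PLACEHOLDER-audit-022-mod
+github.com/axonops/audit/file v0.2.2 h1:PLACEHOLDER-file-022
+github.com/axonops/syncmap v1.0.0 h1:PLACEHOLDER-syncmap
+golang.org/x/crypto v0.52.0 h1:PLACEHOLDER-xcrypto
`

// Constructed sumdb holding records for exactly the modules added above.
var sampleSumdb = map[string]string{
	"github.com/axonops/audit v0.2.2":        "h1:PLACEHOLDER-audit-022",
	"github.com/axonops/audit v0.2.2/go.mod": "h1:PLACEHOLDER-audit-022-mod",
	"github.com/axonops/audit/file v0.2.2":   "h1:PLACEHOLDER-file-022",
	"github.com/axonops/syncmap v1.0.0":      "h1:PLACEHOLDER-syncmap",
	"golang.org/x/crypto v0.52.0":            "h1:PLACEHOLDER-xcrypto",
}

func main() {
	fmt.Println(preflight(sampleDiff, "v0.2.2", sampleSumdb))
}
```

Running it on the constructed diff yields four distinct pairs (the zip and `/go.mod` lines for the root module collapse into one) and no error; appending a `github.com/evil/audit` line passes `gate3`, because the namespace check is exact on the prefix, and is then rejected by `gate4` for having no sumdb record, which is the shift in defending gate the PR describes.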