ci: harden leanSpec fixtures release-info step#507
Conversation
The daily CI intermittently failed with `Invalid format '<!--'` when writing to $GITHUB_OUTPUT. Root cause: the fixtures release-info step fetched the release metadata and checksum with `curl -sL` (no `-f`), so a transient HTML error page from the GitHub API/asset CDN was captured as data and written verbatim into $GITHUB_OUTPUT, corrupting it. A command substitution in an assignment does not trip `set -e`, so the bad value propagated silently. Harden the step: - Authenticate the API call with github.token (unauthenticated requests share the runner IP's low rate-limit pool, the usual trigger). - Add `-f` + `--retry`/`--retry-all-errors` so HTTP errors fail fast and transient hiccups are ridden out instead of captured as data. - Fail loudly on each curl/parse (assignments don't propagate errexit). - Validate the checksum is a 64-char hex string before writing output.
Apply the same --retry/--retry-all-errors hardening to the fixtures and checksum downloads, so a transient blip in the download step can't flake CI either. Still -f-guarded and sha256-verified.
🤖 Claude Code ReviewReview:
|
🤖 Codex Code ReviewNo findings. This PR only touches the composite CI action, so the consensus-layer items you listed are not in scope for this diff. The changes in action.yml look sound: The only residual thing I’d validate is a real Automated review by OpenAI Codex · gpt-5.4 · custom prompt |
🤖 Kimi Code ReviewContext Note: This PR modifies CI infrastructure (GitHub Actions bash scripts), not Rust consensus code. Therefore, items like LMD GHOST, XMSS verification, and SSZ encoding are not applicable to this diff. The review below focuses on shell script correctness, CI security, and workflow reliability. Issues Found1. Curl version compatibility risk (Lines 22, 40, 70-71) # Add before curl calls
curl_version=$(curl --version | head -n1 | grep -oP '\d+\.\d+\.\d+')
if [[ "$(printf '%s\n' "7.71.0" "$curl_version" | sort -V | head -n1)" == "7.71.0" ]]; then
retry_all="--retry-all-errors"
else
retry_all=""
fi2. Misleading error messages on Python exceptions (Lines 35-38) asset_url() {
echo "$json" | python3 -c \
"import sys,json; name=sys.argv[1]; j=json.load(sys.stdin); \
matches=[a['browser_download_url'] for a in j.get('assets',[]) if a.get('name')==name]; \
print(matches[0]) if matches else (sys.stderr.write(f'Asset {name} not found\n') or sys.exit(2))" \
"$1"
}
# Then handle exit code 2 separately or use a generic "failed to parse" message.3. Potential word splitting in hash validation (Line 44) Security & Correctness (Positive)4. Authentication and secret handling (Line 4-6, 24) 5. Input validation before GITHUB_OUTPUT (Lines 43-46) 6. Error handling improvements (Line 15)
7. Retry logic Minor Suggestions**8. Consider Automated review by Kimi (Moonshot AI) · kimi-k2.5 · custom prompt |
Problem
The daily scheduled CI intermittently fails at the very first step of the
run-fixture-testsaction (before any Rust builds), e.g. run 28942947291:Root cause
The
Get leanSpec fixtures release infostep fetched the release metadata and the checksum asset withcurl -sL(no-f). When the GitHub API / asset CDN returned a transient HTML error page (rate-limit or 5xx), that HTML was captured as data and written verbatim into$GITHUB_OUTPUT, corrupting thekey=valuefile (<!--is the offending line). The failure was silent because a command substitution inside an assignment (var=$(...)) does not tripset -e, so the bad value flowed straight through. Unauthenticated API calls from shared-runner IPs make the rate-limit trigger routine; re-running the job usually "fixes" it.Fix
github.token(avoids the shared unauthenticated rate-limit pool).-f+--retry 5 --retry-all-errorsso HTTP errors fail fast and transient hiccups are retried instead of captured as data.$GITHUB_OUTPUT.Testing
python -c yaml.safe_load+bash -non the extracted script: pass.asset_urllookup resolves both assets; hex guard accepts a valid sha and rejects<!--.leanEthereum/leanSpeclatestrelease: resolves both asset URLs and a valid 64-hex checksum.