ci: restore public multi-arch localnet images#2919
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
🛡️ AI Review — Skeptic (security review)VERDICT: SAFE VERY HIGH scrutiny: account under 30 days old, mitigated by repository-admin permission, substantive merged contributions, matching commit identity, and no known Gittensor association; branch targets staging. Static analysis covered the complete CI, Docker, package-cleanup, and localnet-script diff. Publishing uses immutable source SHAs for PR builds, rejects fork sources, isolates temporary images, and limits cleanup to expired CI-only tags. No protected AI-review or Copilot instruction files were modified. FindingsNo findings. ConclusionNo malicious behavior or security vulnerability was found in the reviewed changes. 🔍 AI Review — Auditor (domain review)VERDICT: 👍 Gittensor association is UNKNOWN; the account is new, but repository-admin permission and substantive merged Subtensor contributions reduce calibration concerns. The implementation matches the substantive PR description. No runtime-affecting files changed, and the Diff whitespace checks pass. The linked publication run provides adequate multi-architecture build, publication, and localnet lifecycle validation. FindingsNo findings. ConclusionThe image publication, immutable source selection, CI-package isolation, architecture validation, and container supervision changes are coherent and adequately tested. No actionable domain issues were found. |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
|
🔄 AI review updated — Skeptic: SAFE Auditor: 👍 |
Summary
subtensor-localnetfrom the deployment-mirror pushes for devnet and testnet, matching the existing regularsubtensorimage flowlatestas the main-compatible tag, and add immutable SHA tagsRelease linkage
After the release train verifies a runtime on devnet or testnet, it force-moves that network mirror branch to the exact deployed main commit. That push already publishes
ghcr.io/raofoundation/subtensorand now also publishesghcr.io/raofoundation/subtensor-localnetwith the matching network tag.Tag policy
main,latest, SHAdevnet, SHAtestnet, SHAE2E image isolation
The Bittensor E2E workflow builds one PR-specific localnet image and shares it across roughly 112 runner shards through GHCR. Those temporary images now publish to the separate, CI-only
subtensor-localnet-cipackage instead of appearing as permanentci-*versions in the public release package. A scheduled cleanup removes only CI SHA versions older than 30 days, preserving GitHub's workflow rerun window.Both the public and CI images now provide standard
org.opencontainers.image.*labels, so GHCR displays Subtensor metadata instead of inherited Ubuntu marketing text. The fast E2E image is pinned to the same Ubuntu 24.04 digest as the public localnet image; the bundled node binary, entrypoint, ports, and authority behavior are unchanged.Validation
Successful publication run: https://github.com/RaoFoundation/subtensor/actions/runs/29431577113