Skip to content

ci: restore public multi-arch localnet images#2919

Open
UnArbosFive wants to merge 10 commits into
stagingfrom
codex/localnet-image-hardening
Open

ci: restore public multi-arch localnet images#2919
UnArbosFive wants to merge 10 commits into
stagingfrom
codex/localnet-image-hardening

Conversation

@UnArbosFive

@UnArbosFive UnArbosFive commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

  • publish subtensor-localnet from the deployment-mirror pushes for devnet and testnet, matching the existing regular subtensor image flow
  • publish main/localnet candidate tags directly from main, retain latest as the main-compatible tag, and add immutable SHA tags
  • build and smoke-test native amd64 and arm64 images before publishing
  • harden the existing localnet runtime, shutdown behavior, health check, and documentation without introducing a replacement public image
  • keep PR-specific E2E transport images out of the public package and provide correct OCI package metadata

Release linkage

After the release train verifies a runtime on devnet or testnet, it force-moves that network mirror branch to the exact deployed main commit. That push already publishes ghcr.io/raofoundation/subtensor and now also publishes ghcr.io/raofoundation/subtensor-localnet with the matching network tag.

Tag policy

  • main push: main, latest, SHA
  • devnet mirror push: devnet, SHA
  • testnet mirror push: testnet, SHA
  • other manual branches: sanitized branch, SHA
  • releases: version, SHA

E2E image isolation

The Bittensor E2E workflow builds one PR-specific localnet image and shares it across roughly 112 runner shards through GHCR. Those temporary images now publish to the separate, CI-only subtensor-localnet-ci package instead of appearing as permanent ci-* versions in the public release package. A scheduled cleanup removes only CI SHA versions older than 30 days, preserving GitHub's workflow rerun window.

Both the public and CI images now provide standard org.opencontainers.image.* labels, so GHCR displays Subtensor metadata instead of inherited Ubuntu marketing text. The fast E2E image is pinned to the same Ubuntu 24.04 digest as the public localnet image; the bundled node binary, entrypoint, ports, and authority behavior are unchanged.

Validation

  • tag resolver contract tests
  • YAML parsing, shell syntax, BuildKit Dockerfile checks, and clean-diff checks
  • real builds of the public runtime-base and fast E2E images with exact OCI label assertions
  • CI package isolation assertion before push
  • cleanup retention-filter edge cases, including protected and malformed tags
  • live CI-package push plus successful login, pull, retag, and test execution across E2E shards
  • native amd64 and arm64 binary builds
  • native architecture image validation
  • full amd64 localnet startup, RPC, persistence, and shutdown smoke test
  • multi-platform GHCR publish and anonymous manifest/pull/execution verification
  • local Skeptic security review and Auditor domain review

Successful publication run: https://github.com/RaoFoundation/subtensor/actions/runs/29431577113

@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
subtensor Ready Ready Preview, Comment Jul 16, 2026 12:06pm

Request Review

@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: SAFE

VERY HIGH scrutiny: account under 30 days old, mitigated by repository-admin permission, substantive merged contributions, matching commit identity, and no known Gittensor association; branch targets staging.

Static analysis covered the complete CI, Docker, package-cleanup, and localnet-script diff. Publishing uses immutable source SHAs for PR builds, rejects fork sources, isolates temporary images, and limits cleanup to expired CI-only tags. No protected AI-review or Copilot instruction files were modified.

Findings

No findings.

Conclusion

No malicious behavior or security vulnerability was found in the reviewed changes.


🔍 AI Review — Auditor (domain review)

VERDICT: 👍

Gittensor association is UNKNOWN; the account is new, but repository-admin permission and substantive merged Subtensor contributions reduce calibration concerns.

The implementation matches the substantive PR description. No runtime-affecting files changed, and the staging base has no spec-version check, so no spec_version bump is required. The single-file overlap with #2837 is incidental.

Diff whitespace checks pass. The linked publication run provides adequate multi-architecture build, publication, and localnet lifecycle validation.

Findings

No findings.

Conclusion

The image publication, immutable source selection, CI-package isolation, architecture validation, and container supervision changes are coherent and adequately tested. No actionable domain issues were found.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@UnArbosFive UnArbosFive changed the base branch from main to staging July 15, 2026 18:58
@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant