Auto seed-bump PR workflow + fix reconcile/bump-seed ref resolution #6

Merged
zach merged 2 commits from feat/auto-seed-bump into main 2026-05-29 22:49:59 +00:00
Owner

Implements Option A from the cve-watch discussion: auto-open a PR for the one "necessary change" that's actually a file edit — the kernel-config seed. (A routine kernel bump is a tag push, deliberately human-gated on upstream-signature review, so it isn't automated here.)

fix(seed) — ref resolution (latent bug found while building this)

reconcile-vs-anthraxx.sh defaulted its compare ref to HEAD, and both it and bump-seed.sh check out the pinned baseline commit (detached HEAD) before checking out the target ref — so a literal HEAD resolved back to the pinned commit. The default reconcile-vs-anthraxx.sh (no arg) was therefore comparing the seed to itself and would report "no change" forever, silently defeating the drift check once anthraxx advances. Dormant today only because their packaging HEAD currently equals our pin.

  • reconcile: default ref HEAD → origin/HEAD (remote-tracking ref → anthraxx's real tip).
  • bump-seed: rewrite a literal HEAD arg → origin/HEAD. Explicit tag/commit refs were always fine.

ci — seed-bump.yml (weekly + manual dispatch)

  • Runs tools/bump-seed.sh against anthraxx's latest (origin/HEAD, or a dispatch-supplied ref). bump-seed verifies the commit's GPG signature against keys/anthraxx.gpg — an unsigned/mis-signed seed fails the job, no PR.
  • Proposes a bump only when config.x86_64's sha256 changes (a commit-only move is reverted and skipped).
  • Opens a PR with the hardening diff in the body; idempotent (skips if an open PR for the bump branch exists).
  • Never merges, never cuts a kernel tag — those stay human decisions. The next build's fidelity assertion + hardening-drift guard still run on whatever lands.
  • Token-safe: pushes via the checkout-configured credential (no token in a URL).

Operator step

Provision a SEED_BUMP_TOKEN secret (Forgejo PAT, write:repository) — documented in runner-setup.md / first-build.md, flow in config-architecture.md. Until then the PR step fails loudly; the detection still runs. Note: anthraxx hasn't advanced past our pin, so the first runs correctly no-op until they do.

Verified: shellcheck + yamllint clean; reconcile runs correctly via origin/HEAD; the workflow's sha-detection, idempotency jq, and PR-body construction tested in isolation.

🤖 Generated with Claude Code

reconcile-vs-anthraxx.sh defaulted its compare ref to `HEAD`, and both it
and bump-seed.sh check out the pinned baseline commit (detached HEAD) before
checking out the target ref. A literal `HEAD` then resolves back to the
pinned commit — so the default `reconcile-vs-anthraxx.sh` (no arg) compared
the seed to itself and ALWAYS reported "byte-identical / no action",
silently defeating the drift check once anthraxx advances. (Dormant today
only because anthraxx's packaging HEAD currently equals our pin.)

- reconcile: default ref `HEAD` -> `origin/HEAD` (a remote-tracking ref that
  points at anthraxx's default-branch tip regardless of local checkout).
- bump-seed: rewrite a literal `HEAD` arg to `origin/HEAD` for the same
  reason. Explicit tag/commit refs were always correct and are unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci: add seed-bump workflow — auto-PR when anthraxx changes config.x86_64
All checks were successful
validate / yamllint (pull_request) Successful in 12s
validate / pycompile (pull_request) Successful in 4s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
validate / shellcheck (pull_request) Successful in 12s
3198be3743
Implements the "auto-open a PR to make the necessary changes" request,
scoped to the change that actually IS a file edit: the kernel-config seed.
A routine kernel bump is a tag push (deliberately human-gated on upstream
signature review), not a file change — so this automates only the seed.

.forgejo/workflows/seed-bump.yml (weekly + manual dispatch):
- runs tools/bump-seed.sh against anthraxx's latest (origin/HEAD, or a
  dispatch-supplied ref). bump-seed verifies the commit's GPG signature, so
  an unsigned/mis-signed seed fails the job rather than opening a PR.
- proposes a bump only when config.x86_64's sha256 actually changes (a
  commit-only move is reverted and skipped); opens a PR with the hardening
  diff in the body; idempotent (skips if an open PR for the bump branch
  already exists).
- never merges and never cuts a kernel tag — those stay human decisions;
  the next build's fidelity assertion + hardening-drift guard still run.
- token-safe: pushes via the checkout-configured credential (no token in a
  URL). Needs a new SEED_BUMP_TOKEN secret (write:repository), documented in
  runner-setup.md / first-build.md; flow added to config-architecture.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
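Added illustration, not the repository's own tools/bump-seed.sh or reconcile-vs-anthraxx.sh: a POSIX sh sketch of the two decisions described in the PR description and in both commit messages above. It rewrites a literal HEAD argument to origin/HEAD (explicit tags and commits pass through), gates a proposed bump on the seed file's sha256 rather than on the upstream commit moving, and, when git is installed, reproduces why a literal HEAD resolves back to the pin after a detached checkout. The function names, the constructed seed contents and the sample tag value are assumptions of this example.

```shell
#!/bin/sh
# Example code (not from the linux-hardened-unredacted repo). Function names
# resolve_ref, sha256_of, seed_changed and demo_detached_head are assumptions.
set -eu

# Decision 1: once the script has checked out the pinned baseline detached,
# a literal HEAD names the pin itself, so rewrite it to the remote-tracking
# origin/HEAD. Anything explicit (tag, commit id, branch) is passed through.
resolve_ref() {
  case "$1" in
    HEAD) printf '%s\n' "origin/HEAD" ;;
    *)    printf '%s\n' "$1" ;;
  esac
}

# Portable sha256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Decision 2: returns 0 (true) when the candidate seed's content differs from
# the pinned one, i.e. a bump PR is warranted; returns 1 when only the upstream
# commit moved and the file is byte-identical (the "commit-only move" case).
seed_changed() {
  pinned_sum=$(sha256_of "$1")
  candidate_sum=$(sha256_of "$2")
  [ "$pinned_sum" != "$candidate_sum" ]
}

# Optional live demonstration of the latent bug, run only when git is present:
# after `git checkout <pin>` (detached), `git rev-parse HEAD` is the pin, while
# origin/HEAD still names the remote's default-branch tip.
demo_detached_head() {
  command -v git >/dev/null 2>&1 || { echo "git not available; skipping demo"; return 0; }
  work=$(mktemp -d)
  ( cd "$work" && git init -q upstream && cd upstream \
      && git -c user.name=x -c user.email=x@x commit -q --allow-empty -m pin \
      && git -c user.name=x -c user.email=x@x commit -q --allow-empty -m newer )
  git clone -q "$work/upstream" "$work/clone"
  ( cd "$work/clone"
    pin=$(git rev-parse HEAD~1)
    git checkout -q "$pin"                                 # what reconcile/bump-seed do first
    echo "literal HEAD -> $(git rev-parse HEAD)"           # equals the pin: seed vs itself
    echo "origin/HEAD  -> $(git rev-parse origin/HEAD)"    # the real upstream tip
  )
  rm -rf "$work"
}

# Stand-alone run: constructed seed files stand in for config.x86_64.
tmp=$(mktemp -d)
printf 'CONFIG_A=y\n' > "$tmp/pinned"
printf 'CONFIG_A=y\n' > "$tmp/same"                 # upstream commit moved, file did not
printf 'CONFIG_A=y\nCONFIG_B=y\n' > "$tmp/bumped"   # genuine seed change
echo "ref HEAD   -> $(resolve_ref HEAD)"
echo "ref v6.9.3 -> $(resolve_ref v6.9.3)"           # constructed tag value
if seed_changed "$tmp/pinned" "$tmp/same"; then echo "same: propose bump"; else echo "same: commit-only move, skip"; fi
if seed_changed "$tmp/pinned" "$tmp/bumped"; then echo "bumped: propose bump"; else echo "bumped: skip"; fi
rm -rf "$tmp"
demo_detached_head || echo "demo skipped"
```

The sha256 gate is what keeps the workflow quiet when anthraxx only rewrites history or moves unrelated files: a changed upstream commit with an identical config.x86_64 yields "skip", so no branch is pushed and no PR is opened.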
zach merged commit 6314844e68 into main 2026-05-29 22:49:59 +00:00
Reference
unredacted/linux-hardened-unredacted!6