Update provenance guard action#3933

Merged: PingXie merged 6 commits into valkey-io:unstable from PingXie:provenance (Jun 14, 2026)

@PingXie PingXie commented Jun 7, 2026

Member
  • update verify-provenance to require near-duplicate evidence for fuzzy provenance matches
  • normalize master/primary and slave/replica terminology.
  • print the captured provenance script log in the check workflow.

PingXie added 4 commits April 29, 2026 14:52
- Point provenance workflows at verify-provenance commit dea1178, which refines layer2 evidence policy.

- The action now filters low-scope isolated single-file matches while preserving large copied-block and related-peer-file detections.

- See valkey-io/verify-provenance@dea1178 for the implementation.

Signed-off-by: Ping Xie <pingxie@outlook.com>
Signed-off-by: Ping Xie <pingxie@outlook.com>
Signed-off-by: Ping Xie <pingxie@outlook.com>
- Pin verify-provenance to the latest provenance-gate commit.
- Normalize master/primary and slave/replica terminology.
- Print the captured provenance script log in the check workflow.

Signed-off-by: Ping Xie <pingxie@outlook.com>

coderabbitai Bot commented Jun 7, 2026

📝 Walkthrough

Two GitHub Actions workflows for provenance verification are updated: the pinned valkey-io/verify-provenance action reference is advanced in both check and refresh workflows, branding and prefix pairs configuration is consolidated into normalization_pairs using master:primary and slave:replica terminology, and a new completion-time logging step is added to the check workflow to print provenance output.

Changes

Provenance Workflow Updates

| Layer / File(s) | Summary |
| --- | --- |
| Provenance action and branding configuration: .github/workflows/provenance-check.yml, .github/workflows/provenance-refresh.yml | The valkey-io/verify-provenance action pin is advanced to a new commit in both workflows. The branding_pairs and prefix_pairs inputs are replaced with a consolidated normalization_pairs string that includes Redis:Valkey, master:primary, slave:replica, and the prior RM_/REDISMODULE_ prefix mappings. |
| Provenance output logging: .github/workflows/provenance-check.yml | A new step runs on workflow completion (including on failure) and prints the .provenance-output.log file if present, or reports that no log was found. |

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Update provenance guard action' is directly related to the main changes, which update the verify-provenance action configuration and add logging functionality. |
| Description check | ✅ Passed | The description is clearly related to the changeset, detailing three specific updates: fuzzy match verification, terminology normalization, and provenance log printing. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@hpatro hpatro left a comment

Contributor

I had completely missed the provenance check getting introduced. Nice to have it in place. How do we verify if these branding pairs work according to our need? Did we ever try out cherry-picking a Redis commit to check if this works or not?

Comment thread .github/workflows/provenance-check.yml Outdated
target_repo: "${{ github.repository }}"
branding_pairs: "Redis:Valkey"
branding_pairs: "Redis:Valkey,master:primary,slave:replica"
prefix_pairs: "RM_:VM_,REDISMODULE_:VALKEYMODULE_"
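
Review bot: the new branding_pairs value lists master:primary and slave:replica in lowercase only, while the other entries in this hunk are case-specific (Redis:Valkey, RM_:VM_, REDISMODULE_:VALKEYMODULE_). If the action matches these pairs case-sensitively, capitalized or upper-case forms of the old terms would pass through unnormalized. Confirm the matching rule or list the case variants, and add a YAML comment above the input stating which applies.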

Contributor

Should we update the prefix pairs as well?

Suggested change
prefix_pairs: "RM_:VM_,REDISMODULE_:VALKEYMODULE_"
prefix_pairs: "RM_:VM_,REDISMODULE_:VALKEYMODULE_,master_:primary_,slave_:replica_"

Member Author

I think having both prefix and branding pairs is confusing. I will simplify by merging the two.

PingXie commented Jun 9, 2026

Member Author

How do we verify if these branding pairs work according to our need? Did we ever try out cherry-picking a Redis commit to check if this works or not?

There were offenders in the past and they have been part of the regression test pass now.
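
An added sketch, not part of this thread and not the verify-provenance implementation, of the kind of regression check discussed above: a copied block that has been renamed with the thread's pairs should score as a near-duplicate once both sides are normalized. The 3-token shingle Jaccard metric, the case-insensitive substring matching and all snippet identifiers are assumptions made for illustration.

```python
import re

# Same "old:new,old:new" shape as the workflow input discussed in this thread.
NORMALIZATION_PAIRS = "Redis:Valkey,master:primary,slave:replica,RM_:VM_,REDISMODULE_:VALKEYMODULE_"

def parse_pairs(spec):
    """Parse 'old:new,...' into a lowercase mapping, rejecting malformed items."""
    table = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        old, sep, new = item.partition(":")
        if not (sep and old and new):
            raise ValueError(f"malformed pair: {item!r}")
        table[old.lower()] = new.lower()
    return table

def tokens(text, table):
    """Lowercase, rewrite old names in a single pass, then split into tokens."""
    text = text.lower()
    if table:
        # Longest key first so 'redismodule_' wins over 'redis' at the same offset.
        keys = sorted(table, key=len, reverse=True)
        pattern = re.compile("|".join(map(re.escape, keys)))
        text = pattern.sub(lambda m: table[m.group(0)], text)
    return re.findall(r"[a-z0-9_]+|[^\sa-z0-9_]", text)

def shingles(toks, k=3):
    """Set of k-token windows; order-sensitive, whitespace-insensitive."""
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}

def similarity(a, b, spec=""):
    """Jaccard similarity of token shingles; spec='' compares without renaming."""
    table = parse_pairs(spec)
    sa, sb = shingles(tokens(a, table)), shingles(tokens(b, table))
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

# Constructed snippets (hypothetical identifiers, not taken from either code base).
UPSTREAM = "int RM_DemoSync(RedisDemoCtx *c) { if (c->master == NULL) return REDISMODULE_ERR; return demo_ack(c->master, c->slave_count); }"
RENAMED = "int VM_DemoSync(ValkeyDemoCtx *c) { if (c->primary == NULL) return VALKEYMODULE_ERR; return demo_ack(c->primary, c->replica_count); }"
UNRELATED = "static size_t demo_len(const char *s) { size_t n = 0; while (s[n]) n++; return n; }"

if __name__ == "__main__":
    print("renamed, raw       :", round(similarity(UPSTREAM, RENAMED), 2))
    print("renamed, normalized:", round(similarity(UPSTREAM, RENAMED, NORMALIZATION_PAIRS), 2))
    print("unrelated          :", round(similarity(UPSTREAM, UNRELATED, NORMALIZATION_PAIRS), 2))
```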

@zuiderkwast zuiderkwast left a comment

Contributor

This is mainly a lift of the valkey-io/verify-provenance, which I haven't reviewed anyway. Here is my unblock to merge this.

Signed-off-by: Ping Xie <pingxie@outlook.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/provenance-check.yml (1)

31-38: ⚠️ Potential issue | 🔴 Critical

Remove or correct the provenance output log check.

The valkey-io/verify-provenance action does not output to .provenance-output.log. The action is designed to maintain database files (pr_fingerprints.json.gz and commits_bootstrap.json.gz) on an orphan branch for source comparison, not to produce log files. The conditional check will always fail, and the fallback message will always display regardless of the check's actual outcome. Either remove this step or revise it to display relevant output from the action's actual behavior.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/provenance-check.yml around lines 31 - 38, The "Show
Provenance Check Log" step checks for a .provenance-output.log file that the
valkey-io/verify-provenance action does not produce, causing the conditional to
always fail and the fallback message to always display. Either remove this step
entirely, or if you need to display relevant output from the action, revise it
to check for and display the actual database files that the action maintains
(pr_fingerprints.json.gz and commits_bootstrap.json.gz) on the orphan branch
instead of the non-existent log file.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/provenance-check.yml:
- Line 26: The normalization_pairs parameter used in the
valkey-io/verify-provenance action is not supported. Replace this single
parameter with two separate parameters: branding_pairs should contain the
branding normalizations (Redis:Valkey,master:primary,slave:replica) and
prefix_pairs should contain the prefix normalizations
(RM_:VM_,REDISMODULE_:VALKEYMODULE_). Split the combined value at the comma
boundary that separates the branding transformations from the prefix
transformations and assign each portion to its corresponding parameter.

📥 Commits

Reviewing files that changed from the base of the PR and between 3f5ca2e and 95102dc.

📒 Files selected for processing (2)
  • .github/workflows/provenance-check.yml
  • .github/workflows/provenance-refresh.yml

Comment thread .github/workflows/provenance-check.yml
Signed-off-by: Ping Xie <pingxie@outlook.com>

codecov Bot commented Jun 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.65%. Comparing base (ed6e9a9) to head (0ac0aa4).

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable    #3933      +/-   ##
============================================
- Coverage     76.74%   76.65%   -0.10%     
============================================
  Files           162      162              
  Lines         80788    80788              
============================================
- Hits          62002    61929      -73     
- Misses        18786    18859      +73     

see 25 files with indirect coverage changes

@PingXie PingXie merged commit 699c64e into valkey-io:unstable Jun 14, 2026
63 checks passed