Update provenance guard action #3933
PingXie
commented
Jun 7, 2026
- update verify-provenance to require near-duplicate evidence for fuzzy provenance matches
- normalize master/primary and slave/replica terminology.
- print the captured provenance script log in the check workflow.
- Point provenance workflows at verify-provenance commit dea1178, which refines layer2 evidence policy.
- The action now filters low-scope isolated single-file matches while preserving large copied-block and related-peer-file detections.
- See valkey-io/verify-provenance@dea1178 for the implementation.
Signed-off-by: Ping Xie <pingxie@outlook.com>
- Pin verify-provenance to the latest provenance-gate commit.
- Normalize master/primary and slave/replica terminology.
- Print the captured provenance script log in the check workflow.
Signed-off-by: Ping Xie <pingxie@outlook.com>
📝 Walkthrough (CodeRabbit): Two GitHub Actions workflows for provenance verification are updated: the pinned …
hpatro
left a comment
I had completely missed the provenance check getting introduced. Nice to have it in place. How do we verify that these branding pairs work according to our needs? Did we ever try out cherry-picking a Redis commit to check whether this works or not?
| target_repo: "${{ github.repository }}" | ||
| branding_pairs: "Redis:Valkey" | ||
| branding_pairs: "Redis:Valkey,master:primary,slave:replica" | ||
| prefix_pairs: "RM_:VM_,REDISMODULE_:VALKEYMODULE_" |
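Review bot: branding_pairs gains master:primary and slave:replica, but prefix_pairs on the following line still lists only RM_:VM_ and REDISMODULE_:VALKEYMODULE_, so whether identifier prefixes such as master_ and slave_ get normalized depends on whether the action applies branding pairs inside identifiers; either extend prefix_pairs to match or state in the workflow that branding pairs are applied as substrings. Worth confirming case handling too: as written, Redis:Valkey names the capitalized spelling only, so lower-case and upper-case occurrences are covered only if the action folds case.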
Should we update the prefix pairs as well?
| prefix_pairs: "RM_:VM_,REDISMODULE_:VALKEYMODULE_" | |
| prefix_pairs: "RM_:VM_,REDISMODULE_:VALKEYMODULE_,master_:primary_,slave_:replica_" |
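Review bot: master_:primary_ and slave_:replica_ overlap with the master:primary and slave:replica entries proposed for branding_pairs in the same review, and as prefix pairs they would only fire where the action anchors prefixes (master_host, but not repl_master). If the two inputs are merged into one list, keep the case-sensitive RM_ and REDISMODULE_ entries distinct from the word-level ones so the module-API prefixes are not case-folded by accident.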
I think having both prefix and branding pairs is confusing. I will simplify by merging the two.
There were offenders in the past, and they are now part of the regression test pass.
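One way to answer the question above (does a cherry-picked Redis hunk actually normalize to its Valkey form under these pairs?) is a regression-style check like the following. This is an added example, not code from valkey-io/verify-provenance or the workflow under review. It assumes pair semantics the page does not spell out: branding pairs rewrite a word wherever it occurs, including inside identifiers and in lower/Capitalized/UPPER spellings, while prefix pairs rewrite a literal identifier prefix at a word boundary, case-sensitively. The two hunks are constructed for the example and are not real Redis or Valkey source.

```python
"""Regression-style check that a cherry-picked Redis hunk normalizes to its Valkey form.

Added example for this discussion; it is not code from valkey-io/verify-provenance.
Assumed pair semantics: branding pairs rewrite a word wherever it occurs (also
inside identifiers, in lower/Capitalized/UPPER spellings); prefix pairs rewrite a
literal identifier prefix at a word boundary, case-sensitively.
"""
import re
from difflib import SequenceMatcher

# Pair specs as they appear in the workflow inputs on this page.
BRANDING_PAIRS = "Redis:Valkey,master:primary,slave:replica"
PREFIX_PAIRS = "RM_:VM_,REDISMODULE_:VALKEYMODULE_"

# Constructed sample hunks (not real Redis or Valkey source).
REDIS_HUNK = """\
/* Redis master/slave handshake */
int RM_ReplicaOf(RedisModuleCtx *ctx) {
    if (server.masterhost == NULL) return REDISMODULE_ERR;
    return REDISMODULE_OK;
}
"""
VALKEY_HUNK = """\
/* Valkey primary/replica handshake */
int VM_ReplicaOf(ValkeyModuleCtx *ctx) {
    if (server.primaryhost == NULL) return VALKEYMODULE_ERR;
    return VALKEYMODULE_OK;
}
"""


def parse_pairs(spec):
    """'src:dst,src2:dst2' -> [('src', 'dst'), ('src2', 'dst2')]; empty items are skipped."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            src, dst = item.split(":", 1)
            pairs.append((src, dst))
    return pairs


def case_variants(src, dst):
    """Spellings a branding pair is assumed to cover, duplicates removed, order kept."""
    variants = [(src, dst), (src.lower(), dst.lower()),
                (src.capitalize(), dst.capitalize()), (src.upper(), dst.upper())]
    return list(dict.fromkeys(variants))


def normalize(text, branding_spec=BRANDING_PAIRS, prefix_spec=PREFIX_PAIRS):
    """Rewrite a hunk into the target project's vocabulary before fuzzy comparison."""
    # Longest prefix first, so REDISMODULE_ is rewritten before any shorter pair sees it.
    for src, dst in sorted(parse_pairs(prefix_spec), key=lambda p: -len(p[0])):
        text = re.sub(r"\b" + re.escape(src), dst, text)
    # Branding pairs are plain substring rewrites in every assumed spelling.
    for src, dst in parse_pairs(branding_spec):
        for s, d in case_variants(src, dst):
            text = text.replace(s, d)
    return text


def similarity(a, b):
    """Whitespace-insensitive similarity in [0, 1] between two hunks."""
    def squash(s):
        return re.sub(r"\s+", " ", s).strip()
    return SequenceMatcher(None, squash(a), squash(b)).ratio()


def is_near_duplicate(candidate, reference, threshold=0.9):
    """The gate: does the normalized candidate hunk match the reference closely enough?"""
    return similarity(normalize(candidate), reference) >= threshold


if __name__ == "__main__":
    print("raw similarity       :", round(similarity(REDIS_HUNK, VALKEY_HUNK), 3))
    print("normalized similarity:", round(similarity(normalize(REDIS_HUNK), VALKEY_HUNK), 3))
    # With only the old 'Redis:Valkey' pair, master/slave survive and the match weakens.
    old = normalize(REDIS_HUNK, branding_spec="Redis:Valkey")
    print("old pairs similarity :", round(similarity(old, VALKEY_HUNK), 3))
    print("flagged as near-duplicate:", is_near_duplicate(REDIS_HUNK, VALKEY_HUNK))
```

Dropping the master:primary and slave:replica pairs (the configuration before this PR) leaves master/slave in the normalized text, which is exactly the kind of residual difference a fuzzy gate then has to absorb; keeping a known offender hunk and its expected normalized form in a test like this makes a change to the pair lists fail loudly instead of silently lowering the match score.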
zuiderkwast
left a comment
This is mainly a lift of the valkey-io/verify-provenance, which I haven't reviewed anyway. Here is my unblock to merge this.
Actionable comments posted: 1
⚠️ Outside diff range comments (1)
.github/workflows/provenance-check.yml (1)
Lines 31-38: ⚠️ Potential issue | 🔴 Critical: Remove or correct the provenance output log check.
The valkey-io/verify-provenance action does not output to .provenance-output.log. The action is designed to maintain database files (pr_fingerprints.json.gz and commits_bootstrap.json.gz) on an orphan branch for source comparison, not to produce log files. The conditional check will always fail, and the fallback message will always display regardless of the check's actual outcome. Either remove this step or revise it to display relevant output from the action's actual behavior.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/provenance-check.yml around lines 31 - 38, the "Show Provenance Check Log" step checks for a .provenance-output.log file that the valkey-io/verify-provenance action does not produce, causing the conditional to always fail and the fallback message to always display. Either remove this step entirely, or if you need to display relevant output from the action, revise it to check for and display the actual database files that the action maintains (pr_fingerprints.json.gz and commits_bootstrap.json.gz) on the orphan branch instead of the non-existent log file.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/provenance-check.yml:
- Line 26: The normalization_pairs parameter used in the
valkey-io/verify-provenance action is not supported. Replace this single
parameter with two separate parameters: branding_pairs should contain the
branding normalizations (Redis:Valkey,master:primary,slave:replica) and
prefix_pairs should contain the prefix normalizations
(RM_:VM_,REDISMODULE_:VALKEYMODULE_). Split the combined value at the comma
boundary that separates the branding transformations from the prefix
transformations and assign each portion to its corresponding parameter.
📒 Files selected for processing (2)
- .github/workflows/provenance-check.yml
- .github/workflows/provenance-refresh.yml
Codecov Report ✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##           unstable    #3933      +/-   ##
============================================
- Coverage     76.74%   76.65%   -0.10%
============================================
  Files           162      162
  Lines         80788    80788
============================================
- Hits          62002    61929     -73
- Misses        18786    18859     +73