Skip to content

fix(build): sync nested guest lockfiles#4

Merged
intel352 merged 1 commit into
mainfrom
fix/guest-lockfile-sync
Jul 13, 2026
Merged

fix(build): sync nested guest lockfiles#4
intel352 merged 1 commit into
mainfrom
fix/guest-lockfile-sync

Conversation

@intel352

Copy link
Copy Markdown

Summary

  • synchronize the independently locked ffproof guest workspaces after encrypted-spaces-changelog-core gained log
  • add a cached, fail-closed pull-request preflight that discovers every first-party guest workspace and validates locked fetch plus frozen metadata before Clippy
  • keep the bridge runtime, guest source, release artifact layout, and trust-root contract unchanged

Root cause

Main release run 29261973781 reached the RISC Zero build after about 40 minutes, then Cargo rejected ffproof/methods/guest/Cargo.lock because RISC0_BUILD_LOCKED=1 forbids updating the stale nested lock. ffproof/methods_bench/guest/Cargo.lock had the same dependency drift. The client-method and tracer guest locks were already synchronized.

Regression proof

With the lock fixes reverted:

$ cargo metadata --format-version 1 --manifest-path ffproof/methods/guest/Cargo.toml --locked
error: cannot update the lock file ... because --locked was passed

$ cargo metadata --format-version 1 --manifest-path ffproof/methods_bench/guest/Cargo.toml --locked
error: cannot update the lock file ... because --locked was passed

With the fixes restored:

PASS: 4 nested guest lockfiles are synchronized

The zero-manifest path also exits 1 with No nested guest Cargo manifests found.

Verification

  • RISC0_SKIP_BUILD=1 cargo clippy --workspace --all-targets --locked -- -D warnings
  • cargo fmt --all -- --check
  • actionlint -ignore 'actions-rs/toolchain@v1' .github/workflows/lint-prototype.yml (excludes the pre-existing format-job action warning)
  • changelog core: 240 passed
  • SDK: 324 passed, 1 intentional measurement helper ignored
  • numeric round trips: 6 passed
  • adversarial review: SHIP-IT; no Critical or Important findings

Runtime launch transcript

Build:

$ cargo build --locked -p encrypted-spaces-backend-server -p encrypted-spaces-bridge
Finished dev profile

Launch:

$ RISC0_SKIP_BUILD=1 ENCRYPTED_SPACES_BRIDGE_TEST_BINARY=<bridge> ENCRYPTED_SPACES_BACKEND_TEST_BINARY=<backend> cargo test -p encrypted-spaces-bridge --locked --test runtime runtime_member_invite_join_remove_enforces_revocation -- --exact --test-threads=1
test runtime_member_invite_join_remove_enforces_revocation ... ok
test result: ok. 1 passed; 0 failed

$ RISC0_SKIP_BUILD=1 ENCRYPTED_SPACES_BRIDGE_TEST_BINARY=<bridge> ENCRYPTED_SPACES_BACKEND_TEST_BINARY=<backend> cargo test -p encrypted-spaces-bridge --locked --test runtime runtime_space_lifecycle_survives_restart_and_membership_changes -- --exact --test-threads=1
test runtime_space_lifecycle_survives_restart_and_membership_changes ... ok
test result: ok. 1 passed; 0 failed

The revocation case emitted its expected removed-member decryption warning on stderr. Failure-signature scrape: clean.

Verdict: PASS

Scope

Continues Task 4 of the locked Signal/Encrypted Spaces group-channel plan by repairing its reproducible official-runtime release gate.

Doc-reconciliation: clean

The locked real-guest release build rejected stale independent guest locks after changelog-core gained a dependency. Check every nested guest workspace in cached pull-request lint before expensive guest compilation.
Copilot AI review requested due to automatic review settings July 13, 2026 17:01

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR restores reproducible builds for the RISC Zero “guest” workspaces by synchronizing stale nested Cargo.lock files and adding a CI preflight that validates all first-party guest manifests can resolve dependencies in a locked/frozen mode before running Clippy.

Changes:

  • Synchronize nested guest lockfiles (e.g., incorporate the new log dependency and updated internal crate versions).
  • Add a CI step that discovers all */guest/Cargo.toml manifests and runs cargo fetch --locked + cargo metadata --frozen for each prior to Clippy.
  • Expand workflow path filters so PRs touching toolchain/config (rust-toolchain*, .cargo/**) reliably trigger the lint workflow.

Reviewed changes

Copilot reviewed 1 out of 3 changed files in this pull request and generated no comments.

File Description
ffproof/methods/guest/Cargo.lock Updates guest lockfile to include the new log dependency.
ffproof/methods_bench/guest/Cargo.lock Updates guest lockfile versions and includes log to match current dependency graph.
.github/workflows/lint-prototype.yml Adds a fail-closed nested-guest lockfile validation step and broadens workflow path triggers.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@intel352
intel352 merged commit c98bc1f into main Jul 13, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants