ci: mirror Intel SDE for release proof #271

Merged: Navi Bot (project-navi-bot) merged 1 commit into main from codex/release-sde-mirror on Jun 20, 2026
@Fieldnote-Echo

Member

Summary

  • use a checksum-pinned GitHub release asset mirror for the fail-closed release AVX-512 Intel SDE proof
  • keep the existing Intel SDE version and SHA-256 verification unchanged
  • avoid Intel downloadmirror WAF/challenge responses during tag-release publishing

Verification

  • downloaded mirror archive and verified SHA-256: 50b320cd226acef7a491f5b321fc1be3c3c7984f9e27a456e64894b5b0979dd3
  • bash tests/release_signed_release_invariants.sh
  • bash tests/release_environment_settings.sh
  • git diff --check
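
The fail-closed checksum pin that makes the mirror swap safe, as an added example that is not part of this PR or the project's setup-intel-sde action. The function name `verify_pinned_sha256`, the sample files and the pin are constructed for illustration, and GNU `sha256sum` is assumed to be available.

```bash
#!/usr/bin/env bash
# Added example (not project code): fail-closed SHA-256 pin check.
# verify_pinned_sha256 and the sample files are hypothetical/constructed.

# Usage: verify_pinned_sha256 FILE EXPECTED_HEX
# 0 = digest matches pin, 1 = mismatch, 2 = unusable pin, 3 = file missing.
verify_pinned_sha256() {
  local file="$1" expected actual
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  # An empty or malformed pin is an error, never a reason to skip the check.
  case "$expected" in
    ''|*[!0-9a-f]*) echo "unusable pin" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "unusable pin length" >&2; return 2; }
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 3; }
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  if [ "$actual" != "$expected" ]; then
    echo "sha256 mismatch: got $actual, want $expected" >&2
    return 1
  fi
}

# Constructed inputs: a stand-in archive, and the kind of HTML body a WAF
# challenge can serve in place of the requested download.
demo() {
  local dir pin f
  dir="$(mktemp -d)"
  printf 'constructed stand-in archive bytes\n' > "$dir/mirror.tar.xz"
  printf '<html><body>challenge</body></html>\n' > "$dir/waf.tar.xz"
  pin="$(sha256sum "$dir/mirror.tar.xz" | cut -d' ' -f1)"  # constructed pin
  for f in mirror.tar.xz waf.tar.xz; do
    if verify_pinned_sha256 "$dir/$f" "$pin" 2>/dev/null; then
      echo "$f: accepted"
    else
      echo "$f: rejected (exit $?)"
    fi
  done
  # An unset pin variable in CI must also fail, not pass silently.
  verify_pinned_sha256 "$dir/mirror.tar.xz" "" 2>/dev/null || echo "empty pin: rejected (exit $?)"
  rm -rf "$dir"
}
demo
```

Because the check depends only on the bytes received, it gives the same answer whichever host served the archive.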

@chatgpt-codex-connector


You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@qodo-code-review


PR Summary by Qodo

CI: use GitHub mirror for Intel SDE in release AVX-512 proof
⚙️ Configuration changes 🕐 10-20 Minutes

Description

• Point release AVX-512 SDE proof to a GitHub-hosted Intel SDE mirror.
• Keep SDE version and SHA-256 pinning unchanged for fail-closed verification.
• Reduce release flakiness from Intel downloadmirror WAF/challenge responses.
Diagram

graph TD
  W["release.yml (release-avx512)"] --> A["setup-intel-sde action"] --> M{{"GitHub mirror"}} --> D{{"SDE .tar.xz"}} --> V["SHA-256 verify"] --> P["AVX-512 proof tests"]
High-Level Assessment

The following are alternative approaches to this PR:

1. Reuse existing action input name (url-base) instead of introducing source-url
  • ➕ Avoids breaking the workflow due to unexpected inputs
  • ➕ Keeps a single canonical configuration knob for download origin
  • ➖ Less semantically explicit than a dedicated mirror parameter name
2. Publish and consume SDE from a project-owned release/artifact repository
  • ➕ Full control over availability and retention policies
  • ➕ Can enforce org-level access and auditing
  • ➖ More operational overhead than using an existing GitHub release mirror
  • ➖ May require additional storage/governance decisions

Recommendation: The mirror approach is sound for release reliability (keeps checksum pinning and avoids Intel WAF/challenges). However, ensure the workflow input key matches the composite action interface: the current action defines url-base, so passing source-url may be rejected by GitHub Actions as an unexpected input unless the action is updated accordingly. If the intent is only to change the base URL, prefer wiring the mirror into the existing url-base input (or update the action to accept source-url and map it internally).

Files changed (1) +1 / -0

Other (1) +1 / -0
release.yml: Source Intel SDE from GitHub mirror for release AVX-512 proof (+1/-0)

• Adds a mirror URL parameter when invoking the Intel SDE setup action in the release AVX-512 proof job. This is intended to keep checksum verification fail-closed while avoiding Intel downloadmirror availability/WAF issues during release publishing.

.github/workflows/release.yml

@qodo-code-review


Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

Action required

1. Wrong action input name 🐞 Bug ≡ Correctness
Description
.github/workflows/release.yml passes source-url to ./.github/actions/setup-intel-sde, but the
action declares/reads url-base (no source-url), so the mirror URL will not be used and
actionlint is likely to fail the workflow due to an unknown input.
Code

.github/workflows/release.yml[R224-226]

          version: ${{ env.SDE_VERSION }}
+          source-url: https://github.com/nihui/ncnn-assets/releases/download/toolchain
          sha256: ${{ env.SDE_SHA256 }}
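
Review bot: The added `source-url` line hardcodes a download base under `nihui/ncnn-assets` (release tag `toolchain`) while the neighbouring `version` and `sha256` values come from `env`, so the values that have to change together on an SDE bump now live in two places. Move the URL into an env variable beside `SDE_VERSION` and `SDE_SHA256`, and add a comment on this line saying the mirror is only a download source and that `sha256` is what authenticates the archive, since a GitHub release asset can be replaced after upload. Also confirm that `source-url` is a key the `setup-intel-sde` action declares; if it is not, the `sha256` check runs against whatever the action downloads by default and this line has no effect.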
Relevance

⭐⭐⭐ High

Repo enforces actionlint and accepts workflow correctness fixes; release gate requires actionlint
green (PR #54, #177).

PR-#54
PR-#177
PR-#165

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The workflow uses source-url, but the composite action only defines url-base and constructs
download_url from it; additionally, the repo runs actionlint to validate action input correctness,
which will flag unknown with: keys.

.github/workflows/release.yml[220-228]
.github/actions/setup-intel-sde/action.yml[4-13]
.github/actions/setup-intel-sde/action.yml[49-65]
.github/workflows/actionlint.yml[1-6]
.github/workflows/actionlint.yml[16-30]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The release workflow passes an input (`source-url`) that is not declared by the local composite action `./.github/actions/setup-intel-sde`. The action declares `url-base` and reads `inputs.url-base`, so the added mirror URL is ignored (the action will use its default Intel mirror URL instead), and `actionlint` may fail the workflow for an unknown input.

## Issue Context
- The composite action defines `inputs.url-base` with a default Intel mirror URL.
- The workflow currently uses `source-url`, which is not a declared input.
- `actionlint` is run in CI and explicitly checks “action input validity”.

## Fix Focus Areas
- .github/workflows/release.yml[220-228]
- .github/actions/setup-intel-sde/action.yml[4-13]
- .github/actions/setup-intel-sde/action.yml[49-64]

## Suggested change
- Replace `source-url:` with `url-base:` in the workflow step.
- (Optional) If you want to support `source-url` as an alias, add it as an input in `action.yml` and have the script prefer it over `url-base` (while keeping `url-base` for backwards compatibility).

Comment thread .github/workflows/release.yml
@project-navi-bot Navi Bot (project-navi-bot) merged commit 75deb53 into main Jun 20, 2026
31 checks passed
@project-navi-bot Navi Bot (project-navi-bot) deleted the codex/release-sde-mirror branch June 20, 2026 14:53