chore(deps): Bump actions/checkout from 4 to 6#1
Open
dependabot[bot] wants to merge 1 commit intomainfrom
Open
chore(deps): Bump actions/checkout from 4 to 6#1dependabot[bot] wants to merge 1 commit intomainfrom
dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
dependabot
Bot
added
dependencies
dependabot
Bot
changed the title
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/checkout-6
branch
from
a8d2a35 to
a0cbe9c
Compare
dependabot
Bot
changed the title
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/checkout-6
branch
from
a0cbe9c to
a86d5a2
Compare
blackbeardONE
pushed a commit
that referenced
this pull request
Apr 22, 2026
The previous commit (cde2ee1) got govulncheck compiling again by wiring liboqs into the job so it could analyse the CGO-gated pkg/crypto. With the scan actually running end-to-end, it surfaced a real transitive vulnerability: Vulnerability #1: GO-2024-3218 Content Censorship in the InterPlanetary File System (IPFS) via Kademlia DHT abuse in github.com/libp2p/go-libp2p-kad-dht Module: github.com/libp2p/go-libp2p-kad-dht@v0.39.0 Fixed in: N/A Reached via pkg/networking/bootstrap.go -> libp2p.New() -> IpfsDHT. Because `Fixed in: N/A`, there is literally no upstream version we can upgrade to. Replacing the DHT backend outright would be a major architectural change far outside the scope of a CI hygiene fix -- that path is tracked separately (networking / DHT review). Blocking `main` forever on a finding with no upstream patch is cargo-culted security theatre, so introduce a narrow, auditable allowlist: - QSDM/scripts/govulncheck-filter.sh Runs `govulncheck -json ./...`, parses the emitted OSV ids with jq (falls back to regex grep if jq is missing), prints the raw findings for the job log, and exits: * 0 if govulncheck reports nothing, * 0 if every reported id is in the allowlist, * 1 (and a loud "UNEXPECTED vulnerabilities" message) if ANY id outside the allowlist is reported. Also propagates real tool failures (exit != {0,3}) so a genuine govulncheck crash still goes red. The allowlist today contains exactly one id (GO-2024-3218) with a mandatory comment block: OSV id, reason, Fixed-in status, and a soft expiry date (2026-10-22) so the allowlist cannot rot indefinitely; future maintainers are prompted to re-check upstream every ~6 months or replace the DHT backend. - .github/workflows/qsdm-go.yml The govulncheck step now calls the filter script instead of invoking govulncheck directly. All the CGO_* / liboqs setup is unchanged. Net result: govulncheck will go green on the next run because the only finding (GO-2024-3218) is explicitly acknowledged. The day a new CVE shows up in any of our Go deps, CI will go red with the offending OSV id printed in the log -- which is the behaviour we actually wanted from govulncheck all along. Made-with: Cursor
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/checkout-6
branch
5 times, most recently
from
7451a8c to
a28de90
Compare
blackbeardONE
pushed a commit
that referenced
this pull request
Apr 24, 2026
The consensus-maintained backing store for the nvidia-hmac-v1
registry that pkg/mining/attest/hmac has been consuming through
an in-memory stub since Phase 2c-i. Wire format + validation
+ state-view adapter only — the pkg/chain state-transition
hook that actually debits the sender's balance and inserts the
record is a separate follow-on commit (kept isolated because
consensus-critical diffs deserve their own review).
SECURITY MODEL (documented exhaustively in doc.go)
The nvidia-hmac-v1 HMAC key lives on-chain as public state.
That is by design under the ratified tiered trust-anchor
model: datacenter GPUs use nvidia-cc-v1 (real AIK crypto,
Phase 2c-iv), consumer GPUs use nvidia-hmac-v1 where
security comes from identity pinning + stake bond, NOT key
secrecy. An adversary who reads the chain can produce valid
bundles for any enrolled node_id, but the reward still flows
to the enrolled owner — so the rational worst case is
operators leaking their own keys, which is what the protocol
rewards anyway.
PACKAGE SURFACE
EnrollPayload wire format, stored in Tx.Payload
with ContractID = "qsdm/enroll/v1"
UnenrollPayload companion wire format
EnrollmentRecord on-chain state entry, keyed by
NodeID; covers stake, unbond
maturity, owner, memo
EnrollmentState read-only interface (Lookup,
GPUUUIDBound) that the chain's
state store will implement
InMemoryState reference implementation — ApplyEnroll,
ApplyUnenroll, SweepMaturedUnbonds
StateBackedRegistry adapts EnrollmentState to
hmac.Registry; defensive-copies
HMACKey so callers can't corrupt
state through returned entries
EncodeEnrollPayload canonical JSON encoder —
DecodeEnrollPayload - SetEscapeHTML(false) for cross-
EncodeUnenrollPayload platform determinism
DecodeUnenrollPayload - DisallowUnknownFields on decode so
attackers can't smuggle extras
past un-updated validators
- no trailing newline (json.Encoder
appends one; we strip)
PeekKind lenient kind-lookup for dispatch
before full decode
ValidateEnrollFields stateless check: Kind, node_id
character set (a-z0-9_-), gpu_uuid
printable-ASCII + case check,
hmac_key length [32..128],
stake_dust == mining.MinEnrollStakeDust,
memo ≤ 256 bytes, sender non-empty
ValidateEnrollAgainstState stateful: sender balance ≥
stake, node_id uniqueness,
gpu_uuid uniqueness among
ACTIVE records
ValidateUnenrollFields stateless for unenroll
ValidateUnenrollAgainstState sender == Owner, not
already unenrolled
KEY DESIGN DECISIONS
- Node_id character set [a-z0-9_-]: avoids unicode-
normalization pitfalls, matches existing miner tooling
conventions. Uppercase rejected to prevent "Alice" vs
"alice" ambiguity.
- gpu_uuid: case-preserved, must start with "GPU-" (upper)
if the prefix is present, no embedded whitespace. Looser
than RFC 4122 because nvidia-smi output varies by driver;
strict enough that "GPU-abc" ≠ "GPU-abc ".
- Stake exact-equals, not ≥: overpayment would leave surplus
in limbo. Operators who try to pay more get a clean
validation error.
- gpu_uuid released immediately on unenroll, BUT node_id
reserved until unbond matures: operators can unenroll rig
#1 and immediately enroll rig #2 with the same physical
GPU. The NAME stays locked so slashing can still target
the revoked record during its window.
- UnbondWindow = 7 days at 3s blocks = 201,600 blocks.
Genesis default, exported as var for future governance
adjustment.
- InMemoryState.ApplyEnroll / ApplyUnenroll return errors
on duplicate / missing rather than silently ignoring —
catches programmer errors where validation was skipped.
TESTS (54 new, 328 total across ./pkg/api/... ./pkg/mining/...)
codec_test.go (11):
- EnrollPayload round-trip (ensures tx signatures cover
bytes that decode back to the same struct)
- canonical bytes have no trailing newline
- encoding is deterministic across calls
- DisallowUnknownFields rejects smuggled fields
- trailing-data rejection (JSON-smuggling guard)
- wrong-kind rejection on both decoders
- PeekKind covers both variants + missing kind + non-JSON
- default-Kind on encode convenience path
validate_test.go (24):
- ValidateEnrollFields accept + 14-case table of rejects
covering every field + sentinel
- ValidateUnenrollFields accept + 4 rejects
- ValidateEnrollAgainstState accept, insufficient balance,
node_id taken, gpu_uuid taken, nil-state
- ValidateUnenrollAgainstState accept, wrong owner, already
unenrolled, unknown node
registry_test.go (11):
- StateBackedRegistry Lookup for active/not-registered/
revoked + defensive-copy check
- NilState panics (fail-loud contract)
- InMemoryState duplicate enroll fails, double unenroll
fails
- GPURebind after unenroll succeeds (physical binding
released)
- NodeID reserved during unbond (name-squatting guard)
- SweepMaturedUnbonds respects UnbondWindow boundary
- EnrollmentRecord.Active / MatureForUnbond
integration_test.go (1, crown jewel):
- Full path: payload → stateless validate → stateful
validate → ApplyEnroll → StateBackedRegistry →
NewProductionDispatcher → miner assembles bundle with
real operator key → validator accepts.
- Then ApplyUnenroll; fresh proof from the (now-revoked)
node is rejected, proving the revocation path reaches
the hmac verifier through the adapter.
EXPLICITLY NOT IN SCOPE (follow-on commits):
1. pkg/chain integration: debit sender's balance by
StakeDust, insert record into chain state, credit
released stakes to owners on sweep. Touches account
store + block sealer + receipt formatter — its own
review.
2. Block-time sweep trigger. Currently SweepMaturedUnbonds
exists but nothing calls it; the chain commit wires it
into block finalization.
3. Slashing path: governance-triggered tx that burns a
revoked record's StakeDust. Phase 2c-v.
4. HTTP/JSON-RPC surface for submitting enrollments (the
miner toolchain). Follows after chain integration.
blackbeardONE
pushed a commit
that referenced
this pull request
Apr 25, 2026
Closes Tier-A #1: the v2 slashing wire format now has a corresponding consensus applier, so on-chain slashing is end-to-end functional once concrete EvidenceVerifiers ship. - pkg/chain/slash_apply.go: SlashApplier with ApplySlashTx. * Decodes + stateless-validates the payload. * Looks up the offender via SlasherStateMutator. * Computes actualSlash = min(payload.SlashAmountDust, verifier-cap, record.StakeDust). * Atomic fee+nonce debit on the slasher before any state mutation (matches enroll/unenroll fee-burn semantics). * Replay protection via state.MarkEvidenceSeen, keyed on sha256(EvidenceKind || 0x00 || EvidenceBlob). * Slasher reward = slashed * RewardBPS / 10000, capped at SlashRewardCap (50% of forfeiture). Remainder is burned. * Dispatcher is injected; at v2 genesis all kinds are stubbed out, so slash txs reject until Tier-3 verifiers ship. - pkg/mining/enrollment: InMemoryState extended with SlashStake, MarkEvidenceSeen, and EvidenceSeen. Clone / Restore propagate the new seenEvidence set so speculative replay through ChainReplayApplier stays correct. - pkg/chain/enrollment_aware_applier.go: routes slashing.ContractID via SetSlashApplier opt-in, exposes SlashApplier() accessor, surfaces ErrSlashingNotWired for unconfigured nodes, and deep-copies the slasher (sharing the cloned EnrollmentStateMutator with the enrollment applier so both routes see one consistent snapshot). Tests: 14 new cases covering happy path, replay rejection, verifier rejection with untouched nonce/balance, unknown node, wrong contract ID, zero-fee reject, stake clamp, reward cap panic, nil-field panics, fingerprint determinism, concurrent slash race, routing via EnrollmentAwareApplier, not-wired rejection, and ChainReplay preserves slasher deep-copy. All touched packages green: chain, mining/enrollment, mining/slashing, mining/attest/{,cc,hmac}, api. Made-with: Cursor
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/checkout-6
branch
from
a28de90 to
ccfeaef
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/checkout from 4 to 6.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)08c6903Prepare v5.0.0 release (#2238)