chore(deps): Bump docker/login-action from 3 to 4 #2
Open
dependabot[bot] wants to merge 1 commit into main from
49f861c to 811f59c
Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3...v4)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
811f59c to d20b526
blackbeardONE pushed a commit that referenced this pull request Apr 24, 2026
The consensus-maintained backing store for the nvidia-hmac-v1
registry that pkg/mining/attest/hmac has been consuming through
an in-memory stub since Phase 2c-i. Wire format + validation
+ state-view adapter only — the pkg/chain state-transition
hook that actually debits the sender's balance and inserts the
record is a separate follow-on commit (kept isolated because
consensus-critical diffs deserve their own review).
SECURITY MODEL (documented exhaustively in doc.go)
The nvidia-hmac-v1 HMAC key lives on-chain as public state.
That is by design under the ratified tiered trust-anchor
model: datacenter GPUs use nvidia-cc-v1 (real AIK crypto,
Phase 2c-iv), consumer GPUs use nvidia-hmac-v1 where
security comes from identity pinning + stake bond, NOT key
secrecy. An adversary who reads the chain can produce valid
bundles for any enrolled node_id, but the reward still flows
to the enrolled owner — so the rational worst case is
operators leaking their own keys, which is what the protocol
rewards anyway.
PACKAGE SURFACE
- EnrollPayload: wire format, stored in Tx.Payload with ContractID = "qsdm/enroll/v1"
- UnenrollPayload: companion wire format
- EnrollmentRecord: on-chain state entry, keyed by NodeID; covers stake, unbond maturity, owner, memo
- EnrollmentState: read-only interface (Lookup, GPUUUIDBound) that the chain's state store will implement
- InMemoryState: reference implementation — ApplyEnroll, ApplyUnenroll, SweepMaturedUnbonds
- StateBackedRegistry: adapts EnrollmentState to hmac.Registry; defensive-copies HMACKey so callers can't corrupt state through returned entries
- EncodeEnrollPayload, DecodeEnrollPayload, EncodeUnenrollPayload, DecodeUnenrollPayload: canonical JSON encoder —
  - SetEscapeHTML(false) for cross-platform determinism
  - DisallowUnknownFields on decode so attackers can't smuggle extras past un-updated validators
  - no trailing newline (json.Encoder appends one; we strip)
- PeekKind: lenient kind-lookup for dispatch before full decode
- ValidateEnrollFields: stateless check: Kind, node_id character set (a-z0-9_-), gpu_uuid printable-ASCII + case check, hmac_key length [32..128], stake_dust == mining.MinEnrollStakeDust, memo ≤ 256 bytes, sender non-empty
- ValidateEnrollAgainstState: stateful: sender balance ≥ stake, node_id uniqueness, gpu_uuid uniqueness among ACTIVE records
- ValidateUnenrollFields: stateless for unenroll
- ValidateUnenrollAgainstState: sender == Owner, not already unenrolled
KEY DESIGN DECISIONS
- Node_id character set [a-z0-9_-]: avoids unicode-normalization
pitfalls, matches existing miner tooling conventions. Uppercase
rejected to prevent "Alice" vs "alice" ambiguity.
- gpu_uuid: case-preserved, must start with "GPU-" (upper)
if the prefix is present, no embedded whitespace. Looser
than RFC 4122 because nvidia-smi output varies by driver;
strict enough that "GPU-abc" ≠ "GPU-abc ".
- Stake exact-equals, not ≥: overpayment would leave surplus
in limbo. Operators who try to pay more get a clean
validation error.
- gpu_uuid released immediately on unenroll, BUT node_id
reserved until unbond matures: operators can unenroll rig
#1 and immediately enroll rig #2 with the same physical
GPU. The NAME stays locked so slashing can still target
the revoked record during its window.
- UnbondWindow = 7 days at 3s blocks = 201,600 blocks.
Genesis default, exported as var for future governance
adjustment.
- InMemoryState.ApplyEnroll / ApplyUnenroll return errors
on duplicate / missing rather than silently ignoring —
catches programmer errors where validation was skipped.
TESTS (54 new, 328 total across ./pkg/api/... ./pkg/mining/...)
codec_test.go (11):
- EnrollPayload round-trip (ensures tx signatures cover
bytes that decode back to the same struct)
- canonical bytes have no trailing newline
- encoding is deterministic across calls
- DisallowUnknownFields rejects smuggled fields
- trailing-data rejection (JSON-smuggling guard)
- wrong-kind rejection on both decoders
- PeekKind covers both variants + missing kind + non-JSON
- default-Kind on encode convenience path
validate_test.go (24):
- ValidateEnrollFields accept + 14-case table of rejects
covering every field + sentinel
- ValidateUnenrollFields accept + 4 rejects
- ValidateEnrollAgainstState accept, insufficient balance,
node_id taken, gpu_uuid taken, nil-state
- ValidateUnenrollAgainstState accept, wrong owner, already
unenrolled, unknown node
registry_test.go (11):
- StateBackedRegistry Lookup for active/not-registered/
revoked + defensive-copy check
- NilState panics (fail-loud contract)
- InMemoryState duplicate enroll fails, double unenroll
fails
- GPURebind after unenroll succeeds (physical binding
released)
- NodeID reserved during unbond (name-squatting guard)
- SweepMaturedUnbonds respects UnbondWindow boundary
- EnrollmentRecord.Active / MatureForUnbond
integration_test.go (1, crown jewel):
- Full path: payload → stateless validate → stateful
validate → ApplyEnroll → StateBackedRegistry →
NewProductionDispatcher → miner assembles bundle with
real operator key → validator accepts.
- Then ApplyUnenroll; fresh proof from the (now-revoked)
node is rejected, proving the revocation path reaches
the hmac verifier through the adapter.
EXPLICITLY NOT IN SCOPE (follow-on commits):
1. pkg/chain integration: debit sender's balance by
StakeDust, insert record into chain state, credit
released stakes to owners on sweep. Touches account
store + block sealer + receipt formatter — its own
review.
2. Block-time sweep trigger. Currently SweepMaturedUnbonds
exists but nothing calls it; the chain commit wires it
into block finalization.
3. Slashing path: governance-triggered tx that burns a
revoked record's StakeDust. Phase 2c-v.
4. HTTP/JSON-RPC surface for submitting enrollments (the
miner toolchain). Follows after chain integration.
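
The codec rules listed in the commit message above (SetEscapeHTML(false), DisallowUnknownFields on decode, stripping the newline json.Encoder appends, trailing-data and wrong-kind rejection), as an added Go example that is not the project's own code. The struct layout, the "enroll" kind tag and the names EncodeCanonical and DecodeStrict are assumptions; only the JSON key names come from the message.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

const EnrollKind = "enroll" // assumed kind tag; all names in this block are hypothetical

type EnrollPayload struct {
	Kind    string `json:"kind"`
	NodeID  string `json:"node_id"`
	HMACKey []byte `json:"hmac_key"`
	Memo    string `json:"memo,omitempty"`
}

// EncodeCanonical returns the bytes a tx signature would cover: no HTML escaping, no trailing newline.
func EncodeCanonical(p EnrollPayload) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	err := enc.Encode(p)
	return bytes.TrimSuffix(buf.Bytes(), []byte("\n")), err // json.Encoder appends "\n"
}

// DecodeStrict rejects unknown fields, trailing data and a wrong kind.
func DecodeStrict(raw []byte) (EnrollPayload, error) {
	var p EnrollPayload
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&p); err != nil {
		return EnrollPayload{}, err
	}
	if _, err := dec.Token(); err != io.EOF { // only EOF proves nothing follows the object
		return EnrollPayload{}, fmt.Errorf("trailing data after payload")
	}
	if p.Kind != EnrollKind {
		return EnrollPayload{}, fmt.Errorf("unexpected kind %q", p.Kind)
	}
	return p, nil
}

func main() {
	b, _ := EncodeCanonical(EnrollPayload{Kind: EnrollKind, NodeID: "rig-01", Memo: "a<b"}) // constructed sample
	_, err := DecodeStrict(append(b, "{}"...))                                              // second JSON value appended
	fmt.Printf("%s\n%v\n", b, err)
}
```
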
Bumps docker/login-action from 3 to 4.
Release notes
Sourced from docker/login-action's releases.
... (truncated)
Commits
- 4907a6d Merge pull request #930 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
- 1e233e6 chore: update generated content
- 6c24ead build(deps): bump the aws-sdk-dependencies group with 2 updates
- ee034d7 Merge pull request #958 from docker/dependabot/npm_and_yarn/lodash-4.18.1
- 1527209 Merge pull request #937 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
- d39362a build(deps): bump lodash from 4.17.23 to 4.18.1
- a6f092b chore: update generated content
- 60953f0 build(deps): bump the proxy-agent-dependencies group with 2 updates
- 62c6885 Merge pull request #936 from docker/dependabot/npm_and_yarn/docker/actions-to...
- 102c0e6 chore: update generated content