fix(ci): harden verify/rust-runner against flaky packages.microsoft.com apt source (#2975)#4115
Merged
rysweet merged 1 commit intoJul 16, 2026
Conversation
…om apt source (#2975) GitHub-hosted runner images ship `packages.microsoft.com` apt sources that periodically serve an invalid `InRelease` file ("NOSPLIT" / "no longer signed"). When that happens every `apt-get update` exits 100 and turns the default-branch `verify` workflow red even though nothing in our code changed — a recurring spurious failure in the CI-health steward's scope (issue #2975). Fix: a small, idempotent, non-fatal `scripts/ci-harden-apt.sh` strips the Microsoft apt sources (both `sources.list.d/*.list|*.sources` and monolithic `sources.list`) BEFORE any `apt-get update`. Wired into every network-fetching apt consumer: - `.github/actions/rust-runner-prep/action.yml` — before the mold `apt-get update` - `.github/workflows/verify.yml` (e2e-dashboard) — before `playwright install --with-deps` (`apt-get clean` needs no hardening — it fetches no repos.) None of our jobs need the Microsoft repos; they install only Ubuntu-archive packages. Regression rigor (which the prior stale duplicate PR #2986 lacked): - tests/ci_harden_apt_wiring.rs — asserts the script exists + is executable and that the hardening step is wired BEFORE the apt consumer in both files. - tests/gadugi/ci-harden-apt.{sh,yaml} — outside-in qa-team scenario that exercises the script in an isolated fake apt tree (Microsoft-only removal, third-party/Ubuntu preservation, idempotency) and runs the Rust guard. The script takes APT_SOURCES_LIST_D / APT_SOURCES_LIST / CI_HARDEN_APT_SUDO env overrides so the behaviour is verifiable with no sudo and no network. Supersedes and dedupes the stale PR #2986 (same steward goal, older instance). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
rysweet
deleted the
engineer/steward-ci-github-actions-health-across-all-gov-e06d9e64-1784153844-d227ed
branch
July 16, 2026 01:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Steward: CI/GitHub-Actions health — Simard
Standing-goal steward run. Swept the default branch's Actions health, diagnosed
the open failures, and shipped a fix for the one still-unresolved distinct
failure, deduping a stale duplicate PR.
Default-branch failure sweep (diagnosis)
Dependabot Updatesdtolnay/rust-toolchainunknown_error# stable/# nightly) that Dependabot's shallow clone can't resolvemainby #4077 (pins nowe97e2d8c… # v1). No action needed.verify(pre-commit,e2e-dashboard)packages.microsoft.comapt sources that periodically serve an invalidInRelease(NOSPLIT/ "no longer signed") →apt-get updateexits 100 → spurious redverify,release,advisory-scan,coverage(functional)Verified every SHA-pinned
uses:onmainnow carries a default-branch-reachableversion-tag comment (no diverged per-tool/per-channel pins remain), so the
Dependabot ecosystem is healthy going forward.
This PR — flaky
packages.microsoft.comapt hardening (#2975)scripts/ci-harden-apt.sh(idempotent, non-fatal) strips the Microsoft aptsources — both
sources.list.d/*.{list,sources}and monolithicsources.list—before any network-fetching
apt-get update. Wired into every such consumer:.github/actions/rust-runner-prep/action.yml— before the moldsudo apt-get update..github/workflows/verify.yml(e2e-dashboard) — beforenpx playwright install --with-deps.(
apt-get cleanneeds no hardening — it fetches no repos.) Our jobs install onlyUbuntu-archive packages (mold, Playwright browser deps), so dropping the Microsoft
sources is safe. The script accepts
APT_SOURCES_LIST_D/APT_SOURCES_LIST/CI_HARDEN_APT_SUDOoverrides so its behaviour is testable with no sudo/network.Dedupe
Supersedes the stale PR #2986 (same steward goal, older instance,
…-1783461322-…), which carried the same idea but is 8 days old,UNSTABLE, andlacked the regression rigor below. Closing #2986 in favor of this one → one PR
per distinct failure.
Merge-ready evidence
1. qa-team scenarios (
gadugi-test)Scenario:
tests/gadugi/ci-harden-apt.{yaml,sh}— outside-in; exercises thescript in an isolated fake apt tree (Microsoft-only removal, third-party/Ubuntu
preservation, idempotency), asserts both CI jobs wire it, and runs the Rust guard.
Behavioural assertions (from the scenario run):
OK: removes only Microsoft sources; preserves Ubuntu + third-party·OK: idempotent (second run is a no-op)·OK: both apt-consuming CI jobs invoke ci-harden-apt.sh·OK: ci_harden_apt_wiring regression guard passed·PASS.2. Docs / changed surfaces
No user-facing surface changes. Changed surfaces are CI-internal only:
scripts/ci-harden-apt.sh(CI helper), two workflow/composite-action wirings,and two test files. Intent is documented inline in the script header and both
workflow step comments. Internal-only → no external docs update required.
3. quality-audit (≥3 SEEK→VALIDATE→FIX cycles, clean final)
set -euo pipefail,quoting, deb822 vs one-line handling, sudo usage, no injection from untrusted
input. VALIDATE: behavioural harness (MS removal, non-MS preservation,
monolithic disable, idempotency) all green. FIX: added env overrides so the
script is testable without sudo/network.
find()first-match,which matched the substrings inside the step comments before the real command.
VALIDATE: 2/3 Rust tests failed — bug caught. FIX: matched the real run commands
(
sudo apt-get update,npx playwright install --with-deps), which don't appearin comments → 3/3 pass.
actions/checkoutprecedesrust-runner-prepin all consumers (verify,coverage, advisory-scan) and precedes the e2e harden step, so
$GITHUB_WORKSPACE/scripts/ci-harden-apt.shexists at runtime; confirmed allnetwork-fetching apt consumers are covered. VALIDATE:
cargo fmt --all --check,shellcheck(clean),cargo clippy --test ci_harden_apt_wiring -D warnings,local pre-commit (rust-only gate + release clippy) and pre-push (race-subset
test +
--all-targets --all-features --lockedclippy) all passed. FIX:cargo fmt.Final cycle clean: zero critical/high; zero medium correctness/security findings.
4. CI
Local mirrors of CI green before push:
cargo fmt --all --check✓,cargo clippy --release -D warnings✓.cargo test --release✓,cargo clippy --all-targets --all-features --locked -D warnings✓.cargo test --test ci_harden_apt_wiring→ 3 passed; 0 failed.Full GitHub
verify/releaseCI status is linked on this PR; will be confirmed100% green (0 failures) before marking ready.
6. Focused diff
6 files, +361/-0: 2 workflow/action wirings,
scripts/ci-harden-apt.sh, and 3test artifacts. No unrelated edits.