validate-pr: accept context-only cherry-picks #479
Draft
nirmoy wants to merge 2 commits into
BaseOS Kernel Review

Summary

CI actions in validate-pr-tests.yml are pinned to the floating tag @v6 instead of an immutable SHA, risking execution of injected code if the tag is hijacked. In validate-pr, a bare except in is_context_only_replay silently turns any bug into a spurious MISMATCH with no diagnostics, and an unsanitized object_dir could inject an extra object store via a colon-containing path.

Findings: Critical: 0, High: 1, Medium: 2, Low: 2
Latest watcher review: open review
Generated test plan: open test plan
Kernel deb build: failed (failure log, build artifacts)
Head:

This comment is maintained by nv-pr-bot. It is updated when the GitHub watcher publishes a newer review.
Summary
github-actionschanges

Root cause

NVIDIA/NV-Kernels#476 applies two independent upstream commits that touch adjacent lines. The second local commit therefore has different diff context even though its changed lines are identical to upstream, causing git patch-id --stable to report a mismatch.

The fallback remains fail-closed: changed content, relocation to another occurrence, replay conflicts/errors, malformed Git output, and unequal trees still fail validation.

Validation

python3 .github/scripts/test_validate_pr.py -v — 8/8 passed
daccaf10eb077..50594a932608 passed with:
    50594a932608: context
    ddc654b5fbd0: match
git diff --check passed

Fork workflow replay

daccaf10eb077/50594a932608, matching upstream PR [26.04_linux-nvidia] Pull Request - vlan and log fixes to lan743x driver #476
50594a932608=context; ddc654b5fbd0=match
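
The context-only case described under "Root cause", as an added example that is not code from this pull request or from validate-pr: it compares only the added and removed lines of two git-format diffs and returns mismatch for anything it cannot parse. The function names, the file drv.c and the sample diffs are constructed assumptions, and this text-only comparison is a simplification that does not replay the patch or compare trees, so it cannot detect relocation to another occurrence.

```python
import re

HUNK = re.compile(r"^@@ -\d+(,\d+)? \+\d+(,\d+)? @@")

def parse(diff):
    """Map path -> [(kind, text)] for a git-format unified diff; kind is ' ', '+' or '-'.
    Raises ValueError on anything unexpected so the caller can fail closed."""
    files, path, in_hunk = {}, None, False
    for line in diff.splitlines():
        if line.startswith("diff --git "):
            path, in_hunk = None, False
        elif HUNK.match(line):
            if path is None:
                raise ValueError("hunk before file header")
            in_hunk = True
        elif in_hunk:
            if line[:1] not in (" ", "+", "-"):
                raise ValueError(f"unexpected hunk line: {line!r}")
            files[path].append((line[0], line[1:]))
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
            files.setdefault(path, [])
    return files

def changes_only(files):
    # Drop context lines; keep the ordered added/removed lines per file.
    return {p: [l for l in ls if l[0] != " "] for p, ls in files.items()}

def classify(upstream, local):
    """Return 'match', 'context' or 'mismatch' (the fail-closed default)."""
    try:
        up, lo = parse(upstream), parse(local)
    except ValueError:
        return "mismatch"
    if not any(changes_only(up).values()):
        return "mismatch"  # nothing to compare: never accept an empty change
    if up == lo:
        return "match"     # stand-in for equal patch-ids: context included
    if changes_only(up) == changes_only(lo):
        return "context"   # same changed lines, different surrounding context
    return "mismatch"

# Constructed sample diffs: LOCAL has an adjacent line already changed by another pick.
HEAD = "diff --git a/drv.c b/drv.c\n--- a/drv.c\n+++ b/drv.c\n@@ -10,3 +10,3 @@\n"
UPSTREAM = HEAD + ' setup();\n-mtu = 1500;\n+mtu = 9000;\n log("up");\n'
LOCAL = HEAD + ' setup();\n-mtu = 1500;\n+mtu = 9000;\n log_info("up");\n'
TAMPERED = LOCAL.replace("9000", "65535")
MALFORMED = LOCAL + "garbage\n"
```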