ci: adopt ci-templates v2.5.0 enrollment gate (TIN-2109)#112
Merged
Conversation
added 2 commits
June 14, 2026 17:27
- bump js-bazel-package.yml pins @v2.3.0 -> @v2.5.0 (ci.yml + publish.yml) - promote the four enrollment dimensions to first-class manifest fields (enrollment.forgeScope/operatorOverlay/executionPool/substrateMode); substrateMode=shared-cache-backed drives the now manifest-sourced expected mode in the cache-backed gate - re-vendor scripts/cache-attachment-contract.sh from v2.5.0 (manifest-driven expected mode, hosted/repo-label fallback rejection, executor-backed contract defined+enforced but not selected) Stays cache-first: cache_backed:true, substrateMode=shared-cache-backed, no --remote_executor wired.
v2.5.1 makes repo-manifest-validate dependency-free so the cache-backed manifest-validation gate works on the tinyland-nix cluster pool (the v2.5.0 gate failed on a cold nix develop lock). Vendored cache-attachment-contract.sh is unchanged between v2.5.0 and v2.5.1.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adopts the hardened TIN-2109 enrollment gate from ci-templates v2.5.0.
js-bazel-package.ymlpins@v2.3.0->@v2.5.0(ci.yml + publish.yml).supply_chain.sbom.notesprose to first-class manifest fields:enrollment.{forgeScope,operatorOverlay,executionPool,substrateMode}.substrateMode: shared-cache-backedis now the authoritative expected mode the gate enforces (declared-vs-actual mismatch fails closed).scripts/cache-attachment-contract.shfrom v2.5.0 (manifest-driven expected mode, hosted/repo-label fallback rejection, executor-backed contract defined+enforced but selected by no repo).Stays cache-first:
cache_backed: true,substrateMode: shared-cache-backed, no--remote_executorwired. CI runs on thetinyland-nixcluster pool where nix-setup injectsBAZEL_REMOTE_CACHE, so the gate attaches and rejects any hosted fallback.