Rel v25.10.2 #1734
Merged
Rel v25.10.2 #1734
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes crossbario#1733, crossbario#1732 - Prevents corrupted artifacts from reaching PyPI ## Problem Native wheels (macOS, Windows, Linux no-NVX) had NO checksum verification during artifact transfer from wheels workflow to release workflows. This is the SAME vulnerability that allowed the corrupted v25.10.1 source distribution to reach PyPI (issue crossbario#1714). The root cause: all three native wheel artifacts download to the same dist/ directory with files all named CHECKSUMS.sha256, causing them to overwrite each other. Only the last downloaded checksum file remains, leaving most wheels unverified. ## Solution Implemented immediate verification pattern for all three release jobs (release-development, release-nightly, release-stable): 1. Changed from merge-multiple downloads to separate artifact downloads 2. Verify checksums immediately after each download, before the next download overwrites the checksum file 3. Fail fast on any checksum mismatch or missing files ## Coverage ALL artifact transfer pairs now have SHA256 verification: - ✅ Source distributions (wheels → release) - already fixed in prior commit - ✅ macOS ARM64 wheels (wheels → release) - NEW - ✅ Windows x86_64 wheels (wheels → release) - NEW - ✅ Linux no-NVX wheels (wheels → release) - NEW - ✅ Manylinux wheels with NVX (wheels-docker → release) - already existed - ✅ ARM64 wheels with NVX (wheels-arm64 → release) - already existed Complete end-to-end cryptographic chain of custody from build → PyPI.
Fixes crossbario#1731 - Adds comprehensive Conda installation guidance ## Changes 1. **New documentation structure** - Created `docs/environments/` directory for environment-specific guides - Added `docs/environments/index.rst` overview page - Moved `autobahn-on-free-threaded-python.rst` → `environments/free-threaded-python.rst` 2. **New Conda documentation** (`docs/environments/conda.rst`) - Explains why conda-forge lags behind PyPI - Recommends `pip install autobahn` within Conda environments - Documents native wheel selection and NVX acceleration - Troubleshooting guide for common Conda issues - Addresses user feedback from issue crossbario#1731 3. **Updated references** - Modified `docs/index.rst` to reference new `environments/index` section - Updated reference label from `autobahn-on-free-threaded-python` to `free-threaded-python` ## Why This Structure Consolidates all environment-specific documentation under a single section, making it easier for users to find platform/deployment-specific guidance. Future additions (Docker, embedded systems, etc.) can follow the same pattern. ## Documentation Quality - Follows existing .rst formatting patterns - Includes comprehensive examples and code blocks - Cross-references related documentation pages - Provides troubleshooting sections - Uses consistent section hierarchy Addresses user confusion about installing Autobahn in Conda environments and getting outdated versions from conda-forge.
Updates wheels.yml to use new upload-artifact-verified action from wamp-cicd.
## Changes
1. **Updated .cicd submodule** to bfe9880 (includes new verified artifact actions)
2. **Replaced all upload-artifact@v4 calls** with upload-artifact-verified:
- wheels-{platform}-{arch} upload (line 591)
- source-distribution upload (line 773, Linux only)
- linux-wheels-no-nvx upload (line 781, Linux only)
3. **Simplified upload paths** from file patterns to entire dist/ directory
## Behavior Changes
**Before:**
- Manual CHECKSUMS.sha256 generation (kept for debugging)
- Upload specific files via YAML list pattern
- No meta-checksum verification
**After:**
- Automated CHECKSUMS.sha256 generation by verified action
- Upload entire dist/ directory (includes all build outputs)
- Auto-generated CHECKSUMS.sha256.meta for integrity verification
- Filesystem sync before/after checksum generation
## Files in Uploaded Artifacts
Each artifact now includes:
- Original build outputs (*.whl, *.tar.gz, *.verify.txt, VALIDATION.txt)
- CHECKSUMS.sha256 (generated by action, replaces manual version)
- CHECKSUMS.sha256.meta (NEW - enables two-level verification)
## Security Improvement
Artifacts now have cryptographic chain-of-custody protection:
1. Build creates files → dist/
2. verified-upload generates checksums + meta-checksum
3. verified-download verifies meta-checksum → checksums → files
4. Any corruption during artifact transfer is detected
This prevents corrupted artifacts (like the PyPy ARM64 wheel in v25.10.1)
from reaching the release workflow and ultimately PyPI.
Part of fixing crossbario#1733, crossbario#1732 (chain-of-custody verification).
…verification
This commit integrates the new verified artifact actions from wamp-cicd to
replace standard GitHub Actions artifact handling with cryptographically
verified transfers that include automatic retry logic for GitHub storage
eventual consistency issues.
Changes:
1. wheels-docker.yml (line 478-484):
- Replaced upload-artifact@v4 with upload-artifact-verified
- Changed from file patterns to directory path (wheelhouse/)
- Automatic CHECKSUMS.sha256 and meta-checksum generation
2. wheels-arm64.yml (line 414-419):
- Replaced upload-artifact@v4 with upload-artifact-verified
- Changed from file patterns to directory path (wheelhouse/)
- Automatic CHECKSUMS.sha256 and meta-checksum generation
3. release.yml (multiple locations):
- Replaced download-artifact@v4 with download-artifact-verified for:
* wheels-macos-arm64 (3 occurrences)
* wheels-windows-x86_64 (3 occurrences)
* source-distribution (3 occurrences)
* linux-wheels-no-nvx (3 occurrences)
- Removed 12 manual "Re-verify" steps (replaced by built-in verification)
- Added max-attempts: 3 and retry-delay: 60 for all downloads
- Preserved continue-on-error behavior for optional artifacts
Technical improvements:
- Two-level cryptographic verification:
1. Meta-checksum verifies CHECKSUMS.sha256 integrity
2. Individual file checksums verify each artifact file
- Automatic retry logic with delay handles GitHub Actions storage eventual
consistency issues (artifacts marked "completed" before async writes finish)
- Filesystem sync before/after checksum generation ensures QEMU buffer flush
- Self-contained verification (checksum files travel with artifacts)
- Fail-safe design: only succeeds after complete verification
Note: Pattern-based downloads (artifacts-*, artifacts-arm64-*) still use
standard download-artifact@v4 with merge-multiple because the verified action
doesn't yet support pattern matching. These artifacts are protected at upload
time by the verified upload actions in wheels-docker.yml and wheels-arm64.yml.
Related issues:
- Addresses artifact corruption detected in run 18516073936
- Implements solution discussed in issue crossbario#1714
Added detailed Sphinx-compatible docstrings for the following public API attributes to improve documentation and developer experience: 1. autobahn.websocket.HAS_NVX - Explains build-time NVX availability check - Documents what NVX provides (UTF-8 validation, XOR masking) - Clarifies independence from AUTOBAHN_USE_NVX runtime setting - Includes usage example and cross-reference to USES_NVX 2. autobahn.websocket.USES_NVX - Explains runtime NVX usage decision - Documents interaction between build-time availability and runtime config - Provides complete AUTOBAHN_USE_NVX environment variable reference - Includes scenario examples and cross-reference to HAS_NVX 3. autobahn.twisted.__ident__ - Enhanced existing brief docstring with comprehensive documentation - Documents format variations (with/without NVX acceleration) - Explains usage in protocol handshakes (WebSocket Upgrade, WAMP HELLO) - Provides example values for different configurations - Cross-references asyncio.__ident__ and USES_NVX 4. autobahn.asyncio.__ident__ - Enhanced existing brief docstring with comprehensive documentation - Documents format variations (with/without NVX acceleration) - Explains usage in protocol handshakes (WebSocket Upgrade, WAMP HELLO) - Notes difference from Twisted variant (no asyncio version number) - Provides example values for different configurations - Cross-references twisted.__ident__ and USES_NVX All docstrings follow reStructuredText format for proper Sphinx rendering in Read the Docs documentation. This is a documentation-only change with no functional modifications. Related: This is a safe change to trigger final workflow testing before merging rel_v25.10.2 to master (addresses issues crossbario#1735, crossbario#1714).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Work towards #1733
Also fixes: #1732
Related Issue(s)
Closes or relates to #1733
Checklist
the style guidelines of this project
is effective or that my feature works
updated the changelog
in this PR