Skip to content

Hold sig-mismatched skills at sync; alert on failing integrity sweeps#350

Merged
sayalinvidia merged 1 commit into
mainfrom
sig-consistency-guards
Jul 15, 2026
Merged

Hold sig-mismatched skills at sync; alert on failing integrity sweeps#350
sayalinvidia merged 1 commit into
mainfrom
sig-consistency-guards

Conversation

@mosheabr

Copy link
Copy Markdown
Collaborator

Onboarding type

  • New product onboarding (new components.d/<slug>.yml file)
  • Other (catalog change, README fix, infrastructure, etc.)

Context

The daily integrity sweep has been red since at least July 9 with nobody noticing, and 30 published files across 7 skills (amc x3, deepstream-dev, earth2studio x3) fail signature verification on main today. Root cause analysis showed the content/sig inconsistency exists at the source repos, and it entered the catalog because of two gaps this PR closes.

Change 1: Defense #3 in the sync (the ingestion gate)

The drift detection held content changed without a sig refresh, but blindly trusted content and signature that changed together — and bot sync PRs trigger no CI, so nothing else checked them. Now every rsynced skill whose signature changed gets digest-verified against that signature; mismatches are held (revert to last-signed, or drop if new) with a new sig mismatch category in the sync PR body and the missing-compliance tracker.

Change 2: The sweep maintains a tracker issue

Scheduled failures alert no one. The sweep now opens/updates a rolling issue (label integrity-failure) with the finding list and owner recovery steps, and closes it automatically when a sweep passes — same pattern as the sync's missing-compliance tracker.

Tested locally

  • Both workflows parse; all modified run blocks pass bash -n.
  • Defense CI Pipeline to verify skill counts match source repos #3 verification, extracted verbatim from the workflow: holds amc-run-sample-calibration (known mismatch on main), passes nemo-mbridge-perf-sequence-packing (clean, synced today).
  • Sweep step: failure exit propagates through the report capture; report contains exactly the 30 known findings.

Team outreach for the existing 7 mismatched skills is already underway separately; this PR prevents recurrence and makes the cleanup visible.

…er issue

Two gaps let internally inconsistent skills publish and sit unnoticed:

1. The sync's drift detection only caught content changed WITHOUT a sig
   refresh. When content and signature changed together it trusted the
   pair blindly — and bot sync PRs run no CI, so nothing downstream
   verified them either. Seven skills published with content that fails
   signature verification this way. Defense #3 now digest-verifies every
   rsynced skill whose signature changed, and holds (revert/drop) any
   whose incoming content does not match its own incoming signature,
   with a 'sig mismatch' category in the PR body and tracker issue.

2. The daily full-catalog integrity sweep failed silently for a week —
   scheduled workflow failures alert no one. The sweep now maintains a
   rolling tracker issue (label: integrity-failure) with the finding
   list and owner recovery steps, and auto-closes it when a sweep
   passes.

Signed-off-by: Moshe Abramovitch <moshea@nvidia.com>
@sayalinvidia sayalinvidia merged commit f3f7ce4 into main Jul 15, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants