paiml · noahgift · Apr 18, 2026 · Apr 18, 2026
diff --git a/.github/workflows/pr-gate.yml b/.github/workflows/pr-gate.yml
@@ -16,12 +16,13 @@
 
 jobs:
   authorize:
+    # falsify-f8-allow: authorization gate MUST run before self-hosted runner claim — untrusted PR code cannot execute on self-hosted infra.
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
    steps:
      - name: Check PR author authorization
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            const author = context.payload.pull_request.user.login;
@@ -44,7 +45,7 @@
            ]);

            if (allowlist.has(author)) {
              console.log(`${author} is on the external contributor allowlist — allowed`);
              return;
            }

@@ -71,9 +72,9 @@
              body: [
                `Thank you for your interest in this project, @${author}.`,
                '',
                'This repository only accepts pull requests from organization members and authorized contributors. Your PR has been closed automatically.',
                '',
                'If you believe you should have access, please open an issue to discuss your contribution first.',
              ].join('\n'),
            });


diff --git a/.github/workflows/sovereign-ci.yml b/.github/workflows/sovereign-ci.yml
@@ -4,7 +4,7 @@
 # Change once here → applies to all 38 repos instantly.
 #
 # Self-hosted jobs run inside the sovereign-ci container (built by forjar).
 # Each job gets an isolated filesystem — no shared ~/.rustup/, no race conditions.
 # Image: localhost:5000/sovereign-ci:stable (local registry on mac-server)
 # Rebuild: cd infra && make -f machines/intel/Makefile ci-image
 #
@@ -48,7 +48,7 @@
        default: false
        type: boolean
      extra_pkgs:
        description: 'Extra apt packages to install in container (e.g. python3-dev libclang-dev)'
        required: false
        default: ''
        type: string
@@ -73,7 +73,7 @@
 jobs:
  test:
    name: test
    runs-on: [self-hosted, clean-room]
    container:
      image: localhost:5000/sovereign-ci:stable@sha256:a7d47ef6e12e23c83075ceff4c41be8f34b00e68639a48bca9e41a2b2c8db80b
      # Phase 3 §5.3 — sccache rustc cache + /var/log/ci-metrics for F9 stats.
@@ -89,11 +89,11 @@
          persist-credentials: false
      - name: Install extra packages
        if: ${{ inputs.extra_pkgs != '' }}
        run: |
          apt-get update -qq && apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || \
          sudo apt-get update -qq && sudo apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || true
      - name: Checkout sibling repos (path deps)
        run: |
          cd "$GITHUB_WORKSPACE/.."
          # APR-MONO (2026-04-13): trueno, trueno-rag, trueno-db, trueno-viz,
          # alimentar, presentar, renacer, batuta, realizar, probar merged into
@@ -129,7 +129,7 @@
          # Note: generated contract macros may have unused variables (provable-contracts#64).
          # This is handled by adding -A unused-variables to the clippy step.
      - name: Generate contract assertions (pv codegen)
        run: |
          # pv is baked into sovereign-ci:stable at /usr/local/cargo/bin/pv
          PV=""
          for candidate in /usr/local/cargo/bin/pv /usr/local/bin/pv; do
@@ -178,7 +178,7 @@
          REPO_NAME: ${{ inputs.repo }}
          RUSTC_WRAPPER: ${{ inputs.enable_sccache && 'sccache' || '' }}
          SCCACHE_DIR: ${{ inputs.enable_sccache && '/sccache' || '' }}
        run: |
          # Mark workspace as safe for git operations inside tests (dubious ownership in containers)
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          cargo test --lib $TEST_ARGS 2>&1 || \
@@ -193,7 +193,7 @@

  lint:
    name: lint
    runs-on: [self-hosted, clean-room]
    container:
      image: localhost:5000/sovereign-ci:stable@sha256:a7d47ef6e12e23c83075ceff4c41be8f34b00e68639a48bca9e41a2b2c8db80b
      # Phase 3 §5.3 — sccache rustc cache + /var/log/ci-metrics for F9 stats.
@@ -209,11 +209,11 @@
          persist-credentials: false
      - name: Install extra packages
        if: ${{ inputs.extra_pkgs != '' }}
        run: |
          apt-get update -qq && apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || \
          sudo apt-get update -qq && sudo apt-get install -y -qq ${{ inputs.extra_pkgs }} 2>/dev/null || true
      - name: Checkout sibling repos (path deps)
        run: |
          cd "$GITHUB_WORKSPACE/.."
          # APR-MONO (2026-04-13): trueno, trueno-rag, trueno-db, trueno-viz,
          # alimentar, presentar, renacer, batuta, realizar, probar merged into
@@ -294,7 +294,7 @@
          REPO_NAME: ${{ inputs.repo }}
          RUSTC_WRAPPER: ${{ inputs.enable_sccache && 'sccache' || '' }}
          SCCACHE_DIR: ${{ inputs.enable_sccache && '/sccache' || '' }}
        run: |
          cargo clippy $CLIPPY_ARGS -- -D warnings -A unused-variables 2>&1 || \
          cargo clippy -p "$REPO_NAME" -- -D warnings -A unused-variables 2>&1 || \
          { echo "::error::Clippy failed — check workspace path dependencies"; exit 1; }
@@ -643,6 +643,7 @@
 
   provenance:
     name: provenance
+    # falsify-f8-allow: SLSA attest-build-provenance needs GitHub OIDC id-token, only issued on GitHub-hosted runners. Job is continue-on-error (advisory).
     runs-on: ubuntu-latest
     timeout-minutes: 5
     continue-on-error: true