ci(frost): compile + test the frost_roast_retry activation path in CI#4130
Merged
mswilkison merged 2 commits intoJul 2, 2026
Merged
Conversation
The interactive FROST + ROAST retry coordinator flow (liveness + evidence/blame) lives behind the `frost_roast_retry` build tag, but no CI job ever set it: client.yml and release.yml run untagged `go build/test`, and frost-cgo-integration.yml built only `frost_native frost_tbtc_signer` and `-run`-filtered to the `TestRealCgoInteractiveSigning*` family. So the entire ROAST retry state machine and ~30 `frost_native` unit tests never compiled or ran in CI, and `make build` (the release/Docker path) shipped the `!frost_roast_retry` no-op stubs. This closes that activation gap. - client.yml: add a `client-frost-roast-retry` job that builds the coordinator path with cgo disabled (`go build -tags "frost_roast_retry"` and `-tags "frost_native frost_roast_retry"` over `./...`) and runs the tagged unit tests under the three non-cgo tag sets that cover the whole matrix (`frost_native`, `frost_roast_retry`, `frost_native frost_roast_retry`) over ./pkg/frost/... and ./pkg/tbtc/... against the mock FFI (no Rust lib, no Docker). - frost-cgo-integration.yml: add `frost_roast_retry` to the real-crypto cgo tag set and drop the narrow `-run` filter so the whole tagged pkg/frost/signing suite runs against the linked libfrost_tbtc (skips still forbidden); the heavy multiproc e2e tests already ran and self-constrain their worker subprocesses with anchored `-test.run`, so dropping the outer filter only adds lighter tagged unit tests. Add a step that smoke-builds the activation artifact via `make build-frost`. - Makefile: add a `build-frost` target that produces the ROAST-retry activation binary (tags `frost_native frost_tbtc_signer frost_roast_retry`, cgo-linked to libfrost_tbtc with the same CGO_LDFLAGS as the cgo workflow). - frost-roast-retry-rollout.adoc: replace the false claim that CI already exercised the tag with an accurate description of the new coverage. Locally validated (system Go, cgo off): `go build -tags "frost_roast_retry" ./...` and `-tags "frost_native frost_roast_retry" ./...` compile clean; all three non-cgo tag sets pass on ./pkg/frost/... and ./pkg/tbtc/... The cgo-linked full build is deferred to CI (requires building the Rust libfrost_tbtc, which the cgo workflow does from the pinned signer source). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…c is linked Dropping the narrow `-run` filter in frost-cgo-integration.yml made `TestRegisterBuildTaggedTBTCSignerEngine` run for the first time under the cgo gate, where it failed: it asserts every engine operation returns `ErrNativeCryptographyUnavailable`, a fail-closed contract that only holds when libfrost_tbtc is NOT linked (the cgo bridge is compiled but the frost_tbtc_* symbols are unresolvable via dlsym). Under the gate the lib IS linked, so `StartSignRound` instead reached the real signer and its provenance gate, producing a different error. Probe the linked lib with `assertTBTCSignerABICompatible()` - the same check the ABI preflight uses, which keeps `ErrNativeCryptographyUnavailable` in the chain iff the lib is absent - and skip the fail-closed assertions with a reason when the lib is present. The registration-wiring assertions still run under both builds, and the linked-lib crypto path is covered by `TestBuildTaggedTBTCSignerInteractiveFROSTBridge_WithLinkedSigner` and the `TestRealCgoInteractiveSigning*` suite. No assertion was weakened and no production code was touched; this matches the skip-when-unavailable pattern already used by the neighbouring cgo tests. Validated locally by building libfrost_tbtc from the pinned signer mirror and running the whole tagged pkg/frost/signing suite with the lib linked and KEEP_CORE_FROST_REQUIRE_CGO=true: 402 pass, 1 skip (this test), 0 fail; the real-crypto DKG/multiproc e2e tests ran and passed. Without the lib linked the test still runs its fail-closed assertions and passes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
8b97d7f
into
feat/frost-schnorr-migration-scaffold
18 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
This closes the sole production-activation blocker found in the deep production-readiness review of the ROAST retry work (stacked on #3866).
The interactive FROST + ROAST retry coordinator flow —
BeginAttempt/RecordEvidence/AggregateBundle/VerifyBundle/NextAttempt, i.e. liveness plus slashing/blame — lives behind thefrost_roast_retryGo build tag (~50 files). No CI job ever set that tag:client.yml(~line 138) andrelease.yml(~line 56) run untaggedgo build/test ./..., which compiles only the!frost_roast_retryno-op stubs.frost-cgo-integration.yml(~line 111) built only-tags "frost_native frost_tbtc_signer"and-run-filtered to theTestRealCgoInteractiveSigning*family.Net effect: the entire ROAST retry state machine and ~30
frost_nativeunit tests never compiled or ran anywhere in CI, andmake build(the release/Docker path) shipped the ROAST-retry-noop default build. The rollout doc also falsely claimed CI already exercised the tag.What this changes
.github/workflows/client.yml— newclient-frost-roast-retryjob (plain Go, cgo off, no Docker; runs on every PR touching Go):go build -tags "frost_roast_retry" ./...andgo build -tags "frost_native frost_roast_retry" ./...(mock-FFI, no Rust lib).go testunder the three non-cgo tag sets that cover the whole matrix —frost_native,frost_roast_retry,frost_native frost_roast_retry— over./pkg/frost/...and./pkg/tbtc/.....github/workflows/frost-cgo-integration.yml:frost_roast_retryto the real-crypto cgo tag set (frost_native frost_tbtc_signer frost_roast_retry).-runfilter so the whole tagged./pkg/frost/signing/suite runs against the linkedlibfrost_tbtc, with skips still forbidden (KEEP_CORE_FROST_REQUIRE_CGO=true). Safe by construction: the heavy multiproc e2e tests already ran (matched by the old substring regex) and spawn their worker subprocesses with anchored-test.run, so dropping the outer filter only adds lighter tagged unit tests.make build-frostusing the lib built earlier in the job.Makefileto the path triggers.Makefile— newbuild-frosttarget: produces the ROAST-retry activation binary (tagsfrost_native frost_tbtc_signer frost_roast_retry, cgo-linked tolibfrost_tbtcwith the sameCGO_LDFLAGSas the cgo workflow). The defaultmake buildstill ships the!frost_roast_retrystubs; adopting the tagged artifact in the release/Docker path is gated on the readiness-manifest flip and is intentionally left to that decision (the Rust lib currently lives on a separate branch — seeci/frost-signer-pin.env), so this PR makes the artifact producible + CI-validated rather than silently flipping the default release image.docs/development/frost-roast-retry-rollout.adoc: replaces the false "CI already exercises the tag" claim with an accurate description of the coverage above.Validated locally (system Go, cgo disabled)
go build -tags "frost_roast_retry" ./...go build -tags "frost_native frost_roast_retry" ./...go test -tags "frost_native" ./pkg/frost/... ./pkg/tbtc/...go test -tags "frost_roast_retry" ./pkg/frost/... ./pkg/tbtc/...go test -tags "frost_native frost_roast_retry" ./pkg/frost/... ./pkg/tbtc/...make -n build-frostThe tagged builds compiled clean and every newly-run non-cgo tagged test passed — no failures were surfaced, and no assertion was weakened.
Deferred to CI: the cgo-linked full build/tests and the
make build-frostsmoke — these require building the Rustlibfrost_tbtc, which cannot be done locally without the pinned signer source. The cgo job already builds that lib, so those steps are correct by construction (they reuse the same lib +CGO_LDFLAGS).Follow-ups / known gaps
frost_native frost_tbtc_signer frost_roast_retryreal-crypto suite andmake build-frostlinklibfrost_tbtc; they were not run on this machine. First green run offrost-cgo-integration.ymlon this branch is the confirmation.make build(Dockerfilebuild-dockerstage) is unchanged; wiringbuild-frostinto the release image is deferred to the readiness-manifest flip and to the branch merge that brings the signer crate in-tree (perci/frost-signer-pin.env).frost_native frost_tbtc_signer cgofiles, e.g. real taproot-tx build) are not yet in the cgo gate; the cgo job keeps itspkg/frost/signingscope. Adding./pkg/tbtc/to the cgo run is a reasonable next step but pulls the heavy tbtc suite under real-crypto linking, so it is left as a follow-up.🤖 Generated with Claude Code