[PR #1384] [MERGED] chore(ci): delete vault-content-hash-sli workflow (non-solution) #8154

New Issue

GiteaMirror · 2026-04-27T17:27:44-05:00

GiteaMirror commented

2026-04-27 17:27:44 -05:00

📋 Pull Request Information

Original PR: https://github.com/harvard-edge/cs249r_book/pull/1384
Author: @profvjreddi
Created: 4/17/2026
Status: ✅ Merged
Merged: 4/17/2026
Merged by: @profvjreddi

Base: dev ← Head: fix/vault-sli-architecture

📝 Commits (1)

80b81c1 chore(ci): delete vault-content-hash-sli workflow (non-solution to non-problem)

📊 Changes

1 file changed (+0 additions, -148 deletions)

View changed files

➖ .github/workflows/vault-content-hash-sli.yml (+0 -148)

📄 Description

Summary

Deletes .github/workflows/vault-content-hash-sli.yml outright
No replacement workflow — the SLI's premise was flawed, not its configuration

Why this is right

The SLI compared D1.content_hash to vault.db.content_hash. Both are produced by the same compiler run and written in a single transaction — there is no runtime moment where they can disagree without a Cloudflare infrastructure incident (which Cloudflare's own monitoring would catch first).

Since PR #1348 merged, the cron has filed 17 "content-hash SLI mismatch · priority-high · bug" issues (#1358–#1380), one per hour. Every one is a false positive: the Python probe throws ValueError: unknown url type before any compare happens, because WORKER_URL is unset (worker not deployed — Phase 4 cutover pending). Issue #1327 is the orphan from the separately-deleted link-check workflow. These 18 issues will be bulk-closed after this merges.

Considered and rejected:

Branch gate (if: github.ref == 'refs/heads/main') — stops the noise but preserves a workflow whose design conflates liveness with correctness
Env guard (if: vars.WORKER_URL != '') — same problem, hides config state
Port canonicalization to TS for request-time verification — hours of work to catch a Cloudflare-infrastructure failure mode Cloudflare's native monitoring already handles

The right long-term integrity story, if needed later, is signed responses + client-side verification — not hourly hash re-probing. See commit message for full rationale.

Test plan

CI passes on this PR (CodeQL + worker vitest + vault-cli pytest)
After merge: bulk-close #1358-#1380 + #1327 with pointer to this PR
Verify no new content-hash SLI mismatch issues auto-file over the next 24h

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/harvard-edge/cs249r_book/pull/1384 **Author:** [@profvjreddi](https://github.com/profvjreddi) **Created:** 4/17/2026 **Status:** ✅ Merged **Merged:** 4/17/2026 **Merged by:** [@profvjreddi](https://github.com/profvjreddi) **Base:** `dev` ← **Head:** `fix/vault-sli-architecture` --- ### 📝 Commits (1) - [`80b81c1`](https://github.com/harvard-edge/cs249r_book/commit/80b81c18da4a8a3bdaacd7cade72d032c108586a) chore(ci): delete vault-content-hash-sli workflow (non-solution to non-problem) ### 📊 Changes **1 file changed** (+0 additions, -148 deletions) <details> <summary>View changed files</summary> ➖ `.github/workflows/vault-content-hash-sli.yml` (+0 -148) </details> ### 📄 Description ## Summary - Deletes `.github/workflows/vault-content-hash-sli.yml` outright - No replacement workflow — the SLI's premise was flawed, not its configuration ## Why this is right The SLI compared `D1.content_hash` to `vault.db.content_hash`. Both are produced by the same compiler run and written in a single transaction — there is no runtime moment where they can disagree without a Cloudflare infrastructure incident (which Cloudflare's own monitoring would catch first). Since PR #1348 merged, the cron has filed 17 "content-hash SLI mismatch · priority-high · bug" issues (#1358–#1380), one per hour. Every one is a false positive: the Python probe throws `ValueError: unknown url type` before any compare happens, because `WORKER_URL` is unset (worker not deployed — Phase 4 cutover pending). Issue #1327 is the orphan from the separately-deleted link-check workflow. These 18 issues will be bulk-closed after this merges. Considered and rejected: - **Branch gate** (`if: github.ref == 'refs/heads/main'`) — stops the noise but preserves a workflow whose design conflates liveness with correctness - **Env guard** (`if: vars.WORKER_URL != ''`) — same problem, hides config state - **Port canonicalization to TS for request-time verification** — hours of work to catch a Cloudflare-infrastructure failure mode Cloudflare's native monitoring already handles The right long-term integrity story, if needed later, is signed responses + client-side verification — not hourly hash re-probing. See commit message for full rationale. ## Test plan - [ ] CI passes on this PR (CodeQL + worker vitest + vault-cli pytest) - [ ] After merge: bulk-close #1358-#1380 + #1327 with pointer to this PR - [ ] Verify no new `content-hash SLI mismatch` issues auto-file over the next 24h --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-27 17:27:44 -05:00

GiteaMirror closed this issue

2026-04-27 17:27:46 -05:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/cs249r_book#8154