Avoid flaky ort downloads in Linux CI#490
Walkthrough: Adds Linux-specific CI steps across three GitHub Actions workflows to download/extract ONNX Runtime v1.22.0, export
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/release.yml:
- Around line 100-110: Replace the direct curl | tar extraction for
ORT_VERSION/ORT_ROOT with a two-step verified download: first download the
tarball to a local file (using the ORT_VERSION and ORT_ROOT variables), then
verify its SHA256 digest either by running `gh release verify-asset` for the tag
v${ORT_VERSION} or by calling the GitHub Releases API GET
/repos/microsoft/onnxruntime/releases/tags/v{ORT_VERSION} and comparing
assets[].digest to a computed local sha256; only after the digest matches should
you extract into ORT_ROOT and export ORT_LIB_LOCATION and ORT_SKIP_DOWNLOAD into
GITHUB_ENV.
Files selected for processing (3): .github/workflows/desktop-build.yml, .github/workflows/release.yml, .github/workflows/rust-tests.yml
| - name: Provide ONNX Runtime (Linux) | ||
| if: matrix.platform == 'ubuntu-latest-8-cores' | ||
| run: | | ||
| ORT_VERSION=1.22.0 | ||
| ORT_ROOT="$RUNNER_TEMP/onnxruntime" | ||
| mkdir -p "$ORT_ROOT" | ||
| curl -fL --retry 5 --retry-delay 2 --retry-all-errors \ | ||
| "https://github.com/microsoft/onnxruntime/releases/download/v${ORT_VERSION}/onnxruntime-linux-x64-${ORT_VERSION}.tgz" \ | ||
| | tar -xz -C "$ORT_ROOT" | ||
| echo "ORT_LIB_LOCATION=$ORT_ROOT/onnxruntime-linux-x64-${ORT_VERSION}" >> "$GITHUB_ENV" | ||
| echo "ORT_SKIP_DOWNLOAD=true" >> "$GITHUB_ENV" |
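Review bot: the `curl … | tar -xz` pipeline in this step extracts the archive with no integrity check, and because the step sets no `shell: bash` it runs under GitHub's default `bash -e {0}`, which does not enable `pipefail`, so the step's exit status is tar's alone and a curl failure after the retries are exhausted surfaces only indirectly, if at all. Suggest `curl … -o "$ORT_ROOT/onnxruntime-linux-x64-${ORT_VERSION}.tgz"`, a `sha256sum -c` (or `gh release verify-asset`) check on that file, and `tar -xzf` only afterwards, plus `shell: bash` so any remaining pipeline fails loudly. Separately, the asset name hard-codes `linux-x64` while the gate is `matrix.platform == 'ubuntu-latest-8-cores'`; that holds today but would silently fetch the wrong binary if an arm64 runner were ever added to the matrix.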
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify whether ONNX Runtime download steps currently have checksum validation.
rg -n --iglob '.github/workflows/*.yml' 'Provide ONNX Runtime|onnxruntime-linux-x64-|ORT_SHA256|sha256sum|shasum'
Repository: OpenSecretCloud/Maple
Length of output: 214
🏁 Script executed:
#!/bin/bash
# First, find workflow files in .github/workflows/
fd -e yml -e yaml . .github/workflows/ 2>/dev/null || fd -e yml -e yaml . .github/ 2>/dev/null || find .github -name "*release*" -type f 2>/dev/null
Repository: OpenSecretCloud/Maple
Length of output: 384
🏁 Script executed:
#!/bin/bash
# Read the file to check its size and content around lines 100-110
wc -l .github/workflows/release.yml
echo "---"
# Read lines 95-115 to see context around the specified lines
sed -n '95,115p' .github/workflows/release.yml
Repository: OpenSecretCloud/Maple
Length of output: 950
🏁 Script executed:
#!/bin/bash
# Search the entire release.yml file for checksum/hash/integrity verification
echo "=== Searching for checksum validation in release.yml ==="
rg -i 'sha256|checksum|sha1|integrity|verify.*hash' .github/workflows/release.yml
echo "=== Searching for 'ORT_SHA256' or similar patterns ==="
rg 'ORT_SHA256|ORT.*HASH' .github/workflows/release.yml
echo "=== Count of tar invocations with piped curl ==="
rg 'curl.*\|.*tar' .github/workflows/release.yml -A 2
Repository: OpenSecretCloud/Maple
Length of output: 589
🌐 Web query:
ONNX Runtime v1.22.0 release checksums github
💡 Result:
No official checksums (SHA256 or otherwise) for ONNX Runtime v1.22.0 release assets are published on the GitHub releases page or in related official documentation. The release page at https://github.com/microsoft/onnxruntime/releases/tag/v1.22.0 lists the binary assets (e.g., onnxruntime-linux-x64-1.22.0.tgz, onnxruntime-win-x64-1.22.0.zip) with file sizes and download counts, but does not provide checksums. This is consistent across other ONNX Runtime releases, such as v1.24.2, where only assets and sizes are listed without hashes. Users should verify downloads using GitHub's built-in checksum verification if available or compute their own SHA256 sums after downloading from the official source.
Citations:
- 1: https://github.com/microsoft/onnxruntime/releases/tag/v1.22.0
- 2: https://github.com/microsoft/onnxruntime/releases
- 3: https://github.com/microsoft/onnxruntime/releases/tag/v1.22.1
- 4: https://onnxruntime.ai/docs/reference/releases-servicing.html
- 5: https://github.com/microsoft/onnxruntime/releases/tag/v1.24.1
- 6: https://github.com/microsoft/onnxruntime/releases/tag/v1.24.2
🌐 Web query:
GitHub Actions verify release asset integrity download without checksum
💡 Result:
To verify the integrity of a GitHub release asset downloaded in GitHub Actions without relying on a separate checksum file, use GitHub's built-in features: asset digests (SHA-256 hashes exposed via the Releases API since June 2025) and GitHub CLI's gh release verify-asset command, which validates against cryptographically signed attestations.

## Step 1: Download the Asset
Use a third-party action like dsaltares/fetch-gh-release-asset (widely used, supports private repos):

```yaml
- name: Download asset
  uses: dsaltares/fetch-gh-release-asset@v2
  with:
    version: 'v1.0.0' # or 'latest'
    file: 'my-asset.zip'
    token: ${{ secrets.GITHUB_TOKEN }}
```

This downloads to the current directory (e.g., ./my-asset.zip).

## Step 2: Verify Integrity
Install gh CLI (pre-installed on GitHub-hosted runners) and run:

```yaml
- name: Verify asset integrity
  run: gh release verify-asset v1.0.0 ./my-asset.zip
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

This command:
- Fetches the release's signed attestation.
- Computes the local file's digest.
- Matches it against the expected digest and validates the signature/provenance.
- Fails the workflow if tampered or mismatched.

For latest release: gh release verify-asset ./my-asset.zip.

## Alternative: Manual Digest Check (No CLI)
Fetch the expected SHA-256 digest from the API and compare:

```yaml
- name: Get expected digest
  id: digest
  run: |
    curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
      https://api.github.com/repos/${{ github.repository }}/releases/tags/v1.0.0 | \
      jq -r '.assets[] | select(.name == "my-asset.zip") | .digest' | \
      cut -d: -f2 > expected.sha256
  shell: bash
- name: Compute local digest and verify
  run: |
    # sha256sum --check expects "<hex>  <path>" lines, so pair the stored hex with the file name
    echo "$(cat expected.sha256)  ./my-asset.zip" | sha256sum --check -
  shell: bash
```

Note: Digest format is sha256:.

## Key Benefits (No Separate Checksum File Needed)
- Automatic Digests: GitHub computes SHA-256 for every asset at upload (immutable).
- Attestations: gh release verify-asset provides end-to-end integrity + provenance.
- API Access: asset.digest in Releases REST/GraphQL APIs.
- Works for immutable releases (marked on GitHub UI).

For official docs, see GitHub's "Verifying the integrity of a release" and Releases API (asset.digest field).
Citations:
- 1: https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/verifying-the-integrity-of-a-release
- 2: https://docs.github.com/rest/releases/assets
- 3: https://github.blog/changelog/2025-06-03-releases-now-expose-digests-for-release-assets
- 4: https://cli.github.com/manual/gh_release_verify-asset
- 5: https://github.com/dsaltares/fetch-gh-release-asset
- 6: [Feature] Use asset.digest to check hash for github assets for releases ScoopInstaller/Scoop#6381
Use GitHub API digests to verify ONNX Runtime tarball integrity instead of piping through tar.
The current download at lines 102–113 extracts the tarball without verification. While ONNX Runtime v1.22.0 does not publish official checksums, GitHub computes and exposes SHA-256 digests for all release assets via the Releases API (available since June 2025). Use either:
- GitHub CLI verification (simpler):
  - Download the file separately (not piped)
  - Run gh release verify-asset with the release tag and file
- Manual API digest check (if CLI unavailable):
  - Fetch the expected digest from GET /repos/microsoft/onnxruntime/releases/tags/v{ORT_VERSION} → assets[].digest
  - Compute local SHA256 and compare
This eliminates the supply-chain risk without relying on externally-pinned checksums that ONNX Runtime doesn't provide.
Deploying maple with
Latest commit: 984a206
Status: ✅ Deploy successful!
Preview URL: https://571eeacb.maple-ca8.pages.dev
Branch Preview URL: https://fix-linux-onnxruntime-ci.maple-ca8.pages.dev
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/desktop-build.yml:
- Around line 175-177: The workflow downloads and extracts onnxruntime using
curl | tar without verifying integrity; change the steps around the curl + tar
pipeline to first download the artifact to a temporary file (using the
ORT_VERSION to form the filename), then verify its SHA-256 against a pinned
value (e.g. an environment variable ORT_TGZ_SHA256 or a lookup table keyed by
ORT_VERSION), and only call tar -xz -C "$ORT_ROOT" after the checksum matches;
alternatively support verifying a detached signature if provided. Ensure the
pipeline fails the job on checksum mismatch and remove the direct curl | tar
streaming to prevent extracting unverified bytes.
Files selected for processing (2): .github/workflows/desktop-build.yml, .github/workflows/release.yml
Files skipped from review as they are similar to previous changes (1): .github/workflows/release.yml
| curl -fL --retry 5 --retry-delay 2 --retry-all-errors \ | ||
| "https://github.com/microsoft/onnxruntime/releases/download/v${ORT_VERSION}/onnxruntime-linux-x64-${ORT_VERSION}.tgz" \ | ||
| | tar -xz -C "$ORT_ROOT" |
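Review bot: streaming the download straight into `tar` undercuts the `--retry` options on the same line: a retry that restarts after part of the body has already been written to tar's stdin cannot produce a valid gzip stream, so a connection dropped mid-body ends as a failed or partially extracted `$ORT_ROOT` rather than a retried download. Saving the archive with `-o "$RUNNER_TEMP/onnxruntime-linux-x64-${ORT_VERSION}.tgz"` first lets the transfer be retried and checksummed on its own, and `tar -xzf` then runs on a complete, verified file.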
Add integrity verification for downloaded ONNX Runtime archive.
This downloads and extracts unverified bytes directly into the build pipeline. Please pin and verify SHA-256 (or signature) before extraction to prevent artifact poisoning in CI.
🔒 Suggested hardening
- name: Provide ONNX Runtime (Linux)
run: |
ORT_VERSION=1.22.0
ORT_ROOT="$RUNNER_TEMP/onnxruntime"
+ ORT_ARCHIVE="$RUNNER_TEMP/onnxruntime-linux-x64-${ORT_VERSION}.tgz"
+ ORT_SHA256="<pin_official_sha256_here>"
mkdir -p "$ORT_ROOT"
curl -fL --retry 5 --retry-delay 2 --retry-all-errors \
"https://github.com/microsoft/onnxruntime/releases/download/v${ORT_VERSION}/onnxruntime-linux-x64-${ORT_VERSION}.tgz" \
- | tar -xz -C "$ORT_ROOT"
+ -o "$ORT_ARCHIVE"
+ echo "${ORT_SHA256} ${ORT_ARCHIVE}" | sha256sum -c -
+ tar -xzf "$ORT_ARCHIVE" -C "$ORT_ROOT"
echo "ORT_LIB_LOCATION=$ORT_ROOT/onnxruntime-linux-x64-${ORT_VERSION}" >> "$GITHUB_ENV"
echo "ORT_SKIP_DOWNLOAD=true" >> "$GITHUB_ENV"
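An added example, not part of the PR and not CodeRabbit's suggestion, that combines the two review suggestions above (a pinned SHA-256 from the desktop-build.yml comment, the Releases API assets[].digest from the release.yml comment) into one verified-download step in plain shell: the asset is fetched to a file, the expected digest comes from ORT_SHA256 when the workflow pins one and otherwise from the Releases API, and tar runs only after the digest matches. The function names (fetch_verified_ort, asset_digest_from_json, verify_sha256, demo_verify_constructed) are this example's own, and the sample JSON is a constructed stand-in for the API response whose digests belong to small demo files created here, not to the real ONNX Runtime assets.

```shell
#!/usr/bin/env bash
# Added example (not from the PR or from CodeRabbit): download a release asset to a
# file, verify its SHA-256 against a pinned value or the GitHub Releases API digest,
# and only then extract it. Function and variable names are this example's own.
set -eu
# pipefail is not in every sh; enable it where the shell supports it.
(set -o pipefail 2>/dev/null) && set -o pipefail

# Print the hex SHA-256 of a file (coreutils sha256sum, or shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Read a Releases API JSON document on stdin and print the hex digest of the asset
# named $1. Within each asset object "name" precedes "digest" ("sha256:<hex>"), so a
# flat stream of name/digest tokens can be walked with awk; no jq required.
asset_digest_from_json() {
  tr -d '\n' | sed 's/[[:space:]]*:[[:space:]]*/:/g' \
    | grep -oE '"name":"[^"]*"|"digest":"sha256:[0-9a-f]{64}"' \
    | awk -v want="$1" -F'"' '
        $2 == "name" { current = $4 }
        $2 == "digest" && current == want { sub(/^sha256:/, "", $4); print $4; exit }'
}

# Compare a local file against an expected hex digest; exit status 0 on match.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# The verified download step. $1 = ORT version, $2 = ORT_ROOT.
# Expected digest: ORT_SHA256 if pinned in the workflow env, else the Releases API.
fetch_verified_ort() {
  version="$1"; root="$2"
  asset="onnxruntime-linux-x64-${version}.tgz"
  archive="${root}/${asset}"
  api="https://api.github.com/repos/microsoft/onnxruntime/releases/tags/v${version}"
  mkdir -p "$root"
  # Fetch to a file, not a pipe, so retries, the digest check and extraction are
  # separate all-or-nothing steps.
  curl -fL --retry 5 --retry-delay 2 --retry-all-errors -o "$archive" \
    "https://github.com/microsoft/onnxruntime/releases/download/v${version}/${asset}"
  expected="${ORT_SHA256:-}"
  if [ -z "$expected" ]; then
    expected="$(curl -fsSL "$api" | asset_digest_from_json "$asset")"
  fi
  if [ -z "$expected" ]; then
    echo "no digest available for ${asset}; refusing to extract" >&2
    rm -f "$archive"; return 1
  fi
  if ! verify_sha256 "$archive" "$expected"; then
    echo "SHA-256 mismatch for ${asset}; refusing to extract" >&2
    rm -f "$archive"; return 1
  fi
  tar -xzf "$archive" -C "$root"
  echo "ORT_LIB_LOCATION=${root}/onnxruntime-linux-x64-${version}" >> "${GITHUB_ENV:-/dev/null}"
  echo "ORT_SKIP_DOWNLOAD=true" >> "${GITHUB_ENV:-/dev/null}"
}

# Constructed sample of the Releases API shape (assumption: real responses carry many
# more fields, but "name" precedes "digest" in each asset). The digests below belong
# to demo files made in this script, NOT to the real ONNX Runtime assets.
SAMPLE_RELEASE_JSON='{
  "tag_name": "v1.22.0",
  "name": "ONNX Runtime v1.22.0",
  "assets": [
    {"name": "onnxruntime-win-x64-1.22.0.zip", "uploader": {"login": "someone"},
     "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000"},
    {"name": "onnxruntime-linux-x64-1.22.0.tgz", "uploader": {"login": "someone"},
     "digest": "sha256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"}
  ]
}'

# Offline demo: a file containing "hello\n" (whose SHA-256 is the digest listed above
# for the linux asset) passes; a tampered copy fails. Returns 0 when both hold.
demo_verify_constructed() {
  tmp="$(mktemp -d)"
  printf 'hello\n' > "$tmp/good.tgz"
  printf 'hello!\n' > "$tmp/tampered.tgz"
  expected="$(printf '%s' "$SAMPLE_RELEASE_JSON" | asset_digest_from_json onnxruntime-linux-x64-1.22.0.tgz)"
  verify_sha256 "$tmp/good.tgz" "$expected" || return 1
  if verify_sha256 "$tmp/tampered.tgz" "$expected"; then return 1; fi
  rm -rf "$tmp"
  return 0
}

# Real run (needs network): ./verify_ort.sh --run, with ORT_VERSION and RUNNER_TEMP
# set as they are in the workflow.
if [ "${1:-}" = "--run" ]; then
  fetch_verified_ort "${ORT_VERSION:-1.22.0}" "${RUNNER_TEMP:-/tmp}/onnxruntime"
fi
```

In a workflow the body of fetch_verified_ort is what would replace the `curl | tar` line; with `shell: bash` the step also inherits `pipefail`, so the API lookup failing is itself a hard failure rather than an empty digest. The anonymous Releases API call is rate-limited, so a CI version would pass `GITHUB_TOKEN` in an Authorization header as the quoted query result above does; pinning ORT_SHA256 in the workflow avoids the lookup entirely and is the stronger choice when the version rarely changes.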
🧹 Nitpick comments (1)
.github/workflows/rust-tests.yml (1)
50-60: Consider extracting this ONNX setup into a shared reusable workflow/action. This block now appears in multiple workflows with near-identical logic, which increases version/env drift risk.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/rust-tests.yml around lines 50 - 60, The ONNX setup block (step named "Provide ONNX Runtime (Linux)" that defines ORT_VERSION, ORT_ROOT, sets ORT_LIB_LOCATION, ORT_SKIP_DOWNLOAD and LD_LIBRARY_PATH) is duplicated across workflows—extract it into a reusable GitHub Actions component (either a reusable workflow or a composite action) that accepts ORT_VERSION (and optionally platform/arch) as inputs and performs the curl+tar and environment exports; then replace each duplicated block with a single call to that reusable workflow/action, passing ORT_VERSION and any platform-specific inputs to keep behavior identical and centralize version/env management.
Files selected for processing (3): .github/workflows/desktop-build.yml, .github/workflows/release.yml, .github/workflows/rust-tests.yml
Files skipped from review as they are similar to previous changes (1): .github/workflows/desktop-build.yml
Preload official ONNX Runtime in Linux workflows so ort-sys stops relying on flaky Pyke CDN downloads.
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Work around Linux AppImage strip failures
Set NO_STRIP for Linux desktop bundling so linuxdeploy stops choking on newer bundled system libraries.
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Improve Linux AppImage CI diagnostics
Set APPIMAGE_EXTRACT_AND_RUN and enable verbose Linux bundling so linuxdeploy failures surface clearly in CI.
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Expose ONNX Runtime libs to Linux bundlers
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
63c83be to 984a206
Summary
- ORT_LIB_LOCATION and ORT_SKIP_DOWNLOAD so ort-sys does not fall back to the flaky Pyke CDN
Validation
- git diff --check
- bun test