- Remove stale root files: chain_spec.json, pezkuwi.gbp, publish.log,
test-asset-hub.toml (moved to .claude/)
- Move publish_batch.sh and publish_crates.sh to scripts/
- Remove hardcoded /home/mamostehp/res/ paths from scripts and comments
(WALLETS_FILE env var now required, no silent fallback)
- Update .gitignore: add protection entries for regenerable artifacts
and .claude/ experience files
- Add LICENSE-APACHE (Apache License 2.0 full text)
- Add LICENSE-GPL3 (GNU GPL 3.0 full text)
- Add NOTICE file with full attribution to original Polkadot SDK,
Parity Technologies (UK) Ltd., and Web3 Foundation, documenting
all significant changes made as required by Apache-2.0 Section 4(b)
- Update README License section to accurately reflect dual licensing
and link to NOTICE file
Re-add RUSTSEC-2023-0071 (rsa) and RUSTSEC-2025-0055 (tracing-subscriber)
which were incorrectly removed — they are still in transitive deps.
Add new advisories:
- RUSTSEC-2026-0067 (tar symlink traversal) — no 0.4.x patch available
- RUSTSEC-2026-0068 (tar link following) — no 0.4.x patch available
- Fix refund_cancelled_presale benchmark: add missing start_index and
batch_size arguments (0, 100) to match the 3-param extrinsic signature
- Remove 3 stale RUSTSEC advisories from deny.toml and security-audit.yml
(RUSTSEC-2023-0071, RUSTSEC-2025-0055, RUSTSEC-2026-0002 no longer in deps)
- Add RUSTSEC-2026-0049 (rustls-webpki) to ignore lists (upstream kube/jsonrpsee
haven't released compatible versions yet)
identity-kyc (H1):
- Add IdentityHashToAccount reverse mapping to prevent the same identity hash
from being used by multiple accounts
- Check uniqueness in apply_for_citizenship, populate on confirm_citizenship,
clean up on renounce_citizenship
pez-rewards (H2):
- Add EpochTotalClaimed storage to track claimed amounts per epoch
- do_close_epoch now only claws back unclaimed rewards (total_allocated -
total_claimed), not the entire pot balance
tiki (H3):
- Replace custom "locked" attribute with pezpallet_nfts::disable_transfer()
which sets the system-level PalletAttributes::TransferDisabled attribute
that is actually enforced during transfers
tiki (H4):
- Fix EnsureTiki to check UserTikis storage for non-unique roles (Wezir,
Parlementer) instead of TikiHolder which only stores unique roles
perwerde (H5):
- Add MaxPointsPerCourse config constant (1000 in runtime)
- Validate points in complete_course against the max
- Use saturating_add in get_perwerde_score to prevent u32 overflow
welati (H6):
- Add NativeCurrency: ReservableCurrency to Config
- Actually reserve candidacy deposit from candidate's balance
welati (H7):
- Add MaxEndorsers config constant (1000 in runtime)
- Validate endorsers count at the start of register_candidate before
any storage reads
presale:
- Split unbounded finalize_presale distribution into batched batch_distribute()
extrinsic (same pattern as batch_refund_failed_presale) to prevent block weight
exhaustion with many contributors
- Fix u128 overflow in calculate_reward_dynamic() by using
multiply_by_rational_with_rounding() for safe intermediate multiplication
- Fix pre-existing batch_refund test assertion (platform fee deduction was not
accounted for in expected refund amount)
validator-pool:
- Bound PoolMembers::iter() with .take(MaxPoolSize) in select_validators_for_era()
to prevent unbounded iteration in on_initialize
- Fix on_initialize weight accounting to include all DB reads/writes from
do_new_era() and select_validators_for_era() (was only counting 2 reads)
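
The reverse-mapping lifecycle described in the identity-kyc (H1) item above, as an added example that is not the pallet's own code. It models storage with in-memory maps; `AccountId` as `u32`, the `KycError` variants, `owner_of`, and the re-check inside `confirm_citizenship` are assumptions that the commit message does not state.

```rust
use std::collections::HashMap;

type AccountId = u32; // assumption: stand-in for the runtime's account type
type IdentityHash = [u8; 32];

#[derive(Debug, PartialEq)]
pub enum KycError { IdentityHashInUse, NoPendingApplication, NotACitizen }

#[derive(Default)]
pub struct IdentityKyc {
    pending: HashMap<AccountId, IdentityHash>,
    citizens: HashMap<AccountId, IdentityHash>,
    identity_hash_to_account: HashMap<IdentityHash, AccountId>, // reverse mapping
}

impl IdentityKyc {
    pub fn apply_for_citizenship(&mut self, who: AccountId, hash: IdentityHash) -> Result<(), KycError> {
        // Uniqueness check: a hash already bound to a confirmed citizen is rejected.
        if self.identity_hash_to_account.contains_key(&hash) { return Err(KycError::IdentityHashInUse); }
        self.pending.insert(who, hash);
        Ok(())
    }
    pub fn confirm_citizenship(&mut self, who: AccountId) -> Result<(), KycError> {
        let hash = *self.pending.get(&who).ok_or(KycError::NoPendingApplication)?;
        // Assumption of this model: re-check here, since two applications can share a hash while both are pending.
        if self.identity_hash_to_account.contains_key(&hash) { return Err(KycError::IdentityHashInUse); }
        self.pending.remove(&who);
        self.identity_hash_to_account.insert(hash, who); // populate on confirmation
        self.citizens.insert(who, hash);
        Ok(())
    }
    pub fn renounce_citizenship(&mut self, who: AccountId) -> Result<(), KycError> {
        let hash = self.citizens.remove(&who).ok_or(KycError::NotACitizen)?;
        self.identity_hash_to_account.remove(&hash); // clean up so the hash can be bound again
        Ok(())
    }
    pub fn owner_of(&self, hash: &IdentityHash) -> Option<AccountId> {
        self.identity_hash_to_account.get(hash).copied()
    }
}

fn main() {
    let (mut kyc, hash) = (IdentityKyc::default(), [7u8; 32]); // constructed sample hash
    kyc.apply_for_citizenship(1, hash).unwrap();
    kyc.confirm_citizenship(1).unwrap();
    println!("reuse by account 2: {:?}", kyc.apply_for_citizenship(2, hash));
    kyc.renounce_citizenship(1).unwrap();
    println!("after renounce: {:?}", kyc.apply_for_citizenship(2, hash));
}
```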
Zombienet tests are upstream Polkadot SDK tests without custom pallets.
They consume significant VPS resources (hours of build + test time) on
every push without providing project-specific value.
Removed from automatic CI:
- 4 zombienet artifact build jobs (prepare-*-zombienet-artifacts)
- bridges-zombienet-tests Docker image build
- 4 zombienet trigger jobs + confirmation gate
Zombienet workflows remain available for manual triggering:
gh workflow run zombienet_pezkuwi.yml
gh workflow run zombienet_pezcumulus.yml
gh workflow run zombienet_bizinikiwi.yml
gh workflow run zombienet_teyrchain-template.yml
Zombienet is a 3rd-party upstream tool — its Docker image should
reference paritytech/zombienet, not pezkuwi/zombienet which doesn't
exist on Docker Hub. This fixes all zombienet test failures caused
by image pull failures.
Docker Hub personal account namespace must match the username.
Updated all docker.io image references across workflows, actions,
docker-compose files, and zombienet configs.
The VPS runner's limited bandwidth causes upload-artifact to stall when
uploading hundreds of MB of individual HTML files. Compress crate-docs
into a tar.gz before upload and extract on the publish side.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Regenerate EQUIVOCATION_PROOF_BLOB in pezpallet-babe benchmarking:
the old blob contained stale header hashes that caused
check_equivocation_proof to fail with assertion error
- Exclude pezpallet_revive from quick-benchmarks via
--exclude-pezpallets flag: revive benchmarks require PolkaVM
toolchain (riscv64emac-unknown-none-polkavm) for fixture compilation
which is not available in CI. This removes continue-on-error so
real benchmark failures are now visible
- Increase build-rustdoc timeout from 180 to 240 minutes for VPS runner
- Add NCSA and CDLA-Permissive-2.0 to allowed licenses in deny.toml
(both are permissive open-source licenses used by transitive deps)
- Set fail-fast: false on cargo-deny matrix so all checks run
independently even if one fails
All unmaintained crate warnings are transitive upstream dependencies
that we cannot replace. Disable unmaintained checks in cargo-deny
to prevent false CI failures. Track via quarterly review instead.
- Mark shell command doc block as ```text to fix rustdoc parsing
- Remove duplicated #![cfg(feature = "runtime-benchmarks")] (already gated in lib.rs)
- Use let _ = for unused MultiRemovalResults from clear_prefix
End-to-end encrypted messaging pallet with citizenship and trust score
verification. Integrated into People Chain runtime as pallet index 55.
spec_version bumped to 1_020_009.
GHCR packages are created as private by default and the visibility
cannot be changed via the REST API. Reverting to docker.io/paritytech
until the package visibility is changed to public via GitHub UI at:
https://github.com/orgs/pezkuwichain/packages/container/ci-unified/settings
The mirror-ci-image.yml workflow has already populated GHCR - just
need to make it public, then update this file to use GHCR.
Now that the mirror-ci-image workflow has populated GHCR, switch
.github/env from docker.io/paritytech/ci-unified to our own
ghcr.io/pezkuwichain/ci-unified mirror.
- Fix Docker image tag fallback from 'master' to 'main' to match our default branch
- Bump docker/login-action from v3.5.0 to v3.7.0 for consistency with other workflows
- build-publish-images: replace silent sudo chown failure (2>/dev/null || true)
with proper error handling and fallback cleanup for all 7 push jobs.
Root cause: container build jobs create root-owned files, non-container push
jobs on runner2 couldn't sudo chown without sudoers config.
- tests-misc: add disk cleanup step to cargo-check-all-crate-macos job to free
space before cargo check (remove Android SDK, old CLT SDKs, etc.)
- security-audit: truncate cargo-audit output to 500 lines before writing to
GITHUB_STEP_SUMMARY to avoid the 1MB size limit crash.
- Remove forklift cargo wrapper from build-only-wasm.sh (direct cause of
build-linux-stable failures in container jobs)
- Add .env_remove("RUSTC_WRAPPER") to wasm-builder cargo subprocess to
prevent inheriting forklift from Parity CI container images
- Remove forklift from cargo-check-runtimes action and cmd.py benchmark
build command
- Update test_cmd.py expectations to match forklift removal
- Update no_feature_gated_method.stderr for rebrand: substrate_runtime →
bizinikiwi_runtime, sp_runtime_interface_proc_macro →
pezsp_runtime_interface_proc_macro, and expanded feature list
The Parity CI Docker image sets RUSTC_WRAPPER=/usr/local/bin/forklift
for GCS cache optimization. On our VPS runners without GCP credentials,
forklift crashes with a nil pointer dereference when trying to create
a GCS client. The global env RUSTC_WRAPPER="" doesn't reliably propagate
into Docker containers.
Fix: Add explicit "Disable forklift cache wrapper" step in every
container job that runs cargo commands, using $GITHUB_ENV to ensure
the empty RUSTC_WRAPPER persists across all steps within the job.
Affected workflows: build-publish-images, checks, tests, tests-misc,
build-misc, docs (32 container jobs total).
Observed run times show previous timeouts still too tight:
- test-node-metrics: timed out at 90min → increased to 180min
- cargo-check-each-crate: timed out at 140min → increased to 240min (4h)
- cargo-check-all-crate-macos: timed out at 90min → increased to 150min
- test-pezframe-ui: preemptively increased 90→150min
- test-deterministic-wasm: preemptively increased 75→180min