presale:
- Split unbounded finalize_presale distribution into batched batch_distribute()
extrinsic (same pattern as batch_refund_failed_presale) to prevent block weight
exhaustion with many contributors
- Fix u128 overflow in calculate_reward_dynamic() by using
multiply_by_rational_with_rounding() for safe intermediate multiplication
- Fix pre-existing batch_refund test assertion (platform fee deduction was not
accounted for in expected refund amount)
validator-pool:
- Bound PoolMembers::iter() with .take(MaxPoolSize) in select_validators_for_era()
to prevent unbounded iteration in on_initialize
- Fix on_initialize weight accounting to include all DB reads/writes from
do_new_era() and select_validators_for_era() (was only counting 2 reads)
Zombienet tests are upstream Polkadot SDK tests without custom pallets.
They consume significant VPS resources (hours of build + test time) on
every push without providing project-specific value.
Removed from automatic CI:
- 4 zombienet artifact build jobs (prepare-*-zombienet-artifacts)
- bridges-zombienet-tests Docker image build
- 4 zombienet trigger jobs + confirmation gate
Zombienet workflows remain available for manual triggering:
gh workflow run zombienet_pezkuwi.yml
gh workflow run zombienet_pezcumulus.yml
gh workflow run zombienet_bizinikiwi.yml
gh workflow run zombienet_teyrchain-template.yml
Zombienet is a 3rd-party upstream tool — its Docker image should
reference paritytech/zombienet, not pezkuwi/zombienet which doesn't
exist on Docker Hub. This fixes all zombienet test failures caused
by image pull failures.
Docker Hub personal account namespace must match the username.
Updated all docker.io image references across workflows, actions,
docker-compose files, and zombienet configs.
The VPS runner's limited bandwidth causes upload-artifact to stall when
uploading hundreds of MB of individual HTML files. Compress crate-docs
into a tar.gz before upload and extract on the publish side.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Regenerate EQUIVOCATION_PROOF_BLOB in pezpallet-babe benchmarking:
the old blob contained stale header hashes that caused
check_equivocation_proof to fail with assertion error
- Exclude pezpallet_revive from quick-benchmarks via
--exclude-pezpallets flag: revive benchmarks require PolkaVM
toolchain (riscv64emac-unknown-none-polkavm) for fixture compilation
which is not available in CI. This removes continue-on-error so
real benchmark failures are now visible
- Increase build-rustdoc timeout from 180 to 240 minutes for VPS runner
- Add NCSA and CDLA-Permissive-2.0 to allowed licenses in deny.toml
(both are permissive open-source licenses used by transitive deps)
- Set fail-fast: false on cargo-deny matrix so all checks run
independently even if one fails
All unmaintained crate warnings are transitive upstream dependencies
that we cannot replace. Disable unmaintained checks in cargo-deny
to prevent false CI failures. Track via quarterly review instead.
- Mark shell command doc block as ```text to fix rustdoc parsing
- Remove duplicated #![cfg(feature = "runtime-benchmarks")] (already gated in lib.rs)
- Use let _ = for unused MultiRemovalResults from clear_prefix
End-to-end encrypted messaging pallet with citizenship and trust score
verification. Integrated into People Chain runtime as pallet index 55.
spec_version bumped to 1_020_009.
GHCR packages are created as private by default and the visibility
cannot be changed via the REST API. Reverting to docker.io/paritytech
until the package visibility is changed to public via GitHub UI at:
https://github.com/orgs/pezkuwichain/packages/container/ci-unified/settings
The mirror-ci-image.yml workflow has already populated GHCR - just
need to make it public, then update this file to use GHCR.
Now that the mirror-ci-image workflow has populated GHCR, switch
.github/env from docker.io/paritytech/ci-unified to our own
ghcr.io/pezkuwichain/ci-unified mirror.
- Fix Docker image tag fallback from 'master' to 'main' to match our default branch
- Bump docker/login-action from v3.5.0 to v3.7.0 for consistency with other workflows
- build-publish-images: replace silent sudo chown failure (2>/dev/null || true)
with proper error handling and fallback cleanup for all 7 push jobs.
Root cause: container build jobs create root-owned files, non-container push
jobs on runner2 couldn't sudo chown without sudoers config.
- tests-misc: add disk cleanup step to cargo-check-all-crate-macos job to free
space before cargo check (remove Android SDK, old CLT SDKs, etc.)
- security-audit: truncate cargo-audit output to 500 lines before writing to
GITHUB_STEP_SUMMARY to avoid the 1MB size limit crash.
- Remove forklift cargo wrapper from build-only-wasm.sh (direct cause of
build-linux-stable failures in container jobs)
- Add .env_remove("RUSTC_WRAPPER") to wasm-builder cargo subprocess to
prevent inheriting forklift from Parity CI container images
- Remove forklift from cargo-check-runtimes action and cmd.py benchmark
build command
- Update test_cmd.py expectations to match forklift removal
- Update no_feature_gated_method.stderr for rebrand: substrate_runtime →
bizinikiwi_runtime, sp_runtime_interface_proc_macro →
pezsp_runtime_interface_proc_macro, and expanded feature list
The Parity CI Docker image sets RUSTC_WRAPPER=/usr/local/bin/forklift
for GCS cache optimization. On our VPS runners without GCP credentials,
forklift crashes with nil pointer dereference when trying to create
GCS client. The global env RUSTC_WRAPPER="" doesn't reliably propagate
into Docker containers.
Fix: Add explicit "Disable forklift cache wrapper" step in every
container job that runs cargo commands, using $GITHUB_ENV to ensure
the empty RUSTC_WRAPPER persists across all steps within the job.
Affected workflows: build-publish-images, checks, tests, tests-misc,
build-misc, docs (32 container jobs total).
Observed run times show previous timeouts still too tight:
- test-node-metrics: timed out at 90min → increased to 180min
- cargo-check-each-crate: timed out at 140min → increased to 240min (4h)
- cargo-check-all-crate-macos: timed out at 90min → increased to 150min
- test-pezframe-ui: preemptively increased 90→150min
- test-deterministic-wasm: preemptively increased 75→180min
- build-linux-stable: disable forklift GCS cache (RUSTC_WRAPPER="")
that panics without GCP credentials on VPS runners
- prepare-bridges-zombienet-artifacts: fix bridges/testing path to
pezbridges/testing (rebrand path was not updated in workflow)
- build-rustdoc: use CARGO_TARGET_DIR instead of ./target for doc
output path (docs generated at /cache/target/doc, not ./target/doc)
- build-push-image-*: add workspace permission fix step before checkout
to handle root-owned files left by Docker container jobs
- All build jobs: increase timeout from 120 to 180 minutes for VPS
- Add cargo-deny + cargo-audit security audit workflow (weekly + on PR)
- Add deny.toml with license, advisory, and source checks
The workspace defines pezkuwi-subxt with default-features = false, which
excludes the jsonrpsee feature. The zombienet-orchestrator uses
OnlineClient::from_url and RpcClient::from_url which are gated behind
the jsonrpsee feature, causing a compilation failure.
The pez-kitchensink-runtime wasm build was failing because pezkuwi-subxt-signer
(a client-side signing utility) was included in the umbrella's runtime-full
feature. This pulled in regex with workspace-inherited default features (std)
and thiserror v1 which doesn't support no-std, both causing compilation failures
on the wasm32v1-none target.
Changes:
- Exclude pezkuwi-subxt-{signer,core,macro,metadata} from runtime-full in the
umbrella generator script (they are client-side crates, not runtime crates)
- Fix pezkuwi-subxt-signer's regex dependency to use explicit version with
default-features=false (Cargo 2021 edition silently ignores default-features
override with workspace=true when workspace has defaults enabled)
- Add regex/perf to signer's std feature for full performance when std is on
The WASM_BUILD_STD=0 approach caused panic_impl duplicate errors because
wasm32-unknown-unknown pre-built sysroot includes std, conflicting with
pezsp-io's panic handler in wasm runtime builds.
Local testing confirmed that wasm32v1-none + no build-std + serde fork
works correctly. The wasm-builder creates a separate cargo project that:
- Excludes std/default features from the runtime
- Has no client crates in the dependency tree
- Properly uses the serde fork for target_os="none" handling
Restore rustup target add wasm32v1-none in all 14 CI build jobs and
remove all WASM_BUILD_STD=0 overrides.
wasm32v1-none pre-built sysroot lacks std, causing memchr compilation
failure. Instead, disable build-std via WASM_BUILD_STD=0 and let
wasm-builder use the pre-built wasm32-unknown-unknown sysroot which
includes std.
Affected: 11 build jobs in build-publish-images.yml, 2 benchmark jobs
in check-pezframe-omni-bencher.yml.
Without this env var, wasm-builder cannot find Cargo.lock when
CARGO_TARGET_DIR is outside the workspace (/cache/target). This causes
the nested wasm build to resolve fresh dependencies, pulling alloy-eips
1.7.3 which requires rustc 1.91 (CI has 1.88.0).
The workspace-level pezkuwi-subxt dependency uses default-features = false,
which disables the native feature. The orchestrator and sdk crates inherited
this without explicitly enabling native, causing compile_error in the
prepare-pezcumulus-zombienet-artifacts CI job.
pezkuwichain
SatoshiQaziMuhammed