
Release pipeline doesn't fail fast on missing SBOM #3018

Open
Miguel Arroyo commented 2w ago

Describe the bug

Release pipeline doesn't fail fast on missing SBOM — surfaces on delta-core in the critical-priority path. The full reproduction is below, along with the workaround we use in staging.

Reproduce

  • Clone ln-dev7/delta-core at the tip of main.
  • Run the smoke suite: pnpm test --workspace delta-core.
  • Notice the test for the affected contract flakes within the first 50 iterations.

Expected behavior

The contract should hold deterministically across the full matrix — staging, production, and the local dev runtime.

Environment

  • node 22.x
  • pnpm 9.x
  • OS: macOS 15.2 (also reproduced on Linux 6.x)

Labels: bug, security

sara-lindqvist self-assigned this 2w ago
miguel-arroyo added the label bug 2w ago
miguel-arroyo added this to the milestone Backlog 2w ago
sara-lindqvist added a commit that references this issue: fix(delta): guard the regression surfaced in #3018 (5ed423a) 2w ago
sara-lindqvist mentioned this in #3066 2w ago
Sara Lindqvist commented 1w ago

Can confirm the repro on a clean checkout — the failing case is reliable on macOS 15.2 with Node 22.

Sara Lindqvist commented 1w ago

Pulled this locally, the workaround in the description is solid. Happy to land it as a follow-up.

Sara Lindqvist commented 1w ago

Could we add a regression test before the patch lands? Otherwise this will resurface as soon as the surrounding cleanup happens.

Sara Lindqvist commented 1w ago

Bumping priority — three customers hit this last week, two of them on the enterprise tier.
