Use bazel mirror due to expired cert

See https://github.com/DataDog/datadog-agent/pull/44621
and the original issue in
https://github.com/bazelbuild/bazel/issues/28101

.bazeliskrc

@@ -0,0 +1 @@
+BAZELISK_BASE_URL=https://github.com/bazelbuild/bazel/releases/download

.buildkite-bazelrc

@@ -32,6 +32,10 @@ import %workspace%/.bazelrc
 # startup --digest_function=blake3
 
 startup --host_jvm_args=-Xmx8g --host_jvm_args=-Xms4g
+
+# Disable bzlmod to avoid BCR registry access (certificate issues)
+common --noenable_bzlmod
+
 build --experimental_strict_action_env
 build --sandbox_tmpfs_path=/tmp
 build --verbose_failures

BUILD.bazel

@@ -193,7 +193,7 @@ nogo(
         "//tools/analyzers/featureconfig:go_default_library",
         "//tools/analyzers/gocognit:go_default_library",
         "//tools/analyzers/ineffassign:go_default_library",
-        "//tools/analyzers/httperror:go_default_library",
+        "//tools/analyzers/httpwriter:go_default_library",
         "//tools/analyzers/interfacechecker:go_default_library",
         "//tools/analyzers/logcapitalization:go_default_library",
         "//tools/analyzers/logruswitherror:go_default_library",

bazel.sh

@@ -8,4 +8,5 @@ env -i \
  PATH=/usr/bin:/bin \
  HOME="$HOME" \
  GOOGLE_APPLICATION_CREDENTIALS="$GOOGLE_APPLICATION_CREDENTIALS" \
+ BAZELISK_BASE_URL="https://github.com/bazelbuild/bazel/releases/download" \
  bazel "$@"

beacon-chain/blockchain/execution_engine.go

@@ -323,14 +323,17 @@ func (s *Service) getPayloadAttribute(ctx context.Context, st state.BeaconState,
 	var ok bool
 	e := slots.ToEpoch(slot)
 	stateEpoch := slots.ToEpoch(st.Slot())
-	if e == stateEpoch {
+	fuluAndNextEpoch := st.Version() >= version.Fulu && e == stateEpoch+1
+	if e == stateEpoch || fuluAndNextEpoch {
 		val, ok = s.trackedProposer(st, slot)
 		if !ok {
 			return emptyAttri
 		}
 	}
-	st = st.Copy()
 	if slot > st.Slot() {
+		// At this point either we know we are proposing on a future slot or we need to still compute the
+		// right proposer index pre-Fulu, either way we need to copy the state to process it.
+		st = st.Copy()
 		var err error
 		st, err = transition.ProcessSlotsUsingNextSlotCache(ctx, st, headRoot, slot)
 		if err != nil {
@@ -338,7 +341,7 @@ func (s *Service) getPayloadAttribute(ctx context.Context, st state.BeaconState,
 			return emptyAttri
 		}
 	}
-	if e > stateEpoch {
+	if e > stateEpoch && !fuluAndNextEpoch {
 		emptyAttri := payloadattribute.EmptyWithVersion(st.Version())
 		val, ok = s.trackedProposer(st, slot)
 		if !ok {

beacon-chain/core/electra/consolidations.go

@@ -278,12 +278,12 @@ func ProcessConsolidationRequests(ctx context.Context, st state.BeaconState, req
 		if uint64(curEpoch) < e {
 			continue
 		}
-		bal, err := st.PendingBalanceToWithdraw(srcIdx)
+		hasBal, err := st.HasPendingBalanceToWithdraw(srcIdx)
 		if err != nil {
 			log.WithError(err).Error("Failed to fetch pending balance to withdraw")
 			continue
 		}
-		if bal > 0 {
+		if hasBal {
 			continue
 		}
 

beacon-chain/rpc/eth/config/handlers.go

@@ -40,6 +40,7 @@ func GetForkSchedule(w http.ResponseWriter, r *http.Request) {
 		httputil.WriteJson(w, &structs.GetForkScheduleResponse{
 			Data: data,
 		})
+		return
 	}
 	previous := schedule[0]
 	for _, entry := range schedule {

changelog/builder-index.md

@@ -0,0 +1,3 @@
+### Added
+
+- `primitives.BuilderIndex`: SSZ `uint64` wrapper for builder registry indices.

changelog/potuz_next_epoch_attributes.md

@@ -0,0 +1,3 @@
+### Fixed
+
+- Do not process slots and copy states for next epoch proposers after Fulu

changelog/potuz_use_baze_mirror.md

@@ -0,0 +1,2 @@
+### Ignored
+- Use bazel mirror due to expired certificate.

changelog/radek_extend-http-analyzer.md

@@ -0,0 +1,3 @@
+### Changed
+
+- Extend `httperror` analyzer to more functions.

changelog/sashass1315_fix-panic.md

@@ -0,0 +1,3 @@
+### Fixed
+
+- avoid panic when fork schedule is empty [#16175](https://github.com/OffchainLabs/prysm/pull/16175)

changelog/satushh-consolidation.md

@@ -0,0 +1,3 @@
+### Changed
+
+- Performance improvement in ProcessConsolidationRequests: Use more performance HasPendingBalanceToWithdraw instead of PendingBalanceToWithdraw as no need to calculate full total pending balance. 

consensus-types/primitives/BUILD.bazel

@@ -4,6 +4,7 @@ go_library(
     name = "go_default_library",
     srcs = [
         "basis_points.go",
+        "builder_index.go",
         "committee_bits_mainnet.go",
         "committee_bits_minimal.go",  # keep
         "committee_index.go",
@@ -31,6 +32,7 @@ go_library(
 go_test(
     name = "go_default_test",
     srcs = [
+        "builder_index_test.go",
         "committee_index_test.go",
         "domain_test.go",
         "epoch_test.go",

consensus-types/primitives/builder_index.go

@@ -0,0 +1,54 @@
+package primitives
+
+import (
+	"fmt"
+
+	fssz "github.com/prysmaticlabs/fastssz"
+)
+
+var _ fssz.HashRoot = (BuilderIndex)(0)
+var _ fssz.Marshaler = (*BuilderIndex)(nil)
+var _ fssz.Unmarshaler = (*BuilderIndex)(nil)
+
+// BuilderIndex is an index into the builder registry.
+type BuilderIndex uint64
+
+// HashTreeRoot returns the SSZ hash tree root of the index.
+func (b BuilderIndex) HashTreeRoot() ([32]byte, error) {
+	return fssz.HashWithDefaultHasher(b)
+}
+
+// HashTreeRootWith appends the SSZ uint64 representation of the index to the given hasher.
+func (b BuilderIndex) HashTreeRootWith(hh *fssz.Hasher) error {
+	hh.PutUint64(uint64(b))
+	return nil
+}
+
+// UnmarshalSSZ decodes the SSZ-encoded uint64 index from buf.
+func (b *BuilderIndex) UnmarshalSSZ(buf []byte) error {
+	if len(buf) != b.SizeSSZ() {
+		return fmt.Errorf("expected buffer of length %d received %d", b.SizeSSZ(), len(buf))
+	}
+	*b = BuilderIndex(fssz.UnmarshallUint64(buf))
+	return nil
+}
+
+// MarshalSSZTo appends the SSZ-encoded index to dst and returns the extended buffer.
+func (b *BuilderIndex) MarshalSSZTo(dst []byte) ([]byte, error) {
+	marshalled, err := b.MarshalSSZ()
+	if err != nil {
+		return nil, err
+	}
+	return append(dst, marshalled...), nil
+}
+
+// MarshalSSZ encodes the index as an SSZ uint64.
+func (b *BuilderIndex) MarshalSSZ() ([]byte, error) {
+	marshalled := fssz.MarshalUint64([]byte{}, uint64(*b))
+	return marshalled, nil
+}
+
+// SizeSSZ returns the size of the SSZ-encoded index in bytes.
+func (b *BuilderIndex) SizeSSZ() int {
+	return 8
+}

consensus-types/primitives/builder_index_test.go

@@ -0,0 +1,86 @@
+package primitives_test
+
+import (
+	"encoding/binary"
+	"slices"
+	"strconv"
+	"testing"
+
+	"github.com/OffchainLabs/prysm/v7/consensus-types/primitives"
+	"github.com/OffchainLabs/prysm/v7/testing/require"
+)
+
+func TestBuilderIndex_SSZRoundTripAndHashRoot(t *testing.T) {
+	cases := []uint64{
+		0,
+		1,
+		42,
+		(1 << 32) - 1,
+		1 << 32,
+		^uint64(0),
+	}
+
+	for _, v := range cases {
+		t.Run("v="+u64name(v), func(t *testing.T) {
+			t.Parallel()
+
+			val := primitives.BuilderIndex(v)
+			require.Equal(t, 8, (&val).SizeSSZ())
+
+			enc, err := (&val).MarshalSSZ()
+			require.NoError(t, err)
+			require.Equal(t, 8, len(enc))
+
+			wantEnc := make([]byte, 8)
+			binary.LittleEndian.PutUint64(wantEnc, v)
+			require.DeepEqual(t, wantEnc, enc)
+
+			dstPrefix := []byte("prefix:")
+			dst, err := (&val).MarshalSSZTo(slices.Clone(dstPrefix))
+			require.NoError(t, err)
+			wantDst := append(dstPrefix, wantEnc...)
+			require.DeepEqual(t, wantDst, dst)
+
+			var decoded primitives.BuilderIndex
+			require.NoError(t, (&decoded).UnmarshalSSZ(enc))
+			require.Equal(t, val, decoded)
+
+			root, err := val.HashTreeRoot()
+			require.NoError(t, err)
+
+			var wantRoot [32]byte
+			binary.LittleEndian.PutUint64(wantRoot[:8], v)
+			require.Equal(t, wantRoot, root)
+		})
+	}
+}
+
+func TestBuilderIndex_UnmarshalSSZRejectsWrongSize(t *testing.T) {
+	for _, size := range []int{7, 9} {
+		t.Run("size="+strconv.Itoa(size), func(t *testing.T) {
+			t.Parallel()
+			var v primitives.BuilderIndex
+			err := (&v).UnmarshalSSZ(make([]byte, size))
+			require.ErrorContains(t, "expected buffer of length 8", err)
+		})
+	}
+}
+
+func u64name(v uint64) string {
+	switch v {
+	case 0:
+		return "0"
+	case 1:
+		return "1"
+	case 42:
+		return "42"
+	case (1 << 32) - 1:
+		return "2^32-1"
+	case 1 << 32:
+		return "2^32"
+	case ^uint64(0):
+		return "max"
+	default:
+		return "custom"
+	}
+}

network/httputil/writer.go

@@ -43,6 +43,7 @@ func WriteJson(w http.ResponseWriter, v any) {
 func WriteSsz(w http.ResponseWriter, respSsz []byte) {
 	w.Header().Set("Content-Length", strconv.Itoa(len(respSsz)))
 	w.Header().Set("Content-Type", api.OctetStreamMediaType)
+	w.WriteHeader(http.StatusOK)
 	if _, err := io.Copy(w, io.NopCloser(bytes.NewReader(respSsz))); err != nil {
 		log.WithError(err).Error("Could not write response message")
 	}

tools/analyzers/httpwriter/BUILD.bazel

@@ -3,7 +3,7 @@ load("@prysm//tools/go:def.bzl", "go_library")
 go_library(
     name = "go_default_library",
     srcs = ["analyzer.go"],
-    importpath = "github.com/OffchainLabs/prysm/v7/tools/analyzers/httperror",
+    importpath = "github.com/OffchainLabs/prysm/v7/tools/analyzers/httpwriter",
     visibility = ["//visibility:public"],
     deps = [
         "@org_golang_x_tools//go/analysis:go_default_library",

tools/analyzers/httpwriter/analyzer.go

@@ -1,4 +1,4 @@
-package httperror
+package httpwriter
 
 import (
 	"go/ast"
@@ -9,8 +9,8 @@ import (
 )
 
 var Analyzer = &analysis.Analyzer{
-	Name: "httperror",
-	Doc:  "Ensures calls to httputil.HandleError are immediately followed by a return statement.",
+	Name: "httpwriter",
+	Doc:  "Ensures that httputil functions which make use of the writer are immediately followed by a return statement.",
 	Requires: []*analysis.Analyzer{
 		inspect.Analyzer,
 	},
@@ -99,7 +99,7 @@ func checkBlock(pass *analysis.Pass, fn *ast.FuncDecl, block *ast.BlockStmt, nex
 
 		// Now check the current statement itself: is it (or does it contain) a direct call to httputil.HandleError?
 		// We only consider ExprStmt that are direct CallExpr to httputil.HandleError.
-		call := findHandleErrorCall(stmt)
+		call, name := findHandleErrorCall(stmt)
 		if call == nil {
 			continue
 		}
@@ -121,7 +121,7 @@ func checkBlock(pass *analysis.Pass, fn *ast.FuncDecl, block *ast.BlockStmt, nex
 				continue
 			}
 			// otherwise it's not a return (even if it's an if/for etc) -> violation
-			pass.Reportf(stmt.Pos(), "call to httputil.HandleError must be immediately followed by a return statement")
+			pass.Reportf(stmt.Pos(), "call to httputil.%s must be immediately followed by a return statement", name)
 			continue
 		}
 
@@ -133,31 +133,33 @@ func checkBlock(pass *analysis.Pass, fn *ast.FuncDecl, block *ast.BlockStmt, nex
 		}
 
 		// Non-void function and it's the last statement → violation
-		pass.Reportf(stmt.Pos(), "call to httputil.HandleError must be followed by return because function has return values")
+		pass.Reportf(stmt.Pos(), "call to httputil.%s must be immediately followed by a return statement", name)
 	}
 }
 
 // findHandleErrorCall returns the call expression if stmt is a direct call to httputil.HandleError(...),
 // otherwise nil. We only match direct ExprStmt -> CallExpr -> SelectorExpr where selector is httputil.HandleError.
-func findHandleErrorCall(stmt ast.Stmt) *ast.CallExpr {
+func findHandleErrorCall(stmt ast.Stmt) (*ast.CallExpr, string) {
 	es, ok := stmt.(*ast.ExprStmt)
 	if !ok {
-		return nil
+		return nil, ""
 	}
 	call, ok := es.X.(*ast.CallExpr)
 	if !ok {
-		return nil
+		return nil, ""
 	}
 	sel, ok := call.Fun.(*ast.SelectorExpr)
 	if !ok {
-		return nil
+		return nil, ""
 	}
 	pkgIdent, ok := sel.X.(*ast.Ident)
 	if !ok {
-		return nil
+		return nil, ""
 	}
-	if pkgIdent.Name == "httputil" && sel.Sel.Name == "HandleError" {
-		return call
+	selectorName := sel.Sel.Name
+	if pkgIdent.Name == "httputil" &&
+		(selectorName == "HandleError" || selectorName == "WriteError" || selectorName == "WriteJson" || selectorName == "WriteSSZ") {
+		return call, selectorName
 	}
-	return nil
+	return nil, ""
 }