-
Notifications
You must be signed in to change notification settings - Fork 16
268 lines (223 loc) · 9.3 KB
/
ci.yml
File metadata and controls
268 lines (223 loc) · 9.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_call:
permissions:
contents: read
checks: write
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
RG_VERSION: 15.1.0
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@1.95.0
with:
components: rustfmt, clippy
- uses: Swatinem/rust-cache@v2
- name: Check formatting
run: cargo fmt --all -- --check
- name: Run clippy
run: cargo clippy --all-targets --all-features -- -D warnings
- name: Build documentation
run: cargo doc --no-deps --all-features
env:
RUSTDOCFLAGS: "-D warnings"
audit:
name: Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@1.95.0
- name: Security audit (cargo-audit)
uses: rustsec/audit-check@v2.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
ignore: RUSTSEC-2023-0071
- name: License check (cargo-deny)
uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check licenses sources
- name: Install cargo-vet
uses: taiki-e/install-action@v2
with:
tool: cargo-vet
- name: Supply chain audit (cargo-vet)
run: cargo vet --locked
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@1.95.0
- uses: Swatinem/rust-cache@v2
# Pre-installed on `ubuntu-latest` images, but make the dependency
# explicit so a future runner image change can't silently turn the
# `sqlite_differential_tests` suite into a no-op (it skips when
# `sqlite3` isn't on PATH).
- name: Install host sqlite3 for differential tests
run: |
which sqlite3 || sudo apt-get update && sudo apt-get install -y sqlite3
sqlite3 --version
# Install the uutils multicall binary for
# `coreutils_differential_tests`. The harness gracefully skips when
# the binary is unavailable, so `continue-on-error` keeps the
# regular Test job green when the upstream install action has a
# bad day — the drift workflow (`coreutils-args-drift.yml`) is the
# authoritative body-drift gate, building uutils from the pinned
# tree before running the harness.
- name: Install uutils coreutils multicall for differential tests
id: install_uutils
continue-on-error: true
uses: taiki-e/install-action@v2
with:
tool: coreutils
- name: Verify uutils on PATH
if: steps.install_uutils.outcome == 'success'
run: coreutils --version
# `rg` differential tests compare against real ripgrep. Pin the
# binary so upstream formatting/path semantics cannot drift under CI.
- name: Install pinned ripgrep for differential tests
run: scripts/install-ripgrep-ci.sh "$RG_VERSION"
# Examples have a dedicated job below; skipping them here avoids
# duplicated example links that can exhaust runner disk on main.
- name: Run tests
run: cargo test --workspace --lib --bins --tests --features http_client,ssh,sqlite
- name: Run strict bash parity tests
run: cargo test -p bashkit --test integration --features http_client,ssh -- spec_tests::bash_comparison_tests --ignored
- name: Run doc tests
run: cargo test --workspace --doc --features http_client,ssh,sqlite
- name: Run realfs tests
run: cargo test --features realfs -p bashkit --test realfs_tests -p bashkit-cli
- name: Run fail-point tests (single-threaded)
run: cargo test --features failpoints --test security_failpoint_tests -- --test-threads=1
- name: Run property-based security tests (proptest)
run: cargo test --test proptest_security -- --test-threads=1
env:
PROPTEST_CASES: 50
examples:
name: Examples
runs-on: ubuntu-latest
# Fork-PR secret exfiltration guard: secrets are NOT exposed at job
# level here, because PR-controlled code (examples, build.rs, scripts)
# executes in this job. Steps that need real secrets gate on
# `github.event.pull_request.head.repo.fork != true` and only set the
# secret in their own step `env:`. See response in PR discussion;
# mirrors the pattern in `coverage.yml` and `js.yml`.
steps:
- uses: actions/checkout@v6
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@1.95.0
- uses: Swatinem/rust-cache@v2
- name: Build examples
run: cargo build --examples --features "git,http_client,ssh,sqlite"
- name: Run examples
run: |
cargo run --example basic
cargo run --example custom_fs
cargo run --example clap_builtin
cargo run --example clap_builtin_subcommands
cargo run --example resource_limits
cargo run --example text_processing
cargo run --example live_mounts
cargo run --example git_workflow --features git
cargo run --example python_external_functions --features python
cargo run --example typescript_external_functions --features typescript
cargo run --example realfs_readonly --features realfs
cargo run --example realfs_readwrite --features realfs
cargo run --example sqlite_basic --features sqlite
cargo run --example sqlite_workflow --features sqlite
# SSH tests
- name: Run ssh builtin tests (mock handler)
run: cargo test --features ssh -p bashkit --test ssh_builtin_tests
- name: Run ssh supabase.sh example and tests
run: |
cargo run --example ssh_supabase --features ssh
cargo test --features ssh -p bashkit --test ssh_supabase_tests
- name: Run realfs bash example
run: |
cargo build -p bashkit-cli --features realfs
bash examples/realfs_mount.sh
- name: Run ticket CLI example
env:
TICKET_REF: 194b71a8bbc3771da1ce9f579395937c976bbddc
run: bash examples/ticket-cli.sh
# Detect whether DOPPLER_TOKEN is configured. Only set on non-fork
# PRs/pushes; fork PRs never see the secret. Subsequent Doppler
# steps gate on `env.DOPPLER_AVAILABLE` so this job stays green
# in repos/forks without the secret configured.
- name: Detect Doppler availability (trusted runs only)
if: github.event.pull_request.head.repo.fork != true
env:
DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
run: |
if [ -n "$DOPPLER_TOKEN" ]; then
echo "DOPPLER_AVAILABLE=true" >> "$GITHUB_ENV"
fi
- name: Install Doppler CLI
if: github.event.pull_request.head.repo.fork != true && env.DOPPLER_AVAILABLE == 'true'
env:
DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
uses: dopplerhq/cli-action@v4
# External API dependency — don't block CI on Anthropic outages.
# ANTHROPIC_API_KEY is sourced from Doppler (single source of truth
# for non-GitHub secrets), so this step also requires Doppler to be
# available, which already implies a non-fork event.
# `--only-secrets` keeps the principle of least privilege: the
# PR-controlled cargo step sees ANTHROPIC_API_KEY only, not every
# secret in the Doppler config.
- name: Run LLM agent example
if: github.event.pull_request.head.repo.fork != true && env.DOPPLER_AVAILABLE == 'true'
continue-on-error: true
env:
DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
run: doppler run --only-secrets ANTHROPIC_API_KEY -- cargo run --example agent_tool --features http_client
- name: Run harness OpenAI joke example
if: github.event.pull_request.head.repo.fork != true && env.DOPPLER_AVAILABLE == 'true'
env:
DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
run: |
cargo build -p bashkit-cli --features realfs --quiet
doppler run --only-secrets OPENAI_API_KEY -- bash examples/harness-openai-joke.sh
fuzz-check:
name: Fuzz Compile Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Install Rust nightly
uses: dtolnay/rust-toolchain@nightly
- name: Install cargo-fuzz
uses: taiki-e/cache-cargo-install-action@v3
with:
tool: cargo-fuzz
locked: true
- name: Verify fuzz targets compile
working-directory: crates/bashkit
run: cargo +nightly fuzz build
# Gate job for branch protection — name must stay "Check"
check:
name: Check
if: always()
needs: [lint, audit, test, examples, fuzz-check]
runs-on: ubuntu-latest
steps:
- name: Verify all jobs passed
run: |
if [[ "${{ needs.lint.result }}" != "success" ]] || \
[[ "${{ needs.audit.result }}" != "success" ]] || \
[[ "${{ needs.test.result }}" != "success" ]] || \
[[ "${{ needs.examples.result }}" != "success" ]] || \
[[ "${{ needs.fuzz-check.result }}" != "success" ]]; then
echo "One or more required jobs failed"
exit 1
fi