
Add Clippy SARIF code scanning#37

Merged
nisavid merged 1 commit into main from nisavid-patch-2 on May 11, 2026
Conversation

@nisavid
Owner

@nisavid nisavid commented May 11, 2026

Summary

  • Add a workflow-defined Clippy SARIF code-scanning integration for Rust.
  • Align Clippy coverage with CI using --workspace --all-targets while leaving warning enforcement in the existing CI workflow.
  • Pin and cache clippy-sarif and sarif-fmt, use rustup directly, and skip SARIF upload for forked pull requests without repository security-event permission.

Verification

  • python3 -c 'import yaml, pathlib; yaml.safe_load(pathlib.Path(".github/workflows/rust-clippy.yml").read_text()); print("yaml ok")'
  • git diff --check

Co-authored-by: Codex <noreply@openai.com>

Summary by CodeRabbit

  • Chores
    • Automated code quality analysis has been integrated into the continuous integration pipeline. Code analysis now runs automatically on all pull requests and changes, with results uploaded to GitHub code scanning for enhanced visibility of potential code quality issues.


Copilot AI review requested due to automatic review settings May 11, 2026 03:07
@coderabbitai

coderabbitai Bot commented May 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 17317f89-0d3b-41ed-8197-4f0f471da381

📥 Commits

Reviewing files that changed from the base of the PR and between f0b2016 and cee664f.

📒 Files selected for processing (1)
  • .github/workflows/rust-clippy.yml

📝 Walkthrough

Walkthrough

Adds a GitHub Actions workflow that runs cargo clippy (workspace/all targets), converts JSON output to SARIF via clippy-sarif and sarif-fmt, caches those tools, and uploads the SARIF to GitHub Code Scanning on pushes/PRs to main, scheduled runs, and manual dispatch.

Changes

Rust Clippy CI Workflow

All entries below are in .github/workflows/rust-clippy.yml:

  • Workflow Triggers: Workflow name, triggers (push/PR to main, weekly cron, workflow_dispatch), permissions, and SARIF tool version env vars.
  • Job Configuration: Defines clippy-sarif job on ubuntu-latest with a 30-minute timeout.
  • Toolchain & Checkout: Checks out repository and installs Rust clippy component.
  • SARIF Tools Cache: Caches clippy-sarif and sarif-fmt binaries keyed by OS and pinned versions.
  • Conditional Tool Installation: Runs cargo install for clippy-sarif/sarif-fmt only when cache is missing.
  • Clippy Run & SARIF Conversion: Runs cargo clippy with JSON messages across workspace/all targets, pipes through clippy-sarif and sarif-fmt to produce rust-clippy-results.sarif.
  • SARIF Results Upload: Uploads SARIF using github/codeql-action/upload-sarif@v4, gated for fork PR origin and waits for processing.

Sequence Diagram(s)

sequenceDiagram
  participant GitHub as GitHub Actions
  participant Runner as ubuntu-latest
  participant Clippy as cargo clippy
  participant Converter as clippy-sarif & sarif-fmt
  participant Upload as upload-sarif@v4

  GitHub->>Runner: start clippy-sarif job
  Runner->>Clippy: install clippy component / run `cargo clippy --message-format=json --workspace --all-targets`
  Clippy->>Converter: stream JSON messages
  Converter->>Runner: write `rust-clippy-results.sarif`
  Runner->>Upload: upload `rust-clippy-results.sarif` (wait-for-processing)
  Upload->>GitHub: register code scanning results

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 A linting hop, so spry and quick,
I chase each warning, sniff each stick,
SARIF wrapped up neat and bright,
Uploaded for the team’s delight. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Add Clippy SARIF code scanning' accurately and concisely summarizes the primary change: adding a GitHub Actions workflow for Rust Clippy static analysis with SARIF code scanning integration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@greptile-apps

greptile-apps Bot commented May 11, 2026

Greptile Summary

This PR introduces a new .github/workflows/rust-clippy.yml workflow that runs cargo clippy on every push/PR to main, on a weekly schedule, and on demand, converting output to SARIF and uploading it to GitHub code scanning. It addresses all three concerns raised in a prior review round (archived action, missing version pins/cache, and the run: | consistency).

  • Installs Rust's clippy component directly with rustup, pins clippy-sarif and sarif-fmt via env-var versions, and caches the compiled binaries to avoid redundant source builds.
  • Uses always() combined with a fork-PR guard on the SARIF upload step to ensure results are uploaded after Clippy exits non-zero while correctly skipping upload for fork PRs that lack security-events: write permission.
  • Mirrors the existing codeql.yml structure (same permissions block, actions/checkout@v6, github/codeql-action/upload-sarif@v4) so the new workflow is visually consistent with the rest of the repo.

Confidence Score: 5/5

Safe to merge — adds a read-only code-scanning workflow with no changes to build, test, or deployment logic.

The change is purely additive (a new workflow file), the SARIF tooling is version-pinned and cached, the fork-PR guard is correctly implemented, and the workflow structure mirrors the already-working codeql.yml in the repo. No production code paths are affected.

No files require special attention.

Important Files Changed

  • .github/workflows/rust-clippy.yml: New Clippy SARIF scanning workflow; correctly pins versions, caches SARIF tools, guards SARIF upload against fork PRs, and is structurally consistent with the existing codeql.yml.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Event
    participant Checkout as actions/checkout
    participant Rustup as rustup
    participant Cache as actions/cache
    participant CargoInstall as cargo install
    participant Clippy as cargo clippy
    participant SARIF as clippy-sarif / sarif-fmt
    participant Upload as upload-sarif

    GH->>Checkout: trigger workflow
    Checkout->>Rustup: rustup component add clippy
    Rustup->>Cache: restore ~/.cargo/bin/clippy-sarif and sarif-fmt
    alt cache miss
        Cache->>CargoInstall: cargo install --locked clippy-sarif sarif-fmt
    end
    Rustup->>Clippy: "cargo clippy --workspace --all-targets --message-format=json"
    Clippy->>SARIF: "JSON diagnostics piped to clippy-sarif | tee | sarif-fmt"
    SARIF-->>SARIF: writes rust-clippy-results.sarif
    alt not fork PR
        SARIF->>Upload: "github/codeql-action/upload-sarif@v4"
    end

Reviews (3): Last reviewed commit: "ci(clippy): add SARIF code scanning" | Re-trigger Greptile
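As an added example (not the repository's own rust-clippy.yml, which this page does not reproduce), here is a workflow that assembles the pieces the summaries above describe: tool versions pinned in env, a cache keyed by OS and those versions, a --locked install only on cache miss, the clippy-to-SARIF pipe, and the fork-PR upload guard. The cron and version strings are placeholders, and the permissions block, actions/cache@v4 and the use of !cancelled() instead of always() are my choices rather than details taken from the PR.

```yaml
name: Clippy SARIF code scanning

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: "0 6 * * 1"  # placeholder weekly schedule; the PR page does not show its cron
  workflow_dispatch:
permissions:
  contents: read
  security-events: write  # required by upload-sarif; fork-PR tokens only get read
env:
  CLIPPY_SARIF_VERSION: "0.0.0-PLACEHOLDER"  # set to the pinned release
  SARIF_FMT_VERSION: "0.0.0-PLACEHOLDER"
jobs:
  clippy-sarif:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v6
      - run: rustup component add clippy
      - name: Restore pinned SARIF tools
        id: sarif-tools
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/clippy-sarif
            ~/.cargo/bin/sarif-fmt
          # a new pin changes the key, so a stale binary is never reused
          key: ${{ runner.os }}-sarif-tools-${{ env.CLIPPY_SARIF_VERSION }}-${{ env.SARIF_FMT_VERSION }}
      - name: Build SARIF tools on cache miss
        if: steps.sarif-tools.outputs.cache-hit != 'true'
        run: |
          cargo install --locked --version "$CLIPPY_SARIF_VERSION" clippy-sarif
          cargo install --locked --version "$SARIF_FMT_VERSION" sarif-fmt
      - name: Run Clippy and convert to SARIF
        shell: bash  # explicit bash adds pipefail, so a non-zero clippy exit fails this step
        run: |
          cargo clippy --workspace --all-targets --message-format=json \
            | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
      - name: Upload SARIF
        # !cancelled() still uploads after a failed clippy step; the second clause
        # skips fork PRs, whose GITHUB_TOKEN cannot write security events
        if: ${{ !cancelled() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: rust-clippy-results.sarif
          wait-for-processing: true
```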

Copilot AI left a comment


Pull request overview

Adds a new GitHub Actions workflow intended to run Rust Clippy and upload results to GitHub as SARIF for code scanning visibility.

Changes:

  • Introduces .github/workflows/rust-clippy.yml to run cargo clippy and convert JSON output into SARIF.
  • Uploads the generated rust-clippy-results.sarif via github/codeql-action/upload-sarif@v3.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f413a9a041


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/rust-clippy.yml (1)

51-56: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard SARIF upload for forked pull requests.

Fork pull requests have read-only permissions for security-events, causing SARIF upload to fail. Add a conditional to skip upload for forked PRs while allowing uploads on push, schedule, and non-fork pull requests.

Suggested change
       - name: Upload analysis results to GitHub
+        if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }}
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: rust-clippy-results.sarif
           wait-for-processing: true
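Review bot: the suggested `if:` uses `always()`, which also runs the upload step when the job is cancelled; `!cancelled()` keeps the intended behaviour (upload after a failed Clippy step) without that side effect, so `if: ${{ !cancelled() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }}` is the safer form. The suggestion is also written against `github/codeql-action/upload-sarif@v3`, while the merged workflow (per the Greptile summary above) uses `upload-sarif@v4`, so it should be applied to the v4 step.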
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rust-clippy.yml around lines 51 - 56, The workflow step
"Upload analysis results to GitHub" (uses: github/codeql-action/upload-sarif@v3,
sarif_file: rust-clippy-results.sarif) needs a condition to skip SARIF upload
for forked pull requests; add an if: expression such as checking
github.event_name and validating the PR repo is the same as the base repo (for
example: if: github.event_name != 'pull_request' ||
github.event.pull_request.head.repo.full_name == github.repository) so uploads
run on push/schedule and non-fork PRs but are skipped for forked PRs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/rust-clippy.yml:
- Around line 14-17: The YAML uses spaced array syntax `[ "main" ]` on the
branches keys, which triggers lint errors; replace those with the compact form
`["main"]` for both occurrences under the top-level branches and
pull_request.branches so the entries are parsed without extra spaces and satisfy
the linter (update the two array values that currently read `[ "main" ]`).
- Line 34: The workflow uses the archived action uses:
actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af; replace this with
the maintained action uses: actions-rust-lang/setup-rust-toolchain@v1 and adjust
any action inputs to the new action's names (e.g., map existing
toolchain/profile/component/target inputs to the setup-rust-toolchain
equivalents such as toolchain, profile, components, targets) so the step that
previously referenced actions-rs/toolchain continues to install the correct Rust
toolchain and components.
- Line 42: Update the GitHub Actions step that runs the Cargo installation
command so it uses the --locked flag to ensure deterministic installs;
specifically modify the command that currently runs cargo install clippy-sarif
sarif-fmt to include --locked (i.e., cargo install --locked clippy-sarif
sarif-fmt) so the build uses each crate's locked dependency versions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 57d71953-960b-4362-a9b5-43fbd9c3f07e

📥 Commits

Reviewing files that changed from the base of the PR and between 37ccaae and f413a9a.

📒 Files selected for processing (1)
  • .github/workflows/rust-clippy.yml

@nisavid nisavid force-pushed the nisavid-patch-2 branch from f413a9a to f0b2016 on May 11, 2026 11:53
@nisavid nisavid changed the title from "Add rust-clippy analysis workflow" to "Add Clippy SARIF code scanning" on May 11, 2026
Configure workflow-defined Clippy code scanning alongside the existing warning-enforcing Rust CI gate.

Use the repo workspace and all-targets coverage, pin and cache SARIF tools, use rustup directly, and skip SARIF upload for forked pull requests without repository security-event permission.

Co-authored-by: Codex <noreply@openai.com>
@nisavid nisavid force-pushed the nisavid-patch-2 branch from f0b2016 to cee664f on May 11, 2026 12:01
@nisavid nisavid merged commit 9760f26 into main May 11, 2026
12 checks passed
@nisavid nisavid deleted the nisavid-patch-2 branch May 11, 2026 12:11