guru-connect/.gitea/workflows/build-and-test.yml
Mike Swanson ccc6ba9c02
All checks were successful
Build and Test / Build Agent (Windows) (push) Successful in 12m18s
Build and Test / Build Server (Linux) (push) Successful in 14m11s
Build and Test / Security Audit (push) Successful in 5m32s
Build and Test / Build Summary (push) Successful in 9s
ci: enforce clippy -D warnings and cargo audit as hard gates
Flip both CI gates from informational to hard-fail (SPEC-001 quality gates):
- clippy: `-- -D warnings` on the server crate. Cleared the debt via clippy --fix
  (unused imports/style), targeted #[allow(dead_code)] on native-remote-control
  future API, and #[allow(clippy::too_many_arguments)] on 3 protocol-mirroring fns.
- cargo audit: hard-fail with documented per-ID --ignore flags (rsa RUSTSEC-2023-0071
  unfixable/unreachable in active tree; gtk-rs + glib Linux-only tray backend not
  compiled into the Windows agent; proc-macro-error build-time). New advisories fail.
- Move [profile.release] to the workspace root (it was silently ignored in the server
  member), activating lto/codegen-units/strip.

No behavioral changes. Reviewed and gates verified passing on the build host.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 00:18:50 +00:00

169 lines
6.5 KiB
YAML

name: Build and Test
# PR/push CI gate (SPEC-001): fmt, clippy -D warnings, build, test, cargo-audit.
# This workflow does NOT version, sign, or release — that is release.yml's job. The agent build
# here is a compile gate only (it produces an unsigned artifact for inspection). Release commits
# carry `[skip ci]` so this workflow does not re-run on the version-bump commit.
on:
  push:
    branches:
      - main
      - develop
  pull_request:
    branches:
      - main
  workflow_dispatch: # allow manual re-runs (Actions -> Build and Test -> Run workflow)
jobs:
  build-server:
    name: Build Server (Linux)
    runs-on: ubuntu-latest
    # .cargo/config.toml defaults to the windows-msvc target for local Windows dev.
    # On the Linux runner, force the host target so clippy/test (which do not pass
    # an explicit --target) build for Linux instead of an uninstalled cross target.
    env:
      CARGO_BUILD_TARGET: x86_64-unknown-linux-gnu
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Rust toolchain
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
          target: x86_64-unknown-linux-gnu
          override: true
          components: rustfmt, clippy
      - name: Cache Cargo dependencies
        uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-server-${{ hashFiles('server/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-server-
      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y pkg-config libssl-dev protobuf-compiler
      - name: Check formatting
        run: cd server && cargo fmt --all -- --check
      # Hard gate: clippy must pass with zero warnings (-D warnings). Dead-code that is
      # future API surface for native-remote-control carries targeted #[allow(dead_code)].
      - name: Run Clippy
        run: cd server && cargo clippy --all-targets --all-features -- -D warnings
      - name: Build server
        run: |
          cd server
          cargo build --release --target x86_64-unknown-linux-gnu
      - name: Run tests
        run: |
          cd server
          cargo test --release
      - name: Upload server binary
        uses: actions/upload-artifact@v3
        with:
          name: guruconnect-server-linux
          path: server/target/x86_64-unknown-linux-gnu/release/guruconnect-server
          retention-days: 30
  build-agent:
    name: Build Agent (Windows)
    # Native build on the Pluto Gitea Actions runner (host-mode, Windows Server 2019).
    # The MSVC toolchain (x86_64-pc-windows-msvc target + crt-static via .cargo/config.toml)
    # is pre-installed under the Administrator profile; the runner itself runs as SYSTEM, so
    # the job points CARGO_HOME/RUSTUP_HOME at the Administrator homes.
    runs-on: windows-msvc
    env:
      CARGO_HOME: C:\Users\Administrator\.cargo
      RUSTUP_HOME: C:\Users\Administrator\.rustup
      # prost-build (agent build.rs) needs protoc; set it explicitly rather than rely on the
      # runner inheriting the machine env. protoc + bin are installed on the Pluto host.
      PROTOC: C:\protoc\bin\protoc.exe
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Add toolchain dirs to PATH
        shell: pwsh
        run: |
          # Make cargo/rustc (Administrator toolchain) and protoc visible to later steps.
          "C:\Users\Administrator\.cargo\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
          "C:\protoc\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
      - name: Toolchain sanity check
        shell: pwsh
        run: |
          # Fail early with a clear marker if the pre-installed toolchain is not reachable.
          cargo --version
          rustc --version
      - name: Build agent (native x86_64-pc-windows-msvc)
        shell: pwsh
        run: |
          # crt-static and the default target come from .cargo/config.toml; we pass --target
          # explicitly so the artifact path is deterministic regardless of host defaults.
          Set-Location agent
          cargo build --release --target x86_64-pc-windows-msvc
          Write-Host "[OK] Built agent for x86_64-pc-windows-msvc"
      - name: Upload agent binary
        uses: actions/upload-artifact@v3
        with:
          name: guruconnect-agent-windows
          # Cargo workspace: built binary lands in the workspace-root target/, not agent/target/.
          path: target/x86_64-pc-windows-msvc/release/guruconnect.exe
          retention-days: 30
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Rust toolchain
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
      - name: Install cargo-audit
        run: cargo install cargo-audit
      # Hard gate: cargo audit must pass. GuruConnect is a single Cargo workspace, so one
      # `cargo audit` at the root covers all members (agent + server) via the shared Cargo.lock.
      # The advisories below are explicitly ignored with documented justifications; any NEW
      # advisory fails the build.
      #   RUSTSEC-2023-0071 (rsa) ............. no fixed upgrade; optional/unreachable in active tree
      #   RUSTSEC-2024-0413/-0416/-0412/-0418/
      #     -0415/-0420/-0419 (gtk-rs GTK3) ..... Linux-only tray-icon backend, not compiled into shipping Windows agent
      #   RUSTSEC-2024-0429 (glib) ............ Linux-only tray-icon backend, not compiled into shipping Windows agent
      #   RUSTSEC-2024-0370 (proc-macro-error) build-time proc-macro dependency, no runtime impact
      - name: Run security audit
        run: |
          cargo audit --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2024-0413 --ignore RUSTSEC-2024-0416 --ignore RUSTSEC-2024-0412 --ignore RUSTSEC-2024-0418 --ignore RUSTSEC-2024-0415 --ignore RUSTSEC-2024-0420 --ignore RUSTSEC-2024-0419 --ignore RUSTSEC-2024-0429 --ignore RUSTSEC-2024-0370
  build-summary:
    name: Build Summary
    runs-on: ubuntu-latest
    needs: [build-server, build-agent, security-audit]
    steps:
      - name: Build succeeded
        run: |
          echo "All builds completed successfully"
          echo "Server: Linux x86_64"
          echo "Agent: Windows x86_64"
          echo "Security: Passed"
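
The security-audit job relies on every `--ignore` flag having a justification line in the comment block above it. The following check is an added example, not part of the repository: it compares the two lists and reports drift in either direction. The function names are hypothetical, and `RUSTSEC-0000-0000` is a constructed placeholder used only to trigger the "undocumented" case.

```python
import re

# Constructed sample: the comment block and command from the audit step above,
# plus one placeholder ID (RUSTSEC-0000-0000) that has no justification line.
WORKFLOW = """\
# RUSTSEC-2023-0071 (rsa) ............. no fixed upgrade; optional/unreachable in active tree
# RUSTSEC-2024-0413/-0416/-0412/-0418/
# -0415/-0420/-0419 (gtk-rs GTK3) ..... Linux-only tray-icon backend, not compiled into shipping Windows agent
# RUSTSEC-2024-0429 (glib) ............ Linux-only tray-icon backend, not compiled into shipping Windows agent
# RUSTSEC-2024-0370 (proc-macro-error) build-time proc-macro dependency, no runtime impact
- name: Run security audit
  run: |
    cargo audit --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2024-0413 --ignore RUSTSEC-2024-0416 --ignore RUSTSEC-2024-0412 --ignore RUSTSEC-2024-0418 --ignore RUSTSEC-2024-0415 --ignore RUSTSEC-2024-0420 --ignore RUSTSEC-2024-0419 --ignore RUSTSEC-2024-0429 --ignore RUSTSEC-2024-0370 --ignore RUSTSEC-0000-0000
"""

FULL_ID = re.compile(r"RUSTSEC-(\d{4})-(\d{4})")
SHORT_ID = re.compile(r"-(\d{4})")  # the '/-0416' shorthand used in the comment block


def documented_ids(text):
    """Advisory IDs named in '#' comment lines, with the shorthand expanded."""
    ids, year = set(), None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("#"):
            year = None  # shorthand never carries across non-comment lines
            continue
        # Only the ID column counts: everything before the '(crate)' label.
        head = line.lstrip("# ").split("(", 1)[0]
        for token in (t.strip() for t in head.split("/")):
            if m := FULL_ID.fullmatch(token):
                year = m.group(1)
                ids.add(token)
            elif year and (m := SHORT_ID.fullmatch(token)):
                ids.add(f"RUSTSEC-{year}-{m.group(1)}")
    return ids


def ignored_ids(text):
    """Advisory IDs passed to `cargo audit --ignore` outside of comments."""
    cmd = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    return set(re.findall(r"--ignore[\s=]+(RUSTSEC-\d{4}-\d{4})", cmd))


def audit_ignore_drift(text):
    """Ignores lacking a justification, and justifications no longer ignored."""
    doc, ign = documented_ids(text), ignored_ids(text)
    return {"undocumented": sorted(ign - doc), "stale": sorted(doc - ign)}


if __name__ == "__main__":
    print(audit_ignore_drift(WORKFLOW))
```

Run against the real workflow file as an extra CI step, a non-empty `undocumented` list means someone silenced an advisory without recording why.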