- proptest-fuzz the untrusted frame parsers (sbx/ai/perm/users/decode_msg) so a hostile relay/peer can never panic a client; fixes a decode_msg timestamp byte-slice that panicked on a non-ASCII stamp (now char-boundary safe)
- extract a pure classify_vtx_holders() out of vtx_holders() and unit-test the KVM/QEMU/multipass detection and stoppability rules
- headless cross-stack smoke test (smoke-e2e.sh): real relay + two TUI clients in tmux, asserting SRP join, Fernet chat round-trip, and command dispatch
- CI: macOS matrix for the Rust client, cargo-audit + pip-audit, gitleaks secret scan, llvm-cov/pytest-cov coverage, and a smoke-test job

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
# Continuous integration workflow for the Rust client (hh/) and the Python server.
name: CI

# Triggers: pushes to the listed branches, and pull requests that target main.
# `pull_request` (not `pull_request_target`) runs the PR's code without access
# to repository secrets when the PR comes from a fork.
on:
  push:
    branches:
      - main
      - hack-house
  pull_request:
    branches:
      - main
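# NOTE(review): every `uses:` below references a mutable tag or branch
# (@v4, @v5, @v2, @stable, @cargo-llvm-cov, @cargo-audit). A moved tag changes
# the code that runs in CI; pin third-party actions to a full commit SHA and
# let a dependency-update bot bump them.
jobs:
  # Format check, lint, build and test of the Rust client on Linux and macOS.
  rust:
    name: rust client (hh)
    # Least privilege: the job only checks out, builds and tests.
    permissions:
      contents: read
    strategy:
      # Let the other OS leg finish even if one fails.
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    defaults:
      run:
        working-directory: hh
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy, rustfmt
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: hh
      # fmt is platform-independent; only run it once to avoid duplicate noise.
      - if: matrix.os == 'ubuntu-latest'
        run: cargo fmt --all --check
      # -D warnings turns every clippy warning into a build failure.
      - run: cargo clippy --all-targets -- -D warnings
      - run: cargo build --verbose
      - run: cargo test --verbose

  # Line coverage for the Rust client, uploaded to Codecov.
  rust-coverage:
    name: rust coverage
    permissions:
      contents: read
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: hh
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: llvm-tools-preview
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: hh
      - uses: taiki-e/install-action@cargo-llvm-cov
      - run: cargo llvm-cov --lcov --output-path lcov.info
      # The upload step is not subject to the job's working-directory default,
      # hence the hh/ prefix on the report path.
      - uses: codecov/codecov-action@v4
        with:
          files: hh/lcov.info
          flags: rust
          # Empty on pull requests from forks (secrets are not exposed there);
          # fail_ci_if_error: false keeps a failed upload from failing the job.
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: false

  # Test suite of the Python server across the supported interpreters.
  python:
    name: python server
    permissions:
      contents: read
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so that 3.10 is not read as the float 3.1.
        python-version: ["3.10", "3.11", "3.12"]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: pip
      # NOTE(review): pytest-cov is installed unpinned; whether requirements.txt
      # pins versions or hashes is not visible here -- confirm.
      - run: pip install -r requirements.txt pytest-cov
      - run: pytest -q --cov=cmd_chat --cov-report=xml
      # Upload coverage once, from the 3.12 leg only.
      - if: matrix.python-version == '3.12'
        uses: codecov/codecov-action@v4
        with:
          files: coverage.xml
          flags: python
          # Empty on pull requests from forks; see fail_ci_if_error below.
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: false

  # Headless cross-stack smoke test driven by hh/smoke-e2e.sh.
  smoke:
    name: headless e2e smoke
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: hh
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
          cache: pip
      - run: pip install -r requirements.txt
      # tmux is installed for the smoke script.
      - name: install tmux
        run: sudo apt-get update && sudo apt-get install -y tmux
      - name: build client
        run: cargo build
        working-directory: hh
      - name: run cross-stack smoke test
        run: bash hh/smoke-e2e.sh

  # Known-vulnerability checks for the Rust and Python dependency sets.
  audit:
    name: dependency audit
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: taiki-e/install-action@cargo-audit
      - name: cargo audit (rust client)
        run: cargo audit
        working-directory: hh
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # NOTE(review): pip-audit itself is installed unpinned, so the audit tool
      # can change between runs; consider pinning its version.
      - name: pip-audit (python server)
        run: |
          pip install pip-audit
          pip-audit -r requirements.txt

  # Secret scanning of the repository history with gitleaks.
  # NOTE(review): this job declares no `permissions:` and so inherits the
  # repository default for GITHUB_TOKEN. Confirm which scopes gitleaks-action
  # needs and declare them explicitly.
  secrets:
    name: secret scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history, so commits older than the tip are available to scan.
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}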