
ci: harden PR pipeline (audit, MSRV, beta matrix, release + docker smoke)#57

Open: beardthelion wants to merge 2 commits into main from ci/harden-pipeline

Conversation

beardthelion (Collaborator) commented Jun 18, 2026

Splits the single stable-only fmt + clippy + test job in pr-checks.yml into focused jobs and adds the coverage the pipeline was missing.

What runs on every PR now:

  • fmt + clippy (stable): cargo fmt --all -- --check, cargo clippy --workspace --all-targets -- -D warnings
  • test: matrix on stable and beta, cargo test --workspace. Beta is continue-on-error so an upstream beta regression warns instead of blocking merges; stable stays required.
  • build --release: cargo build --release --workspace, so PRs get a release-profile signal (previously only the release workflow built release artifacts, and only on tags).
  • cargo audit: installs cargo-audit with --locked and runs it against the committed Cargo.lock.
  • MSRV (Rust 1.91): pins the 1.91 toolchain and runs cargo check --workspace --all-targets. Backed by a real rust-version = "1.91" in [workspace.package], inherited by all five crates, so the README/Dockerfile's stated minimum is now enforced instead of aspirational.
  • Docker build smoke test: docker build plus a --version run, mirroring the release workflow's entrypoint, so a Dockerfile regression can't reach main and break docker compose up.

Also added a concurrency group that cancels superseded PR runs (never cancels main) and per-job timeouts. New actions follow the existing SHA-pinned convention.

Heads up on branch protection: the required status check changes from fmt + clippy + test to the new job names (fmt + clippy, test (stable), build --release, cargo audit, MSRV (Rust 1.91), Docker build smoke test). The required-checks list will need updating or PRs will wait on a check that no longer reports. test (beta) is intentionally non-blocking.

Summary by CodeRabbit

Release Notes

  • Chores
    • Established minimum Rust version requirement (1.91) across all packages.
    • Enhanced CI/testing infrastructure with expanded toolchain coverage, automated security audits, minimum supported Rust version validation, and Docker image builds for improved reliability and compatibility assurance.

…er smoke)

Restructure the single stable-only fmt+clippy+test job into separate jobs:
fmt+clippy (stable), a test matrix on stable+beta (beta non-blocking),
build --release, cargo audit, an MSRV check pinned to Rust 1.91, and a
Docker build smoke test mirroring the release workflow. Add concurrency
cancellation for superseded PR runs and per-job timeouts.

Declare rust-version = "1.91" in [workspace.package] and inherit it in
every member crate so the stated MSRV is a real, CI-enforced contract.
coderabbitai (Bot) commented Jun 18, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 9127834 and 909b4cb.

📒 Files selected for processing (1)
  • .github/workflows/pr-checks.yml
Walkthrough

Rust 1.91 is declared as the workspace MSRV in the root Cargo.toml and propagated via rust-version.workspace = true to all five crate manifests. The CI workflow gains workflow-level concurrency cancellation, a dedicated test job with a stable/beta toolchain matrix, and four new jobs: build-release, audit, msrv, and docker-build.

Changes

MSRV Declaration and CI Expansion

  • Workspace and crate MSRV declarations (Cargo.toml, crates/git-remote-gitlawb/Cargo.toml, crates/gitlawb-attest/Cargo.toml, crates/gitlawb-core/Cargo.toml, crates/gitlawb-node/Cargo.toml, crates/gl/Cargo.toml): sets rust-version = "1.91" in [workspace.package] and adds rust-version.workspace = true to each crate's [package] section.
  • CI workflow: concurrency, test matrix, and new jobs (.github/workflows/pr-checks.yml): adds PR-scoped concurrency cancellation, splits cargo test into a matrix job over stable/beta toolchains, and introduces build-release, audit (cargo-audit), msrv (pinned Rust 1.91 cargo check), and Docker smoke-test jobs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 A bunny hops through CI lanes,
Checking Rust with careful chains.
MSRV set to one-nine-one,
Stable, beta — all jobs run!
Docker tests and audits too —
Every crate knows what to do. 🌿

Pre-merge checks: 5 passed

  • Description Check: Passed (check skipped because CodeRabbit's high-level summary is enabled).
  • Title check: Passed. The PR title directly and concisely summarizes the main changes: hardening the CI pipeline with new audit, MSRV, toolchain matrix, and Docker smoke testing capabilities.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; the check was skipped.
  • Linked Issues check: Passed (check skipped because no linked issues were found for this pull request).
  • Out of Scope Changes check: Passed (check skipped because no linked issues were found for this pull request).


coderabbitai (Bot) left a review comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr-checks.yml:
- Around line 27-28: The actions/checkout action in this workflow defaults to
persisting GitHub credentials in the git config, which creates a security risk
since untrusted PR code runs via cargo and docker build commands. Add a with
block containing persist-credentials: false to each of the six checkout steps in
the workflow (each uses
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683) to prevent the GitHub
token from being stored in the local git configuration and exposed to executing
code.


📥 Commits

Reviewing files that changed from the base of the PR and between 8680d0f and 9127834.

📒 Files selected for processing (7)
  • .github/workflows/pr-checks.yml
  • Cargo.toml
  • crates/git-remote-gitlawb/Cargo.toml
  • crates/gitlawb-attest/Cargo.toml
  • crates/gitlawb-core/Cargo.toml
  • crates/gitlawb-node/Cargo.toml
  • crates/gl/Cargo.toml

Comment thread .github/workflows/pr-checks.yml
Set persist-credentials: false on all six actions/checkout steps. These
jobs run untrusted PR code via cargo and docker build, and checkout's
default leaves the GITHUB_TOKEN in the local git config where that code
could read it. None of the jobs push or otherwise need git credentials.
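The review comment above and the "SHA-pinned convention" in the PR description are both mechanical properties of the workflow file, so they can be linted. What follows is an added example, not code from this PR or the gitlawb project: a POSIX shell/awk script that scans a GitHub Actions workflow and reports every `uses:` reference that is not pinned to a full 40-character commit SHA and every `actions/checkout` step that does not set `persist-credentials: false`. The background for the second rule is that `actions/checkout` by default writes the job's GITHUB_TOKEN into the checked-out repository's `.git/config` as an `http.<url>.extraheader` Authorization header, where any later step in the job (here `cargo test`, `cargo build`, `docker build`, all of which execute build scripts and proc macros from the PR branch) can read it; for a PR from a branch in the same repository, as this one is, that token is the full workflow token, not the read-only one forks get. The two sample workflows are constructed for the demo; `example/setup-tool` and `./.github/actions/local-setup` are hypothetical action names, and the `concurrency` block in the clean sample is this example's own rendering of "cancel superseded PR runs, never cancel main", not the project's actual YAML.

```shell
#!/bin/sh
# Added example (not from the PR or the project): lint a GitHub Actions workflow
# for two hardening rules discussed in this PR:
#   1. every `uses:` reference is pinned to a full 40-hex commit SHA;
#   2. every actions/checkout step sets `persist-credentials: false`, so the
#      GITHUB_TOKEN is not left in .git/config for later cargo/docker steps to read.
# Sample workflows are constructed; action names other than actions/checkout are hypothetical.

# lint_workflow FILE: prints one finding per line; exits 0 when clean, 1 otherwise.
lint_workflow() {
  awk '
    BEGIN { bad = 0 }
    # Called when a step ends: report a checkout step that never set persist-credentials: false.
    function end_step() {
      if (in_checkout && !has_pc) {
        print FILENAME ": checkout step at line " step_line " lacks persist-credentials: false"
        bad = 1
      }
      in_checkout = 0; has_pc = 0
    }
    # A YAML list item ("- name:", "- uses:", "- run:") begins a new step.
    /^[ \t]*-[ \t]/ { end_step(); step_line = NR }
    # Any "uses:" line, with or without the leading dash.
    /^[ \t]*(-[ \t]*)?uses:[ \t]/ {
      ref = $0
      sub(/^.*uses:[ \t]*/, "", ref)   # keep only the action reference
      sub(/[ \t]*#.*$/, "", ref)       # drop a trailing "# v4.2.2"-style comment
      gsub(/"/, "", ref)
      n = split(ref, parts, "@")
      if (parts[1] == "actions/checkout") in_checkout = 1
      # Local actions (./path) have no ref to pin; everything else must be a 40-hex SHA.
      if (parts[1] !~ /^\.\//) {
        if (n != 2 || length(parts[2]) != 40 || parts[2] !~ /^[0-9a-f]+$/) {
          print FILENAME ": line " NR " not SHA-pinned: " ref
          bad = 1
        }
      }
    }
    /^[ \t]*persist-credentials:[ \t]*false/ { has_pc = 1 }
    END { end_step(); exit bad }
  ' "$1"
}

# write_samples DIR: two constructed workflows, one violating both rules, one clean.
write_samples() {
  cat > "$1/bad.yml" <<'EOF'
name: pr-checks
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: example/setup-tool@v1
      - run: cargo test --workspace
EOF
  cat > "$1/good.yml" <<'EOF'
name: pr-checks
on: [pull_request, push]
# PR runs share a group per PR number and cancel each other; pushes to main never cancel.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
  build-release:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Check out PR head
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pinned
        with:
          persist-credentials: false
      - uses: ./.github/actions/local-setup
      - run: cargo build --release --workspace
EOF
}

# Run the lint over both samples; bad.yml yields two findings, good.yml none.
demo() {
  dir=$(mktemp -d)
  write_samples "$dir"
  for f in bad good; do
    if lint_workflow "$dir/$f.yml"; then echo "$f.yml: clean"; else echo "$f.yml: findings above"; fi
  done
  rm -rf "$dir"
}
demo
```

Run it against `.github/workflows/pr-checks.yml` with `lint_workflow .github/workflows/pr-checks.yml` to get the list of checkout steps still needing the `with:` block. Note what the second rule does not cover: `persist-credentials: false` only stops the token from being written to disk; a job that later needs to push must instead scope the token with a `permissions:` block and pass it explicitly to the step that pushes.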