# Memscribe CI (whitepaper §8.9).
#
# Memscribe is deterministic and zero-LLM by construction, so CI is a hard gate,
# not a smoke test: the same input bytes must always produce the same nodes, the
# tree must be clippy- and rustfmt-clean, the dependency set must satisfy the
# license/advisory policy, and the crate must keep building on its MSRV.
#
# The toolchain is pinned to match rust-toolchain.toml (1.96.0). The fuzz job is
# best-effort: cargo-fuzz needs a nightly compiler, so it is allowed to fail
# without failing the workflow.
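name: CI

# Triggers: pushes to main, every pull request, and manual dispatch.
# This uses pull_request rather than pull_request_target, so runs for fork
# PRs get a read-only token and no secrets. That matters here because every
# job compiles and executes code supplied by the PR.
on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:

# Cancel superseded runs on the same ref to save CI minutes.
concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least privilege: the workflow token may only read repository contents.
# A job that ever needs more should request it at job level, not here.
permissions:
  contents: read

# Values are quoted where a YAML parser would otherwise infer a number;
# environment variables are strings either way.
env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: "1"
  # Pinned toolchain — keep in lockstep with rust-toolchain.toml.
  RUST_PINNED: "1.96.0"
  # Resilience against transient crates.io download blips (SSL EOFs, flaky
  # mirrors): retry network ops aggressively, fetch the crates.io index over
  # the sparse (HTTP) protocol, and use the git CLI for git fetches, which
  # recovers from partial transfers better than the built-in downloader.
  CARGO_NET_RETRY: "10"
  CARGO_NET_GIT_FETCH_WITH_CLI: "true"
  CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse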
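jobs:
  # NOTE(review): every `uses:` below references a tag or a branch, which the
  # action's owner can move; dtolnay/rust-toolchain@master tracks a branch
  # head outright. Pinning third-party actions to a full commit SHA keeps the
  # code that runs in CI fixed and reviewable.
  #
  # Every checkout sets persist-credentials: false so the workflow token is
  # not left in .git/config while later steps compile and run dependency
  # build scripts, proc macros and tests. No job here pushes or fetches from
  # the repository after checkout.

  # 1. The deterministic test suite: unit + golden + conformance + property.
  test:
    name: test (workspace, all-features)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install pinned toolchain
        uses: dtolnay/rust-toolchain@master
        with:
          # Single source of truth: the workflow-level RUST_PINNED value.
          toolchain: ${{ env.RUST_PINNED }}
      - uses: Swatinem/rust-cache@v2
      - name: cargo test
        # --locked fails the build if Cargo.lock would need to change.
        run: cargo test --workspace --all-features --locked

  # 2. Lints as errors. No warning escapes review.
  clippy:
    name: clippy (-D warnings)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install pinned toolchain
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.RUST_PINNED }}
          components: clippy
      - uses: Swatinem/rust-cache@v2
      - name: cargo clippy
        run: cargo clippy --workspace --all-targets --all-features -- -D warnings

  # 3. Formatting. The output is byte-stable, so the source should be too.
  fmt:
    name: rustfmt (--check)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install pinned toolchain
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ env.RUST_PINNED }}
          components: rustfmt
      - name: cargo fmt --check
        run: cargo fmt --all --check

  # 4. License + advisory gate (deny.toml).
  deny:
    name: cargo-deny
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: cargo-deny check
        uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check
          arguments: --all-features

  # 5. MSRV — the crate must build on its declared minimum (1.96).
  #    Build + check only: tests pin newer dev-deps and run under `test`.
  msrv:
    name: MSRV (1.96)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install MSRV toolchain
        uses: dtolnay/rust-toolchain@master
        with:
          # Kept as a literal rather than RUST_PINNED: the MSRV is its own
          # declaration and need not track the pinned toolchain.
          toolchain: "1.96.0"
      - uses: Swatinem/rust-cache@v2
        with:
          key: msrv
      - name: cargo check (MSRV)
        run: cargo check --workspace --all-features --locked

  # 6. cargo-fuzz smoke build. Best-effort: cargo-fuzz needs nightly, and the
  #    fuzz/ targets may not be wired yet — never fail the workflow on this.
  fuzz:
    name: cargo-fuzz smoke build (best-effort)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install nightly toolchain
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: nightly
      - uses: Swatinem/rust-cache@v2
        with:
          key: fuzz
      - name: Install cargo-fuzz
        # NOTE(review): no --version is given, so the newest cargo-fuzz
        # release at run time is built and executed on the runner. Pin a
        # reviewed version (--version <PINNED_VERSION>) once one is chosen.
        run: cargo install cargo-fuzz --locked
      - name: Build fuzz targets (no run)
        # No `working-directory: fuzz` here: a missing fuzz/ directory would
        # fail the step before the guard below could report it.
        run: |
          if [ -f fuzz/Cargo.toml ]; then
            cd fuzz
            cargo +nightly fuzz build
          else
            echo "fuzz/ has no Cargo.toml yet — nothing to build (best-effort job)."
          fi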