sentinel: harden FFI strict parsing for trust boundary 🛡️ #1153
| name: PR Plan | |
| on: | |
| pull_request: | |
| branches: ["main"] | |
| types: [opened, synchronize, reopened, labeled, unlabeled] | |
| permissions: | |
| actions: read | |
| contents: read | |
| pull-requests: read | |
| concurrency: | |
| group: pr-plan-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' && github.event.action == 'synchronize' }} | |
| env: | |
| CARGO_TERM_COLOR: always | |
| CARGO_INCREMENTAL: 0 | |
| RUSTFLAGS: -C debuginfo=0 | |
| jobs: | |
| pr-plan: | |
| name: PR Plan (advisory) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| with: | |
| save-if: ${{ github.ref == 'refs/heads/main' }} | |
| - name: Fetch base ref | |
| run: git fetch origin "${{ github.base_ref }}":"refs/remotes/origin/${{ github.base_ref }}" || true | |
| - name: Download recent CI actuals cache | |
| continue-on-error: true | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| set -euo pipefail | |
| mkdir -p target/ci/actuals-cache | |
| count=0 | |
| while IFS= read -r run_id; do | |
| [ -n "$run_id" ] || continue | |
| out="target/ci/actuals-cache/${run_id}" | |
| mkdir -p "$out" | |
| if gh run download "${run_id}" --name ci-actuals --dir "$out" >/tmp/ci-actuals-download.log 2>&1; then | |
| if [ -s "$out/ci-actuals.json" ]; then | |
| count=$((count + 1)) | |
| fi | |
| fi | |
| done < <(gh run list --workflow CI --branch main --status success --limit 5 --json databaseId --jq '.[].databaseId') | |
| echo "Downloaded ${count} CI actuals receipt(s) for advisory learned estimates." | |
| { | |
| echo "## CI actuals cache (advisory)" | |
| echo "" | |
| echo "Downloaded ${count} recent \`ci-actuals\` receipt(s) from successful \`main\` CI runs." | |
| echo "If this is zero, PR Plan falls back to static \`base_lem\` estimates." | |
| echo "" | |
| } >> "$GITHUB_STEP_SUMMARY" | |
| - name: Generate PR plan | |
| env: | |
| LABELS_JSON: ${{ toJson(github.event.pull_request.labels) }} | |
| run: | | |
| mkdir -p target/ci | |
| actuals_args=() | |
| if [ -d target/ci/actuals-cache ] && find target/ci/actuals-cache -name '*.json' -print -quit | grep -q .; then | |
| actuals_args=(--actuals-dir target/ci/actuals-cache) | |
| fi | |
| cargo xtask ci-plan \ | |
| --base "origin/${{ github.base_ref }}" \ | |
| --head HEAD \ | |
| --labels-json "$LABELS_JSON" \ | |
| --lanes policy/ci-lane-whitelist.toml \ | |
| --risk-packs policy/ci-risk-packs.toml \ | |
| "${actuals_args[@]}" \ | |
| --json-out target/ci/ci-plan.json \ | |
| --route-json-out target/ci/proof-pack-route.json \ | |
| --github-summary "$GITHUB_STEP_SUMMARY" \ | |
| --enforce | |
| - name: Verify PR plan receipts | |
| if: always() | |
| run: | | |
| status=0 | |
| for receipt in target/ci/ci-plan.json target/ci/proof-pack-route.json; do | |
| if [ ! -s "$receipt" ]; then | |
| echo "::error::Missing or empty PR plan receipt: $receipt" | |
| status=1 | |
| fi | |
| done | |
| exit "$status" | |
| - name: Upload PR plan receipts | |
| if: always() | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: pr-plan | |
| path: | | |
| target/ci/ci-plan.json | |
| target/ci/proof-pack-route.json | |
| if-no-files-found: error | |
| retention-days: 7 |
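Review bot: `${{ github.base_ref }}` is interpolated straight into shell text in the `Fetch base ref` run line and again in the `--base` argument of `Generate PR plan`, while the same file already routes `LABELS_JSON` through `env:`; the branch name should take the same path, i.e. add `BASE_REF: ${{ github.base_ref }}` to each of those steps' `env:` and use `git fetch origin "$BASE_REF:refs/remotes/origin/$BASE_REF" || true` and `--base "origin/$BASE_REF"`. With the trigger limited to `branches: ["main"]` the value is constant today, so exposure is low, but the pattern stops being safe as soon as that filter is widened. Separately, `actions/checkout@v6.0.2`, `dtolnay/rust-toolchain@stable`, `Swatinem/rust-cache@v2` and `actions/upload-artifact@v7` are pinned to mutable tags or branches rather than commit SHAs, which is the usual supply-chain ask for a job that downloads artifacts and feeds them into `cargo xtask ci-plan`. The `gh run download` output is sent to `/tmp/ci-actuals-download.log` and never surfaced, so a persistently failing download only appears as `count` being zero in the summary; appending the log tail to `$GITHUB_STEP_SUMMARY` when `count` is 0 would make that silent fallback diagnosable.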