5 changes: 0 additions & 5 deletions .cargo/config.toml
@@ -2,8 +2,3 @@
unit-test = "test --lib"
wasm-debug = "build --target wasm32-unknown-unknown"
wasm = "build --release --target wasm32-unknown-unknown --lib"
integration-test = "test --package e2e -- --ignored --test-threads 1"

[env]
RUST_LOG = "info"
CONFIG = "configs/cosm-orc.yaml"
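Review bot: deleting the `[env]` table removes the `RUST_LOG = "info"` and `CONFIG = "configs/cosm-orc.yaml"` defaults that cargo injected into every build and test run, so any test or binary that still reads `CONFIG` will now see it unset unless CI or the developer's shell exports it; the commit should say where that configuration now comes from. The `integration-test` alias (`cargo test --package e2e -- --ignored --test-threads 1`) goes with it, so if the `e2e` package is kept, document the replacement invocation or add a CI step for it.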
42 changes: 33 additions & 9 deletions .github/workflows/build.yml
@@ -1,18 +1,41 @@
name: Rust-Build
name: Build Package CI

on:
push:
branches:
- main
branches: [main]
pull_request:
types: [opened, synchronize, reopened]
workflow_dispatch:
inputs:
beta_release:
description: Create beta release
type: boolean
default: false
required: false

concurrency:
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && 'main' || github.ref_name }}
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
optimize_ci:
runs-on: ubuntu-latest
outputs:
skip: ${{ steps.check_skip.outputs.skip }}
steps:
Comment on lines +23 to +25


⚠️ Potential issue

Fix outputs reference to undefined step (breaks evaluation).

steps.defaults doesn’t exist; actionlint flags it and GitHub will treat it as invalid. Default to 'false' directly.

   outputs:
-      skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }}
+      skip: ${{ steps.check_skip.outputs.skip || 'false' }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

🧰 Tools
🪛 actionlint (1.7.7)

24-24: property "defaults" is not defined in object type {check_skip: {conclusion: string; outcome: string; outputs: {string => string}}}

(expression)

🤖 Prompt for AI Agents
.github/workflows/build.yml lines 23-25: the outputs expression references a
non-existent step "steps.defaults", causing actionlint/GitHub validation to
fail; replace that reference with a literal false default so the line becomes an
OR against false (i.e. use ${{ steps.check_skip.outputs.skip || false }}),
ensuring the workflow evaluates correctly without relying on an undefined step.

- uses: withgraphite/graphite-ci-action@1.4.0

Codacy Production / Codacy Static Code Analysis warning (.github/workflows/build.yml#L26): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
id: check_skip
with:
graphite_token: ${{ secrets.GRAPHITE_TOKEN }}

Codacy Production / Codacy Static Code Analysis warning (.github/workflows/build.yml#L29): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
Comment on lines +22 to +30


⚠️ Potential issue

Harden optimize_ci: pin action, add least-privilege perms, handle forks/no secret, and default skip=false.

Prevents supply-chain, missing-secret, and output issues that would block downstream jobs.

  optimize_ci:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
    outputs:
-      skip: ${{ steps.check_skip.outputs.skip }}
+      skip: ${{ steps.check_skip.outputs.skip || steps.defaults.outputs.skip }}
    steps:
+      - name: Default skip=false
+        id: defaults
+        run: echo "skip=false" >> "$GITHUB_OUTPUT"
-      - uses: withgraphite/graphite-ci-action@v0.0.9
+      - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA>
+        if: ${{ secrets.GRAPHITE_TOKEN != '' }}
         id: check_skip
         with:
           graphite_token: ${{ secrets.GRAPHITE_TOKEN }}

Follow-up: replace <PINNED_COMMIT_SHA> with the exact commit SHA you trust.

🧰 Tools
🪛 GitHub Check: Codacy Static Code Analysis

[warning] 26-26: .github/workflows/build.yml#L26
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.


[warning] 29-29: .github/workflows/build.yml#L29
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.


Comment on lines +24 to +31


💡 Verification agent

🧩 Analysis chain

Pin external action and wire permissions; also ensure optimize_ci output is actually used.

  • withgraphite/graphite-ci-action is referenced via @main. Pin to a commit SHA for supply-chain safety.
  • Set least-privilege permissions explicitly (contents: read, pull-requests: read).
  • Right now, no downstream job depends on this output; add needs/if in other jobs.

Would you like me to open a follow-up PR to pin all third‑party actions to SHAs and add a permissions block?

   optimize_ci:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       skip: ${{ steps.check_skip.outputs.skip }}
     steps:
-      - uses: withgraphite/graphite-ci-action@main
+      - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA>
         id: check_skip
         with:
           graphite_token: ${{ secrets.GRAPHITE_TOKEN }}

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== SHOW: .github/workflows/build.yml (up to 400 lines) ==="
if [ -f ".github/workflows/build.yml" ]; then
  sed -n '1,400p' .github/workflows/build.yml || true
else
  echo "FILE NOT FOUND: .github/workflows/build.yml"
fi

echo
echo "=== SEARCH: occurrences of 'optimize_ci' in .github/workflows ==="
rg -n --hidden -S "optimize_ci" .github || true

echo
echo "=== SEARCH: occurrences of withgraphite action across repo ==="
rg -n --hidden -S "withgraphite/graphite-ci-action" || true

echo
echo "=== SEARCH: workflows referencing '@main' for actions under .github ==="
rg -n --hidden -S "@main" .github || true

echo
echo "=== SEARCH: any 'permissions:' blocks in .github workflows (with context) ==="
rg -n --hidden -S "permissions:" .github -C3 || true

echo
echo "=== SEARCH: references to optimize_ci outputs (needs.optimize_ci.outputs or check_skip.outputs.skip) across repo ==="
rg -n --hidden -S "needs\.optimize_ci\.outputs|check_skip\.outputs\.skip|steps\.check_skip\.outputs\.skip" || true

echo
echo "=== SEARCH: any uses of 'graphite_token' or GRAPHITE_TOKEN secret ==="
rg -n --hidden -S "GRAPHITE_TOKEN|graphite_token" || true

Length of output: 4220


Pin third‑party actions, add least‑privilege permissions, and wire optimize_ci output

  • withgraphite/graphite-ci-action@main is unpinned — pin to a commit SHA for supply‑chain safety. Also pin other @main usages (e.g., qltysh/qlty-action/coverage@main).
  • Add explicit, least‑privilege permissions to the optimize_ci job (contents: read, pull-requests: read).
  • optimize_ci.outputs.skip is not consumed by any downstream job; either make downstream jobs depend on it (needs/if) or remove the output/step.

File: .github/workflows/build.yml (optimize_ci block)

  optimize_ci:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
    outputs:
      skip: ${{ steps.check_skip.outputs.skip }}
    steps:
-      - uses: withgraphite/graphite-ci-action@main
+      - uses: withgraphite/graphite-ci-action@<PINNED_COMMIT_SHA>
         id: check_skip
         with:
           graphite_token: ${{ secrets.GRAPHITE_TOKEN }}
🤖 Prompt for AI Agents
.github/workflows/build.yml around lines 24-33: the optimize_ci job uses
third-party actions pinned to @main, lacks least-privilege permissions, and
exposes an outputs.skip value that no downstream job consumes; update the action
references to use specific commit SHAs (replace @main with the corresponding
commit SHAs for withgraphite/graphite-ci-action and any other @main usages like
qltysh/qlty-action/coverage), add a permissions block to the optimize_ci job
with minimal rights (e.g., permissions: contents: read, pull-requests: read),
and either wire optimize_ci.outputs.skip into downstream jobs by adding needs:
optimize_ci and using if: ${{ needs.optimize_ci.outputs.skip == 'false' }} (or
similar) on consumers, or remove the outputs and the check_skip step if it is
not used.

check:
name: Check
runs-on: ubuntu-latest
needs: [optimize_ci]
if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
steps:
- name: Checkout sources
uses: actions/checkout@v2
uses: actions/checkout@v4

- name: Install toolchain
uses: actions-rs/toolchain@v1
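Review bot: `check` is now gated with `needs: [optimize_ci]` and `if: ${{ needs.optimize_ci.outputs.skip != 'true' }}`, but if the `withgraphite/graphite-ci-action@1.4.0` step fails (a pull request from a fork gets an empty `secrets.GRAPHITE_TOKEN`, or Graphite itself is down) the `optimize_ci` job fails and `check` is skipped rather than run; the `!= 'true'` comparison only covers an empty output, not a failed job. Put `continue-on-error: true` on the `check_skip` step so a missing token or an outage falls through to running CI. Two smaller points in the same hunk: `@1.4.0` is a mutable tag (the SHA-pinning point raised in the comments still applies), and the `beta_release` input declared under `workflow_dispatch` is not read anywhere in this hunk; either wire `inputs.beta_release` into a job or drop it.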
@@ -32,9 +55,11 @@
test:
name: Test
runs-on: ubuntu-latest
needs: [optimize_ci]
if: ${{ needs.optimize_ci.outputs.skip != 'true' }}
steps:
- name: Checkout sources
uses: actions/checkout@v2
uses: actions/checkout@v4

- name: Install toolchain
uses: actions-rs/toolchain@v1
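Review bot: same gating caveat as for `check`: with `needs: [optimize_ci]`, a failed `optimize_ci` job skips `test` entirely instead of running it, so the `check_skip` step needs `continue-on-error: true` for this `if:` to be a safe default. Separately, `actions/checkout` moves from `@v2` to `@v4`, but `actions-rs/toolchain@v1` is left on a mutable major tag of a third-party action; the Codacy pinning warnings above apply to it as much as to the Graphite action, so pin it to a full commit SHA in the same change.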
@@ -81,10 +106,9 @@
components: clippy

- name: Run clippy
uses: actions-rs/cargo@v1
with:
command: clippy
args: --tests -- -D warnings --message-format=json &> clippy_report.json
shell: bash


⚠️ High: This captures only stdout and does not fail on warnings. Clippy diagnostics may be emitted to stderr and Sonar may miss issues; also, removing '-D warnings' means CI won't fail on lint violations.

Suggested change
shell: bash
cargo clippy --tests --message-format=json -- -D warnings &> clippy_report.json

run: |
cargo clippy --tests --message-format=json -- -D warnings > clippy_report.json

coderabbitai[bot] marked this conversation as resolved.
- name: Setup sonarqube
uses: warchant/setup-sonar-scanner@v3
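Review bot: with `-D warnings` kept, any clippy warning makes `cargo clippy` exit non-zero, and the `bash` shell of a `run:` step fails the step on that exit code, so `clippy_report.json` is written but the `Setup sonarqube` step and everything after it never run. If Sonar should receive the report even when lints fail, give the step `continue-on-error: true` (or an `id:` and fail a later step on its outcome) rather than dropping `-D warnings`. The `>` redirect is adequate for the JSON itself, since `--message-format=json` puts diagnostics on stdout; cargo's own error text still goes to stderr and will not be in the file, which is fine for Sonar but worth knowing when reading the job log. Replacing `actions-rs/cargo@v1` with a plain `run:` is a good simplification; the `shell: bash` line that survives from the old step is now redundant with the runner default but harmless.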


🛠️ Refactor suggestion

Pin Sonar scanner action to a commit SHA

Another third-party action that should be immutable.

-        uses: warchant/setup-sonar-scanner@v3
+        uses: warchant/setup-sonar-scanner@<PINNED_COMMIT_SHA>
🤖 Prompt for AI Agents
In .github/workflows/build.yml around line 115, the workflow uses the
third-party action via a mutable tag ("warchant/setup-sonar-scanner@v3"); change
this to an immutable commit SHA by replacing the tag with the specific commit
hash for the v3 release (e.g., "warchant/setup-sonar-scanner@<commit-sha>"),
fetching the latest commit SHA from the action's GitHub repository or release
and updating the workflow file accordingly so the action is pinned to that exact
commit.
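The comments above repeatedly ask for third-party actions to be pinned to a full commit SHA rather than a tag such as `@v3` or a branch such as `@main`. The script below is an added example, not code from this pull request, from CodeRabbit or from the reviewed repository: it scans a workflow file and lists every `uses:` reference that is not a 40-hex-digit SHA, skipping local actions (`./path`) and `docker://` images. The sample workflow it writes is constructed for the demo, including its fake 40-hex SHA; only POSIX sh, grep, sed, tr and mktemp are assumed.

```shell
#!/bin/sh
# Added example: find GitHub Actions `uses:` references that are not pinned to
# a full commit SHA. Not part of the reviewed repository.
set -eu

# Print one line per unpinned action as "<line-number>:<owner/repo[/path]@<ref>>".
# Local actions ("./..."), docker:// images and 40-hex SHA refs are ignored.
find_unpinned_uses() {
  file="$1"
  # 1. grep -n keeps the line number; 2. tr drops quoting around the value;
  # 3. sed reduces each hit to "<lineno>:<value>".
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$file" \
    | tr -d "\"'" \
    | sed -E 's/^([0-9]+):[[:space:]]*-?[[:space:]]*uses:[[:space:]]*([^ #]+).*$/\1:\2/' \
    | while IFS=: read -r lineno ref; do
        case "$ref" in
          ./*|docker://*) continue ;;            # local action or container image
        esac
        case "$ref" in
          *@*) ;;                                # has a "@<ref>" part
          *) printf '%s:%s (no ref)\n' "$lineno" "$ref"; continue ;;
        esac
        sha="${ref##*@}"                         # text after the last '@'
        if ! printf '%s' "$sha" | grep -qE '^[0-9a-f]{40}$'; then
          printf '%s:%s\n' "$lineno" "$ref"
        fi
      done
}

# Number of unpinned references in a file (0 when there are none).
count_unpinned_uses() {
  find_unpinned_uses "$1" | grep -c . || true
}

# Write a constructed sample workflow and print its path. The SHA on the
# setup-node line is a made-up 40-hex value, not a real commit.
write_sample_workflow() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: Sonar
        uses: warchant/setup-sonar-scanner@v3
      - uses: 'withgraphite/graphite-ci-action@main'
EOF
  printf '%s\n' "$f"
}

# Demo on the constructed sample: expect lines 7, 12 and 13 to be reported.
sample="$(write_sample_workflow)"
find_unpinned_uses "$sample"
rm -f "$sample"
```

Run it against a real file with `find_unpinned_uses .github/workflows/build.yml`; a non-empty result is the list to fix. The check is deliberately textual so it works without a YAML parser, which also means a `uses:` key split across lines or built from an expression would not be seen; treat it as a fast pre-commit or CI gate, not a substitute for actionlint.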
