Add Rust core CI workflow and fix bugs it surfaces#10
Open
anup4khandelwal wants to merge 5 commits into
Conversation
Adds a GitHub Actions workflow that builds, tests, and lints the Goose
Rust core (the portable, Linux-buildable part of the project), then fixes
the bugs that running the suite under CI exposes.
Product fixes:
- store.rs: the official-label compliance policy string
("official_whoop_values_are_validation_labels_not_inputs") was embedded
in metric inputs_json/provenance_json by the step-motion estimator, then
rejected by the store's own marker guard because it shares the
"official_whoop_" prefix. The guard now treats the policy declaration as
compliance metadata rather than a forbidden source-identity claim, so
valid local metrics can be written.
- tools/reference/*.py: the NeuroKit2, pyHRV, and pyActigraphy adapters
used importlib.util.find_spec but only imported importlib, crashing with
AttributeError before their hand-derived fallback could run. Import
importlib.util explicitly.
Test/path fixes:
- ios_healthkit_boundary_tests.rs: corrected the Swift source root from
goose-swift/GooseSwift to GooseSwift (repo layout), so the HealthKit
boundary checks actually run against the real Swift sources.
- tooling_inventory_tests.rs: resolve docs from the repo root and skip
cleanly when the strategy doc is absent.
- command_tests.rs, command_capture_plan_cli_tests.rs,
local_health_validation_suite_cli_tests.rs, bridge_tests.rs: skip
gracefully when artifacts that are not vendored in this repository
(generated protocol map, command-evidence fixture, validation manifest,
APK UI inventory) are absent, and correct overshooting relative paths.
Full suite now passes: 694 passed, 0 failed.
Adds .github/workflows/security.yml which scans the repository for known security vulnerabilities and leaked secrets:
- cargo-audit: audits the Goose Rust core dependency tree against the RustSec advisory database.
- trivy: filesystem scan for vulnerable dependencies, hard-coded secrets, and insecure configuration across the repo, failing on HIGH/CRITICAL.
Runs on pushes/PRs that touch the Rust manifests or the workflow, on a weekly schedule so newly disclosed advisories surface without code changes, and on demand via workflow_dispatch.
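The store.rs marker guard described in the PR body, as an added Rust example that is not the project's own code: the legacy check rejects any substring carrying the "official_whoop_" prefix (and so blocks the policy declaration too), while the fixed guard exempts only the exact policy string, so a prefix-extended or suffixed spoof is still refused. The LocalMetric shape, function names and the tokenising rule are assumptions.

```rust
/// Policy declaration the step-motion estimator embeds in inputs_json /
/// provenance_json. It shares the forbidden prefix but is compliance metadata.
const COMPLIANCE_POLICY: &str = "official_whoop_values_are_validation_labels_not_inputs";
/// Prefix of source-identity claims a local metric must never carry.
const FORBIDDEN_PREFIX: &str = "official_whoop_";

#[derive(Debug, PartialEq)]
pub enum GuardError {
    ForbiddenMarker { field: &'static str, token: String },
}

/// Assumed shape of a local metric (constructed for this example).
pub struct LocalMetric {
    pub inputs_json: String,
    pub provenance_json: String,
}

/// Pre-fix behaviour: any substring match on the prefix is rejected, which
/// also rejects the policy declaration and blocks valid local metrics.
pub fn legacy_guard(m: &LocalMetric) -> Result<(), GuardError> {
    for (field, json) in [("inputs_json", &m.inputs_json), ("provenance_json", &m.provenance_json)] {
        if let Some(pos) = json.find(FORBIDDEN_PREFIX) {
            let token = json[pos..].split('"').next().unwrap_or("").to_string();
            return Err(GuardError::ForbiddenMarker { field, token });
        }
    }
    Ok(())
}

/// Split a JSON field into identifier-like tokens so the marker is compared
/// whole, then reject prefixed tokens unless they are exactly the policy.
fn check_field(field: &'static str, json: &str) -> Result<(), GuardError> {
    for token in json.split(|c: char| !(c.is_ascii_alphanumeric() || c == '_')) {
        if token.starts_with(FORBIDDEN_PREFIX) && token != COMPLIANCE_POLICY {
            return Err(GuardError::ForbiddenMarker { field, token: token.to_string() });
        }
    }
    Ok(())
}

/// Fixed guard: the exact policy declaration is allowed; anything else with
/// the prefix (including the policy string plus a suffix) is still refused.
pub fn marker_guard(m: &LocalMetric) -> Result<(), GuardError> {
    check_field("inputs_json", &m.inputs_json)?;
    check_field("provenance_json", &m.provenance_json)
}
```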
tigercraft4 referenced this pull request in tigercraft4/goose on Jun 3, 2026.
tigercraft4 reviewed on Jun 5, 2026 and left a comment:
The store.rs fix is the most important change here and should ship immediately. The CI portion has two issues worth addressing before it's considered stable. Three inline comments below.
tigercraft4 reviewed on Jun 5, 2026 and left a comment:
CI issues (follow-up to store.rs comment).
Addresses review feedback on PR b-nnett#10: the cargo-audit and Trivy jobs had no retry logic, so a rate-limited advisory-DB or registry download could turn the security job red without a real vulnerability. Each job now retries only the network-bound fetch steps (toolchain/tool install, RustSec advisory DB clone, Trivy vuln DB and misconfig checks bundle) via a shared .github/scripts/retry.sh helper, then runs the actual scan once, offline and deterministically (cargo audit --no-fetch; trivy --skip-db-update --skip-check-update). A real finding still fails the job; a transient blip is retried instead of reported as a vulnerability. A failure-summary step on each job tells the reader whether a failure was a transient fetch (re-run) or a genuine finding (remediate).
Addresses review feedback on PR b-nnett#10: the CI workflow pinned `stable`, so it never proved the crate compiles and tests pass under its declared minimum supported Rust version (rust-version = "1.94" in Rust/core/Cargo.toml). A contributor pinned to the minimum could hit a build failure CI never caught. Build and test now run in a toolchain matrix [stable, "1.94"] with fail-fast disabled and per-toolchain caches. Clippy stays non-blocking and runs only on stable, since its lints vary by toolchain version.
Addresses review feedback on PR b-nnett#10: `|| true` swallowed clippy output entirely, so future regressions would go unnoticed. Plain `cargo clippy` exits 0 even with warnings, so simply echoing on failure would never fire. Run clippy with `-D warnings` (non-zero on any warning) and route the failure to a non-blocking `::warning::` annotation, keeping the full clippy output in the log. The job still does not fail. A comment notes that once the pre-existing warning backlog clears, the `|| echo` should be dropped to make clippy a hard gate against regressions.
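The retry-then-scan-once pattern from the commit above, as an added Rust illustration rather than the repo's .github/scripts/retry.sh: only the network-bound fetch is retried with back-off, the scan runs exactly once, and the result is classified the way the failure-summary step does (transient fetch to re-run vs genuine finding to remediate). Function and variant names are assumptions, and the closures stand in for the real cargo-audit/Trivy steps.

```rust
use std::thread::sleep;
use std::time::Duration;

#[derive(Debug, PartialEq)]
pub enum JobOutcome {
    Clean,
    /// The scan reported a vulnerability: remediate, do not re-run.
    Finding(String),
    /// A network-bound fetch failed on every attempt: re-run the job.
    TransientFetchFailure(String),
    /// The offline scan could not execute (e.g. missing DB): inspect the log.
    ScanError(String),
}

/// Retry only a network-bound fetch (toolchain install, advisory DB clone,
/// Trivy DB download); the last error is returned when attempts run out.
pub fn retry_fetch<F>(attempts: u32, base_delay: Duration, mut fetch: F) -> Result<(), String>
where
    F: FnMut() -> Result<(), String>,
{
    let mut last = String::new();
    for n in 0..attempts {
        match fetch() {
            Ok(()) => return Ok(()),
            Err(e) => last = e,
        }
        if n + 1 < attempts {
            sleep(base_delay * (n + 1)); // linear back-off, none after the last try
        }
    }
    Err(last)
}

/// One security job: retried fetches, then exactly one offline scan.
/// `scan` yields Ok(None) when clean and Ok(Some(desc)) on a real finding.
pub fn run_security_job<F, S>(fetch: F, mut scan: S) -> JobOutcome
where
    F: FnMut() -> Result<(), String>,
    S: FnMut() -> Result<Option<String>, String>,
{
    if let Err(e) = retry_fetch(3, Duration::from_millis(1), fetch) {
        return JobOutcome::TransientFetchFailure(e);
    }
    // The scan itself is never retried, so a finding cannot be retried away.
    match scan() {
        Ok(None) => JobOutcome::Clean,
        Ok(Some(desc)) => JobOutcome::Finding(desc),
        Err(e) => JobOutcome::ScanError(e),
    }
}
```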
This was referenced on Jun 5, 2026: tigercraft4 referenced this pull request in tigercraft4/goose (8 tasks).