[codex] Add shared proxy telemetry sinks #800
Workflow file for this run
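# CI workflow: docs-site checks, fmt/clippy, per-crate tests, boundary
# aggression tests, Loom concurrency tests and a release build.
name: CI

# Uses `pull_request`, not `pull_request_target`: runs for PRs from forks get a
# read-only token and no repository secrets.
on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

# Workflow-wide GITHUB_TOKEN scope is read-only repository contents; no job
# visible in this file widens it.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  # Quoted so the value is a string on every parser, as env values are.
  RUST_BACKTRACE: "1"

jobs:
  # ─────────────────────────────────────────────────────────────────────────────
  # Documentation site checks
  # ─────────────────────────────────────────────────────────────────────────────
  docs:
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to a full commit SHA; the trailing comment names the
      # release the SHA is meant to correspond to.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Keep the token out of the checked-out repo's git config so later
          # steps (which run repository scripts) cannot read it from there.
          persist-credentials: false
          # Full history; presumably needed to compare against the ratchet
          # base commit below (confirm against the ratchet script).
          fetch-depth: 0
      - name: Check docs site links
        run: ruby scripts/check-docs-site.rb
      - name: Check packaging templates
        run: bash scripts/check-packaging.sh
      - name: Check installer config helpers
        run: python3 scripts/test-upsert-calciforge-agent.py
      - name: Check high-risk scenario catalog
        run: python3 scripts/check-scenarios.py
      - name: Check integration boundary registry
        run: python3 scripts/check-boundary-surfaces.py
      - name: Check architecture ratchets
        env:
          # Passed through the environment rather than interpolated into the
          # command line. Empty on push events, which carry no pull_request
          # payload.
          CALCIFORGE_ARCH_RATCHET_BASE: ${{ github.event.pull_request.base.sha }}
        run: ruby scripts/check-architecture-ratchets.rb

  # ─────────────────────────────────────────────────────────────────────────────
  # Check formatting and linting
  # ─────────────────────────────────────────────────────────────────────────────
  fmt-and-clippy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      # `stable` floats: a new Rust release can introduce lints that fail the
      # `-D warnings` step below without any change to the code.
      - name: Install Rust toolchain
        run: |
          rustup toolchain install stable --profile minimal --component rustfmt --component clippy
          rustup default stable
      # This key is shared with the test-crates and build jobs. A cache entry
      # is not overwritten once saved, so whichever job saves first decides
      # what `target` contains for the others until Cargo.lock changes.
      - name: Cache Cargo registry
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
      - name: Check formatting
        run: cargo fmt --all -- --check
      - name: Run Clippy
        run: cargo clippy --workspace --all-targets -- -D warnings

  # ─────────────────────────────────────────────────────────────────────────────
  # Run tests for all workspace crates
  # ─────────────────────────────────────────────────────────────────────────────
  test-crates:
    name: Test Suite
    runs-on: ubuntu-latest
    strategy:
      matrix:
        crate:
          - calciforge
          - adversary-detector
          - host-agent
          - secrets-client
          - clashd
          - security-proxy
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Install Rust toolchain
        run: |
          rustup toolchain install stable --profile minimal
          rustup default stable
      - name: Cache Cargo registry
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
      - name: Test ${{ matrix.crate }}
        env:
          # Hand the matrix value to the shell as data instead of expanding
          # the expression inside the script, matching how the other steps in
          # this file pass expressions.
          CRATE: ${{ matrix.crate }}
        run: cargo test -p "$CRATE"

  # ─────────────────────────────────────────────────────────────────────────────
  # Boundary aggression tests
  # ─────────────────────────────────────────────────────────────────────────────
  boundary-aggression:
    name: Boundary Aggression
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Install Rust toolchain
        run: |
          rustup toolchain install stable --profile minimal
          rustup default stable
      - name: Cache Cargo registry
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-boundary-${{ hashFiles('**/Cargo.lock') }}
      - name: Run short PR boundary aggression
        run: bash scripts/boundary-aggression.sh pr

  # Aggregator job that reports a single `test` status check (required by ruleset)
  test:
    runs-on: ubuntu-latest
    needs: [test-crates, boundary-aggression]
    # Run even when a dependency failed or was skipped, so the required check
    # always reports instead of staying pending.
    if: always()
    steps:
      - name: Verify all crate test jobs succeeded
        env:
          TEST_CRATES_RESULT: ${{ needs.test-crates.result }}
          BOUNDARY_AGGRESSION_RESULT: ${{ needs.boundary-aggression.result }}
        # Anything other than "success" (failure, cancelled, skipped) fails
        # the check.
        run: |
          if [ "$TEST_CRATES_RESULT" != "success" ]; then
            echo "One or more crate test jobs failed: $TEST_CRATES_RESULT"
            exit 1
          fi
          if [ "$BOUNDARY_AGGRESSION_RESULT" != "success" ]; then
            echo "Boundary aggression tests failed: $BOUNDARY_AGGRESSION_RESULT"
            exit 1
          fi

  # ─────────────────────────────────────────────────────────────────────────────
  # Loom concurrency tests (exhaustive concurrency exploration)
  # ─────────────────────────────────────────────────────────────────────────────
  # NOTE(review): this job is not in the `test` aggregator's `needs`, so it only
  # gates merges if the ruleset lists it separately — confirm.
  loom:
    name: Loom Concurrency
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Install Rust toolchain
        run: |
          rustup toolchain install stable --profile minimal
          rustup default stable
      - name: Cache Cargo registry
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-loom-${{ hashFiles('**/Cargo.lock') }}
      - name: Run Loom tests
        env:
          # Caps the preemptions Loom explores per execution, which bounds the
          # search and the job's runtime.
          LOOM_MAX_PREEMPTIONS: "2"
          RUSTFLAGS: "--cfg loom"
        run: cargo test -p loom-tests

  # ─────────────────────────────────────────────────────────────────────────────
  # Build release binaries
  # ─────────────────────────────────────────────────────────────────────────────
  build:
    runs-on: ubuntu-latest
    needs: [fmt-and-clippy, test]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Install Rust toolchain
        run: |
          rustup toolchain install stable --profile minimal
          rustup default stable
      # The release build reuses a restored `target` directory. No upload or
      # publish step is visible in this job; if one is added, build the
      # published binaries from a clean `target` so cached artifacts cannot
      # end up in a release.
      - name: Cache Cargo registry
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
      - name: Build release binaries
        run: cargo build --release -p calciforge -p secrets-client -p security-proxy -p adversary-detector
      # Informational only: `|| true` keeps the step green when a binary is
      # missing or named differently.
      - name: Check binary sizes
        run: |
          ls -lh target/release/calciforge || true
          ls -lh target/release/secrets || true
          ls -lh target/release/security-proxy || true
          ls -lh target/release/adversary-detector || true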