
ci: add clippy and cargo test gates via self-hosted macOS runner #14

Merged: inureyes merged 1 commit into main from feature/issue-5-clippy-test-ci-gate, May 18, 2026


@inureyes (Member)

Summary

  • Add clippy-and-test job to .github/workflows/ci.yml running on self-hosted-macos-26-arm64
  • Gate with same path-filter (needs.changes.outputs.rust == 'true') as deny and fmt jobs
  • Apply fork-PR security guard from release.yml / pipeline-parallel-ci.yml to prevent fork-authored code from reaching the canonical self-hosted runner pool
  • Update CONTRIBUTING.md local quality-gate list to match CI enforcement

What changed

  • .github/workflows/ci.yml: added clippy-and-test job with three steps: cargo build --release, cargo clippy --all-targets -- -D warnings, cargo test --release (all with --features metal,accelerate); updated file header comment to document the CUDA decision
  • CONTRIBUTING.md: expanded the local quality-gate list to include --features metal,accelerate on clippy and test commands, with a note that these are now enforced by CI on the macOS self-hosted runner

CUDA decision

CUDA verification stays exclusive to release.yml and is not gated at PR time for two reasons:

  1. It requires a Linux self-hosted runner — currently only the GB10 node used for release builds is available with a working CUDA toolchain.
  2. PR-level CUDA gating would double runner cost for limited additional safety on PRs that do not touch CUDA-specific code paths.

Test plan

  • YAML syntax validated (python3 -c "import yaml; yaml.safe_load(open('.github/workflows/ci.yml'))" — passes)
  • Job if: condition mirrors release.yml fork-PR guard exactly
  • persist-credentials: false on checkout, permissions: contents: read at job level
  • First run of the new job will fire on the self-hosted runner after this PR is opened (build time 15-30+ min for cold MLX C++ compile; orchestrator is aware and will wait)

Closes #5
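The three guards listed in the test plan above (fork-PR condition, `persist-credentials: false`, job-level `contents: read`) can be checked mechanically. The following is an added example, not code from this pull request: it audits the mapping that `yaml.safe_load` returns, and the `GUARD` expression, the job names other than `clippy-and-test`, and the sample workflow are constructed assumptions rather than the repository's actual `ci.yml`.

```python
# Added example: audit a parsed workflow for the guards a self-hosted job needs.
# GUARD is an assumed form of the fork-PR condition, not the project's exact text.
GUARD = ("github.event_name != 'pull_request' || "
         "github.event.pull_request.head.repo.full_name == github.repository")

def _labels(job):
    runs_on = job.get("runs-on", [])
    return [runs_on] if isinstance(runs_on, str) else list(runs_on)

def audit_workflow(workflow):
    """Return findings for every job that targets a self-hosted runner."""
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        if not any("self-hosted" in str(label) for label in _labels(job)):
            continue  # GitHub-hosted jobs are out of scope for this check
        cond = str(job.get("if", ""))
        # Fork guard (string heuristic): compare the PR head repo to this repo.
        if "github.repository" not in cond or "head.repo.full_name" not in cond:
            findings.append(f"{name}: no fork-PR guard in job-level if")
        # Least privilege: the job token may only read repository contents.
        if job.get("permissions") != {"contents": "read"}:
            findings.append(f"{name}: permissions is not contents: read")
        # Checkout must not leave the token in the runner's git config.
        for step in job.get("steps", []):
            if str(step.get("uses", "")).startswith("actions/checkout"):
                opts = step.get("with") or {}
                if opts.get("persist-credentials") is not False:
                    findings.append(f"{name}: checkout persists credentials")
    return findings

SAMPLE = {  # constructed sample workflow, already parsed
    "jobs": {
        "fmt": {"runs-on": "ubuntu-latest",
                "steps": [{"uses": "actions/checkout@v4"}]},
        "clippy-and-test": {
            "runs-on": "self-hosted-macos-26-arm64",
            "if": GUARD,
            "permissions": {"contents": "read"},
            "steps": [{"uses": "actions/checkout@v4",
                       "with": {"persist-credentials": False}},
                      {"run": "cargo clippy --all-targets -- -D warnings"}],
        },
        "unguarded": {"runs-on": ["self-hosted", "macOS"],
                      "steps": [{"uses": "actions/checkout@v4"}]},
    }
}

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

Against a real file, pass `yaml.safe_load(open('.github/workflows/ci.yml'))` to `audit_workflow`; the fork-guard test is a substring heuristic and does not evaluate the expression.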

…nner

Add a clippy-and-test job to ci.yml that runs on self-hosted-macos-26-arm64, gated by the same path-filter as the existing deny and fmt jobs. Applies the fork-PR security guard (github.repository + head.repo.full_name checks) from release.yml and pipeline-parallel-ci.yml to block fork-authored code from executing on the canonical self-hosted runner pool. Steps: cargo build --release, cargo clippy --all-targets -- -D warnings, cargo test --release (all with --features metal,accelerate). CUDA verification stays exclusive to release.yml. Update CONTRIBUTING.md local quality-gate list to match.
@inureyes added labels on May 18, 2026: type:chore (Maintenance tasks: build, CI, etc.), priority:medium (Medium priority), area:core (mlxcel-core: MLX FFI, primitives, KV cache, layers), status:review (Under review)
@inureyes self-assigned this on May 18, 2026
@inureyes merged commit da31861 into main on May 18, 2026
4 of 5 checks passed
@inureyes deleted the feature/issue-5-clippy-test-ci-gate branch on May 18, 2026 08:31
inureyes added a commit that referenced this pull request on May 18, 2026
…rs (#15)

Closes #7.

Adds `[workspace]` section to root `Cargo.toml` with Layout A: the
root `mlxcel` crate is simultaneously the workspace root and a member,
alongside `mlxcel-core` and `mlxcel-surgery`. `cargo metadata`
confirms all three crates enumerate as workspace members.

`.github/dependabot.yml` collapsed from 3 separate cargo entries
(root, mlxcel-core, mlxcel-surgery) to 1 root-level entry — the
unified workspace lock makes per-directory entries redundant. The
`github-actions` entry is unchanged.

Pre-flight finding: per-crate Cargo.lock files referenced in #7
task list were already absent. Actual scope reduced to `[workspace]`
addition + dependabot.yml simplification. The Cargo.lock gained 7
mlxcel-core dev-dependencies (sha2 0.11, block-buffer 0.12,
const-oid 0.10.2, crypto-common 0.2.1, hybrid-array 0.4.12,
tracing-test 0.2.6, tracing-test-macro 0.2.6) that were previously
invisible to the root lock and are now properly unified — this is
what fixes the long-standing `cargo test -p mlxcel-core` from-root
dev-dep resolution failure.

Verified locally: `cargo deny check` clean, `cargo check --lib
-p mlxcel-core --no-default-features` clean. Self-hosted clippy +
test gate (added in #14) is queued at merge time — will run on
main after the runner clears the PR #14 cold-build backlog.
inureyes added a commit that referenced this pull request on May 18, 2026
…16)

Closes #8.

Migrates `mlxcel-core`'s `TokenLanguageIndex` on-disk cache off the
unmaintained `bincode` 1.x (RUSTSEC-2025-0141 — project permanently
ceased development) to `postcard` 1.x.

## Architectural choice — postcard

- Drop-in serde-based API (`postcard::to_allocvec(&v)?` /
  `postcard::from_bytes::<T>(&bytes)?`) — minimal call-site change.
- 1.0+ stable with frozen wire format — protects production users'
  cache compatibility across future dependency upgrades.
- Embedded Rust ecosystem standard — natural fit for an
  inference-runtime cache.

Alternatives considered: `bitcode` (faster but pre-1.0, wire-format
changes between minors), `rkyv` (zero-copy over-engineering for a
startup-time cache), `bincode` 2.x / 3.x (different maintainer team,
name-confusion risk — Dependabot's auto-PR #10 to bincode 3.x was
explicitly closed in favor of this approach).

## Cache compatibility — graceful degradation

`lang_analyzer/cache.rs` already has corrupt-detection: a
deserialization failure renames the existing bincode-format file to
`*.broken.<epoch>.bak` and rebuilds the cache from source. Users
upgrading from a prior mlxcel release will trip this path
automatically on the first cache read — no explicit migration code
needed.

## Scope (3 files + Cargo.lock)

- `src/lib/mlxcel-core/Cargo.toml` — `bincode = "1"` → `postcard = { version = "1", features = ["alloc"] }`
- `src/lib/mlxcel-core/src/lang_analyzer/cache.rs` — 3 call sites + doc comments
- `src/lib/mlxcel-core/src/lang_analyzer/mod.rs` — error variant `Bincode` → `Postcard` (no external match-arms on it, safe rename)
- `deny.toml` — RUSTSEC-2025-0141 `[advisories.ignore]` entry removed (no longer applicable)

Verified locally: `cargo deny check` clean (advisories ok, bans ok,
licenses ok, sources ok); `cargo tree -p mlxcel-core -i bincode`
returns "package not found" — bincode is fully removed from the
dependency tree.

Self-hosted clippy + test gate is queued behind the PR #14 cold-build
backlog at merge time; will run on main after the runner clears.

Development

Successfully merging this pull request may close these issues.

ci: add clippy and cargo test gates to ci.yml via self-hosted macOS runner
