Add CI workflow with sccache integration test (#2)

* Update CI for spiceio rename and sccache integration test

- Trigger on pull_request only (not push)
- Rename binary references spio → spiceio
- Add full lint pipeline: fmt, check, clippy, rustdoc
- Add sccache integration test step with UNAS SMB credentials
- Hardcode us-west-1 region, spiceio bucket, ai_platform_dev share
- Upload release artifact as spiceio

* Address CI PR review comments

- Remove workflow_dispatch trigger (PR-only)
- Add comment explaining self-hosted runner requirement
- Use repository variables with defaults for SMB config
- Skip integration test on fork PRs (secret unavailable)
- Assert cache hits > 0 and write errors == 0 in test script

* Add release workflow triggered on GitHub release creation

Builds an optimized release binary on the self-hosted macOS runner,
packages it as a tarball with SHA-256 checksum, and uploads both as
release assets.

* Add setup action for installing spiceio in other workflows

Composite action that downloads a released spiceio binary, adds it
to PATH, and starts the S3-to-SMB proxy in the background.

Usage from another repo:
  - uses: spiceai/spiceio/.github/actions/setup@trunk
    with:
      smb-server: 192.168.3.148
      smb-user: runner
      smb-pass: ${{ secrets.UNAS_SMB_PASS }}
      smb-share: ai_platform_dev

Outputs the endpoint URL and PID for use in subsequent steps.

* Address PR #2 review comments (round 2)

- Fix grep|awk pipelines in test script to not fail under set -e
- Add --clobber to gh release upload for safe re-runs
- Skip CI on fork PRs to protect self-hosted runner from untrusted code

* Trigger CI on PR sync (push to PR branch)

* Address PR #2 review comments (round 3)

- Make token input required (expression defaults don't evaluate in action metadata)
- Use RUNNER_OS/RUNNER_ARCH to match release asset naming convention
- Add cleanup step (if: always) to kill backgrounded spiceio process

* Skip setup if spiceio is already running on the bind address

* Use release-downloader action instead of gh CLI script

* Use gh CLI instead of third-party action for release download

* Address PR #2 review comments (round 4)

- Zero sccache stats before warm build so assertion is warm-only
- Verify SHA-256 checksum after downloading release asset
- Remove uname fallbacks (RUNNER_OS/RUNNER_ARCH always set in Actions)
- Fix CI: use env.SPICEIO_SMB_PASS instead of secrets context in if condition

* Fix formatting (cargo fmt)

* Fix CI failures and simplify setup action to use SMB URL syntax

- Fix rustdoc: escape brackets in der_wrap doc comment
- Fix integration test skip: check secret via env step, not secrets context
- Simplify setup action: accept smb://user:pass@server/share URL
  instead of separate inputs for each field
- smb-pass input overrides URL password (for secrets)

* Fix CI: install AWS CLI, harden setup action

- Install awscli via brew if missing on self-hosted runner
- Fix SMB URL parsing for smb://user@server/share (no password in URL)
- Check spiceio server header for skip detection, not just any HTTP response

Author: lukekim

.github/actions/setup/action.yml

@@ -0,0 +1,174 @@
+name: Setup spiceio
+description: Install a released version of spiceio and start the S3-to-SMB proxy
+
+inputs:
+  version:
+    description: Release tag to install (e.g. "v0.1.0"). Use "latest" for the most recent release.
+    required: false
+    default: latest
+  smb-url:
+    description: >
+      SMB connection URL: smb://user:pass@server/share or smb://user:pass@server:port/share.
+      Password can also be provided separately via smb-pass.
+    required: true
+  smb-pass:
+    description: SMB password (overrides password in smb-url if both provided)
+    required: false
+    default: ""
+  bucket:
+    description: Virtual S3 bucket name
+    required: false
+    default: spiceio
+  region:
+    description: AWS region to advertise
+    required: false
+    default: us-east-1
+  bind:
+    description: Listen address for the S3 endpoint
+    required: false
+    default: "127.0.0.1:8333"
+  token:
+    description: GitHub token for downloading release assets from private repos
+    required: true
+
+outputs:
+  endpoint:
+    description: The S3-compatible endpoint URL
+    value: ${{ steps.start.outputs.endpoint }}
+  pid:
+    description: PID of the spiceio background process (empty if skipped)
+    value: ${{ steps.start.outputs.pid }}
+
+runs:
+  using: composite
+  steps:
+    - name: Download and install spiceio
+      id: install
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+      run: |
+        set -euo pipefail
+
+        REPO="spiceai/spiceio"
+        INSTALL_DIR="${RUNNER_TEMP}/spiceio-bin"
+        ASSET="spiceio-${RUNNER_OS}-${RUNNER_ARCH}.tar.gz"
+        VERSION="${{ inputs.version }}"
+
+        mkdir -p "$INSTALL_DIR"
+
+        if [[ "$VERSION" == "latest" ]]; then
+          gh release download --repo "$REPO" --pattern "$ASSET" --pattern "${ASSET}.sha256" --dir "$INSTALL_DIR"
+        else
+          gh release download "$VERSION" --repo "$REPO" --pattern "$ASSET" --pattern "${ASSET}.sha256" --dir "$INSTALL_DIR"
+        fi
+
+        # Verify integrity
+        cd "$INSTALL_DIR"
+        shasum -a 256 -c "${ASSET}.sha256"
+
+        tar xzf "$ASSET" -C "$INSTALL_DIR"
+        chmod +x "$INSTALL_DIR/spiceio"
+        echo "$INSTALL_DIR" >> "$GITHUB_PATH"
+        echo "pid_file=${RUNNER_TEMP}/spiceio.pid" >> "$GITHUB_OUTPUT"
+
+    - name: Start spiceio
+      id: start
+      shell: bash
+      env:
+        SMB_URL: ${{ inputs.smb-url }}
+        SMB_PASS_OVERRIDE: ${{ inputs.smb-pass }}
+        SPICEIO_BUCKET: ${{ inputs.bucket }}
+        SPICEIO_REGION: ${{ inputs.region }}
+        SPICEIO_BIND: ${{ inputs.bind }}
+      run: |
+        set -euo pipefail
+
+        ENDPOINT="http://${SPICEIO_BIND}"
+        PID_FILE="${{ steps.install.outputs.pid_file }}"
+
+        # Skip if spiceio is already listening on the requested address
+        # Verify it's spiceio by checking for the "spiceio" server header
+        if curl -sf -I "$ENDPOINT/" 2>/dev/null | grep -qi "server: spiceio"; then
+          echo "spiceio already running at $ENDPOINT — skipping start"
+          echo "endpoint=$ENDPOINT" >> "$GITHUB_OUTPUT"
+          echo "pid=" >> "$GITHUB_OUTPUT"
+          echo "skipped=true" >> "$GITHUB_OUTPUT"
+          exit 0
+        fi
+
+        # Parse smb://user:pass@server:port/share
+        # Strips the smb:// prefix, then splits on :, @, /
+        URL="${SMB_URL#smb://}"
+
+        USERINFO="${URL%%@*}"
+        HOSTPATH="${URL#*@}"
+
+        SPICEIO_SMB_USER="${USERINFO%%:*}"
+        # Extract password from URL only if user:pass@ format is used
+        if [[ "$USERINFO" == *:* ]]; then
+          URL_PASS="${USERINFO#*:}"
+        else
+          URL_PASS=""
+        fi
+        # smb-pass input takes priority, then URL password
+        if [[ -n "$SMB_PASS_OVERRIDE" ]]; then
+          SPICEIO_SMB_PASS="$SMB_PASS_OVERRIDE"
+        elif [[ -n "$URL_PASS" ]]; then
+          SPICEIO_SMB_PASS="$URL_PASS"
+        else
+          echo "::error::No SMB password provided (use smb-pass input or include in smb-url)"
+          exit 1
+        fi
+
+        HOSTPORT="${HOSTPATH%%/*}"
+        SPICEIO_SMB_SHARE="${HOSTPATH#*/}"
+
+        if [[ "$HOSTPORT" == *:* ]]; then
+          SPICEIO_SMB_SERVER="${HOSTPORT%%:*}"
+          SPICEIO_SMB_PORT="${HOSTPORT#*:}"
+        else
+          SPICEIO_SMB_SERVER="$HOSTPORT"
+          SPICEIO_SMB_PORT="445"
+        fi
+
+        export SPICEIO_SMB_SERVER SPICEIO_SMB_PORT SPICEIO_SMB_USER SPICEIO_SMB_PASS SPICEIO_SMB_SHARE
+        export SPICEIO_BUCKET SPICEIO_REGION SPICEIO_BIND
+
+        spiceio &
+        PID=$!
+        echo "$PID" > "$PID_FILE"
+        echo "pid=$PID" >> "$GITHUB_OUTPUT"
+        echo "endpoint=$ENDPOINT" >> "$GITHUB_OUTPUT"
+        echo "skipped=false" >> "$GITHUB_OUTPUT"
+
+        # Wait for readiness
+        echo "Waiting for spiceio on ${SPICEIO_BIND}..."
+        for i in $(seq 1 30); do
+          if curl -sf -o /dev/null "$ENDPOINT/" 2>/dev/null; then
+            echo "spiceio ready at $ENDPOINT (PID $PID)"
+            exit 0
+          fi
+          if ! kill -0 "$PID" 2>/dev/null; then
+            echo "::error::spiceio exited unexpectedly"
+            exit 1
+          fi
+          sleep 1
+        done
+        echo "::error::spiceio failed to start within 30s"
+        exit 1
+
+    - name: Register cleanup
+      if: always() && steps.start.outputs.skipped != 'true'
+      shell: bash
+      run: |
+        PID_FILE="${{ steps.install.outputs.pid_file }}"
+        if [[ -f "$PID_FILE" ]]; then
+          PID=$(cat "$PID_FILE")
+          if kill -0 "$PID" 2>/dev/null; then
+            echo "Stopping spiceio (PID $PID)"
+            kill "$PID" 2>/dev/null || true
+            wait "$PID" 2>/dev/null || true
+          fi
+          rm -f "$PID_FILE"
+        fi

.github/workflows/ci.yml

@@ -0,0 +1,91 @@
+name: CI
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CARGO_TERM_COLOR: always
+  CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse
+  CARGO_NET_GIT_FETCH_WITH_CLI: true
+
+jobs:
+  ci:
+    name: Format, lint, build, and test
+    # Self-hosted macOS runner required for CommonCrypto FFI and NAS access.
+    # Skip fork PRs to prevent untrusted code execution on self-hosted runners.
+    if: github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: spiceai-macos
+    permissions:
+      contents: read
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt,clippy
+
+      - name: Cache Rust build artifacts
+        uses: Swatinem/rust-cache@v2
+
+      - name: Check formatting
+        run: cargo fmt --all --check
+
+      - name: Run cargo check
+        run: cargo check --locked --all-targets --all-features
+
+      - name: Run clippy
+        run: cargo clippy --locked --all-targets --all-features -- -D warnings -D clippy::all -D clippy::cargo -A clippy::cargo-common-metadata
+
+      - name: Check rustdoc
+        run: RUSTDOCFLAGS="-D warnings" cargo doc --locked --workspace --no-deps --document-private-items
+
+      - name: Build debug binary
+        run: cargo build --locked
+
+      - name: Run unit tests
+        run: cargo test --locked
+
+      - name: Check SMB credentials
+        run: |
+          if [[ -n "$SPICEIO_SMB_PASS" ]]; then
+            echo "HAS_SMB_PASS=true" >> "$GITHUB_ENV"
+          fi
+        env:
+          SPICEIO_SMB_PASS: ${{ secrets.UNAS_SMB_PASS }}
+
+      - name: Install AWS CLI
+        if: ${{ env.HAS_SMB_PASS == 'true' }}
+        run: |
+          if ! command -v aws &>/dev/null; then
+            brew install awscli
+          fi
+
+      - name: Run sccache integration test
+        # Skipped when UNAS_SMB_PASS secret is not configured (e.g. fork PRs)
+        if: ${{ env.HAS_SMB_PASS == 'true' }}
+        env:
+          SPICEIO_SMB_SERVER: ${{ vars.SPICEIO_SMB_SERVER || '192.168.3.148' }}
+          SPICEIO_SMB_USER: ${{ vars.SPICEIO_SMB_USER || 'runner' }}
+          SPICEIO_SMB_PASS: ${{ secrets.UNAS_SMB_PASS }}
+          SPICEIO_SMB_SHARE: ${{ vars.SPICEIO_SMB_SHARE || 'ai_platform_dev' }}
+          SPICEIO_BUCKET: ${{ vars.SPICEIO_BUCKET || 'spiceio' }}
+          SPICEIO_REGION: ${{ vars.SPICEIO_REGION || 'us-west-1' }}
+        run: ./scripts/test-sccache.sh
+
+      - name: Build release artifact
+        run: cargo build --release --locked --bin spiceio
+
+      - name: Upload release artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: spiceio-${{ runner.os }}-${{ runner.arch }}
+          path: target/release/spiceio
+          if-no-files-found: error

.github/workflows/release.yml

@@ -0,0 +1,49 @@
+name: Release
+
+on:
+  release:
+    types: [created]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CARGO_TERM_COLOR: always
+  CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse
+  CARGO_NET_GIT_FETCH_WITH_CLI: true
+
+jobs:
+  build:
+    name: Build release binary
+    # Self-hosted macOS runner required for CommonCrypto FFI
+    runs-on: spiceai-macos
+    permissions:
+      contents: write
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache Rust build artifacts
+        uses: Swatinem/rust-cache@v2
+
+      - name: Build release binary
+        run: cargo build --release --locked --bin spiceio
+
+      - name: Package binary
+        run: |
+          cd target/release
+          tar czf spiceio-${{ runner.os }}-${{ runner.arch }}.tar.gz spiceio
+          shasum -a 256 spiceio-${{ runner.os }}-${{ runner.arch }}.tar.gz > spiceio-${{ runner.os }}-${{ runner.arch }}.tar.gz.sha256
+
+      - name: Upload release assets
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release upload "${{ github.event.release.tag_name }}" --clobber \
+            target/release/spiceio-${{ runner.os }}-${{ runner.arch }}.tar.gz \
+            target/release/spiceio-${{ runner.os }}-${{ runner.arch }}.tar.gz.sha256

scripts/test-sccache.sh

@@ -259,6 +259,7 @@ CARGO_TARGET_DIR="$TEST_TARGET_DIR" cargo build 2>&1
 echo ""
 echo "[test] === warm build (should hit cache) ==="
 rm -rf "$TEST_TARGET_DIR"
+sccache --zero-stats 2>/dev/null || true
 CARGO_TARGET_DIR="$TEST_TARGET_DIR" cargo build 2>&1
 
 echo ""
@@ -267,3 +268,17 @@ echo "[test] sccache stats:"
 echo "======================================="
 sccache --show-stats
 echo "======================================="
+
+# ── Verify cache hits ───────────────────────────────────────────────────────
+
+STATS=$(sccache --show-stats 2>&1)
+CACHE_HITS=$(echo "$STATS" | grep -m1 "^Cache hits" | awk '{print $NF}' || echo "0")
+WRITE_ERRORS=$(echo "$STATS" | grep -m1 "Cache write errors" | awk '{print $NF}' || echo "0")
+
+echo ""
+if [[ "${CACHE_HITS:-0}" -gt 0 && "${WRITE_ERRORS:-0}" -eq 0 ]]; then
+    echo "[test] PASS: warm build got $CACHE_HITS cache hits, 0 write errors"
+else
+    echo "[test] FAIL: expected cache hits > 0 (got ${CACHE_HITS:-0}) and write errors == 0 (got ${WRITE_ERRORS:-0})"
+    exit 1
+fi

src/s3/router.rs

@@ -978,7 +978,9 @@ async fn handle_complete_multipart_upload(
             return error_response(
                 StatusCode::BAD_REQUEST,
                 "InvalidPart",
-                &format!("One or more of the specified parts could not be found. Part number: {pn}"),
+                &format!(
+                    "One or more of the specified parts could not be found. Part number: {pn}"
+                ),
             );
         }
     }

src/smb/auth.rs

@@ -346,7 +346,7 @@ pub fn wrap_spnego_auth(ntlmssp: &[u8]) -> Vec<u8> {
     der_wrap(0xa1, &seq)
 }
 
-/// Wrap data in a DER TLV: [tag][length][data].
+/// Wrap data in a DER TLV: `[tag][length][data]`.
 fn der_wrap(tag: u8, data: &[u8]) -> Vec<u8> {
     let mut buf = Vec::with_capacity(1 + 4 + data.len());
     buf.push(tag);

src/smb/ops.rs

@@ -558,4 +558,3 @@ fn guess_content_type(key: &str) -> String {
     }
     .into()
 }
-