fix(policy): fail fast on missing policy references in role definitio… #130

Workflow file for this run

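name: CI

# Runs for pushes to, and pull requests targeting, the default branches.
on:
  push:
    branches: ["main", "master"]
  pull_request:
    branches: ["main", "master"]

# Least privilege for GITHUB_TOKEN. The jobs in this workflow check out,
# build, test and upload reports; none of them appears to write to the
# repository, so read access to contents is enough. A job that later needs
# more should grant it at job level rather than widening this default.
permissions:
  contents: read

# Cancel in-progress runs for the same branch
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always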
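# NOTE(review): every `uses:` below references a mutable tag or branch
# (@v4, @v3, @v6, @v2, @stable, @nightly, @cargo-tarpaulin). Pinning each one
# to a full commit SHA, with the tag kept in a trailing comment, stops a
# re-tagged upstream release from silently changing what runs here.
# dtolnay/rust-toolchain picks the channel from the ref, so a SHA pin there
# also needs the `toolchain` input.
jobs:
  # Runs the workspace test suite once per matrix entry.
  test:
    name: Test (${{ matrix.edition }} edition)
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - edition: lite
            features: ''
    steps:
      - uses: actions/checkout@v4
        with:
          # Later steps build and run code from the checked-out ref; do not
          # leave the GITHUB_TOKEN in .git/config where they could read it.
          persist-credentials: false
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libseccomp-dev
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2
      - name: Run tests
        # ${{ matrix.features }} is pasted into the script text before the
        # shell runs. That is safe only while the value is a literal defined
        # in this file; never feed it from event data (titles, branch names).
        run: cargo test --workspace ${{ matrix.features }}

  # Formatting gate; uses the nightly toolchain for rustfmt.
  fmt:
    name: Rustfmt
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Rust
        uses: dtolnay/rust-toolchain@nightly
        with:
          components: rustfmt
      - name: Check formatting
        run: cargo fmt --all -- --check

  # Lint gate; any Clippy warning fails the job (-D warnings).
  clippy:
    name: Clippy (${{ matrix.edition }} edition)
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - edition: lite
            features: ''
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libseccomp-dev
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2
        with:
          prefix-key: "v2"
      - name: Lint with Clippy
        run: cargo clippy --workspace --exclude sevorix-ebpf ${{ matrix.features }} -- -D warnings

  # Compile-only check on macOS, with the eBPF crate excluded.
  check-macos:
    name: Check (macOS)
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2
        with:
          prefix-key: "macos"
      - name: Check (no ebpf, no libseccomp)
        run: cargo check --release --workspace --exclude sevorix-ebpf

  # Measures coverage with cargo-tarpaulin, then publishes the report.
  coverage:
    name: Coverage (${{ matrix.edition }} edition)
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - edition: lite
            features: ''
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y libseccomp-dev
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-tarpaulin
        uses: taiki-e/install-action@cargo-tarpaulin
      - name: Generate code coverage
        # NOTE: Coverage threshold history (must be raised incrementally as tests improve):
        # Original target: 90% | Lowered to 40% (2026-03-18) to unblock CI at 39.27%
        # Lowered to 39% (2026-03-19) because binary crate (src/main.rs) coverage is
        # structurally 0% under tarpaulin (binary fns unreachable from lib test harness).
        # Current actual: ~39.8%. Raise this threshold as coverage improves.
        run: cargo tarpaulin --verbose ${{ matrix.features }} --workspace --timeout 120 --out Xml --fail-under 39 --exclude-files "sevorix-core/src/tracer.rs"
      - name: Upload to Codecov
        uses: codecov/codecov-action@v4
        with:
          # The only secret this workflow reads. GitHub does not pass
          # repository secrets to pull_request runs from forks, so the value
          # is empty there; fail_ci_if_error: false keeps a rejected upload
          # from failing the job.
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: false
          flags: ${{ matrix.edition }}
      - name: Archive code coverage results
        uses: actions/upload-artifact@v4
        with:
          name: code-coverage-report-${{ matrix.edition }}
          path: cobertura.xml

  # Builds the sevorix-hub image without pushing it.
  hub-cloudbuild-dryrun:
    name: sevorix-hub Docker build (cloudbuild dry-run)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # Mirrors the `build-image` step in cloudbuild.yaml exactly:
      # same Dockerfile, same build context, no libseccomp-dev available.
      # Catches linker errors that only surface in the cloud build environment.
      - name: Build image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: sevorix-hub/Dockerfile
          push: false
          tags: sevorix-hub:ci
          cache-from: type=gha
          cache-to: type=gha,mode=max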