fix(policy): fail fast on missing policy references in role definitio… #130
| name: CI | |
| on: | |
| push: | |
| branches: [ "main", "master" ] | |
| pull_request: | |
| branches: [ "main", "master" ] | |
| # Cancel in-progress runs for the same branch | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| test: | |
| name: Test (${{ matrix.edition }} edition) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - edition: lite | |
| features: '' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install system dependencies | |
| run: sudo apt-get update && sudo apt-get install -y libseccomp-dev | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Cache dependencies | |
| uses: Swatinem/rust-cache@v2 | |
| - name: Run tests | |
| run: cargo test --workspace ${{ matrix.features }} | |
| fmt: | |
| name: Rustfmt | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@nightly | |
| with: | |
| components: rustfmt | |
| - name: Check formatting | |
| run: cargo fmt --all -- --check | |
| clippy: | |
| name: Clippy (${{ matrix.edition }} edition) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - edition: lite | |
| features: '' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install system dependencies | |
| run: sudo apt-get update && sudo apt-get install -y libseccomp-dev | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: clippy | |
| - name: Cache dependencies | |
| uses: Swatinem/rust-cache@v2 | |
| with: | |
| prefix-key: "v2" | |
| - name: Lint with Clippy | |
| run: cargo clippy --workspace --exclude sevorix-ebpf ${{ matrix.features }} -- -D warnings | |
| check-macos: | |
| name: Check (macOS) | |
| runs-on: macos-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Cache dependencies | |
| uses: Swatinem/rust-cache@v2 | |
| with: | |
| prefix-key: "macos" | |
| - name: Check (no ebpf, no libseccomp) | |
| run: cargo check --release --workspace --exclude sevorix-ebpf | |
| coverage: | |
| name: Coverage (${{ matrix.edition }} edition) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| include: | |
| - edition: lite | |
| features: '' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install system dependencies | |
| run: sudo apt-get update && sudo apt-get install -y libseccomp-dev | |
| - name: Install Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Install cargo-tarpaulin | |
| uses: taiki-e/install-action@cargo-tarpaulin | |
| - name: Generate code coverage | |
| # NOTE: Coverage threshold history (must be raised incrementally as tests improve): | |
| # Original target: 90% | Lowered to 40% (2026-03-18) to unblock CI at 39.27% | |
| # Lowered to 39% (2026-03-19) because binary crate (src/main.rs) coverage is | |
| # structurally 0% under tarpaulin (binary fns unreachable from lib test harness). | |
| # Current actual: ~39.8%. Raise this threshold as coverage improves. | |
| run: cargo tarpaulin --verbose ${{ matrix.features }} --workspace --timeout 120 --out Xml --fail-under 39 --exclude-files "sevorix-core/src/tracer.rs" | |
| - name: Upload to Codecov | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| fail_ci_if_error: false | |
| flags: ${{ matrix.edition }} | |
| - name: Archive code coverage results | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: code-coverage-report-${{ matrix.edition }} | |
| path: cobertura.xml | |
| hub-cloudbuild-dryrun: | |
| name: sevorix-hub Docker build (cloudbuild dry-run) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| # Mirrors the `build-image` step in cloudbuild.yaml exactly: | |
| # same Dockerfile, same build context, no libseccomp-dev available. | |
| # Catches linker errors that only surface in the cloud build environment. | |
| - name: Build image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: sevorix-hub/Dockerfile | |
| push: false | |
| tags: sevorix-hub:ci | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max |
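Review bot: The workflow declares no `permissions:` block, so every job runs with whatever default GITHUB_TOKEN scope the repository grants, which on many repos is read/write; none of the jobs here (test, fmt, clippy, check-macos, coverage, the Docker dry-run) needs more than read access to the checkout, so add a top-level `permissions:` / `contents: read` next to the existing `env:` key and widen it per job only if a later step proves to need it. Every third-party action is also referenced by a mutable tag (`actions/checkout@v4`, `Swatinem/rust-cache@v2`, `taiki-e/install-action@cargo-tarpaulin`, `codecov/codecov-action@v4`, `docker/build-push-action@v6`), which means a compromised or re-pointed tag runs in this CI with the token and, in the coverage job, `secrets.CODECOV_TOKEN`; pin each to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` (placeholder, resolve from the action's release), and let Dependabot or Renovate bump the SHAs. Separately, the three `matrix.include` lists each contain only the `lite` edition with `features: ''`, so `${{ matrix.features }}` always expands to nothing; if no second edition is planned, the matrix and the `(${{ matrix.edition }} edition)` job names are dead weight and the jobs read more clearly without them.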