name: CI on: push: branches: [main] pull_request: # v0.19.1 supply-chain hardening (H5): every third-party action is pinned # by full commit SHA. A floating tag like @v4 can be re-pointed by a # compromised maintainer (CVE-2025-30066 class). The `# vN.m.k` comment # next to each SHA is a human-readable hint only — the SHA is the load- # bearing identifier. When Dependabot proposes a bump, review the new SHA # against the release tag before merging. jobs: rust-assembler: runs-on: ${{ matrix.os }} strategy: matrix: os: [ubuntu-latest, macos-latest] steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - uses: dtolnay/rust-toolchain@stable # exception to SHA-pin rule: this action uses named-branch convention (stable/nightly/beta/1.NN.0) — pinning a SHA locks to a specific Rust version (validator V-2026-04-22 confirmed 3c5f7ea was rust 1.94.1 branch tip, not generic "install stable"). dtolnay is a trusted maintainer (author of serde/anyhow/cxx). Supply-chain risk of @stable re-point is LOW and accepted here. - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: workspaces: _assembler - run: cd _assembler && cargo test --release rust-primitives: runs-on: ${{ matrix.os }} strategy: matrix: os: [ubuntu-latest, macos-latest] steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - uses: dtolnay/rust-toolchain@stable # exception to SHA-pin rule: this action uses named-branch convention (stable/nightly/beta/1.NN.0) — pinning a SHA locks to a specific Rust version (validator V-2026-04-22 confirmed 3c5f7ea was rust 1.94.1 branch tip, not generic "install stable"). dtolnay is a trusted maintainer (author of serde/anyhow/cxx). Supply-chain risk of @stable re-point is LOW and accepted here. - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: workspaces: _primitives/_rust - run: cd _primitives/_rust && cargo test --workspace --release ts-packages: runs-on: ${{ matrix.os }} strategy: matrix: os: [ubuntu-latest, macos-latest] node: ['20', '22'] steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ matrix.node }} - run: cd _ts_packages && npm ci - run: cd _ts_packages && npm run build --workspaces - run: cd _ts_packages && npm test --workspaces --if-present install-dry-run: runs-on: ${{ matrix.os }} strategy: matrix: os: [ubuntu-latest, macos-latest] steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - uses: dtolnay/rust-toolchain@stable # exception to SHA-pin rule: this action uses named-branch convention (stable/nightly/beta/1.NN.0) — pinning a SHA locks to a specific Rust version (validator V-2026-04-22 confirmed 3c5f7ea was rust 1.94.1 branch tip, not generic "install stable"). dtolnay is a trusted maintainer (author of serde/anyhow/cxx). Supply-chain risk of @stable re-point is LOW and accepted here. - name: Install hard deps (Ubuntu) if: matrix.os == 'ubuntu-latest' run: sudo apt-get update && sudo apt-get install -y jq pandoc - name: Install hard deps (macOS) if: matrix.os == 'macos-latest' run: brew install jq pandoc - run: bash -n install.sh - run: ./install.sh --no-execute --profile=minimal - run: ./install.sh --no-execute --profile=dev - run: ./install.sh --no-execute --profile=full shell-lint: runs-on: ubuntu-latest steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - run: sudo apt-get update && sudo apt-get install -y shellcheck - name: shellcheck (advisory) # v0.15.1: kept advisory because local shellcheck sweep not yet clean # (quoted-var nits in hooks). Flip to fatal once the sweep is committed; # planned for v0.16. # v0.20.1: explicit `|| true` in addition to continue-on-error — the # latter doesn't always suppress the step-level exit-1 in the GH # Actions annotation stream. run: | find hooks _primitives -name '*.sh' -exec shellcheck -S warning {} + || \ echo "shellcheck emitted warnings (advisory-only, not blocking)" continue-on-error: true