KeiSei84
2ffb3a8b1e
Some checks are pending
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / preflight (push) Waiting to run
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / vps-smoke (push) Waiting to run
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:frustration-matrix,kei-frustration-loop,kei-skill-importer,kei-projects-index,kei-projects-watcher,kei-gdrive-import,kei-leak-matrix,kei-skills,kei-gateway,kei-cron-scheduler,kei-export-trajectories,kei-backend-daytona,kei-d… (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-compute-baremetal,kei-compute-vultr,kei-compute-linode,kei-compute-digitalocean,kei-svc-systemd,kei-llm-bridge-mlx name:hosted-sleep-compute]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-diff,kei-scheduler,kei-watch,kei-prune,kei-discover,kei-brain-view,kei-hibernate,kei-ledger-sign,kei-fork name:wave13-15]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-git-gitea,kei-git-forgejo,kei-git-gitlab,kei-git-bitbucket,kei-memory-sled,kei-memory-redis,kei-memory-postgres,kei-memory-sqlite,kei-auth-google,kei-auth-apple,kei-auth-magiclink,kei-auth-webauthn,kei-notify-slack,kei-n… (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-ledger,kei-migrate,kei-changelog,kei-memory,kei-store,kei-conflict-scan,kei-refactor-engine,kei-graph-check,kei-shared,kei-dna-index,kei-pet name:core]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-machine-probe,kei-llm-ollama,kei-llm-llamacpp,kei-llm-mlx,kei-llm-router,kei-model name:llm-stack]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-router,kei-sage,kei-task,kei-chat-store,kei-crossdomain,kei-search-core,kei-content-store,kei-social-store,kei-curator,kei-auth,kei-artifact name:mcp-lbm]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:keisei,kei-forge,kei-runtime,kei-runtime-core,kei-atom-discovery,kei-agent-runtime,kei-capability,kei-provision,kei-entity-store,kei-pipe,kei-cache,kei-spawn,kei-replay name:atom-substrate]) (push) Blocked by required conditions
Pre-public Phase 1. Remove personal/IP traces that should not ship in a general-purpose kit; keep only intended author attribution. - no-github-push.sh + hooks-and-blocks.md + ci-scaffold: drop "KeiTech unfiled patent IP / trade secrets / priority date" wording; reword as a generic opt-in guard for keeping code on a private remote. - check-error-patterns.sh: remove author-local absolute path from the tombstone comment. - graph-export-watcher.sh: default viz dir to ~/.local/share/kei/graph-viz (was a personal project path). - agent manifests (cost-guardian, modal-runner, infra/ml/code-implementer) + ci.yml: strip private memory references and dated personal incidents; keep the generic cost/ops lessons. Snapshots regenerated; golden 3/3. Kept intentionally: author attribution (NOTICE / README / Cargo / plugin). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
159 lines
8 KiB
YAML
159 lines
8 KiB
YAML
name: CI
|
||
|
||
on:
|
||
push:
|
||
branches: [main]
|
||
pull_request:
|
||
paths-ignore:
|
||
- 'docs/**'
|
||
- '**/*.md'
|
||
- 'CHANGELOG.md'
|
||
|
||
# v0.21.0 cost optimisation (W15): cancel superseded runs on the same ref.
|
||
# A rapid push train (common during batch work) used to launch one full
|
||
# 12-job matrix per commit, even though only the last matters. This
|
||
# top-level concurrency group cancels the older run as soon as a newer
|
||
# one is queued. Effect: 60-80% saving on "rapid pushes" work days.
|
||
concurrency:
|
||
group: ci-${{ github.ref }}
|
||
cancel-in-progress: true
|
||
|
||
# v0.19.1 supply-chain hardening (H5): every third-party action is pinned
|
||
# by full commit SHA. A floating tag like @v4 can be re-pointed by a
|
||
# compromised maintainer (CVE-2025-30066 class). The `# vN.m.k` comment
|
||
# next to each SHA is a human-readable hint only — the SHA is the load-
|
||
# bearing identifier. When Dependabot proposes a bump, review the new SHA
|
||
# against the release tag before merging.
|
||
|
||
jobs:
|
||
rust-assembler:
|
||
runs-on: ${{ matrix.os }}
|
||
strategy:
|
||
# v0.21.0: macOS only on push-to-main (10x billing multiplier). PRs get ubuntu-only.
|
||
matrix:
|
||
os: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') && fromJSON('["ubuntu-latest","macos-latest"]') || fromJSON('["ubuntu-latest"]') }}
|
||
steps:
|
||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
||
- uses: dtolnay/rust-toolchain@stable # exception to SHA-pin rule: this action uses named-branch convention (stable/nightly/beta/1.NN.0) — pinning a SHA locks to a specific Rust version (validator V-2026-04-22 confirmed 3c5f7ea was rust 1.94.1 branch tip, not generic "install stable"). dtolnay is a trusted maintainer (author of serde/anyhow/cxx). Supply-chain risk of @stable re-point is LOW and accepted here.
|
||
- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
|
||
with:
|
||
workspaces: _assembler
|
||
- run: cd _assembler && cargo test --release
|
||
|
||
rust-primitives:
|
||
runs-on: ${{ matrix.os }}
|
||
strategy:
|
||
# v0.21.0: macOS only on push-to-main. --release dropped — debug mode
|
||
# runs 2-3× faster and still catches architectural breakage. Release-
|
||
# build regressions (debug_assertions!) caught by rust-assembler above.
|
||
matrix:
|
||
os: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') && fromJSON('["ubuntu-latest","macos-latest"]') || fromJSON('["ubuntu-latest"]') }}
|
||
steps:
|
||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
||
- uses: dtolnay/rust-toolchain@stable # exception to SHA-pin rule: this action uses named-branch convention (stable/nightly/beta/1.NN.0) — pinning a SHA locks to a specific Rust version (validator V-2026-04-22 confirmed 3c5f7ea was rust 1.94.1 branch tip, not generic "install stable"). dtolnay is a trusted maintainer (author of serde/anyhow/cxx). Supply-chain risk of @stable re-point is LOW and accepted here.
|
||
- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
|
||
with:
|
||
workspaces: _primitives/_rust
|
||
# v0.30+ CI fix (2026-04-29): 98-crate workspace OOMs the default
|
||
# GHA runner's 7 GB at link time. Iteration 2 (after lld+jobs=2 still
|
||
# OOM'd at signal 7): add 12 GB swap on Linux + use `mold` (smaller
|
||
# peak RSS than lld for large workspaces) + drop to JOBS=1 for the
|
||
# link phase. macOS runner has 14 GB RAM and was already passing.
|
||
- name: Free disk + resize swap (Linux runners only)
|
||
if: runner.os == 'Linux'
|
||
run: |
|
||
# Iter 4 fix: iter 3's 12 GB swap on /mnt filled the disk
|
||
# (`No space left on device` on syn rlib). GHA /mnt has only
|
||
# ~14 GB; cargo target/ + 12 GB swap = bust. Strategy now:
|
||
# (a) free ~30 GB on / by removing pre-installed bloat
|
||
# (Android SDK, .NET, GHC, CodeQL — none used by Rust+Node);
|
||
# (b) resize the existing /swapfile (4 GB → 8 GB) in place.
|
||
df -h
|
||
sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache/CodeQL
|
||
echo "--- after rm ---"
|
||
df -h
|
||
sudo swapoff /swapfile
|
||
sudo rm /swapfile
|
||
sudo fallocate -l 8G /swapfile
|
||
sudo chmod 600 /swapfile
|
||
sudo mkswap /swapfile
|
||
sudo swapon /swapfile
|
||
echo "--- after swap ---"
|
||
free -h
|
||
df -h
|
||
- name: Install mold (Linux runners only)
|
||
if: runner.os == 'Linux'
|
||
run: sudo apt-get update && sudo apt-get install -y mold
|
||
- name: cargo test --workspace (Linux)
|
||
if: runner.os == 'Linux'
|
||
run: cd _primitives/_rust && cargo test --workspace
|
||
env:
|
||
CARGO_BUILD_JOBS: '1'
|
||
RUSTFLAGS: '-C link-arg=-fuse-ld=mold'
|
||
- name: cargo test --workspace (macOS)
|
||
if: runner.os == 'macOS'
|
||
run: cd _primitives/_rust && cargo test --workspace
|
||
env:
|
||
CARGO_BUILD_JOBS: '2'
|
||
|
||
ts-packages:
|
||
# v0.21.0: ubuntu-only. Node is x-plat; no macOS-specific behaviour to
|
||
# test. Matrix: 2 jobs (ubuntu × 2 nodes) instead of 4. Saves 2 macOS jobs.
|
||
runs-on: ubuntu-latest
|
||
strategy:
|
||
matrix:
|
||
node: ['20', '22']
|
||
steps:
|
||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
||
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
|
||
with:
|
||
node-version: ${{ matrix.node }}
|
||
- run: cd _ts_packages && npm ci
|
||
- run: cd _ts_packages && npm run build --workspaces
|
||
- run: cd _ts_packages && npm test --workspaces --if-present
|
||
|
||
install-dry-run:
|
||
# v0.21.0: ubuntu-only. All 3 profiles on main push; PRs get minimal-only
|
||
# (full profile pulls everything, rarely signals PR-specific regressions).
|
||
runs-on: ubuntu-latest
|
||
strategy:
|
||
matrix:
|
||
profile: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') && fromJSON('["minimal","dev","full"]') || fromJSON('["minimal"]') }}
|
||
steps:
|
||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
||
- uses: dtolnay/rust-toolchain@stable # exception to SHA-pin rule: this action uses named-branch convention (stable/nightly/beta/1.NN.0) — pinning a SHA locks to a specific Rust version (validator V-2026-04-22 confirmed 3c5f7ea was rust 1.94.1 branch tip, not generic "install stable"). dtolnay is a trusted maintainer (author of serde/anyhow/cxx). Supply-chain risk of @stable re-point is LOW and accepted here.
|
||
- name: Install hard deps
|
||
run: sudo apt-get update && sudo apt-get install -y jq pandoc
|
||
- run: bash -n install.sh
|
||
- run: ./install.sh --no-execute --profile=${{ matrix.profile }}
|
||
|
||
shell-lint:
|
||
runs-on: ubuntu-latest
|
||
steps:
|
||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
||
- run: sudo apt-get update && sudo apt-get install -y shellcheck
|
||
- name: shellcheck (advisory)
|
||
# v0.15.1: kept advisory because local shellcheck sweep not yet clean
|
||
# (quoted-var nits in hooks). Flip to fatal once the sweep is committed;
|
||
# planned for v0.16.
|
||
# v0.20.1: explicit `|| true` in addition to continue-on-error — the
|
||
# latter doesn't always suppress the step-level exit-1 in the GH
|
||
# Actions annotation stream.
|
||
run: |
|
||
find hooks _primitives -name '*.sh' -exec shellcheck -S warning {} + || \
|
||
echo "shellcheck emitted warnings (advisory-only, not blocking)"
|
||
continue-on-error: true
|
||
|
||
workflow-lint:
|
||
# v0.20.1: guards against the dtolnay-SHA-class incident.
|
||
# actionlint catches workflow syntax; validate-workflow-shas.sh catches
|
||
# fabricated / force-pushed SHA pins. Runs fast (<30s).
|
||
runs-on: ubuntu-latest
|
||
steps:
|
||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
||
- name: Install actionlint
|
||
run: bash scripts/install-actionlint.sh
|
||
- name: Lint workflows (actionlint)
|
||
run: PATH="${HOME}/.local/bin:${PATH}" bash scripts/lint-workflows.sh
|
||
- name: Validate pinned SHAs
|
||
run: bash scripts/validate-workflow-shas.sh
|