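name: CI

# ── Trigger strategy ────────────────────────────────────────────────────────
# • push to main → full suite (Linux + macOS) + website deploy
# • pull_request → Linux-only fast gate (format, clippy, check, test, website)
#   macOS is gated to main-push only to conserve Actions minutes (macOS = 10× cost)
# • workflow_dispatch → manual full run on any branch
#
# INTENTIONALLY omitted: push to feature/** branches.
# Every open PR already triggers the pull_request event on each push;
# adding a redundant push-event run would double consumption for zero benefit.
#
# NOTE: the PR trigger is pull_request (not pull_request_target), so runs for
# pull requests from forks receive a read-only token and no repository secrets.
# Jobs that hand secrets.* to the private-deps setup will most likely fail for
# external contributors — that is the expected trade-off, not a CI bug.
on:
  push:
    branches: [main]
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - '.github/CODEOWNERS'
      - 'scripts/TESTING.md'
      - 'img/**'
  pull_request:
    branches: [main]
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - 'img/**'
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN: no job in this workflow writes to the
# repository, so read access to contents is all it needs. Without an explicit
# block the token inherits the repository-wide default, which may be read-write.
# Same-run artifact upload/download, the action caches and the Cloudflare deploy
# (which authenticates with its own API token) work under this setting; raise
# the scope per job only if ./.github/actions/setup-private-deps proves to need it.
permissions:
  contents: read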
env:
  CARGO_TERM_COLOR: always
  # CI builds without color-science: the momoto-* crates are local path
  # dependencies that are not available on the CI runner.
  CARGO_FEATURES: '--no-default-features'

# One active run per workflow+ref. A newer push to the same ref cancels the
# older in-flight run, so a burst of commits does not pile up stale runs.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
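jobs:
  # ── Format (fastest gate, no compilation) ────────────────────────────────
  # Supply-chain note for every third-party `uses:` in this file: `@vN` and
  # `@stable` are mutable tags that the action owner (or an attacker holding the
  # owner's account) can retarget. Pinning each action to a full commit SHA,
  # with the tag kept in a trailing comment, removes that risk; for
  # dtolnay/rust-toolchain the toolchain is then selected with
  # `with: toolchain: stable` instead of the ref. SHAs are intentionally not
  # written here — take them from each action's release page when pinning.
  # actions/checkout also persists GITHUB_TOKEN in .git/config by default; none
  # of these jobs push, so `persist-credentials: false` on each checkout would
  # be a cheap hardening to consider.
  fmt:
    name: Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt
      - name: Check formatting
        run: cargo fmt --all -- --check

  # ── Architecture boundary check (Ω-04) ────────────────────────────────────
  # Enforces frontier architecture invariants from docs/architecture/halcon-v3-correction.md.
  # Currently runs in WARN mode (no --strict) during Cycles 0-2; it will move to
  # blocking strict mode after Cycle 2 (refactor of the routing/LLM adapters into
  # the dev-providers feature). It already blocks new regressions via I-H13
  # (feature flag integrity).
  boundary-check:
    name: Architecture boundaries
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run boundary check
        run: bash scripts/check_boundaries.sh

  # ── Clippy (compile once, lint) ───────────────────────────────────────────
  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    needs: fmt
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: false
      # Composite action that makes the private path dependencies resolvable.
      # It receives a repository secret, so this step cannot succeed on PRs
      # from forks (secrets are withheld there).
      - uses: ./.github/actions/setup-private-deps
        with:
          token: ${{ secrets.PALOMA_HTTPS_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - uses: Swatinem/rust-cache@v2
      - name: Clippy
        run: cargo clippy --workspace ${{ env.CARGO_FEATURES }} --exclude momoto-core --exclude momoto-metrics --exclude momoto-intelligence -- -D warnings

  # ── cargo check (type-check without full codegen) ─────────────────────────
  check:
    name: Check
    runs-on: ubuntu-latest
    needs: fmt
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: false
      - uses: ./.github/actions/setup-private-deps
        with:
          token: ${{ secrets.PALOMA_HTTPS_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Check
        run: cargo check --workspace ${{ env.CARGO_FEATURES }} --exclude momoto-core --exclude momoto-metrics --exclude momoto-intelligence

  # ── Tests — Linux (always runs on PR and push) ───────────────────────────
  # Tests use --no-default-features --features tui to avoid momoto (private
  # submodule) while keeping enough code compiled for test targets to resolve.
  test-linux:
    name: Test (ubuntu)
    runs-on: ubuntu-latest
    needs: [clippy, check]
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: false
      - uses: ./.github/actions/setup-private-deps
        with:
          token: ${{ secrets.PALOMA_HTTPS_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Run tests
        run: cargo test --workspace --no-default-features --features tui --exclude momoto-core --exclude momoto-metrics --exclude momoto-intelligence

  # ── Tests — macOS (only on push to main, macOS runner = 10× cost) ────────
  test-macos:
    name: Test (macos)
    runs-on: macos-latest
    needs: [clippy, check]
    # Run macOS only after merge to main. PRs are validated on Linux.
    # This eliminates the single largest cost driver while keeping cross-platform
    # coverage on every shipped commit.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: false
      - uses: ./.github/actions/setup-private-deps
        with:
          token: ${{ secrets.PALOMA_HTTPS_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Run tests
        run: cargo test --workspace --no-default-features --features tui --exclude momoto-core --exclude momoto-metrics --exclude momoto-intelligence

  # ── Coverage (informational, non-gating) ──────────────────────────────────
  # Reports line/branch coverage via cargo-llvm-cov. Stays informational
  # in Phase 1; once we have a reliable baseline we can gate PRs at a
  # threshold (e.g. ratchet upward). Excludes momoto + heavy SSRF tests
  # to keep the runner under 30 minutes.
  coverage:
    name: Coverage (informational)
    runs-on: ubuntu-latest
    needs: [clippy, check]
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: false
      - uses: ./.github/actions/setup-private-deps
        with:
          token: ${{ secrets.PALOMA_HTTPS_TOKEN }}
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: llvm-tools-preview
      - uses: Swatinem/rust-cache@v2
      - name: Install cargo-llvm-cov
        uses: taiki-e/install-action@v2
        with:
          tool: cargo-llvm-cov
      - name: Generate coverage (lcov + summary)
        run: |
          cargo llvm-cov --workspace \
            --no-default-features --features tui \
            --exclude momoto-core --exclude momoto-metrics --exclude momoto-intelligence \
            --lcov --output-path lcov.info \
            --ignore-filename-regex 'target/|tests/|tool_audit_tests'
          cargo llvm-cov report --summary-only
      - name: Upload lcov artifact
        uses: actions/upload-artifact@v4
        with:
          name: coverage-lcov-${{ github.sha }}
          path: lcov.info
          retention-days: 14

  # ── Color-science tests (informational, non-gating) ───────────────────────
  # Runs only when the momoto-ui submodule is available.
  # continue-on-error: true → never blocks the PR.
  test-color-science:
    name: Test color-science (submodule)
    runs-on: ubuntu-latest
    needs: test-linux
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
          # GITHUB_TOKEN is scoped to this repository; if momoto-ui lives in
          # another private repo the submodule silently stays absent and the
          # presence check below skips the remaining steps.
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Check momoto-ui submodule presence
        id: submodule_check
        run: |
          if [ -f "vendor/momoto-ui/momoto/crates/momoto-core/Cargo.toml" ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
            echo "::notice::momoto-ui submodule not present — skipping color-science tests"
          fi
      - uses: dtolnay/rust-toolchain@stable
        if: steps.submodule_check.outputs.present == 'true'
      - uses: Swatinem/rust-cache@v2
        if: steps.submodule_check.outputs.present == 'true'
      - name: Test color-science
        if: steps.submodule_check.outputs.present == 'true'
        # Explicit `shell: bash` runs the step under `bash -eo pipefail`. The
        # implicit default shell is `bash -e` without pipefail, so the pipe into
        # `tail` would report only tail's (always zero) exit status and a failing
        # `cargo test` would show as a green step. The job stays non-blocking via
        # continue-on-error; this only makes the informational signal truthful.
        shell: bash
        run: cargo test -p halcon-cli --features "color-science,tui" --lib 2>&1 | tail -20

  # ── Website build (path-filtered: only when website/ changes) ────────────
  build-website:
    name: Build Website
    runs-on: ubuntu-latest
    # Only rebuild the website when its source actually changes.
    # `contains()` matches whole elements when its first argument is an array,
    # so testing head_commit.modified directly against 'website/' cannot match a
    # real path such as 'website/src/index.astro' (and ignored added/removed
    # files). Serialising the arrays with toJSON() makes it a substring match.
    # Because deploy-website `needs` this job, the old filter would also have
    # skipped the production deploy on pushes to main. Only the head commit of a
    # push is inspected; a multi-commit push whose website change is not in the
    # last commit still needs a workflow_dispatch run.
    if: |
      github.event_name == 'pull_request' ||
      github.event_name == 'workflow_dispatch' ||
      contains(toJSON(github.event.head_commit.modified), 'website/') ||
      contains(toJSON(github.event.head_commit.added), 'website/') ||
      contains(toJSON(github.event.head_commit.removed), 'website/')
    defaults:
      run:
        working-directory: website
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          # Resolved from the repository root; `defaults.run.working-directory`
          # applies to `run` steps only.
          cache-dependency-path: website/package-lock.json
      - name: Install deps
        run: npm ci
      - name: Build Astro (static)
        run: npm run build
      - name: Upload dist artifact
        uses: actions/upload-artifact@v4
        with:
          name: website-dist-${{ github.sha }}
          path: website/dist
          retention-days: 3

  # ── Website deploy (main push only, after all gates pass) ─────────────────
  # `check` is covered transitively through test-linux. boundary-check is not in
  # `needs`, so a failing boundary run does not hold back the deploy — fine while
  # it is WARN-mode only; revisit once it becomes a strict gate.
  deploy-website:
    name: Deploy Website → Cloudflare Pages
    needs: [test-linux, clippy, fmt, build-website]
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    runs-on: ubuntu-latest
    # The Cloudflare credentials below should be stored as environment secrets
    # on `production` so they are only exposed to this job, not to PR jobs.
    environment: production
    steps:
      - name: Download dist artifact
        uses: actions/download-artifact@v4
        with:
          name: website-dist-${{ github.sha }}
          path: website/dist
      - name: Deploy via Wrangler
        uses: cloudflare/wrangler-action@v3
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          command: pages deploy dist --project-name=halcon-website
          workingDirectory: website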