Skip to content
CI

security: preserve cron argv and release OPFS namespaces (#1491) #149

Sign in to view logs

security: preserve cron argv and release OPFS namespaces (#1491)

security: preserve cron argv and release OPFS namespaces (#1491) #149

Workflow file for this run

.github/workflows/ci.yml at 12664b9
name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
ci:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# Check out the secure-exec sibling repo that packages/core links to via
# `"@secure-exec/core": "link:../../../secure-exec/packages/core"`. That
# link resolves to `<agent-os-root>/../secure-exec/packages/core`, i.e.
# `$GITHUB_WORKSPACE/../secure-exec/packages/core`. actions/checkout can
# only write inside the workspace, so we check out into a subdir and then
# symlink it to the sibling path the link expects.
- uses: actions/checkout@v4
with:
repository: rivet-dev/secure-exec
ref: main
path: _secure-exec-sibling
- name: Place secure-exec at the sibling path the link expects
run: ln -s "$GITHUB_WORKSPACE/_secure-exec-sibling" "$GITHUB_WORKSPACE/../secure-exec"
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: 22
- uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt, clippy
- uses: Swatinem/rust-cache@v2
with:
workspaces: |
. -> target
# Build the link target so its dist/ exists. The `@secure-exec/core`
# subpath exports (./descriptors, ./vm-config, ./sidecar-client) resolve
# to dist/*.{js,d.ts}; without these the agent-os tsc build cannot find
# the module. The core build = protocol compile (Node) + a lightweight
# `cargo test -p secure-exec-vm-config` (pure serde/ts-rs crate, no V8
# bridge / native build) + tsc, so this stays cheap in CI.
- name: Install + build @secure-exec/core (link target)
run: |
find "$GITHUB_WORKSPACE/_secure-exec-sibling" -name node_modules -prune -exec rm -rf {} +
pnpm -C "$GITHUB_WORKSPACE/_secure-exec-sibling" install --frozen-lockfile
pnpm -C "$GITHUB_WORKSPACE/_secure-exec-sibling" --filter @secure-exec/core build
- run: find . -path ./_secure-exec-sibling -prune -o -name node_modules -prune -exec rm -rf {} +
- run: pnpm install --frozen-lockfile
- run: pnpm build
- run: pnpm --dir scripts/publish run check-types
- run: pnpm --dir scripts/publish test
- run: bash scripts/check-secure-exec-rust-boundary.test.sh
- run: bash scripts/check-secure-exec-rust-boundary.sh
- run: node --test scripts/check-rust-package-metadata.test.mjs
- run: node scripts/check-rust-package-metadata.mjs
- run: node --test scripts/check-stale-split-names.test.mjs
- run: node scripts/check-stale-split-names.mjs
- run: node --test scripts/check-agent-os-client-protocol-compat.test.mjs
- run: node scripts/check-agent-os-client-protocol-compat.mjs
- run: node --test scripts/check-registry-test-runtime-boundary.test.mjs
- run: node scripts/check-registry-test-runtime-boundary.mjs
- run: node --test scripts/check-registry-software-split.test.mjs
- run: node scripts/check-registry-software-split.mjs
- run: node --test scripts/check-secure-exec-package-boundary.test.mjs
- run: node scripts/check-secure-exec-package-boundary.mjs
- run: cargo fmt --check
- run: cargo clippy --workspace --all-targets -- -D warnings
- run: cargo test -p agent-os-protocol -- --test-threads=1
- run: cargo test -p agent-os-sidecar -- --test-threads=1
- run: cargo test -p agent-os-sidecar-browser -- --test-threads=1
- run: cargo test -p agent-os-client -- --test-threads=1
env:
AGENT_OS_CLIENT_ALLOW_E2E_SKIPS: '1'
- run: pnpm check-types
- run: pnpm lint
continue-on-error: true
- if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
run: pnpm test
env:
AGENTOS_E2E_NETWORK: '1'
SECURE_EXEC_E2E_NETWORK: '1'
- if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
run: pnpm test