Skip to content

fix(tooling): satisfy fleet quality gates #16

fix(tooling): satisfy fleet quality gates

fix(tooling): satisfy fleet quality gates #16

Workflow file for this run

# abitious FAST push/PR CI build (the tier-1 subset).
#
# This is the fast feedback build for pushes to main + PRs: it builds only the TIER-1
# targets (native on their runner, no cross C toolchain). The full, all-target RELEASE
# build (incl. musl + Windows) that ships tarballs to a GitHub Release lives in
# github-release.yml, and the npm platform packages are built + published by
# npm-publish.yml — so this workflow does NOT trigger on `release: published`.
#
# The build MATRIX is DERIVED from the single source of truth (scripts/targets.mts) at CI
# time: the `prepare` job runs `gen-packages --print-matrix` (the tier-1 subset) and the
# `build` job consumes it via `fromJSON`, so adding/removing a target in targets.mts changes
# the matrix with no edit here (the cross-language coupling is genuine, never a duplicated
# triple list).
#
# Jobs:
# • check — the JS gates + gen-then-check (single-source guard): gen --check, node --test,
# and tsc typecheck.
# • prepare — emit the tier-1 matrix JSON from targets.mts.
# • build — per tier-1 target, cross-build the generic stub cdylib + the host `abi`
# producer and package them into the @abitious/<triple> layout; upload as an
# artifact. Darwin targets run on macOS runners so the host `abi` producer
# (which ad-hoc re-signs injected Mach-O via apple-codesign at
# `abi build --compress` time) is itself a macOS build, and the darwin stub
# links against the macOS SDK.
#
# Every action is pinned to a commit SHA (SocketDev sha_pinning_required), copied from the
# fleet's canonical pins (decmpfs for the JS actions, envrypt for the Rust actions).
name: build
on:
push:
branches: [main]
paths:
- 'Cargo.toml'
- 'Cargo.lock'
- 'crates/**'
- 'npm/**'
- 'scripts/**'
- 'package.json'
- 'pnpm-workspace.yaml'
- 'pnpm-lock.yaml'
- 'tsconfig.json'
- '.github/workflows/build.yml'
pull_request:
paths:
- 'Cargo.toml'
- 'Cargo.lock'
- 'crates/**'
- 'npm/**'
- 'scripts/**'
- 'package.json'
- 'pnpm-workspace.yaml'
- 'pnpm-lock.yaml'
- 'tsconfig.json'
- '.github/workflows/build.yml'
workflow_dispatch:
permissions:
contents: read
concurrency:
group: build-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
defaults:
run:
shell: bash
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
jobs:
# JS gates + the single-source-of-truth guard. No package install is needed for gen/tests
# (pure node builtins); typecheck installs the pinned devDeps via pnpm.
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
# No `cache:` input is set, so setup-node does not cache here; the release-trigger
# cache-poisoning heuristic is a low-confidence false positive.
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning]
with:
node-version: 24
- name: gen-packages --check (out-of-sync with targets.mts fails)
run: node scripts/gen-packages.mts --check
- name: node --test (loader-resolution + codegen unit tests)
run: node --test 'npm/cli/test/**/*.test.mjs'
# Fleet pnpm: a pinned, SRI-verified pnpm on PATH (sets
# npm_config_manage_package_manager_versions=false) — NOT corepack (a fleet-wide
# wheelhouse rule) and not `npm i -g pnpm`.
- uses: ./.github/actions/setup-pnpm
- name: install devDeps
run: pnpm install --frozen-lockfile
- name: typecheck (tsc --noEmit)
run: pnpm run typecheck
# Derive the CI matrix from the single source of truth.
prepare:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.gen.outputs.matrix }}
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
# No `cache:` input is set, so setup-node does not cache here; the release-trigger
# cache-poisoning heuristic is a low-confidence false positive.
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning]
with:
node-version: 24
- id: gen
name: derive matrix from scripts/targets.mts
run: |
set -euo pipefail
matrix="$(node scripts/gen-packages.mts --print-matrix)"
echo "matrix={\"include\":${matrix}}" >> "$GITHUB_OUTPUT"
# Cross-build the stub cdylib + host producer per target and package the @abitious/<triple>.
build:
needs: prepare
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.prepare.outputs.matrix) }}
runs-on: ${{ matrix.runner }}
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
# No `cache:` input is set, so setup-node does not cache here; the release-trigger
# cache-poisoning heuristic is a low-confidence false positive.
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning]
with:
node-version: 24
# Toolchain channel is pinned in rust-toolchain.toml (nightly-2026-07-12); keep the
# `toolchain:` here in lockstep with it. `targets:` adds the matrix cross target.
- uses: dtolnay/rust-toolchain@efcb852328a9f50117170cc43094fb6f09eaf1ae # nightly
with:
toolchain: nightly-2026-07-12
targets: ${{ matrix.rust }}
# save-if below is the real mitigation (only a push to main populates the shared
# cache, so a PR or the privileged `release` run can neither poison it nor bake a
# poisoned entry into a release); the restore-side heuristic is acknowledged here.
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 # zizmor: ignore[cache-poisoning]
with:
key: ${{ matrix.triple }}
save-if: ${{ github.ref == 'refs/heads/main' }}
- name: install musl toolchain (musl targets only)
if: ${{ matrix.libc == 'musl' }}
run: sudo apt-get update && sudo apt-get install -y musl-tools
- name: build the generic stub cdylib + the host abi producer
env:
RUST_TARGET: ${{ matrix.rust }}
run: |
set -euo pipefail
cargo build -p abitious-stub --release --target "$RUST_TARGET"
cargo build -p abitious --release --target "$RUST_TARGET"
- name: stage the @abitious/${{ matrix.triple }} package
env:
TRIPLE: ${{ matrix.triple }}
RUST_TARGET: ${{ matrix.rust }}
STUB_ARTIFACT: ${{ matrix.stubArtifact }}
BIN: ${{ matrix.bin }}
run: |
set -euo pipefail
node scripts/gen-packages.mts
dest="npm/${TRIPLE}"
out="target/${RUST_TARGET}/release"
cp "${out}/${STUB_ARTIFACT}" "${dest}/stub.node"
cp "${out}/${BIN}" "${dest}/${BIN}"
ls -la "${dest}"
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: abitious-${{ matrix.triple }}
path: npm/${{ matrix.triple }}
if-no-files-found: error