fix(tooling): satisfy fleet quality gates #16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # abitious FAST push/PR CI build (the tier-1 subset). | |
| # | |
| # This is the fast feedback build for pushes to main + PRs: it builds only the TIER-1 | |
| # targets (native on their runner, no cross C toolchain). The full, all-target RELEASE | |
| # build (incl. musl + Windows) that ships tarballs to a GitHub Release lives in | |
| # github-release.yml, and the npm platform packages are built + published by | |
| # npm-publish.yml — so this workflow does NOT trigger on `release: published`. | |
| # | |
| # The build MATRIX is DERIVED from the single source of truth (scripts/targets.mts) at CI | |
| # time: the `prepare` job runs `gen-packages --print-matrix` (the tier-1 subset) and the | |
| # `build` job consumes it via `fromJSON`, so adding/removing a target in targets.mts changes | |
| # the matrix with no edit here (the cross-language coupling is genuine, never a duplicated | |
| # triple list). | |
| # | |
| # Jobs: | |
| # • check — the JS gates + gen-then-check (single-source guard): gen --check, node --test, | |
| # and tsc typecheck. | |
| # • prepare — emit the tier-1 matrix JSON from targets.mts. | |
| # • build — per tier-1 target, cross-build the generic stub cdylib + the host `abi` | |
| # producer and package them into the @abitious/<triple> layout; upload as an | |
| # artifact. Darwin targets run on macOS runners so the host `abi` producer | |
| # (which ad-hoc re-signs injected Mach-O via apple-codesign at | |
| # `abi build --compress` time) is itself a macOS build, and the darwin stub | |
| # links against the macOS SDK. | |
| # | |
| # Every action is pinned to a commit SHA (SocketDev sha_pinning_required), copied from the | |
| # fleet's canonical pins (decmpfs for the JS actions, envrypt for the Rust actions). | |
| name: build | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - 'Cargo.toml' | |
| - 'Cargo.lock' | |
| - 'crates/**' | |
| - 'npm/**' | |
| - 'scripts/**' | |
| - 'package.json' | |
| - 'pnpm-workspace.yaml' | |
| - 'pnpm-lock.yaml' | |
| - 'tsconfig.json' | |
| - '.github/workflows/build.yml' | |
| pull_request: | |
| paths: | |
| - 'Cargo.toml' | |
| - 'Cargo.lock' | |
| - 'crates/**' | |
| - 'npm/**' | |
| - 'scripts/**' | |
| - 'package.json' | |
| - 'pnpm-workspace.yaml' | |
| - 'pnpm-lock.yaml' | |
| - 'tsconfig.json' | |
| - '.github/workflows/build.yml' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: build-${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: 1 | |
| jobs: | |
| # JS gates + the single-source-of-truth guard. No package install is needed for gen/tests | |
| # (pure node builtins); typecheck installs the pinned devDeps via pnpm. | |
| check: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| # No `cache:` input is set, so setup-node does not cache here; the release-trigger | |
| # cache-poisoning heuristic is a low-confidence false positive. | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning] | |
| with: | |
| node-version: 24 | |
| - name: gen-packages --check (out-of-sync with targets.mts fails) | |
| run: node scripts/gen-packages.mts --check | |
| - name: node --test (loader-resolution + codegen unit tests) | |
| run: node --test 'npm/cli/test/**/*.test.mjs' | |
| # Fleet pnpm: a pinned, SRI-verified pnpm on PATH (sets | |
| # npm_config_manage_package_manager_versions=false) — NOT corepack (a fleet-wide | |
| # wheelhouse rule) and not `npm i -g pnpm`. | |
| - uses: ./.github/actions/setup-pnpm | |
| - name: install devDeps | |
| run: pnpm install --frozen-lockfile | |
| - name: typecheck (tsc --noEmit) | |
| run: pnpm run typecheck | |
| # Derive the CI matrix from the single source of truth. | |
| prepare: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.gen.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| # No `cache:` input is set, so setup-node does not cache here; the release-trigger | |
| # cache-poisoning heuristic is a low-confidence false positive. | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning] | |
| with: | |
| node-version: 24 | |
| - id: gen | |
| name: derive matrix from scripts/targets.mts | |
| run: | | |
| set -euo pipefail | |
| matrix="$(node scripts/gen-packages.mts --print-matrix)" | |
| echo "matrix={\"include\":${matrix}}" >> "$GITHUB_OUTPUT" | |
| # Cross-build the stub cdylib + host producer per target and package the @abitious/<triple>. | |
| build: | |
| needs: prepare | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJSON(needs.prepare.outputs.matrix) }} | |
| runs-on: ${{ matrix.runner }} | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| # No `cache:` input is set, so setup-node does not cache here; the release-trigger | |
| # cache-poisoning heuristic is a low-confidence false positive. | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 # zizmor: ignore[cache-poisoning] | |
| with: | |
| node-version: 24 | |
| # Toolchain channel is pinned in rust-toolchain.toml (nightly-2026-07-12); keep the | |
| # `toolchain:` here in lockstep with it. `targets:` adds the matrix cross target. | |
| - uses: dtolnay/rust-toolchain@efcb852328a9f50117170cc43094fb6f09eaf1ae # nightly | |
| with: | |
| toolchain: nightly-2026-07-12 | |
| targets: ${{ matrix.rust }} | |
| # save-if below is the real mitigation (only a push to main populates the shared | |
| # cache, so a PR or the privileged `release` run can neither poison it nor bake a | |
| # poisoned entry into a release); the restore-side heuristic is acknowledged here. | |
| - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 # zizmor: ignore[cache-poisoning] | |
| with: | |
| key: ${{ matrix.triple }} | |
| save-if: ${{ github.ref == 'refs/heads/main' }} | |
| - name: install musl toolchain (musl targets only) | |
| if: ${{ matrix.libc == 'musl' }} | |
| run: sudo apt-get update && sudo apt-get install -y musl-tools | |
| - name: build the generic stub cdylib + the host abi producer | |
| env: | |
| RUST_TARGET: ${{ matrix.rust }} | |
| run: | | |
| set -euo pipefail | |
| cargo build -p abitious-stub --release --target "$RUST_TARGET" | |
| cargo build -p abitious --release --target "$RUST_TARGET" | |
| - name: stage the @abitious/${{ matrix.triple }} package | |
| env: | |
| TRIPLE: ${{ matrix.triple }} | |
| RUST_TARGET: ${{ matrix.rust }} | |
| STUB_ARTIFACT: ${{ matrix.stubArtifact }} | |
| BIN: ${{ matrix.bin }} | |
| run: | | |
| set -euo pipefail | |
| node scripts/gen-packages.mts | |
| dest="npm/${TRIPLE}" | |
| out="target/${RUST_TARGET}/release" | |
| cp "${out}/${STUB_ARTIFACT}" "${dest}/stub.node" | |
| cp "${out}/${BIN}" "${dest}/${BIN}" | |
| ls -la "${dest}" | |
| - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: abitious-${{ matrix.triple }} | |
| path: npm/${{ matrix.triple }} | |
| if-no-files-found: error |