ci: add CI/CD scaffolding, repo hygiene, and supply-chain config #3
Open
tolgakaratas wants to merge 1 commit into master from
Conversation
Pure-additive infrastructure pass — no existing files modified, no
source-code touches. Brings the repository up to a baseline for
contributor visibility, supply-chain transparency, and PR review
ergonomics. Scoped intentionally to artefacts that work on master
as it stands today; the workflows that depend on a green build
(per-PR build/test, release pipelines, container image) come in a
follow-up after the codebase compiles cleanly for the static-musl
target.
Workflows
* `.github/workflows/security-scan.yml` — weekly cargo-audit +
cargo-deny + CodeQL on the same runner. Catches new advisories
on Cargo.lock and any CodeQL findings without paging the
maintainer for a full CI redesign.
* `.github/workflows/lint-meta.yml` — commit-message lint
(Conventional Commits) + Markdown lint over `docs/**` and
root-level `*.md`. Both runs are pinned to Node 24 so the
workflow is unaffected by the Node 20 deprecation rollout.
* `.github/workflows/labeler.yml` — `actions/labeler@v6` with
per-area labels (area:ci / docs / vmm / virtio / net / storage
/ tests / e2e / deps / build) auto-applied to PRs by changed
paths. Labels are provisioned idempotently with
`gh label create --force` so the action works in fresh repos.
* `.github/workflows/dependabot-auto-merge.yml` — auto-merges
Dependabot patch + minor updates and comments on majors.
Configs
* `.commitlintrc.json` — Conventional Commits with a fixed
type-enum (build/chore/ci/docs/feat/fix/perf/refactor/revert/
style/test). Length and case rules are warning-only so the
gate is structural, not stylistic.
* `.markdownlint.json` — sensible defaults disabling layout
nits incompatible with the project's docs style (long lines,
inline HTML, bare URLs, leading-H1, blockquote spacing,
emphasis-as-heading).
* `.pre-commit-config.yaml` — local hook stack mirroring the CI
gates (cargo-fmt-check, cargo-clippy, cargo-machete on
`Cargo.toml` change, cargo-test + cargo-deny pre-push,
Conventional Commits validator, markdownlint).
* `.config/nextest.toml` — emits a JUnit XML report at
`target/nextest/default/junit.xml` so downstream test
reporters can publish inline annotations on PRs.
* `deny.toml` — cargo-deny rules: licenses (allow-list of
permissive OSS), advisories (deny vulnerable deps), bans
(no duplicate roots), sources (only crates.io + workspace).
* `.editorconfig` — universal whitespace / line-ending /
charset baseline for editors that respect it.
* `.mise.toml` — `[tools]` pinning Rust + cargo-binstall +
pre-commit, plus `[tasks.setup]` and `[tasks.ci]` for one-line
contributor onboarding via mise.
* `rustfmt.toml` — workspace formatting baseline.
* `release-please-config.json` + `.release-please-manifest.json`
— config files for the release-please workflow that lands
in a follow-up PR; included now so that PR is purely a
workflow change.
Repo metadata
* `.github/CODEOWNERS` — default reviewer pair.
* `.github/dependabot.yml` — daily Cargo + GitHub Actions
ecosystems with grouped minor-and-patch updates.
* `.github/labeler.yml` — area-label rules consumed by the
labeler workflow.
* `.github/pull_request_template.md` — PR template covering
summary, test plan, conventional-commits hint.
* `.github/ISSUE_TEMPLATE/{bug_report,feature_request}.yml`
— structured GitHub Issue forms.
Governance
* `SECURITY.md` — vulnerability disclosure channel and
expected response window.
* `CHANGELOG.md` — Keep-a-Changelog skeleton ready for
release-please to populate.
Tests
* `crates/guest-agent/tests/sleep_deadline.rs` — regression
guard for Bug #1 from the Phase 0 vsock work: timing
primitives the agent relies on must return promptly. Doesn't
reproduce the in-guest scheduler problem (would need a real
KVM context) but catches the class of mistake where a sleep
call is replaced with something that doesn't actually sleep
AND doesn't return.
Deferred to follow-up PRs (each touches the source tree and is
intentionally separated for review):
- per-PR build/test workflow on x86_64-unknown-linux-musl (the
static-musl target currently fails to compile on master with
37 errors; ship after the cross-platform-gating fix lands)
- clippy-strict + per-file coverage ratchet workflow
- release / release-please / Dockerfile pipeline
- src/* bug fixes (vsock / serial / timer / block) and the
shift-left regression tests that exercise them
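For readers who want to see what the four cargo-deny rule sets listed under "Configs" (licenses allow-list, advisories, bans, sources) look like when written out, here is an illustrative `deny.toml`. It is an added example, not the file from this PR: it assumes cargo-deny's `version = 2` schema for `[advisories]` and `[licenses]`, and the license allow-list and target list are assumptions chosen for the sake of the example rather than the project's actual choices.

```toml
# Illustrative deny.toml (added example; not the PR's own file).
# Assumes the cargo-deny "version = 2" config schema.

[graph]
# Only resolve the graph for the targets that are actually built, so
# platform-specific crates that never ship do not generate findings.
# (Target list is an assumption for the example.)
targets = ["x86_64-unknown-linux-musl", "x86_64-unknown-linux-gnu"]

[advisories]
version = 2
db-urls = ["https://github.com/rustsec/advisory-db"]
# Under version = 2 any crate matching a RustSec vulnerability fails the
# check; yanked versions are also rejected here so a re-lock cannot
# silently pull one in.
yanked = "deny"
# Accepted advisories go here as { id = "...", reason = "..." } entries,
# so every suppression carries a written justification.
ignore = []

[licenses]
version = 2
# Allow-list of permissive licenses; anything not listed is denied.
# (This particular list is an assumption for the example.)
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-DFS-2016",
    "Zlib",
]
# Require a high match confidence before a license text is trusted.
confidence-threshold = 0.9

[licenses.private]
# Workspace crates that are never published need no license check.
ignore = true

[bans]
# A second copy of a crate in the graph is a review finding, not a warning.
multiple-versions = "deny"
# Wildcard version requirements defeat lockfile review.
wildcards = "deny"
highlight = "all"
deny = []
skip = []

[sources]
# Crates may only come from crates.io (plus the workspace itself);
# unknown registries and git dependencies are rejected.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
```

`cargo deny check` runs all four checks against the current `Cargo.lock`; a scheduled workflow like the one described above gets its value from the `[advisories]` section, since the lockfile does not change between runs but the advisory database does. `cargo deny init` writes a fully commented template if you want to start from the tool's own defaults rather than this example.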
Internal validation PR — verifies CI runs cleanly on upstream baseline before opening upstream PR. Will close once upstream PR is merged.