Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: ci

# Runs the quality gate on every push to main and every PR, so the checks that
# previously only ran on the maintainer's laptop (release_check.sh) produce
# independent, logged, reproducible evidence. Gate merges on this workflow.
on:
push:
branches: [main]
pull_request:

permissions:
contents: read

concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true

jobs:
rust:
name: rust · build · test · clippy · fmt
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: clippy, rustfmt
- run: cargo fmt --all --check
- run: cargo build --workspace --locked
- run: cargo clippy --workspace --all-targets --locked -- -D warnings
- run: cargo test --workspace --locked

python:
name: python · tests · ruff
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
lfs: true # hydrate the vendored potion table for the forge self-tests
- uses: dtolnay/rust-toolchain@stable
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- run: pip install --upgrade numpy tokenizers ruff
- name: build extension + cli
run: |
cargo build --release -p nest-cli --locked
PYO3_PYTHON="$(which python)" cargo build --release -p nest-python --locked
cp target/release/lib_nest.so python/_nest.so
- name: engine + builder tests
run: |
python tests/test_e2e.py
python tests/test_builder.py
python tests/test_search_text_model_hash.py
python tests/test_offline_guard.py
- name: forge self-tests (offline, socket-blocked)
run: |
python python/forge/test_embed_potion.py
python python/forge/test_retrieve.py
- run: ruff check python tests

audit:
name: cargo-audit (advisory)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- run: cargo install cargo-audit --locked
# Informational until the pre-existing advisory backlog is triaged: it
# surfaces vulnerable deps in the logs without blocking merges. Flip to a
# blocking check once the tree is clean.
- run: cargo audit
continue-on-error: true
3 changes: 2 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
/target
/Cargo.lock
# Cargo.lock IS tracked: nest ships a CLI binary, so a committed lockfile is
# required for reproducible builds and CVE triage against a pinned dep set.
**/*.rs.bk
*.pdb
*.so
Expand Down
Loading
Loading