plsql-intelligence/.github/workflows/ci.yml at main · MuhDur/plsql-intelligence · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
name: CI

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

env:
  CARGO_TERM_COLOR: always

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  fmt:
    name: rustfmt
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt
      - run: cargo fmt --all -- --check

  clippy:
    name: clippy (-D warnings)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - uses: Swatinem/rust-cache@v2
      - run: cargo clippy --workspace --all-targets -- -D warnings

  test:
    name: cargo test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - run: cargo test --workspace --all-targets
      - run: cargo test --workspace --doc

  # `oracle-qmwz.1.1` (P0-0) — the one-way dependency boundary: the engine-free
  # oraclemcp-* core crates must never import a plsql-* engine crate, so the
  # eventual Phase-E extraction is a mechanical git-filter-repo, not a rewrite.
  oraclemcp-boundary:
    name: oraclemcp boundary lint (one-way dependency)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: bash scripts/oraclemcp_boundary_lint.sh

  # `oracle-qmwz.6.2` (T-CORPUS) — keep the classifier cargo-fuzz target building
  # (the differential adversarial corpus itself runs in the `test` job via the
  # oraclemcp-guard integration test).
  classifier-fuzz-smoke:
    name: classifier fuzz target builds (nightly)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@nightly
      - uses: Swatinem/rust-cache@v2
      - run: cargo install --locked cargo-fuzz || true
      - run: cargo +nightly fuzz build classify_fuzz
        working-directory: crates/oraclemcp-guard

  # `oracle-qmwz.1.2` (P0-1) — supply-chain gates for the oraclemcp build.
  supply-chain:
    name: cargo deny + audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: cargo deny (advisories, licenses, bans, sources)
        run: |
          cargo install --locked cargo-deny || true
          cargo deny check
      - name: cargo audit (RUSTSEC advisories)
        run: |
          cargo install --locked cargo-audit || true
          cargo audit || true

  bench-no-run:
    name: cargo bench --no-run
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - run: cargo bench --workspace --no-run

  corpus-license-check:
    name: corpus license check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - run: cargo run -p corpus-license-check

  # Surrogate for `PLSQL-PARSE-012` — once the parse-corpus harness lands it
  # will replace this job with structured parse-quality metrics (clean rate,
  # recovered rate, skipped-token ratio, top-level recognition).
  parse-success:
    name: parse-success (parser tests)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - run: cargo test -p plsql-parser -p plsql-parser-antlr

  # `PLSQL-LAB-010` — lab-as-release-gate. PR-blocking CI for drift
  # in `corpus/lab/expected/*.json` goldens. Fails if any golden is
  # invalid JSON, or if the lineage tests that consume the goldens
  # regress. Cheap (no Oracle, no docker); runs on every PR.
  lab-gate:
    name: lab-gate (corpus/lab goldens, PR-blocking)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - run: make lab-gate

  # `PLSQL-LAB-003` — sanity-check the L1 hero diff golden artifact
  # via `make demo-no-db-verify`. Cheap (no Oracle, no docker) so it
  # runs on every PR; it asserts the parse_change_file pipeline
  # consumes the diff and the golden JSON is present.
  demo-no-db:
    name: demo-no-db (hero-diff golden gate)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - run: make demo-no-db-verify

  # `PLSQL-PLAN-002` — run plan-lint on every push/PR. Now a blocking
  # gate (PLSQL-PLAN-003 closed all known error-severity drift); warnings
  # still surface but don't fail the build.
  plan-lint:
    name: plan-lint (structural integrity)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Run plan-lint (human report)
        run: cargo run -p plan-lint -- --doctor
      - name: Run plan-lint (JSON report)
        run: cargo run -p plan-lint -- --robot-json > plan-lint-report.json
      - name: Upload JSON report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: plan-lint-report
          path: plan-lint-report.json
          if-no-files-found: ignore