Codex/milestone b evidence audit fixes #33
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ci.yml — every PR (plan §9). Red = no merge. | |
| name: ci | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| fmt: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: rustup show # installs the pinned toolchain from rust-toolchain.toml | |
| - run: cargo fmt --all --check | |
| clippy: | |
| # includes the disallowed network API lints from clippy.toml (invariant 5b) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: rustup show | |
| - run: cargo clippy --locked --workspace --all-targets --all-features -- -D warnings | |
| deny: | |
| # ADR-0004 license allowlist + network-crate bans + advisories (invariant 5a, 6) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: EmbarkStudios/cargo-deny-action@v2 | |
| with: | |
| command: check | |
| test: | |
| # unit + fixture tests, c14n idempotence property tests, contract vectors, | |
| # deterministic-profile pin, same-platform double-parse (engine-gated below) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: rustup show | |
| - run: cargo test --locked --workspace --all-features | |
| - name: fixture manifest validation | |
| run: python3 fixtures/validate_fixtures.py | |
| - name: readiness gate tests | |
| run: python3 .github/scripts/test_readiness_gate.py | |
| - name: Gate Zero evidence preflight tests | |
| run: python3 .github/scripts/test_gate_zero_evidence_preflight.py | |
| - name: Gate Zero harness tests | |
| run: python3 benchmarks/harness/test_run_gate_zero.py | |
| - name: same-platform double-parse byte-diff | |
| run: | | |
| echo "skipped: PDFium runtime is not configured in base CI yet" | |
| verify-portability: | |
| # Invariant 4: ethos-verify compiles against the grounding trait module alone and | |
| # its dependency tree never contains parser internals. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: rustup show | |
| - run: cargo check --locked -p ethos-verify | |
| - run: cargo check --locked -p ethos-grounding-opendataloader-json | |
| - name: no parser internals in the verify tree | |
| run: | | |
| tree=$(cargo tree -p ethos-verify -e normal) | |
| echo "$tree" | |
| if echo "$tree" | grep -qiE 'ethos-pdf|ethos-layout|ethos-tables|ethos-render|pdfium'; then | |
| echo "ethos-verify depends on parser internals (invariant 4 violated)"; exit 1 | |
| fi | |
| - name: grounding feature really is minimal | |
| run: | | |
| # the trait module must build without serde_json/sha2/thiserror | |
| cargo check --locked -p ethos-core --no-default-features --features grounding | |
| cargo check --locked -p ethos-core --no-default-features --features verify-types | |
| schema-validate: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - run: pip install "jsonschema>=4.18" | |
| - run: python3 schemas/validate_examples.py | |
| - name: Gate Zero result schema validation | |
| run: | | |
| python3 - <<'PY' | |
| import json | |
| from pathlib import Path | |
| from jsonschema import Draft202012Validator | |
| schema = json.loads(Path("benchmarks/gate-zero/result.schema.json").read_text()) | |
| Draft202012Validator.check_schema(schema) | |
| PY | |
| - run: python3 fixtures/validate_fixtures.py | |
| no-network-runtime: | |
| # Invariant 5c: the base CLI functions with zero network egress. Runs the CLI inside | |
| # a no-net namespace; any egress attempt fails hard. Extends to full parses when the | |
| # engine lands. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: rustup show | |
| - run: cargo build --locked -p ethos-cli | |
| - name: run CLI under network-denied namespace | |
| run: | | |
| sudo unshare -n -- ./target/debug/ethos fingerprint schemas/examples/document.example.json | |
| sudo unshare -n -- ./target/debug/ethos rag chunk schemas/examples/document.example.json > /tmp/chunks.jsonl | |
| test -s /tmp/chunks.jsonl | |
| claims-gate: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - run: python3 .github/scripts/claims_gate.py | |
| dco: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: check DCO sign-offs | |
| run: | | |
| if [ "${{ github.event_name }}" = "pull_request" ]; then | |
| python3 .github/scripts/check_dco.py "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}" | |
| else | |
| python3 .github/scripts/check_dco.py "${{ github.event.before }}" "${{ github.sha }}" | |
| fi |