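# ci.yml — every PR (plan §9). Red = no merge.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for the default GITHUB_TOKEN: every job below only reads the
# checkout; none pushes, comments, or publishes. A job that later needs more
# should request it with a job-level `permissions:` block rather than widening
# this default.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are pinned to major tags here and below;
      # pinning to a full commit SHA (with the tag in a trailing comment) would
      # make the action supply chain reproducible.
      - uses: actions/checkout@v4
      - run: rustup show  # installs the pinned toolchain from rust-toolchain.toml
      - run: cargo fmt --all --check

  clippy:
    # includes the disallowed network API lints from clippy.toml (invariant 5b)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: rustup show
      - run: cargo clippy --locked --workspace --all-targets --all-features -- -D warnings

  deny:
    # ADR-0004 license allowlist + network-crate bans + advisories (invariant 5a, 6)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check

  test:
    # unit + fixture tests, c14n idempotence property tests, contract vectors,
    # deterministic-profile pin, same-platform double-parse (engine-gated below)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: rustup show
      - run: cargo test --locked --workspace --all-features
      - name: fixture manifest validation
        run: python3 fixtures/validate_fixtures.py
      - name: layout evaluator alpha
        run: make layout-evaluator-alpha
      - name: Python surface tests
        run: PYTHONPATH=python python3 -m unittest discover -s python/tests
      - name: readiness gate tests
        run: python3 .github/scripts/test_readiness_gate.py
      - name: Gate Zero evidence preflight tests
        run: python3 .github/scripts/test_gate_zero_evidence_preflight.py
      - name: determinism workflow tests
        run: python3 .github/scripts/test_determinism_workflow.py
      - name: CI workflow tests
        run: python3 .github/scripts/test_ci_workflow.py
      - name: Milestone B internal check target tests
        run: python3 .github/scripts/test_milestone_b_internal_checks.py
      - name: RAG chunk alpha target tests
        run: python3 .github/scripts/test_rag_chunk_alpha.py
      - name: Security report alpha target tests
        run: python3 .github/scripts/test_security_report_alpha.py
      - name: execution status tests
        run: python3 .github/scripts/test_execution_status.py
      - name: roadmap status tests
        run: python3 .github/scripts/test_roadmap_status.py
      - name: Milestone B closeout validation record tests
        run: python3 .github/scripts/test_milestone_b_closeout_record.py
      - name: Milestone B exit checklist tests
        run: python3 .github/scripts/test_milestone_b_exit_checklist.py
      - name: Gate Zero harness tests
        run: python3 benchmarks/harness/test_run_gate_zero.py
      - name: same-platform double-parse byte-diff
        # placeholder step: prints a skip message and exits 0 until the PDFium
        # runtime is available in base CI
        run: |
          echo "skipped: PDFium runtime is not configured in base CI yet"

  verify-portability:
    # Invariant 4: ethos-verify compiles against the grounding trait module alone and
    # its dependency tree never contains parser internals.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: rustup show
      - run: cargo check --locked -p ethos-verify
      - run: cargo check --locked -p ethos-grounding-opendataloader-json
      - name: no parser internals in the verify tree
        # grep over the normal-dependency tree only (-e normal): dev/build deps
        # are allowed to pull in parser crates, runtime deps are not
        run: |
          tree=$(cargo tree -p ethos-verify -e normal)
          echo "$tree"
          if echo "$tree" | grep -qiE 'ethos-pdf|ethos-layout|ethos-tables|ethos-render|pdfium'; then
            echo "ethos-verify depends on parser internals (invariant 4 violated)"; exit 1
          fi
      - name: grounding feature really is minimal
        run: |
          # the trait module must build without serde_json/sha2/thiserror
          cargo check --locked -p ethos-core --no-default-features --features grounding
          cargo check --locked -p ethos-core --no-default-features --features verify-types

  schema-validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # NOTE(review): only a lower bound is pinned; an exact version (or a
      # hash-checked requirements file) would make this job reproducible and
      # keep an unexpected upstream release out of the gate.
      - run: pip install "jsonschema>=4.18"
      - run: python3 schemas/validate_examples.py
      - run: python3 schemas/test_security_report_validation.py
      - run: python3 schemas/test_table_model_validation.py
      - name: Gate Zero result schema validation
        # meta-validation only: checks that the result schema itself is a valid
        # Draft 2020-12 schema, not that any result conforms to it
        run: |
          python3 - <<'PY'
          import json
          from pathlib import Path
          from jsonschema import Draft202012Validator
          schema = json.loads(Path("benchmarks/gate-zero/result.schema.json").read_text())
          Draft202012Validator.check_schema(schema)
          PY
      - run: python3 fixtures/validate_fixtures.py

  no-network-runtime:
    # Invariant 5c: the base CLI functions with zero network egress. Runs the CLI inside
    # a no-net namespace; any egress attempt fails hard. Extends to full parses when the
    # engine lands.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: rustup show
      - run: cargo build --locked -p ethos-cli
      - name: run CLI under network-denied namespace
        # `unshare -n` gives the process a fresh, interface-less network namespace,
        # so any socket connect fails rather than silently reaching out
        run: |
          sudo unshare -n -- ./target/debug/ethos fingerprint schemas/examples/document.example.json
          sudo unshare -n -- ./target/debug/ethos rag chunk schemas/examples/document.example.json > /tmp/chunks.jsonl
          test -s /tmp/chunks.jsonl

  claims-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python3 .github/scripts/claims_gate.py

  dco:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the base..head commit range can be walked
      - name: check DCO sign-offs
        # on a PR the range is base..head of the PR; on a push it is before..after
        # of the pushed ref. Only commit SHAs from the event context are interpolated.
        run: |
          if [ "${{ github.event_name }}" = "pull_request" ]; then
            python3 .github/scripts/check_dco.py "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}"
          else
            python3 .github/scripts/check_dco.py "${{ github.event.before }}" "${{ github.sha }}"
          fi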