feat: make V8 JS the primary rule engine; add --js-file; remove -r/--rule #199
Workflow file for this run
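# CI workflow: builds the crate and runs unit, smoke, script and integration
# tests on macOS and Linux, plus clippy, rustfmt and cargo-udeps checks.
#
# Supply-chain note: every third-party action below is referenced by a mutable
# tag or branch (@v4, @v2, @stable, @nextest, @cargo-udeps). Pinning each one
# to a full commit SHA would keep an upstream retag from changing what runs.
name: Tests

on:
  push:
    branches:
      - main
  pull_request:
  workflow_call:

# Least privilege for GITHUB_TOKEN: none of the visible steps pushes, comments
# or publishes, so read access to the repository contents is sufficient.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1

jobs:
  test-macos:
    name: macOS Integration Tests
    runs-on: macos-15-xlarge
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Install nextest
        uses: taiki-e/install-action@nextest

      - name: Build
        run: cargo build --verbose

      - name: Run unit tests
        run: cargo nextest run --profile ci --bins --verbose

      - name: Run smoke tests
        run: cargo nextest run --profile ci --test smoke_test --verbose

      - name: Run script integration tests
        run: cargo nextest run --profile ci --test script_integration --verbose

      - name: Run weak mode integration tests
        run: |
          # On macOS, we only support weak mode due to PF limitations
          # (PF translation rules cannot match on user/group)
          cargo nextest run --profile ci --test weak_integration --verbose

  test-linux:
    name: Linux Tests
    # SECURITY: this job runs on a persistent self-hosted runner and executes
    # repository code under sudo, while the workflow also triggers on
    # pull_request. NOTE(review): confirm that pull requests from forks cannot
    # reach this runner without maintainer approval; files left on the host
    # survive between runs, which is why the chown steps below exist.
    runs-on: [self-hosted, linux]
    steps:
      - name: Fix permissions from previous runs
        run: |
          # Clean up any files left from previous sudo runs before checkout
          # Use GITHUB_WORKSPACE parent directory or current working directory
          WORK_DIR="${GITHUB_WORKSPACE:-$(pwd)}"
          if [ -d "$WORK_DIR" ]; then
            # Best effort: a failed chown must not block the run
            sudo chown -R ci:ci "$WORK_DIR" || true
          fi
          # Ensure cargo cache has correct permissions
          if [ -d /home/ci/.cargo ]; then
            sudo chown -R ci:ci /home/ci/.cargo || true
          fi

      - uses: actions/checkout@v4

      - name: Fix permissions on current directory
        run: |
          # Clean up any files left from previous sudo runs
          if [ -d target ]; then
            sudo chown -R ci:ci target || true
          fi
          # Fix cargo registry permissions to enable cache reuse
          if [ -d /home/ci/.cargo/registry ]; then
            sudo chown -R ci:ci /home/ci/.cargo/registry || true
          fi
          # Ensure git index cache has correct permissions
          if [ -d /home/ci/.cargo/git ]; then
            sudo chown -R ci:ci /home/ci/.cargo/git || true
          fi

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Setup Rust environment and install nextest
        run: |
          source ~/.cargo/env
          # Install nextest if not already present
          if ! command -v cargo-nextest &> /dev/null; then
            cargo install cargo-nextest --locked
          fi

      - name: Build
        run: |
          source ~/.cargo/env
          # Use incremental compilation for faster builds
          export CARGO_INCREMENTAL=1
          cargo build --verbose

      - name: Run unit tests
        run: |
          source ~/.cargo/env
          cargo nextest run --profile ci --bins --verbose

      - name: Run smoke tests
        run: |
          source ~/.cargo/env
          cargo nextest run --profile ci --test smoke_test --verbose

      - name: Run script integration tests
        run: |
          source ~/.cargo/env
          cargo nextest run --profile ci --test script_integration --verbose

      - name: Run Linux jail integration tests
        run: |
          source ~/.cargo/env
          # Run all tests without CI workarounds since this is a self-hosted runner
          # cargo is resolved to an absolute path before sudo (presumably because
          # root's PATH does not include the ci user's cargo bin directory); the
          # path is quoted so it stays a single argument. -E passes the CI
          # environment through to the root process.
          sudo -E "$(command -v cargo)" nextest run --profile ci --test linux_integration --verbose

      - name: Run isolated cleanup tests
        run: |
          source ~/.cargo/env
          # Run only the comprehensive cleanup and sigint tests with the feature flag
          # These tests need to run in isolation from other tests
          sudo -E "$(command -v cargo)" test --test linux_integration --features isolated-cleanup-tests -- test_comprehensive_resource_cleanup test_cleanup_after_sigint

  test-weak:
    name: Weak Mode Integration Tests (Linux)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Install nextest
        uses: taiki-e/install-action@nextest

      - name: Build
        run: cargo build --verbose

      - name: Run script integration tests
        run: cargo nextest run --profile ci --test script_integration --verbose

      - name: Run weak mode integration tests
        run: cargo nextest run --profile ci --test weak_integration --verbose

  clippy:
    name: Clippy (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable
          components: clippy

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Run clippy
        # -D warnings turns every clippy warning into a failing error
        run: cargo clippy --all-targets -- -D warnings

  fmt:
    name: Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: stable
          components: rustfmt

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Check formatting
        run: cargo fmt -- --check

  udeps:
    name: Unused dependency check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust (nightly for cargo-udeps)
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: nightly

      - name: Setup Rust cache
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: ${{ runner.os }}

      - name: Install cargo-udeps
        uses: taiki-e/install-action@cargo-udeps

      - name: Check for unused dependencies
        run: |
          set -euo pipefail
          # Run with nightly; capture output without failing the step.
          # pipefail stays on while -e is off, so $? reflects a cargo failure
          # even though tee is the last stage of the pipeline. tee already
          # echoes the output to the log, so it is not printed a second time.
          set +e
          cargo +nightly udeps --all-targets --all-features 2>&1 | tee udeps_output.txt
          STATUS=$?
          set -e
          # If cargo-udeps failed due to nightly requirement or other errors, surface that
          if [ "$STATUS" -ne 0 ]; then
            echo "cargo-udeps exited with status $STATUS"
            # If unused deps are present, cargo-udeps typically exits non-zero; still explicitly check text
            if grep -qi "unused" udeps_output.txt; then
              echo "Unused dependencies detected"
              exit 1
            fi
            exit "$STATUS"
          fi
          # Treat any mention of 'unused' as a failure signal
          # NOTE(review): this also matches unrelated compiler output that
          # contains the word, e.g. an "unused variable" warning; confirm that
          # is acceptable.
          if grep -qi "unused" udeps_output.txt; then
            echo "Unused dependencies detected"
            exit 1
          fi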