From 4d6408097a84d510689733bfe7852e39cfe2f22d Mon Sep 17 00:00:00 2001 From: zlice dev Date: Fri, 3 Apr 2026 04:11:14 +0900 Subject: [PATCH 1/2] Add CI build/test and security audit workflow --- .github/workflows/ci.yml | 80 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..c305244 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,80 @@ +name: CI + +on: + push: + branches: [master] + pull_request: + schedule: + - cron: '0 0 * * 1' + +permissions: + contents: read + +jobs: + check: + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v4 + + - name: Install Zig + run: | + curl -sL "https://ziglang.org/download/0.15.2/zig-x86_64-linux-0.15.2.tar.xz" | tar -xJ + echo "$PWD/zig-x86_64-linux-0.15.2" >> "$GITHUB_PATH" + + - name: Format check + run: zig fmt --check src/ + + # Full build skipped — tree-sitter grammar libs not in apt. + # Tests are standalone (no C deps required). + - name: Test + run: zig build test + + security-audit: + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Zig Security Audit + env: + GH_EVENT: ${{ github.event_name }} + GH_BASE_REF: ${{ github.event.pull_request.base.ref }} + run: | + echo "## Zig Security Audit" >> "$GITHUB_STEP_SUMMARY" + echo "" >> "$GITHUB_STEP_SUMMARY" + echo "| Pattern | Count | Level |" >> "$GITHUB_STEP_SUMMARY" + echo "|---------|-------|-------|" >> "$GITHUB_STEP_SUMMARY" + + total=0 + + audit() { + local pattern="$1" level="$2" label="$3" + local count + count=$(grep -rn --include='*.zig' -e "$pattern" src/ 2>/dev/null | wc -l) + if [ "$count" -gt 0 ]; then + echo "| \`$label\` | $count | $level |" >> "$GITHUB_STEP_SUMMARY" + total=$((total + count)) + fi + if [ "$GH_EVENT" = "pull_request" ] && [ -n "$GH_BASE_REF" ]; then + git diff --name-only "origin/$GH_BASE_REF" -- '*.zig' 2>/dev/null | while read -r file; do + [ -f "$file" ] || continue + grep -n "$pattern" "$file" 2>/dev/null | while IFS=: read -r line content; do + echo "::warning file=$file,line=$line::[$level] $label: $content" + done + done + fi + } + + audit '@setRuntimeSafety\(false\)' 'Critical' '@setRuntimeSafety(false)' + audit '@ptrCast' 'Tracked' '@ptrCast' + audit '@ptrFromInt' 'Tracked' '@ptrFromInt' + audit '@intFromPtr' 'Tracked' '@intFromPtr' + audit '@alignCast' 'Tracked' '@alignCast' + audit 'catch unreachable' 'Review' 'catch unreachable' + audit 'orelse unreachable' 'Review' 'orelse unreachable' + audit '@cImport' 'Info' '@cImport' + + echo "" >> "$GITHUB_STEP_SUMMARY" + echo "**Total: $total** patterns tracked" >> "$GITHUB_STEP_SUMMARY" + echo "_Not bugs — areas requiring careful review during changes._" >> "$GITHUB_STEP_SUMMARY" From 39c36358344a5463dafbae9a077d73ea3da88b2c Mon Sep 17 00:00:00 2001 From: zlice dev Date: Fri, 3 Apr 2026 05:13:42 +0900 Subject: [PATCH 2/2] Make fmt check non-blocking (continue-on-error) --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c305244..ed88e82 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,6 +22,7 @@ jobs: echo "$PWD/zig-x86_64-linux-0.15.2" >> "$GITHUB_PATH" - name: Format check + continue-on-error: true run: zig fmt --check src/ # Full build skipped — tree-sitter grammar libs not in apt.