feat(M017/S02): activate GitHub CI + mirror flow documentation #2

Merged
wollax merged 3 commits from kata/root/M017/S02 into main 2026-04-01 01:41:41 +00:00

Summary

Activates GitHub CI and documents the Forgejo→GitHub mirror flow. This is the terminal slice for M017 (Forgejo CI + GitHub Mirror Pipeline).

Changes

.github/workflows/ci.yml (new — renamed from .disabled)

  • Renames and activates the disabled GitHub CI workflow
  • Replaces jdx/mise-action@v2 with explicit tool install steps (D001)
  • SHA-pins all action refs: actions/checkout@34e11487..., dtolnay/rust-toolchain@29eef336..., Swatinem/rust-cache@c19371144... (D006)
  • Installs cargo-binstall v1.17.9 via pinned tarball (D005) — not curl-pipe-bash
  • Pins tools: just@1.46.0, cargo-deny@0.19.0, cargo-nextest@0.9.132
  • Adds RUSTFLAGS: "-Dwarnings" and timeout-minutes on both jobs
  • Node-based JSON validation in plugins job (D007)
  • ntfy failure alerts on both jobs (non-fatal)
  • Triggers on push (branches: [main]) and pull_request (branches: [main])

CONTRIBUTING.md

  • Adds "CI & Release Pipeline" section documenting the Forgejo→GitHub mirror architecture, dual CI setup, and release tag flow

Requirements Covered

  • R002 — GitHub CI enabled and functional (contract-proven)
  • R003 — Release workflow operates correctly via mirror (documented; operational proof on first real tag push)

Verification

  • just ready green (1574 tests, all checks pass)
  • All structural must-haves verified locally
  • GitHub CI integration and tag mirror UAT pending post-merge

Decisions Applied

D001, D004, D005, D006, D007 (see DECISIONS document in Linear)

- Rename ci.yml.disabled → ci.yml
- Replace mise-action with explicit tool installs (D001)
- SHA-pin all action refs (D006)
- Pinned cargo-binstall v1.17.9 tarball (D005)
- Pinned tools: just@1.46.0, cargo-deny@0.19.0, cargo-nextest@0.9.132
- RUSTFLAGS="-Dwarnings", timeout-minutes on both jobs
- node-based JSON validation (D007)
- ntfy failure alerts on both jobs
feat(S02/T02): add CI & Release Pipeline section to CONTRIBUTING.md
All checks were successful
CI / Validate plugins (pull_request) Successful in 3s
CI / Check (stable) (pull_request) Successful in 3m18s
7d1bc0dd12
Document the Forgejo→GitHub mirror flow: dual CI setup,
push-mirror architecture, and release tag pipeline.
fix(S02): address PR review findings
All checks were successful
CI / Validate plugins (pull_request) Successful in 2s
CI / Check (stable) (pull_request) Successful in 3m26s
6d4f930b65
- Add permissions: contents: read (M1 - least-privilege)
- Add concurrency group with cancel-in-progress (M2 - no stale runs)
- Name the 'just ready' step for log readability (n1)
- Add cross-reference comments between Forgejo and GitHub CI files (n3)
- CONTRIBUTING.md: specify release platform targets + GitHub-only note (m3, m4)
- CONTRIBUTING.md: add gate parity note to GitHub CI bullet (n4)
- Add inline comment explaining pull_request branch filter (m2)

PR Review — feat(M017/S02): GitHub CI activation + mirror flow documentation

Verdict: COMMENT (no blockers — changes applied inline)
Reviewers: security-ci · docs-correctness · gha-best-practices (parallel multi-agent review)

Applied in follow-up commit 6d4f930

| Finding | Severity | Resolution |
|---------|----------|------------|
| Missing `permissions: contents: read` | Major | ✅ Added |
| Missing `concurrency` group | Major | ✅ Added |
| `just ready` step unnamed | Nit | ✅ Named |
| No cross-reference between CI files | Nit | ✅ Added comments |
| `pull_request` branch filter unexplained | Minor | ✅ Added inline comment |
| CONTRIBUTING.md: GitHub-only artifacts not stated | Minor | ✅ Added note |
| CONTRIBUTING.md: "multi-platform" undefined | Minor | ✅ Enumerated targets |
| CONTRIBUTING.md: gate parity not explicit | Nit | ✅ Added parenthetical |

Deferred / Acknowledged

| Finding | Severity | Disposition |
|---------|----------|-------------|
| `cargo-binstall` tarball has no SHA-256 verify | Major | Deferred — matches Forgejo CI pattern; add checksum if repo goes public |
| `cargo-binstall` arch hardcoded to x86_64 | Minor | Accepted — add comment for now; make dynamic if ARM runners are added |
| `NTFY_URL` in plaintext | Minor | Acceptable for private homelab repo; move to secret if repo goes public |

No Blocking Issues

The workflow is production-ready. All quick-win best-practice gaps have been addressed in the follow-up commit. The two deferred items (binstall tarball checksum, ntfy secret) are appropriate for a private homelab repository.

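The change list installs `cargo-binstall` from a pinned tarball rather than curl-pipe-bash, and the review defers adding a SHA-256 check on that tarball. The shell function below is an added example (not the repository's own CI step) of what that deferred check looks like: download a pinned artifact, compare its digest against one recorded in the workflow, and refuse to unpack on mismatch. The function names, the placeholder URL and the placeholder digest are assumptions; the real values would be the pinned release URL and its published digest.

```shell
#!/usr/bin/env bash
# Added example: pinned-tarball install that fails closed on a bad digest.
# The expected digest must be committed in the workflow file itself, not
# fetched next to the artifact, so a swapped download cannot bring its own
# matching checksum.
set -euo pipefail

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
verify_sha256() {
  local file="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
  else
    actual="$(shasum -a 256 "$file" | cut -d' ' -f1)"   # macOS fallback
  fi
  [ "$actual" = "$expected" ]
}

# install_pinned_tarball URL EXPECTED_HEX DEST_DIR
# Downloads over HTTPS only, verifies, then extracts into DEST_DIR.
install_pinned_tarball() {
  local url="$1" expected="$2" dest="$3" tmp
  tmp="$(mktemp -d)"
  curl --fail --silent --show-error --location \
       --proto '=https' --tlsv1.2 \
       --output "$tmp/artifact.tgz" "$url"
  if ! verify_sha256 "$tmp/artifact.tgz" "$expected"; then
    echo "checksum mismatch for $url; refusing to install" >&2
    rm -rf "$tmp"
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$tmp/artifact.tgz" -C "$dest"
  rm -rf "$tmp"
}

# Hypothetical workflow-step usage (placeholder URL and digest, not real values):
#   install_pinned_tarball \
#     "https://example.invalid/cargo-binstall-x86_64-unknown-linux-musl.tgz" \
#     "PLACEHOLDER_SHA256_HEX_DIGEST" \
#     "$HOME/.cargo/bin"
```

In a workflow, the digest literal sits beside the pinned URL so that bumping the tool version means updating both in the same reviewed diff.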
wollax merged commit c75dbd692f into main 2026-04-01 01:41:41 +00:00
Reference
wollax/assay!2