9740bc64c9
Firmware QEMU Tests (ADR-061) / QEMU Test (edge-tier1) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (full-adr060) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (tdm-3node) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / Swarm Test (ADR-062) (push) Has been skipped
npm packages / tools/ruview-mcp (node 22) (push) Failing after 1s
nvsim-server → ghcr.io / build-and-publish (push) Failing after 1s
ruview-swarm CI guard / tests (full+train) (push) Failing after 2s
Bench Regression Guard / bench compile-verify (--no-run) (push) Failing after 0s
Bench Regression Guard / bench fast-run (informational, non-gating) (push) Has been skipped
Firmware CI / Verify version.txt matches release tag (push) Has been skipped
Dashboard a11y + cross-browser / a11y (push) Failing after 0s
nvsim Dashboard → GitHub Pages / build-and-deploy (push) Failing after 2s
Firmware CI / Build firmware (esp32s3 / 4mb) (push) Failing after 15s
Firmware QEMU Tests (ADR-061) / Build Espressif QEMU (push) Failing after 1s
Firmware QEMU Tests (ADR-061) / Fuzz Testing (ADR-061 Layer 6) (push) Failing after 1s
Continuous Deployment / Pre-deployment Checks (push) Has been skipped
Firmware CI / Build firmware (esp32c6 / c6-4mb) (push) Failing after 15s
Firmware CI / Build firmware (esp32s3 / 8mb) (push) Failing after 15s
Firmware QEMU Tests (ADR-061) / QEMU Test (boundary-max) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (boundary-min) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (default) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / QEMU Test (edge-tier0) (push) Has been skipped
Firmware QEMU Tests (ADR-061) / NVS Matrix Generation (push) Failing after 1s
Security Scanning / Security Policy Compliance (push) Failing after 0s
Security Scanning / Dependency Vulnerability Scan (push) Failing after 0s
Security Scanning / Static Application Security Testing (push) Failing after 1s
Security Scanning / Infrastructure Security Scan (push) Failing after 1s
Security Scanning / Secret Scanning (push) Failing after 1s
npm packages / harness/ruview (node 22) (push) Failing after 17s
Security Scanning / License Compliance Scan (push) Failing after 1s
Security Scanning / Container Security Scan (push) Failing after 4s
three.js demos → GitHub Pages / build-and-deploy (push) Failing after 1s
Verify Pipeline Determinism / Verify Pipeline Determinism (3.11) (push) Failing after 1s
Fix-Marker Regression Guard / Verify fix markers (push) Failing after 1s
ADR-115 MQTT integration tests / mqtt-integration (push) Failing after 1s
npm packages / harness/ruview (node 20) (push) Failing after 1s
npm packages / tools/ruview-mcp (node 20) (push) Failing after 1s
npm packages / tools/ruview-cli (node 20) (push) Failing after 1s
npm packages / tools/ruview-cli (node 22) (push) Failing after 1s
BFLD MQTT Integration / cargo test --features mqtt (live mosquitto) (push) Failing after 29s
ruview-swarm CI guard / build train_marl bin (push) Failing after 2s
ruview-swarm CI guard / clippy (-D warnings, --no-deps) (push) Failing after 3s
ruview-swarm CI guard / tests (ruflo) (push) Failing after 1s
ruview-swarm CI guard / tests (train) (push) Failing after 2s
ruview-swarm CI guard / tests (default) (push) Failing after 2s
Point Cloud Viewer → GitHub Pages / build-and-deploy (push) Failing after 8s
ruview-swarm CI guard / ITAR / publish guard (push) Failing after 0s
wifi-densepose sensing-server → Docker Hub + ghcr.io / build · push · smoke-test (push) Failing after 1s
Continuous Deployment / Deploy to Production (push) Has been cancelled
Continuous Deployment / Rollback Deployment (push) Has been cancelled
Continuous Deployment / Post-deployment Monitoring (push) Has been cancelled
Continuous Deployment / Notify Deployment Status (push) Has been cancelled
Continuous Deployment / Deploy to Staging (push) Has been cancelled
Security Scanning / Security Report (push) Has been cancelled
138 lines
5.3 KiB
YAML
138 lines
5.3 KiB
YAML
# ADR-265 D2 — publish only from CI, with provenance.
|
|
#
|
|
# Manual `npm publish` from laptops stops: this workflow re-runs the ADR-265 D1
|
|
# gate for the selected package and then publishes with npm provenance
|
|
# attestations (OIDC), tying every published version to a public commit +
|
|
# workflow run — the npm-side analogue of the ADR-028 witness bundle.
|
|
#
|
|
# Requires: NPM_TOKEN repo secret (an npm automation token), or npm Trusted
|
|
# Publishing configured for the package (in which case the token is unused).
|
|
|
|
name: ruview npm release
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
package:
|
|
description: 'Package directory to publish'
|
|
required: true
|
|
type: choice
|
|
options:
|
|
- harness/ruview
|
|
- tools/ruview-mcp
|
|
dist_tag:
|
|
description: 'npm dist-tag'
|
|
required: false
|
|
default: 'latest'
|
|
type: string
|
|
|
|
permissions:
|
|
contents: read
|
|
id-token: write # npm --provenance
|
|
|
|
jobs:
|
|
publish:
|
|
runs-on: ubuntu-latest
|
|
defaults:
|
|
run:
|
|
working-directory: ${{ inputs.package }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '20'
|
|
registry-url: 'https://registry.npmjs.org'
|
|
|
|
- name: Install
|
|
run: |
|
|
if [ -f package-lock.json ]; then npm ci; else npm install --no-fund --no-audit; fi
|
|
|
|
- name: Build (if present)
|
|
run: npm run build --if-present
|
|
|
|
- name: Test
|
|
run: npm test --if-present
|
|
|
|
# ADR-265 D3 — package.json is the only place a version string lives.
|
|
- name: Version-literal gate
|
|
run: |
|
|
set -euo pipefail
|
|
hits=""
|
|
for d in src bin; do
|
|
if [ -d "$d" ]; then
|
|
hits+=$(grep -rEn '\b[0-9]+\.[0-9]+\.[0-9]+\b' "$d" | grep -vE '127\.0\.0\.1|0\.0\.0\.0' || true)
|
|
fi
|
|
done
|
|
if [ -n "$hits" ]; then
|
|
echo "Hardcoded version-like literals found (read package.json instead — ADR-265 D3):"
|
|
echo "$hits"
|
|
exit 1
|
|
fi
|
|
|
|
# ADR-265 D1.3 — pack-content gate: no maps AND the per-package
|
|
# unpacked-size budget (the budgets that npm-packages.yml enforces).
|
|
- name: Pack gate (no maps + size budget)
|
|
run: |
|
|
set -euo pipefail
|
|
case "${{ inputs.package }}" in
|
|
# ADR-263: dependency-free harness; budget guards against dep creep.
|
|
harness/ruview) export UNPACKED_BUDGET=65536 ;;
|
|
# ADR-264 O2: map-free tarball (was 188 kB with maps).
|
|
tools/ruview-mcp) export UNPACKED_BUDGET=140000 ;;
|
|
*) echo "Unknown package '${{ inputs.package }}' — no budget defined"; exit 1 ;;
|
|
esac
|
|
npm pack --dry-run --json 2>/dev/null | node -e "
|
|
const [info] = JSON.parse(require('fs').readFileSync(0, 'utf8'));
|
|
const budget = Number(process.env.UNPACKED_BUDGET);
|
|
const maps = info.files.filter((f) => f.path.endsWith('.map'));
|
|
if (maps.length > 0) {
|
|
console.error('Tarball contains source maps (ADR-264 F2):', maps.map((m) => m.path));
|
|
process.exit(1);
|
|
}
|
|
if (info.unpackedSize > budget) {
|
|
console.error(\`Unpacked size \${info.unpackedSize} B exceeds budget \${budget} B\`);
|
|
process.exit(1);
|
|
}
|
|
console.log(\`pack gate OK: \${info.files.length} files, \${info.unpackedSize} B unpacked (budget \${budget} B), 0 maps\`);
|
|
"
|
|
|
|
# ADR-265 D1.4 — install the real tarball and drive each bin/export.
|
|
- name: Tarball smoke test
|
|
run: |
|
|
set -euo pipefail
|
|
TGZ="$PWD/$(npm pack --silent 2>/dev/null | tail -1)"
|
|
SMOKE="$(mktemp -d)"
|
|
cd "$SMOKE"
|
|
npm init -y > /dev/null
|
|
npm i --no-fund --no-audit "$TGZ"
|
|
case "${{ inputs.package }}" in
|
|
harness/ruview)
|
|
./node_modules/.bin/ruview --version
|
|
./node_modules/.bin/ruview doctor
|
|
# the honesty gate must fail closed on empty input (ADR-263 F1)
|
|
if ./node_modules/.bin/ruview claim-check; then
|
|
echo 'claim-check passed with no input — fail-open regression'; exit 1
|
|
fi
|
|
node --input-type=module -e "const m = await import('@ruvnet/ruview'); if (!m.TOOLS) process.exit(1);"
|
|
;;
|
|
tools/ruview-mcp)
|
|
# initialize over stdio; server must answer and exit 0 on EOF
|
|
printf '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"ci","version":"0"}}}\n' \
|
|
| timeout 30 ./node_modules/.bin/rvagent | grep -q '"serverInfo"'
|
|
# the ESM export must resolve from the installed tarball (ADR-264 F1)
|
|
timeout 30 node --input-type=module -e "await import('@ruvnet/rvagent');" < /dev/null
|
|
;;
|
|
esac
|
|
|
|
- name: Claim-check README
|
|
run: |
|
|
if [ -f README.md ]; then
|
|
node "$GITHUB_WORKSPACE/harness/ruview/bin/cli.js" claim-check --file README.md
|
|
fi
|
|
|
|
- name: Publish (with provenance)
|
|
run: npm publish --provenance --access public --tag "${{ inputs.dist_tag }}"
|
|
env:
|
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|