Merged
…se 1) Implemented Phase 1 improvements for enterprise-grade CI/CD:

#176 Concurrency Control:
- Added concurrency groups to ci.yml and release.yml
- Prevents redundant CI runs on PR updates
- Saves CI minutes and provides faster feedback

#177 Code Coverage Reporting:
- Integrated cargo-llvm-cov for accurate coverage tracking
- Added dedicated coverage job with Codecov upload
- Enables coverage visibility in PRs and trend tracking

#178 Matrix Strategy:
- Introduced matrix testing for MSRV and stable Rust versions
- Separated MSRV detection into dedicated job for reusability
- README and package operations run only on MSRV to avoid duplication
- fmt, deny, and audit run once per workflow to optimize CI time

Benefits:
- Faster CI feedback through parallel execution
- Better test coverage across Rust versions
- Resource-efficient workflow execution
- Foundation for future multi-platform testing
.github/workflows/reusable-ci.yml (outdated)
Comment on lines 40 to 247
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago):
- General fix: Explicitly set a `permissions:` block so that the workflow (or individual jobs) only receive the minimal required set of permissions for their steps to work.
- Best single fix for this snippet: Add a top-level `permissions:` block (applies to all jobs) with the most restrictive feasible permissions, e.g. `permissions: { contents: read }`, and extend specific jobs that need more (here likely the `ci` job, specifically where it commits, pushes, or makes a pull request) with a `permissions:` block giving `contents: write` and `pull-requests: write`.
- Specific changes:
  - Add at the top level of the workflow (`permissions:` after `name:` and before `on:`) with `contents: read`.
  - In the `ci` job, add a `permissions:` block setting `contents: write` and `pull-requests: write` before `runs-on: ubuntu-latest`.
- What is needed:
  - Insert top-level `permissions: contents: read`.
  - Add job-level explicit permissions for the `ci` job as above.
Suggested changeset (1 file): .github/workflows/reusable-ci.yml
| @@ -3,6 +3,8 @@ | ||
| # SPDX-License-Identifier: MIT | ||
|
|
||
| name: Reusable CI | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: | ||
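Review bot: the top-level `contents: read` is the right default, but because this workflow is triggered by `on: workflow_call` its effective token permissions are capped by the calling workflow; a job-level escalation inside this file can only downgrade, never exceed, what the caller grants, so the caller's own `permissions:` block has to be updated alongside this hunk or any step that pushes will fail at push time.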
| @@ -37,6 +39,9 @@ | ||
| echo "Using MSRV: $RV" | ||
|
|
||
| ci: | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| runs-on: ubuntu-latest | ||
| needs: msrv | ||
| strategy: |
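Review bot: `pull-requests: write` is handed to the entire `ci` job, yet nothing in the comment shows the job creating or editing a pull request; the only write need named is the README auto-commit, which requires `contents: write` alone. Drop `pull-requests: write` unless a step actually calls the PR API, and consider moving the commit step into its own job so that the matrix test steps keep running with the read-only token rather than inheriting write access they never use.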
Copilot is powered by AI and may make mistakes. Always verify output.
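To make the caller/callee relationship concrete, here is an added example (not the project's workflow and not Copilot's changeset) of a reusable workflow that defaults to a read-only token and grants `contents: write` only to the one job that commits, together with the caller that sets the permission ceiling. The file names, job names and the README regeneration command are assumptions.

```yaml
# Caller: .github/workflows/ci.yml (assumed name; added example)
name: CI
on:
  pull_request:
  push:
    branches: [main]
# The caller sets the ceiling. A reusable workflow can only downgrade
# these permissions, never raise them, so the write scope the callee
# needs must already be granted here.
permissions:
  contents: write
jobs:
  reusable:
    uses: ./.github/workflows/reusable-ci.yml
    secrets: inherit
---
# Callee: .github/workflows/reusable-ci.yml (added example)
name: Reusable CI
# Default for every job in this file: read-only token.
permissions:
  contents: read
on:
  workflow_call:
jobs:
  test:
    # Runs with the read-only default; a compromised dependency or
    # test cannot push to the repository from here.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo test --all-features
  update-readme:
    # The only job that needs to push, so the only job that gets
    # contents: write. Nothing here requests pull-requests: write.
    needs: test
    if: github.event_name == 'push'
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Placeholder for the project's README generation step (assumed).
      - run: ./scripts/regenerate-readme.sh
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add README.md
          # Commit only if the generated README actually changed.
          git diff --cached --quiet || git commit -m "docs: regenerate README"
          git push
```

If the caller were left at `contents: read`, the `update-readme` job would still be declared with `contents: write` but would receive a read-only token and fail on `git push`; conversely, any scope the callee asks for that the caller never granted (for instance `pull-requests: write`) is silently unavailable. Keeping the write-needing step in its own job also means the CodeQL finding is resolved without widening the token for the test matrix.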
.github/workflows/reusable-ci.yml (outdated)
Comment on lines +248 to +277
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 4 months ago):
To resolve this issue, add a `permissions:` block specifying the minimum required permissions, thereby adhering to the principle of least privilege. The best practice is to place this block at the top level of the workflow YAML file, so that all jobs inherit least-privilege permissions unless overridden at the job level.
- Add a top-level `permissions:` block after the `name:` declaration, before `on:`.
- For most CI/CD workflows that do not require write access to repository contents, the recommended setting is `contents: read`.
- If jobs require other permissions (e.g., `pull-requests: write` or `contents: write` for auto-committing changes), consider setting those at the individual job level. However, as a minimal fix and starting point, set `contents: read` at the top level.

What to change:
- Add after line 5 (`name: Reusable CI`) a block: `permissions: contents: read`.
- If later, any job (e.g., the "auto-commit README changes" step) is shown to need `contents: write`, you may override the permissions for that specific job. For now, the minimal recommended fix is to set the top-level block to restrict all jobs to read-only.
Suggested changeset (1 file): .github/workflows/reusable-ci.yml
| @@ -3,6 +3,8 @@ | ||
| # SPDX-License-Identifier: MIT | ||
|
|
||
| name: Reusable CI | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| workflow_call: |
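Review bot: applied on its own, this hunk breaks the "auto-commit README changes" step that the comment above already identifies, because a `contents: read` token cannot push; pair the top-level `contents: read` with a job-level `permissions: contents: write` on the job that commits, otherwise the change trades a CodeQL warning for a failing workflow. As with the first suggestion, the caller of this `workflow_call` workflow must also grant at least `contents: write` for that override to have any effect.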
Summary

Implemented Phase 1 enterprise-grade CI/CD improvements with concurrency control, code coverage reporting, and matrix strategy for multi-version testing.

Changes

#176 Concurrency Control
- Added concurrency groups to `ci.yml` and `release.yml`

#177 Code Coverage Reporting
- Integrated `cargo-llvm-cov` for accurate coverage tracking
- Added dedicated `coverage` job with Codecov integration

#178 Matrix Strategy

Benefits

Test Plan
- (`cargo test --all-features`)

Next Steps (Phase 2 & 3)

Closes #176
Closes #177
Closes #178
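The description above names three Phase 1 changes (#176 concurrency groups, #178 a matrix over MSRV and stable with MSRV detected in its own job and fmt run once) without showing the workflow syntax. The following is an added example, not the project's `ci.yml`, that puts them together under a read-only token; the MSRV extraction command, the `version` output name, the toolchain action and the step contents are assumptions.

```yaml
# .github/workflows/ci.yml (added example, not the project's file)
name: CI
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
# One run per workflow and ref. A new push to the same PR cancels the
# superseded run; pushes to main are left to finish so a release
# branch never loses a completed CI result to a later commit.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
  msrv:
    # MSRV detection lives in its own job so other jobs can reuse the
    # value through `needs.msrv.outputs.version` (output name assumed).
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.read.outputs.version }}
    steps:
      - uses: actions/checkout@v4
      - id: read
        # Assumes Cargo.toml carries a `rust-version = "..."` line.
        run: |
          RV=$(grep -E '^rust-version' Cargo.toml | sed -E 's/.*"([^"]+)".*/\1/')
          echo "Using MSRV: $RV"
          echo "version=$RV" >> "$GITHUB_OUTPUT"
  fmt:
    # Version-independent checks run once per workflow, not per matrix entry.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo fmt --all -- --check
  test:
    needs: msrv
    runs-on: ubuntu-latest
    strategy:
      # Keep the other toolchain running when one fails, so a single run
      # reports both MSRV and stable results.
      fail-fast: false
      matrix:
        rust: [stable, "${{ needs.msrv.outputs.version }}"]
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ matrix.rust }}
      - run: cargo test --all-features
      # Package verification only on the MSRV entry, to avoid duplicate work.
      - if: matrix.rust != 'stable'
        run: cargo package --no-verify
```

The `concurrency.group` key is what makes the cancellation scope a single PR rather than the whole repository: two PRs pushed at the same time land in different groups and never cancel each other. Because every job inherits the top-level `contents: read`, the matrix steps run without any write scope, which is the state the CodeQL finding on this PR asks for.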