fix(interpreter): prevent byte range panic in ${#arr[idx]} with malformed input #1941
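# CI workflow: lint, dependency audit, tests, examples and a fuzz-target
# compile check, gated by a single "Check" job used for branch protection.
#
# NOTE(review): every third-party action below is referenced by a mutable tag
# or branch (@v2, @stable, @nightly, ...). Pinning each `uses:` to a full
# commit SHA, with the tag kept as a trailing comment, stops a retagged or
# compromised upstream release from running in these jobs unnoticed.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_call:

# Read-only default for GITHUB_TOKEN. A job that needs more declares its own
# `permissions:` block (see `audit`).
permissions:
  contents: read

# Only non-secret settings live at workflow level. Secrets are scoped to the
# job or step that uses them so unrelated steps and actions never see them.
env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy

      - uses: Swatinem/rust-cache@v2

      - name: Check formatting
        run: cargo fmt --all -- --check

      - name: Run clippy
        run: cargo clippy --all-targets --all-features -- -D warnings

      - name: Build documentation
        run: cargo doc --no-deps --all-features
        env:
          RUSTDOCFLAGS: "-D warnings"

  audit:
    name: Audit
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow default, so contents: read is
    # repeated. checks: write is granted here only: this is the one job that
    # hands GITHUB_TOKEN to an action.
    permissions:
      contents: read
      checks: write
    steps:
      - uses: actions/checkout@v6

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      # The lockfile is resolved at run time, so the audit below covers
      # whatever versions resolve on that day.
      # NOTE(review): presumably Cargo.lock is not committed; confirm.
      - name: Generate lockfile
        run: cargo generate-lockfile

      - name: Security audit (cargo-audit)
        uses: rustsec/audit-check@v2.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): this advisory is suppressed without a stated reason.
          # Record why it does not apply and when to revisit, so the ignore
          # does not outlive its justification.
          ignore: RUSTSEC-2023-0071

      - name: License check (cargo-deny)
        uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check licenses sources

      - name: Install cargo-vet
        uses: taiki-e/install-action@v2
        with:
          tool: cargo-vet

      - name: Supply chain audit (cargo-vet)
        run: cargo vet --locked

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - uses: Swatinem/rust-cache@v2

      - name: Run tests
        run: cargo test --features http_client,ssh

      - name: Run realfs tests
        run: cargo test --features realfs -p bashkit --test realfs_tests -p bashkit-cli

      - name: Run fail-point tests (single-threaded)
        run: cargo test --features failpoints --test security_failpoint_tests -- --test-threads=1

      - name: Run property-based security tests (proptest)
        run: cargo test --test proptest_security -- --test-threads=1
        env:
          PROPTEST_CASES: 50

  examples:
    name: Examples
    runs-on: ubuntu-latest
    # Scoped to this job, the only one that uses the token. Job-level env is
    # what the `if: env.DOPPLER_TOKEN != ''` guards below read; the value is
    # empty when the secret is not available to the run, and the Doppler steps
    # are then skipped.
    # NOTE(review): the token is still visible to every step in this job.
    env:
      DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
    steps:
      - uses: actions/checkout@v6

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - uses: Swatinem/rust-cache@v2

      - name: Build examples
        run: cargo build --examples --features "git,http_client,ssh"

      - name: Run examples
        run: |
          cargo run --example basic
          cargo run --example custom_fs
          cargo run --example resource_limits
          cargo run --example text_processing
          cargo run --example live_mounts
          cargo run --example git_workflow --features git
          cargo run --example python_external_functions --features python
          cargo run --example typescript_external_functions --features typescript
          cargo run --example realfs_readonly --features realfs
          cargo run --example realfs_readwrite --features realfs

      # SSH tests
      - name: Run ssh builtin tests (mock handler)
        run: cargo test --features ssh -p bashkit --test ssh_builtin_tests

      - name: Run ssh supabase.sh example and tests
        run: |
          cargo run --example ssh_supabase --features ssh
          cargo test --features ssh -p bashkit --test ssh_supabase_tests

      - name: Run realfs bash example
        run: |
          cargo build -p bashkit-cli --features realfs
          bash examples/realfs_mount.sh

      # External API dependency — don't block CI on Anthropic outages
      # The API key is set on this step only, so no other step sees it.
      - name: Run LLM agent example
        continue-on-error: true
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: cargo run --example agent_tool --features http_client

      - name: Install Doppler CLI
        if: env.DOPPLER_TOKEN != ''
        uses: dopplerhq/cli-action@v4

      - name: Run harness OpenAI joke example
        if: env.DOPPLER_TOKEN != ''
        run: |
          cargo build -p bashkit-cli --features realfs --quiet
          doppler run -- bash examples/harness-openai-joke.sh

  fuzz-check:
    name: Fuzz Compile Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Install Rust nightly
        uses: dtolnay/rust-toolchain@nightly

      - name: Install cargo-fuzz
        uses: taiki-e/cache-cargo-install-action@v3
        with:
          tool: cargo-fuzz
          locked: true

      - name: Verify fuzz targets compile
        working-directory: crates/bashkit
        run: cargo +nightly fuzz build

  # Gate job for branch protection — name must stay "Check"
  check:
    name: Check
    # always() makes the gate run when a dependency failed or was skipped, so
    # it reports a failure instead of being skipped itself.
    if: always()
    needs: [lint, audit, test, examples, fuzz-check]
    runs-on: ubuntu-latest
    steps:
      # needs.<job>.result is a fixed status string set by the runner, not
      # user input, so expanding it inside the script is safe here. Values
      # taken from PR titles, branch names and the like should be passed
      # through `env:` rather than expanded into a script.
      - name: Verify all jobs passed
        run: |
          if [[ "${{ needs.lint.result }}" != "success" ]] || \
             [[ "${{ needs.audit.result }}" != "success" ]] || \
             [[ "${{ needs.test.result }}" != "success" ]] || \
             [[ "${{ needs.examples.result }}" != "success" ]] || \
             [[ "${{ needs.fuzz-check.result }}" != "success" ]]; then
            echo "One or more required jobs failed"
            exit 1
          fi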