diff --git a/.claude/commands/maintain.md b/.claude/commands/maintain.md index 24f9f6c6..858eedf9 100644 --- a/.claude/commands/maintain.md +++ b/.claude/commands/maintain.md @@ -74,13 +74,29 @@ Make the simplifications. Run tests after each change. The goal is less code tha `AGENTS.md` and `CLAUDE.md` reflect current specs, commands, tooling, and workflows. -### 10. Nightly CI is healthy - -Nightly and fuzz workflows green for past week. Fuzz targets compile. Git-sourced deps resolve. - -Key tools: `gh run list --workflow=nightly.yml --limit 7`, `gh run list --workflow=fuzz.yml --limit 7` - -If failures persist >2 days, escalate per the policy in `specs/012-maintenance.md`. +### 10. All CI is healthy (HARD GATE) + +**This section is a blocker.** The maintenance pass MUST NOT be marked complete +while any of these checks are red. + +1. **CI on main is green** — check the latest CI run on the `main` branch. If + any job (Audit, Test, Lint, Examples, Fuzz Compile Check) fails, fix it + before proceeding. Common failures: `cargo vet` missing certifications, + dependency audit advisories, clippy warnings. +2. **Nightly workflow green** for past 7 days. +3. **Fuzz workflow green** for past 7 days. If a fuzz target crashes, open a + GitHub issue with the crash artifact, reproduction command, and base64 input. +4. Fuzz targets compile. Git-sourced deps resolve. + +Key tools: +- `gh run list --workflow=ci.yml --branch=main --limit 5` (CI on main) +- `gh run list --workflow=nightly.yml --limit 7` (nightly) +- `gh run list --workflow=fuzz.yml --limit 7` (fuzz) +- `gh api repos/OWNER/REPO/actions/runs/RUN_ID/jobs` (inspect failed jobs) + +If failures persist >2 days, escalate per `specs/012-maintenance.md`. +If the agent cannot fix a failure, it MUST open a GitHub issue and report the +pass as blocked — never silently skip. ## Execution diff --git a/specs/012-maintenance.md b/specs/012-maintenance.md index b6e12884..79bef7a6 100644 --- a/specs/012-maintenance.md 
+++ b/specs/012-maintenance.md @@ -111,20 +111,28 @@ dependency rot, or security gaps ship in a release. - Build/test commands work - Pre-PR checklist covers current tooling -### Nightly CI +### CI Health +- **CI on main is green** — the latest CI run on `main` must pass. Any failure + (audit, test, lint, examples) is a blocker that must be fixed before + proceeding with the rest of the maintenance pass. - Nightly and fuzz workflows green for past week - Fuzz targets compile - Git-sourced dependencies still resolve -#### Nightly Escalation Policy +#### Escalation Policy -Failures persisting **>2 consecutive days** are blocking: +Failures persisting **>2 consecutive days** on any workflow (CI, nightly, fuzz) +are blocking: 1. Open GitHub issue with label `ci:nightly` 2. Link failing run(s) 3. Assign to most recent contributor in failing area 4. If upstream dep change: pin to known-good rev, open follow-up issue +**This section is a hard gate.** The maintenance pass MUST NOT be marked +complete or merged while any of the above checks are red. If the agent cannot +fix a failure, it must open a GitHub issue and report the pass as blocked. + ## Deferred Items When a maintenance pass identifies issues too large to fix inline (e.g. @@ -149,7 +157,8 @@ Sections dependencies, tests, examples, code quality, and nightly CI are fully automatable. Security, documentation, specs, simplification, and agent config require human or agent review. -Nightly check enforced by `just check-nightly`, called by `just release-check`. +CI health check enforced by `just check-nightly` (nightly + fuzz) and manual +inspection of CI on `main` (audit, test, lint). Called by `just release-check`. ## Invocation diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 6b416bd3..d2964944 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml 
@@ -6,6 +6,11 @@ who = "Mykhailo Chalyi " criteria = "safe-to-deploy" version = "0.39.1" +[[audits.fastrand]] +who = "Mykhailo Chalyi " +criteria = "safe-to-deploy" +version = "2.4.0" + [[audits.hybrid-array]] who = "Mykhailo Chalyi " criteria = "safe-to-deploy" diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 5d695742..f772b0b6 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -490,10 +490,6 @@ criteria = "safe-to-deploy" version = "0.17.0" criteria = "safe-to-deploy" -[[exemptions.fastrand]] -version = "2.4.0" -criteria = "safe-to-deploy" - [[exemptions.ff]] version = "0.13.1" criteria = "safe-to-deploy"
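Review bot: in the `.claude/commands/maintain.md` hunk, item 3 of the new hard-gate list tells the agent to attach "the crash artifact, reproduction command, and base64 input" to a public GitHub issue; a reproducible fuzz crash can be a security-relevant bug, so the step should first say to triage for security impact and route anything that looks exploitable through the repository's private security-advisory process, leaving only a tracking stub in the public tracker. Separately, the key-tools list mixes fully concrete commands with `gh api repos/OWNER/REPO/actions/runs/RUN_ID/jobs`, which has literal placeholders; `gh run view RUN_ID --log-failed` prints the failing steps' logs directly and would be the simpler instruction for "inspect failed jobs".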
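Review bot: in the first `specs/012-maintenance.md` hunk, the escalation policy is widened to "any workflow (CI, nightly, fuzz)" but unchanged step 1 still reads "Open GitHub issue with label `ci:nightly`", so a red CI-on-main or fuzz run would be filed under a nightly-only label; either generalise the label (a name such as `ci:health` is only a suggestion) or make it depend on the failing workflow. Also, the new "This section is a hard gate" paragraph lands after "#### Escalation Policy", where it reads as part of that subsection; placing it directly under "### CI Health", above the bullet list, would make it unambiguous that the gate covers all three checks and not just escalated failures.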
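Review bot: in the second `specs/012-maintenance.md` hunk, the replacement line says CI on `main` is checked by "manual inspection", yet the unchanged context two lines up still lists nightly CI among the sections that are "fully automatable", and a hard gate that rests on a manual step is the one most likely to be skipped. The `gh run list --workflow=ci.yml --branch=main --limit 5` command the maintain.md hunk already documents could be folded into `just check-nightly` (or a sibling recipe) so that `just release-check` itself fails on a red `main`; the recipe name `check-nightly` also now understates what it is meant to cover.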
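Review bot: in the `supply-chain/audits.toml` hunk, the new `[[audits.fastrand]]` entry certifies version 2.4.0 as `safe-to-deploy` with no `notes` field; because this entry replaces an exemption, a short note on what was reviewed (unsafe blocks, build scripts, any network or filesystem access) would let later maintainers rely on the certification instead of re-auditing. Every `who` value in the hunk, existing and new, ends in a trailing space (`"Mykhailo Chalyi "`), which suggests the `<email>` part was dropped during extraction; worth confirming the committed file carries the full identity.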
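Review bot: in the `supply-chain/config.toml` hunk, dropping `[[exemptions.fastrand]]` for 2.4.0 is the correct companion to the new audit, but nothing in the diff shows `cargo vet` being re-run afterwards; since the maintain.md hunk itself names "`cargo vet` missing certifications" as a common Audit-job failure, the PR should state that `cargo vet` passes with the exemption removed and that no other `fastrand` version in the lockfile still relied on it.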