-
Notifications
You must be signed in to change notification settings - Fork 1
255 lines (231 loc) · 10.8 KB
/
ci.yml
File metadata and controls
255 lines (231 loc) · 10.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
name: CI
on:
push:
branches:
- main
- "feature/**"
pull_request:
branches:
- main
# Cancel in-flight runs for the same branch when a new commit is pushed.
concurrency:
group: ci-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
check:
name: check (${{ matrix.os }})
strategy:
# Never fail-fast — we always want to see both Linux and Windows
# results, even if one platform regresses. Masking a Windows-only
# break with a Linux pass (or vice versa) would defeat the whole
# point of having this matrix.
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest]
runs-on: ${{ matrix.os }}
# Healthy runs finish in ~6 min on Linux and ~9 min on Windows. The
# GitHub-default ceiling is 6 hours per job, so a single hung test on
# Windows can pin a runner for that long (see PR #28's post-merge CI).
# 30 min is a comfortable 3× headroom over the slow side; anything
# past that is a hang, not slowness.
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@v5
- name: Free disk space (Linux)
if: matrix.os == 'ubuntu-latest'
# GitHub-hosted Ubuntu runners ship with ~14 GB free on /. Our
# job restores a Rust target cache, runs `cargo check` and
# `cargo test` (each round of which adds GB to target/), installs
# node_modules, builds the frontend, and `bun install`s the
# sidecar — that comfortably exceeds 14 GB and has produced
# post-merge CI failures with "No space left on device" during
# `cargo test` (see PR #44 and PR #46 merge runs).
#
# Removing the preinstalled toolchains we never touch (Android
# SDK ~12 GB, .NET ~1.6 GB, Haskell GHC ~5 GB, CodeQL ~5 GB,
# cached Docker images ~3 GB) frees ~25 GB in <30 s and avoids
# pinning a third-party action. Windows runners have ~150 GB
# free and don't need this.
shell: bash
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf /usr/local/lib/android
sudo rm -rf /opt/ghc
sudo rm -rf /opt/hostedtoolcache/CodeQL
sudo docker image prune --all --force || true
df -h /
- name: Install Linux system dependencies
if: matrix.os == 'ubuntu-latest'
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
libwebkit2gtk-4.1-dev \
build-essential \
libssl-dev \
libgtk-3-dev \
libayatana-appindicator3-dev \
librsvg2-dev \
patchelf \
file \
ripgrep
# This matches the package list installed in release.yml so the CI
# toolchain is a strict subset of what the release pipeline uses.
# libfuse2 is excluded — it is only needed by `tauri build`'s
# AppImage packager, not by `cargo check` or `cargo test`.
# ripgrep is required by `commands::files::tests::grep_count_pattern_*`,
# which shells out to `rg` to count CODEMUX_DEBUG markers.
- name: Install Windows system dependencies
if: matrix.os == 'windows-latest'
# Chocolatey is pre-installed on windows-latest runners. ripgrep
# is needed for the same `grep_count_pattern_*` tests as Linux.
run: choco install ripgrep -y --no-progress
shell: pwsh
- name: Setup Rust
uses: dtolnay/rust-toolchain@stable
- name: Rust cache
uses: Swatinem/rust-cache@v2
with:
workspaces: src-tauri -> target
# Scope the cache per OS so Linux and Windows artifacts never
# collide in the same cache key.
key: ${{ matrix.os }}
- name: Setup Node
uses: actions/setup-node@v5
with:
# Node 22 for the project's npm scripts. The action itself is on
# @v5 (Node 24 runtime) so it won't trip GitHub's Node-20-actions
# deprecation that takes effect 2026-06-02.
# See: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
node-version: 22
cache: npm
- name: Install npm dependencies
run: npm ci
- name: Setup Bun
# Needed to build the claude-agent sidecar below. Installed here
# so the stage step can produce the per-target binary before
# `cargo check` fails tauri-build's externalBin validation.
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Stage claude-agent sidecar binary
shell: bash
run: |
# Like the agent-browser step below, tauri-build validates
# `externalBin` at compile time, so the sidecar binary has to
# be present before `cargo check` / `cargo test`. Full build
# via Bun; fall back to a zero-byte placeholder if Bun fails
# (e.g. transient registry hiccup) — CI is checking types and
# running tests, not producing distributables.
TARGET="${CARGO_BUILD_TARGET:-$(rustc -vV | grep host | cut -d' ' -f2)}"
mkdir -p src-tauri/binaries
case "$TARGET" in
*windows*) DEST="src-tauri/binaries/codemux-claude-sidecar-$TARGET.exe" ;;
*) DEST="src-tauri/binaries/codemux-claude-sidecar-$TARGET" ;;
esac
if bash scripts/build-claude-sidecar.sh; then
if [ ! -s "$DEST" ]; then
echo "[ci] build-claude-sidecar.sh reported success but $DEST is missing — placeholder"
touch "$DEST"
chmod +x "$DEST" 2>/dev/null || true
fi
else
echo "[ci] sidecar build failed — creating placeholder at $DEST"
touch "$DEST"
chmod +x "$DEST" 2>/dev/null || true
fi
- name: Stage agent-browser sidecar binary
shell: bash
run: |
# tauri-build validates `externalBin` at compile time, so even
# `cargo check` fails if src-tauri/binaries/agent-browser-<target>
# does not exist. Our existing copy-agent-browser.sh maps the host
# target triple to the upstream npm package's pre-built binary.
#
# Git Bash is preinstalled on windows-latest, so `shell: bash`
# works on both platforms without needing a second .ps1 script.
bash scripts/copy-agent-browser.sh || true
# Fallback: if the copy script couldn't find the upstream binary
# (e.g. agent-browser's postinstall was skipped on a particular
# platform — see upstream issue #549), drop a zero-byte placeholder
# at the expected path so tauri-build's externalBin check passes.
# CI's job is to verify type-correctness and run unit tests, not
# to produce a distributable installer — an empty placeholder is
# sufficient for `cargo check` / `cargo test`.
TARGET="${CARGO_BUILD_TARGET:-$(rustc -vV | grep host | cut -d' ' -f2)}"
mkdir -p src-tauri/binaries
case "$TARGET" in
*windows*) DEST="src-tauri/binaries/agent-browser-$TARGET.exe" ;;
*) DEST="src-tauri/binaries/agent-browser-$TARGET" ;;
esac
if [ ! -f "$DEST" ]; then
echo "[ci] Real agent-browser binary not found at $DEST — creating placeholder"
touch "$DEST"
chmod +x "$DEST" 2>/dev/null || true
fi
- name: Stage codemux-remote binary (placeholder for cargo check)
shell: bash
run: |
# tauri.conf.json's `bundle.resources = ["binaries/codemux-remote-*"]`
# makes tauri-build fail at compile time if no matching file
# exists. In release.yml the Ubuntu runner actually builds this
# binary (it ships in the .deb/.rpm/AppImage). In ci.yml we
# only need cargo check / cargo test to succeed — a zero-byte
# placeholder satisfies the glob without spending the time to
# cross-compile. Same pattern as the agent-browser stage above.
TARGET="${CARGO_BUILD_TARGET:-$(rustc -vV | grep host | cut -d' ' -f2)}"
mkdir -p src-tauri/binaries
case "$TARGET" in
*windows*) DEST="src-tauri/binaries/codemux-remote-$TARGET.exe" ;;
*) DEST="src-tauri/binaries/codemux-remote-$TARGET" ;;
esac
if [ ! -f "$DEST" ]; then
echo "[ci] Creating zero-byte codemux-remote placeholder at $DEST"
touch "$DEST"
chmod +x "$DEST" 2>/dev/null || true
fi
- name: Sidecar ToS boundary check
# Static check that forbids the sidecar from reading Claude
# credential files, hitting Anthropic URLs directly, spawning
# the `claude` binary outside the auth-probe allowlist, or
# peeking at ANTHROPIC_* / CLAUDE_CODE_OAUTH_TOKEN env vars.
# This is a hard CI gate so a violation can never slip in.
shell: bash
run: cd sidecar/claude-agent && bun run check-tos
- name: Sidecar unit tests
shell: bash
run: cd sidecar/claude-agent && bun install --frozen-lockfile && bun test
- name: Build frontend
# `frontendDist: "../dist"` in tauri.conf.json means tauri-build
# wants `dist/` to exist at compile time — build the frontend first.
run: npm run build
- name: TypeScript typecheck
run: npm run check
- name: Frontend tests
run: npm run test
- name: Cargo check
run: cargo check --manifest-path src-tauri/Cargo.toml
- name: Configure git identity and line endings for tests
# Several tests in src-tauri/src/git.rs spin up a fixture repo and
# shell out to `git commit`. GitHub runners have git installed but
# no default user.email/user.name, so `git commit` refuses to run
# unless we provide a throwaway identity here.
#
# The `core.autocrlf false` + `core.eol lf` pair disables Git for
# Windows's default `autocrlf=true` behavior — without this, git on
# Windows rewrites `\n` to `\r\n` on checkout, and tests that write
# a file with `\n` then read it back after a git operation fail
# with `left: "...\r\n"` vs `right: "...\n"` assertion mismatches.
# Linux git already defaults to autocrlf=false, so these lines are
# no-ops there.
#
# Works on both Linux and Windows runners — git --global reads from
# $HOME on Linux and %USERPROFILE% on Windows.
shell: bash
run: |
git config --global user.email "ci@codemux.dev"
git config --global user.name "Codemux CI"
git config --global core.autocrlf false
git config --global core.eol lf
- name: Cargo test
run: cargo test --manifest-path src-tauri/Cargo.toml