Merged
4 changes: 2 additions & 2 deletions .github/workflows/bench.yml
Expand Up @@ -14,12 +14,12 @@ jobs:
bench:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: Swatinem/rust-cache@v2
- name: Run benchmarks
run: cargo bench --workspace
- name: Upload results
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: criterion-results
path: target/criterion
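Review bot: the bumped `actions/checkout@v6` and `actions/upload-artifact@v7` references are still mutable major tags, so a tag move upstream changes this job without any commit in this repository. Since this PR already touches every first-party action reference, pin each one to a full-length commit SHA with the tag in a trailing comment (the mutation.yml thread below gives the format), and give the untouched `Swatinem/rust-cache@v2` the same treatment.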
6 changes: 3 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -10,7 +10,7 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@stable
with:
Expand All @@ -25,7 +25,7 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@stable
with:
Expand All @@ -36,7 +36,7 @@ jobs:
bdd:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@stable
- name: BDD (cucumber)
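Review bot: the three jobs in this file (test, lint, bdd) receive an identical one-line bump while `dtolnay/rust-toolchain@stable` and `Swatinem/rust-cache@v2` stay as they are. `@stable` is a moving branch by design, so the toolchain installer is the one reference here whose behaviour is expected to change over time; it deserves the same pinning decision as the first-party actions being upgraded, or at least a comment stating that the floating channel is intentional.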
4 changes: 2 additions & 2 deletions .github/workflows/coverage.yml
Expand Up @@ -9,14 +9,14 @@ jobs:
coverage:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: Swatinem/rust-cache@v2
- name: Install cargo-llvm-cov
run: cargo install cargo-llvm-cov
- name: Generate coverage
run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info
- name: Upload to codecov
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@v6
with:
files: lcov.info
fail_ci_if_error: true
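Review bot: `codecov/codecov-action` jumps two majors (v4 to v6) while keeping `fail_ci_if_error: true`, so any renamed or removed input in the new major becomes a hard CI failure rather than a skipped upload. Confirm that `files` and `fail_ci_if_error` are still the input names for v6, and that the upload token, which this hunk does not show, is configured the way v6 expects, before relying on the bump.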
2 changes: 1 addition & 1 deletion .github/workflows/deny.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
deny:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: EmbarkStudios/cargo-deny-action@v2
with:
arguments: --all-features
66 changes: 61 additions & 5 deletions .github/workflows/deprecation.yml
Expand Up @@ -11,30 +11,78 @@ jobs:
build-deprecated:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@stable

- name: Build deprecated crates
run: |
echo "Building all deprecated facade crates..."
cargo build -p lintdiff-domain -p lintdiff-core -p lintdiff-ingest
deprecated_crates=()
if [ -d "${{ github.workspace }}/crates/lintdiff-domain" ]; then
deprecated_crates+=("lintdiff-domain")
else
echo "✅ Skipping lintdiff-domain (already removed)"
fi
if [ -d "${{ github.workspace }}/crates/lintdiff-core" ]; then
deprecated_crates+=("lintdiff-core")
else
echo "✅ Skipping lintdiff-core (already removed)"
fi
if [ -d "${{ github.workspace }}/crates/lintdiff-ingest" ]; then
deprecated_crates+=("lintdiff-ingest")
else
echo "✅ Skipping lintdiff-ingest (already removed)"
Comment on lines +21 to +35

🧹 Nitpick | 🔵 Trivial

Centralize the deprecated crate inventory.

The same crate names and existence checks are now duplicated across build, check, and warning steps. The next rename or removal will require touching several places again, so this workflow is still prone to drift. Consider defining the manifest-path list once and iterating over it.

Also applies to: 48-62, 82-85, 117-120, 151-154

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deprecation.yml around lines 21 - 35, Centralize the
deprecated crate inventory by extracting the repeated crate names
(lintdiff-domain, lintdiff-core, lintdiff-ingest) into a single shared list
variable (e.g., DEPRECATED_CRATES or deprecated_crates_list) and replace each
duplicated block that checks directory existence and appends to
deprecated_crates with a loop that iterates over that single list; update the
build/check/warning steps to source or reference that shared variable so the
existence checks and echo messages are performed from one place rather than
duplicating the same if [ -d "${{ github.workspace }}/crates/<name>" ] ...
deprecated_crates+=("<name>") logic in multiple locations.

fi

if [ ${#deprecated_crates[@]} -eq 0 ]; then
echo "✅ No deprecated facade crates found; skipping build."
exit 0
fi

cargo build ${deprecated_crates[@]/#/ -p }

- name: Check deprecated crates compile without errors
run: |
echo "Checking deprecated crates compile successfully..."
cargo check -p lintdiff-domain -p lintdiff-core -p lintdiff-ingest
deprecated_crates=()
if [ -d "${{ github.workspace }}/crates/lintdiff-domain" ]; then
deprecated_crates+=("lintdiff-domain")
else
echo "✅ Skipping lintdiff-domain (already removed)"
fi
if [ -d "${{ github.workspace }}/crates/lintdiff-core" ]; then
deprecated_crates+=("lintdiff-core")
else
echo "✅ Skipping lintdiff-core (already removed)"
fi
if [ -d "${{ github.workspace }}/crates/lintdiff-ingest" ]; then
deprecated_crates+=("lintdiff-ingest")
else
echo "✅ Skipping lintdiff-ingest (already removed)"
fi

if [ ${#deprecated_crates[@]} -eq 0 ]; then
echo "✅ No deprecated facade crates found; skipping checks."
exit 0
fi

cargo check ${deprecated_crates[@]/#/ -p }

# Job 2: Verify deprecation warnings are emitted
verify-warnings:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@stable

- name: Check deprecation warnings in lintdiff-domain
run: |
if [ ! -d "${{ github.workspace }}/crates/lintdiff-domain" ]; then
echo "✅ Skipping lintdiff-domain (already removed)"
exit 0
fi
echo "Checking that lintdiff-domain emits deprecation warning..."
# Create a temporary test file that uses the deprecated crate
mkdir -p /tmp/deptest/src
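Review bot: the crate-selection logic in the build and check steps keys off directory existence (`if [ -d "${{ github.workspace }}/crates/lintdiff-domain" ]`) but then passes the name to `cargo build -p`, which resolves against workspace membership. A directory that lingers after the crate is dropped from the workspace `members` list (or the reverse) makes the step fail on `-p` instead of taking the skip branch, so `cargo metadata --no-deps` or a check of the workspace manifest is a more faithful existence test. The argument construction `cargo build ${deprecated_crates[@]/#/ -p }` also only works because the unquoted expansion is word-split; building `args+=(-p "$crate")` in a loop and calling `cargo build "${args[@]}"` says the same thing without depending on IFS, and fits naturally into the single-list refactor suggested in the thread above.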
Expand Down Expand Up @@ -66,6 +114,10 @@ jobs:

- name: Check deprecation warnings in lintdiff-core
run: |
if [ ! -d "${{ github.workspace }}/crates/lintdiff-core" ]; then
echo "✅ Skipping lintdiff-core (already removed)"
exit 0
fi
echo "Checking that lintdiff-core emits deprecation warning..."
mkdir -p /tmp/deptest-core
cat > /tmp/deptest-core/Cargo.toml << 'EOF'
Expand Down Expand Up @@ -96,6 +148,10 @@ jobs:

- name: Check deprecation warnings in lintdiff-ingest
run: |
if [ ! -d "${{ github.workspace }}/crates/lintdiff-ingest" ]; then
echo "✅ Skipping lintdiff-ingest (already removed)"
exit 0
fi
echo "Checking that lintdiff-ingest emits deprecation warning..."
mkdir -p /tmp/deptest-ingest
cat > /tmp/deptest-ingest/Cargo.toml << 'EOF'
Expand Down Expand Up @@ -128,7 +184,7 @@ jobs:
report-consumers:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@stable

14 changes: 7 additions & 7 deletions .github/workflows/fuzz.yml
Expand Up @@ -55,15 +55,15 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6

- name: Install Rust nightly
uses: dtolnay/rust-toolchain@nightly
with:
components: rust-src

- name: Cache cargo registry
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: |
~/.cargo/registry
Expand All @@ -74,7 +74,7 @@ jobs:
${{ runner.os }}-cargo-

- name: Cache fuzz corpus
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: |
fuzz/corpus
Expand Down Expand Up @@ -194,7 +194,7 @@ jobs:
steps.check-target.outputs.exists == 'true' &&
steps.should-run.outputs.run == 'true' &&
steps.fuzz.outputs.crashed == 'true'
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: crash-${{ matrix.target }}-${{ github.run_id }}
path: |
Expand All @@ -207,7 +207,7 @@ jobs:
steps.check-target.outputs.exists == 'true' &&
steps.should-run.outputs.run == 'true' &&
always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: corpus-${{ matrix.target }}-${{ github.run_id }}
path: fuzz/corpus/${{ matrix.target }}
Expand Down Expand Up @@ -255,7 +255,7 @@ jobs:
fi

- name: Download all artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8
with:
pattern: 'crash-*'
path: crashes
Expand Down Expand Up @@ -287,7 +287,7 @@ jobs:

- name: Create issue on crash
if: steps.check-crashes.outputs.crashes_found == 'true' && github.event_name == 'schedule'
uses: actions/github-script@v7
uses: actions/github-script@v8
with:
script: |
const title = `🐛 Fuzzing Crash Detected (Run #${{ github.run_number }})`;
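Review bot: `${{ github.run_number }}` is spliced into JavaScript source inside `script:`; it is a runner-supplied integer, so this instance is safe, but the same pattern with any attacker-influenced context (issue titles, branch names, step outputs derived from fuzz input) becomes script injection. Prefer passing such values through `env:` and reading them with `process.env` in the script so the file never interpolates expressions into code, and pin `actions/github-script@v8` to a commit SHA since this step runs with write access to issues.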
8 changes: 4 additions & 4 deletions .github/workflows/mutation.yml
Expand Up @@ -52,14 +52,14 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v6

- name: Install Rust stable
uses: dtolnay/rust-toolchain@stable

# Cache cargo registry and build artifacts for faster runs
- name: Cache cargo registry
uses: actions/cache@v4
uses: actions/cache@v5
with:
Comment on lines +55 to 63

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, check if the workflow file exists and get its size
wc -l .github/workflows/mutation.yml 2>/dev/null || echo "File not found"

Repository: EffortlessMetrics/lintdiff

Length of output: 104


🏁 Script executed:

# Read the specific lines mentioned in the review
echo "=== Lines 55-63 ==="
sed -n '55,63p' .github/workflows/mutation.yml 2>/dev/null || echo "File not found"

echo -e "\n=== Lines 263-272 ==="
sed -n '263,272p' .github/workflows/mutation.yml 2>/dev/null || echo "File not found"

Repository: EffortlessMetrics/lintdiff

Length of output: 803


🏁 Script executed:

# Search for all 'uses:' entries in the workflow to see the pattern
echo "=== All action references in mutation.yml ==="
grep -n "uses:" .github/workflows/mutation.yml 2>/dev/null || echo "File not found"

Repository: EffortlessMetrics/lintdiff

Length of output: 321


🌐 Web query:

GitHub Actions security best practices pin commit SHA immutable

💡 Result:

GitHub Actions security best practices strongly recommend pinning actions to a full-length commit SHA for immutability and protection against supply chain attacks. This prevents malicious updates to tags or branches. Key practices: - Pin to full SHA: uses: actions/checkout@692973e (Verify SHA from official repo, not forks). - Add comment for readability and Dependabot: # v4.1.0 - Use for third-party actions, especially high-risk ones handling secrets. - Avoid @main, @latest, or unpinned tags; tags can be moved. - Enforce via org/repo policies (new feature): require SHA pinning, block risky actions with !prefix. - Automate updates with Dependabot version updates or tools like pin-github-action. - Audit action source code; prefer first-party (actions/*). - Combine with: least-privilege GITHUB_TOKEN, OIDC for cloud auth, secret masking, runtime protection (e.g., Harden-Runner). Example workflow step: - uses: actions/checkout@34e1148 # v4.3.1 Benefits: Mitigates backdoors (SHA collision hard), reproducibility, counters dependency confusion.

Citations:


Pin these action upgrades to immutable commit SHAs.

These uses: entries use mutable major version tags (@v6, @v5, @v7, @v8), allowing tag reassignment outside this repository to change workflow behavior unexpectedly. GitHub's security guidance recommends pinning to full-length commit SHAs, which are immutable and prevent supply chain attacks. Use the format: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v6.1.0

Applies to lines 55, 62, 263, and 272.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/mutation.yml around lines 55 - 63, Replace mutable
major-version tags with immutable full commit SHAs for all GitHub Action uses to
prevent unexpected workflow changes: update uses: actions/checkout@v6, uses:
dtolnay/rust-toolchain@stable, uses: actions/cache@v5 and the other action uses
referenced in this file to their corresponding full-length commit SHAs (e.g.,
uses: actions/checkout@<full-commit-sha> and add an inline comment with the
human-readable tag like # v6.1.0) so each action reference is pinned immutably
while preserving the original tag in a comment for clarity.

path: |
~/.cargo/registry
Expand Down Expand Up @@ -260,7 +260,7 @@ jobs:

# Upload mutation reports as artifacts
- name: Upload mutation reports
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: mutation-reports
path: mutants-out/
Expand All @@ -269,7 +269,7 @@ jobs:
# Create GitHub issue if mutation score drops below threshold
- name: Create issue for low mutation score
if: steps.aggregate.outputs.overall_score < env.MUTATION_THRESHOLD && github.event_name == 'schedule'
uses: actions/github-script@v7
uses: actions/github-script@v8
with:
script: |
const score = '${{ steps.aggregate.outputs.overall_score }}';
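Review bot: `const score = '${{ steps.aggregate.outputs.overall_score }}';` interpolates a step output into JavaScript source, and the `if:` on the step above compares the same output numerically against `env.MUTATION_THRESHOLD`. If `overall_score` is ever non-numeric (an aggregation failure emitting an error string), the `if:` quietly evaluates false and no issue is created, and on the path where it does run the string lands unescaped in the script. Have the aggregate step validate the output as a number, and let the script read it from `env:` via `process.env` rather than by expression interpolation.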
16 changes: 8 additions & 8 deletions .github/workflows/release.yml
Expand Up @@ -64,15 +64,15 @@ jobs:

runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6

- name: Setup Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}

- name: Cache cargo registry
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: |
~/.cargo/registry
Expand All @@ -82,7 +82,7 @@ jobs:
${{ runner.os }}-cargo-

- name: Cache target directory
uses: actions/cache@v4
uses: actions/cache@v5
with:
path: target
key: ${{ runner.os }}-${{ matrix.target }}-target-${{ hashFiles('**/Cargo.lock') }}
Expand Down Expand Up @@ -122,7 +122,7 @@ jobs:
cd ../../..
sha256sum lintdiff-${{ needs.prepare.outputs.version }}-${{ matrix.target }}.zip > lintdiff-${{ needs.prepare.outputs.version }}-${{ matrix.target }}.zip.sha256

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@v7
with:
name: lintdiff-${{ matrix.target }}
path: |
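Review bot: the `.sha256` produced by `sha256sum` in this hunk is computed on the same runner that built the zip and uploaded by the same `actions/upload-artifact@v7` step, so it lets downstream users detect a corrupted download but not a tampered build. That makes this job the one where a moved `@v6`/`@v7` tag matters most, since a malicious action running here would emit a matching checksum. Pin the action references in release.yml to commit SHAs before the other workflows, and describe the checksum in the release notes as an integrity aid rather than a provenance proof.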
Expand All @@ -132,7 +132,7 @@ jobs:
needs: [prepare, build]
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v4
- uses: actions/download-artifact@v8
with:
merge-multiple: true

Expand All @@ -142,7 +142,7 @@ jobs:
echo "Checksums:"
cat checksums-${{ needs.prepare.outputs.version }}.txt

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@v7
with:
name: checksums
path: checksums-${{ needs.prepare.outputs.version }}.txt
Expand All @@ -151,11 +151,11 @@ jobs:
needs: [prepare, build, checksums]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
fetch-depth: 0

- uses: actions/download-artifact@v4
- uses: actions/download-artifact@v8
with:
merge-multiple: true

2 changes: 1 addition & 1 deletion .github/workflows/semver.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
semver:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
with:
fetch-depth: 0 # Need full history for baseline comparison
- uses: Swatinem/rust-cache@v2