chore(ci): externalize workflow scripts and relocate main flow doc (#722)

* feat: Add GitHub Actions workflows for security audits, CodeQL analysis, contributor updates, performance benchmarks, integration tests, fuzz testing, and reusable Rust build jobs - Implemented `sec-audit.yml` for Rust package security audits using `rustsec/audit-check` and `cargo-deny-action`. - Created `sec-codeql.yml` for CodeQL analysis scheduled twice daily. - Added `sync-contributors.yml` to update the NOTICE file with new contributors automatically. - Introduced `test-benchmarks.yml` for performance benchmarks using Criterion. - Established `test-e2e.yml` for running integration and end-to-end tests. - Developed `test-fuzz.yml` for fuzz testing with configurable runtime. - Created `test-rust-build.yml` as a reusable job for executing Rust commands with customizable parameters. - Documented main branch delivery flows in `main-branch-flow.md` for clarity on CI/CD processes. * ci(workflows): update workflow scripts and rename for clarity; remove obsolete lint feedback script * chore(ci): externalize workflow scripts and relocate main flow doc
2026-02-17 19:48:37 -05:00 · 2026-02-17 19:48:37 -05:00 · 69a3b54968
commit 69a3b54968
parent 41da46e2b2
34 changed files with 2090 additions and 1777 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -1,111 +0,0 @@
-name: Docker
-
-on:
-    push:
-        tags: ["v*"]
-    pull_request:
-        branches: [main]
-        paths:
-            - "Dockerfile"
-            - "docker-compose.yml"
-            - "dev/docker-compose.yml"
-            - "dev/sandbox/**"
-            - ".github/workflows/docker.yml"
-    workflow_dispatch:
-
-concurrency:
-    group: docker-${{ github.event.pull_request.number || github.ref }}
-    cancel-in-progress: true
-
-env:
-    REGISTRY: ghcr.io
-    IMAGE_NAME: ${{ github.repository }}
-
-jobs:
-    pr-smoke:
-        name: PR Docker Smoke
-        if: github.event_name == 'pull_request'
-        runs-on: blacksmith-2vcpu-ubuntu-2404
-        timeout-minutes: 25
-        permissions:
-            contents: read
-        steps:
-            - name: Checkout repository
-              uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-
-            - name: Setup Blacksmith Builder
-              uses: useblacksmith/setup-docker-builder@ef12d5b165b596e3aa44ea8198d8fde563eab402 # v1
-
-            - name: Extract metadata (tags, labels)
-              id: meta
-              uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
-              with:
-                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-                  tags: |
-                      type=ref,event=pr
-
-            - name: Build smoke image
-              uses: useblacksmith/build-push-action@30c71162f16ea2c27c3e21523255d209b8b538c1 # v2
-              with:
-                  context: .
-                  push: false
-                  load: true
-                  provenance: false
-                  sbom: false
-                  tags: zeroclaw-pr-smoke:latest
-                  labels: ${{ steps.meta.outputs.labels }}
-                  platforms: linux/amd64
-
-            - name: Verify image
-              run: docker run --rm zeroclaw-pr-smoke:latest --version
-
-    publish:
-        name: Build and Push Docker Image
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-        runs-on: blacksmith-2vcpu-ubuntu-2404
-        timeout-minutes: 25
-        permissions:
-            contents: read
-            packages: write
-        steps:
-            - name: Checkout repository
-              uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-
-            - name: Setup Blacksmith Builder
-              uses: useblacksmith/setup-docker-builder@ef12d5b165b596e3aa44ea8198d8fde563eab402 # v1
-
-            - name: Log in to Container Registry
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
-              with:
-                  registry: ${{ env.REGISTRY }}
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
-
-            - name: Compute tags
-              id: meta
-              shell: bash
-              run: |
-                  set -euo pipefail
-                  IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
-                  SHA_TAG="${IMAGE}:sha-${GITHUB_SHA::12}"
-
-                  if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
-                    TAG_NAME="${GITHUB_REF#refs/tags/}"
-                    TAGS="${IMAGE}:${TAG_NAME},${SHA_TAG}"
-                  elif [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then
-                    TAGS="${IMAGE}:latest,${SHA_TAG}"
-                  else
-                    BRANCH_NAME="${GITHUB_REF#refs/heads/}"
-                    BRANCH_NAME="${BRANCH_NAME//\//-}"
-                    TAGS="${IMAGE}:${BRANCH_NAME},${SHA_TAG}"
-                  fi
-
-                  echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
-
-            - name: Build and push Docker image
-              uses: useblacksmith/build-push-action@30c71162f16ea2c27c3e21523255d209b8b538c1 # v2
-              with:
-                  context: .
-                  push: true
-                  tags: ${{ steps.meta.outputs.tags }}
-                  platforms: ${{ startsWith(github.ref, 'refs/tags/') && 'linux/amd64,linux/arm64' || 'linux/amd64' }}