From b161fff9efd6c13cdbfa691abcd7dd9931bf625a Mon Sep 17 00:00:00 2001 From: Chummy Date: Tue, 17 Feb 2026 01:36:17 +0800 Subject: [PATCH] chore(ci): align lint gate and add strict audit path (#410) --- .githooks/pre-push | 16 ++++++++++++---- CONTRIBUTING.md | 25 +++++++++++++++++++++---- dev/README.md | 6 ++++++ dev/ci.sh | 7 ++++++- docs/ci-map.md | 4 +++- 5 files changed, 48 insertions(+), 10 deletions(-) diff --git a/.githooks/pre-push b/.githooks/pre-push index 4d8eea7..18a612b 100755 --- a/.githooks/pre-push +++ b/.githooks/pre-push @@ -7,18 +7,26 @@ set -euo pipefail echo "==> pre-push: checking formatting..." -cargo fmt -- --check || { - echo "FAIL: cargo fmt -- --check found unformatted code." +cargo fmt --all -- --check || { + echo "FAIL: cargo fmt --all -- --check found unformatted code." echo "Run 'cargo fmt' and try again." exit 1 } echo "==> pre-push: running clippy..." -cargo clippy -- -D warnings || { - echo "FAIL: clippy reported warnings." +cargo clippy --all-targets -- -D clippy::correctness || { + echo "FAIL: clippy correctness gate reported issues." exit 1 } +if [ "${ZEROCLAW_STRICT_LINT:-0}" = "1" ]; then + echo "==> pre-push: running strict clippy warnings gate (ZEROCLAW_STRICT_LINT=1)..." + cargo clippy --all-targets -- -D warnings || { + echo "FAIL: strict clippy warnings gate reported issues." + exit 1 + } +fi + echo "==> pre-push: running tests..." cargo test || { echo "FAIL: some tests did not pass." diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a859148..39b9c3d 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -18,8 +18,12 @@ cargo build # Run tests (all must pass) cargo test -# Format & lint (must pass before PR) -cargo fmt && cargo clippy -- -D warnings +# Format & lint (required before PR) +cargo fmt --all -- --check +cargo clippy --all-targets -- -D clippy::correctness + +# Optional strict lint audit (recommended periodically) +cargo clippy --all-targets -- -D warnings # Release build (~3.4MB) cargo build --release 
@@ -27,7 +31,19 @@ cargo build --release ### Pre-push hook -The repo includes a pre-push hook in `.githooks/` that enforces `cargo fmt --check`, `cargo clippy -- -D warnings`, and `cargo test` before every push. Enable it with `git config core.hooksPath .githooks`. +The repo includes a pre-push hook in `.githooks/` that enforces `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D clippy::correctness`, and `cargo test` before every push. Enable it with `git config core.hooksPath .githooks`. + +For an opt-in strict lint pass during pre-push, set: + +```bash +ZEROCLAW_STRICT_LINT=1 git push +``` + +For full CI parity in Docker, run: + +```bash +./dev/ci.sh all +``` To skip it during rapid iteration: @@ -325,8 +341,9 @@ impl Tool for YourTool { - [ ] PR template sections are completed (including security + rollback) - [ ] `cargo fmt --all -- --check` — code is formatted -- [ ] `cargo clippy --all-targets -- -D warnings` — no warnings +- [ ] `cargo clippy --all-targets -- -D clippy::correctness` — merge gate lint baseline passes - [ ] `cargo test` — all tests pass locally or skipped tests are explained +- [ ] Optional strict audit: `cargo clippy --all-targets -- -D warnings` (run when doing lint cleanup or before release-hardening work) - [ ] New code has inline `#[cfg(test)]` tests - [ ] No new dependencies unless absolutely necessary (we optimize for binary size) - [ ] README updated if adding user-facing features diff --git a/dev/README.md b/dev/README.md index 7645e0d..39945c8 100644 --- a/dev/README.md +++ b/dev/README.md @@ -110,6 +110,12 @@ This runs inside a container: - `cargo audit` - Docker smoke build (`docker build --target dev ...` + `--version` check) +To run an opt-in strict lint audit locally: + +```bash +./dev/ci.sh lint-strict +``` + ### 3. Run targeted stages ```bash diff --git a/dev/ci.sh b/dev/ci.sh index 9424287..ac99acf 100755 --- a/dev/ci.sh +++ b/dev/ci.sh 
@@ -26,7 +26,8 @@ Usage: ./dev/ci.sh Commands: build-image Build/update the local CI image shell Open an interactive shell inside the CI container - lint Run rustfmt + clippy (container only) + lint Run rustfmt + clippy correctness gate (container only) + lint-strict Run rustfmt + full clippy warnings gate (container only) test Run cargo test (container only) build Run release build smoke check (container only) audit Run cargo audit (container only) @@ -56,6 +57,10 @@ case "$1" in run_in_ci "cargo fmt --all -- --check && cargo clippy --locked --all-targets -- -D clippy::correctness" ;; + lint-strict) + run_in_ci "cargo fmt --all -- --check && cargo clippy --locked --all-targets -- -D warnings" + ;; + test) run_in_ci "cargo test --locked --verbose" ;; diff --git a/docs/ci-map.md b/docs/ci-map.md index ac3d192..95866d2 100644 --- a/docs/ci-map.md +++ b/docs/ci-map.md @@ -9,7 +9,7 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u ### Merge-Blocking - `.github/workflows/ci.yml` (`CI`) - - Purpose: Rust validation (`fmt`, `clippy`, `test`, release build smoke) + docs quality checks when docs change + - Purpose: Rust validation (`cargo fmt --all -- --check`, `cargo clippy --locked --all-targets -- -D clippy::correctness`, `test`, release build smoke) + docs quality checks when docs change - Merge gate: `CI Required Gate` - `.github/workflows/workflow-sanity.yml` (`Workflow Sanity`) - Purpose: lint GitHub workflow files (`actionlint`, tab checks) 
@@ -75,6 +75,8 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u ## Maintenance Rules - Keep merge-blocking checks deterministic and reproducible (`--locked` where applicable). +- Keep merge-blocking clippy policy aligned across `.github/workflows/ci.yml`, `dev/ci.sh`, and `.githooks/pre-push` (`cargo clippy --all-targets -- -D clippy::correctness`). +- Run strict lint audits regularly via `cargo clippy --all-targets -- -D warnings` (for example through `./dev/ci.sh lint-strict`) and track cleanup in focused PRs. - Prefer explicit workflow permissions (least privilege). - Keep Actions source policy restricted to approved allowlist patterns (see `docs/actions-source-policy.md`). - Use path filters for expensive workflows when practical.
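Review bot: in the `.githooks/pre-push` hunk the always-on gate is now narrower than the one it replaces: `cargo clippy --all-targets -- -D clippy::correctness` stands in for `-D warnings`, and `clippy::correctness` is already deny-by-default in clippy, so the hook blocks little that a plain `cargo clippy` would not, while the `-D warnings` run only fires when `ZEROCLAW_STRICT_LINT=1` is set. If a lighter default gate is the intent, say so in a comment next to the gate; otherwise consider adding `-D clippy::suspicious` to the always-on invocation so the baseline still catches likely-bug lints. Also, the hook's `cargo clippy` and `cargo test` lines omit `--locked` while `dev/ci.sh` passes it, so the hook can resolve a different lockfile state than CI.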
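Review bot: in the first `CONTRIBUTING.md` hunk (`@@ -18,8 +18,12 @@`), the "Format & lint (required before PR)" block now only checks formatting (`cargo fmt --all -- --check`) where the old line applied it (`cargo fmt && ...`), so a contributor following the block verbatim gets a failure with no fix step. Suggest keeping a `cargo fmt --all` line before the check, or rewording the comment to "Verify format & lint" and pointing at `cargo fmt` as the fix, as the pre-push FAIL message already does.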
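Review bot: the `dev/README.md` hunk documents `./dev/ci.sh lint-strict` directly under the "This runs inside a container" list that describes the `all` path, but nothing in this patch adds `lint-strict` to `all`, and the `CONTRIBUTING.md` hunk calls `./dev/ci.sh all` "full CI parity". State explicitly that `lint-strict` is opt-in and not part of `all`, or add it there if the strict audit is meant to be part of parity runs.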
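Review bot: in the `dev/ci.sh` case hunk (`@@ -56,6 +57,10 @@`), `lint-strict` repeats the `cargo fmt --all -- --check && cargo clippy --locked --all-targets --` prefix of `lint` with only the `-D` argument changed. Factoring the shared prefix into one variable (for example `CLIPPY_BASE="cargo clippy --locked --all-targets --"`, a suggested name) keeps the two gates from drifting, which is exactly what the maintenance rule added in `docs/ci-map.md` asks for.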
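Review bot: the new maintenance rule in the `docs/ci-map.md` hunk (`@@ -75,6 +75,8 @@`) says the clippy policy is aligned across `.github/workflows/ci.yml`, `dev/ci.sh`, and `.githooks/pre-push`, but the quoted command (`cargo clippy --all-targets -- -D clippy::correctness`) omits the `--locked` that `dev/ci.sh` and the updated Purpose line use, and `.github/workflows/ci.yml` is not touched by this patch (the diffstat lists five files, none under `.github/`). Please confirm the workflow already runs `cargo clippy --locked --all-targets -- -D clippy::correctness`; if it still runs `-D warnings`, the docs now describe a gate CI does not enforce. Quoting one canonical command string, with `--locked`, in the rule would make the alignment checkable.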