Problem: Security-critical parsing surfaces (config loading, tool
parameter deserialization) have no fuzz testing coverage. Malformed
inputs to these surfaces could cause panics, memory issues, or
unexpected behavior in production.
Solution: Add a weekly cargo-fuzz CI workflow with two initial
harnesses:
- fuzz_config_parse: fuzzes TOML config deserialization
- fuzz_tool_params: fuzzes JSON tool parameter parsing
The workflow runs each target for 300 seconds (configurable via
workflow_dispatch input), uses nightly Rust toolchain (required by
libfuzzer), and uploads crash artifacts for triage with 30-day
retention. Step summaries report pass/fail status per target.
Files added:
- .github/workflows/fuzz.yml (scheduled + manual dispatch)
- fuzz/Cargo.toml (fuzz crate manifest)
- fuzz/fuzz_targets/fuzz_config_parse.rs
- fuzz/fuzz_targets/fuzz_tool_params.rs
Testing: Validated YAML syntax and Cargo.toml structure. Fuzz
harnesses use standard libfuzzer-sys patterns. Actual fuzzing
will execute on first scheduled or manual CI run.
Ref: zeroclaw-labs/zeroclaw#618 (item 4 — Fuzz Testing)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add end-to-end integration tests that exercise the full agent turn
cycle through the public API using mock providers and tools:
- Simple text response (no tools)
- Single tool call → tool execution → final response
- Multi-step tool chain
- XML dispatcher path
- Multi-turn conversation coherence
- Unknown tool recovery
- Parallel tool dispatch
Add CI workflow (.github/workflows/e2e.yml) that runs these tests
on push to main and on PRs.
Ref: https://github.com/zeroclaw-labs/zeroclaw/issues/618 (item 6)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Problem: CI only tests the default feature set. The codebase defines
multiple Cargo features (hardware, browser-native, sandbox-landlock,
sandbox-bubblewrap, probe, rag-pdf) behind conditional compilation.
Feature-gated code can silently break without CI coverage.
Solution: Add a dedicated feature-matrix workflow that tests key
feature combinations in a matrix strategy:
- --no-default-features (bare minimum compiles)
- --all-features (everything together)
- --no-default-features --features hardware (isolated hardware)
- --no-default-features --features browser-native (isolated browser)
Each combination runs both cargo check and cargo test. The
workflow triggers on Cargo.toml/lock/src changes and weekly schedule.
Testing: Validated YAML syntax and matrix expansion logic. Actual
feature compilation will be verified by CI on first run.
Ref: zeroclaw-labs/zeroclaw#618 (item 2 — Feature Matrix Testing)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Problem: The release workflow warns when binaries exceed 5MB but does
not block the build. Since small binary size is a stated project goal
(release profile uses opt-level="z", LTO, strip, panic=abort), size
regressions can silently ship to users without any enforcement.
Solution: Convert the binary size check to a tiered gate:
- >5MB: emits a GitHub Actions warning (soft target, informational)
- >15MB: emits a GitHub Actions error and fails the build (hard limit)
- Adds a step summary with per-target binary size metrics for
visibility in the Actions UI.
The 15MB hard limit provides headroom for legitimate growth while
catching catastrophic regressions (e.g., debug symbols not stripped,
accidental fat dependency additions).
Testing: Validated YAML syntax. The shell script logic is
straightforward (stat + arithmetic comparison). The existing
unner.os != 'Windows' guard is preserved.
Ref: zeroclaw-labs/zeroclaw#618 (item 3 — Binary Size Gating)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The CI workflow contained a ~90-line bash script for change-detection
(lines 38-128) and a ~80-line JavaScript block for lint feedback
(lines 292-370) directly inline in the YAML. Large inline scripts are
harder to test, lint, and maintain than standalone files.
Extract:
- Change-detection logic → scripts/ci/detect_change_scope.sh
- Lint feedback logic → scripts/ci/lint_feedback.js
The workflow now calls these external scripts. GitHub expression values
that were previously interpolated inline are passed as environment
variables instead.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* ci(release): add concurrency group to prevent duplicate release builds
When two tags are pushed in quick succession, the release workflow could
run concurrently, producing corrupted or incomplete GitHub releases.
Add a concurrency group scoped to the tag ref so that release runs for
the same tag are serialized. cancel-in-progress is set to false to ensure
a running release completes rather than being aborted.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* ci(release): serialize all release runs globally
Use a constant workflow concurrency group so release publish jobs run one-at-a-time across tags, avoiding cross-tag race conditions.
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Will Sarg <12886992+willsarg@users.noreply.github.com>
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove duplicate permissions causing workflow validation failure
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
* feat(codeql): add CodeQL configuration file to ignore specific paths
* Potential fix for code scanning alert no. 39: Hard-coded cryptographic value
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(ci): resolve auto-response workflow merge markers
* fix(build): restore ChannelMessage reply_target usage
* ci(workflows): run workflow sanity on workflow pushes for all branches
* ci(workflows): rename auto-response workflow to PR Auto Responder
* ci(workflows): require owner approval for workflow file changes
* ci: add lint-first PR feedback gate
* ci(workflows): split label policy checks from workflow sanity
* ci(workflows): consolidate policy and rust workflow setup
* ci: add safe pull request intake sanity checks
* ci(security): switch audit to pinned rustsec audit-check
* fix(providers): clarify reliable failure entries for custom providers
* ci(pr-intake): make template/format checks advisory
Keep PR Intake Sanity non-blocking for template completeness and formatting findings, while still failing on dangerous merge-conflict markers in added lines.
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove duplicate permissions causing workflow validation failure
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
* feat(codeql): add CodeQL configuration file to ignore specific paths
* Potential fix for code scanning alert no. 39: Hard-coded cryptographic value
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(ci): resolve auto-response workflow merge markers
* fix(build): restore ChannelMessage reply_target usage
* ci(workflows): run workflow sanity on workflow pushes for all branches
* ci(workflows): rename auto-response workflow to PR Auto Responder
* ci(workflows): require owner approval for workflow file changes
* ci: add lint-first PR feedback gate
* ci(workflows): split label policy checks from workflow sanity
* ci(workflows): consolidate policy and rust workflow setup
* ci: add safe pull request intake sanity checks
* ci(security): switch audit to pinned rustsec audit-check
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
The upload-artifact step in the release workflow had no retention-days
set, causing intermediate build artifacts to persist at the repository
default of 90 days and consuming storage unnecessarily.
Add retention-days: 7 since these are intermediate artifacts consumed
by the publish job in the same workflow run — they do not need
long-term retention.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The ubuntu-latest matrix entry had its target set to
'blacksmith-2vcpu-ubuntu-2404', which is a runner label — not a valid
Rust target triple. This causes 'cargo build --target' to fail or
produce artifacts for the wrong architecture.
Replace with 'x86_64-unknown-linux-gnu', the correct Rust target triple
for the ubuntu runner.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove duplicate permissions causing workflow validation failure
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
* feat(codeql): add CodeQL configuration file to ignore specific paths
* Potential fix for code scanning alert no. 39: Hard-coded cryptographic value
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(ci): resolve auto-response workflow merge markers
* fix(build): restore ChannelMessage reply_target usage
* ci(workflows): run workflow sanity on workflow pushes for all branches
* ci(workflows): rename auto-response workflow to PR Auto Responder
* ci(workflows): require owner approval for workflow file changes
* ci: add lint-first PR feedback gate
* ci(workflows): split label policy checks from workflow sanity
* ci(workflows): consolidate policy and rust workflow setup
* ci: add safe pull request intake sanity checks
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove duplicate permissions causing workflow validation failure
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
* feat(codeql): add CodeQL configuration file to ignore specific paths
* Potential fix for code scanning alert no. 39: Hard-coded cryptographic value
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(ci): resolve auto-response workflow merge markers
* fix(build): restore ChannelMessage reply_target usage
* ci(workflows): run workflow sanity on workflow pushes for all branches
* ci(workflows): rename auto-response workflow to PR Auto Responder
* ci(workflows): require owner approval for workflow file changes
* ci: add lint-first PR feedback gate
* ci(workflows): split label policy checks from workflow sanity
* ci(workflows): consolidate policy and rust workflow setup
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove duplicate permissions causing workflow validation failure
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
* feat(codeql): add CodeQL configuration file to ignore specific paths
* Potential fix for code scanning alert no. 39: Hard-coded cryptographic value
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(ci): resolve auto-response workflow merge markers
* fix(build): restore ChannelMessage reply_target usage
* ci(workflows): run workflow sanity on workflow pushes for all branches
* ci(workflows): rename auto-response workflow to PR Auto Responder
* ci(workflows): require owner approval for workflow file changes
* ci: add lint-first PR feedback gate
* ci(workflows): split label policy checks from workflow sanity
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove duplicate permissions causing workflow validation failure
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
* feat(codeql): add CodeQL configuration file to ignore specific paths
* Potential fix for code scanning alert no. 39: Hard-coded cryptographic value
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(ci): resolve auto-response workflow merge markers
* fix(build): restore ChannelMessage reply_target usage
* ci(workflows): run workflow sanity on workflow pushes for all branches
* ci(workflows): rename auto-response workflow to PR Auto Responder
* ci(workflows): require owner approval for workflow file changes
* ci: add lint-first PR feedback gate
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove duplicate permissions causing workflow validation failure
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
* feat(codeql): add CodeQL configuration file to ignore specific paths
* Potential fix for code scanning alert no. 39: Hard-coded cryptographic value
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(ci): resolve auto-response workflow merge markers
* fix(build): restore ChannelMessage reply_target usage
* ci(workflows): run workflow sanity on workflow pushes for all branches
* ci(workflows): rename auto-response workflow to PR Auto Responder
* ci(workflows): require owner approval for workflow file changes
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove duplicate permissions causing workflow validation failure
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
* feat(codeql): add CodeQL configuration file to ignore specific paths
* Potential fix for code scanning alert no. 39: Hard-coded cryptographic value
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* fix(ci): resolve auto-response workflow merge markers
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
The contributor-tier-issues job triggers on pull_request_target events
but only had issues:write permission. GitHub API requires
pull-requests:write to set labels on pull requests, causing a 403
"Resource not accessible by integration" error.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Replace floating tag refs (@v1, @v2) with SHA-pinned refs to prevent
supply-chain attacks via tag mutation on third-party Actions.
Pinned:
- useblacksmith/setup-docker-builder@v1 → ef12d5b1
- useblacksmith/build-push-action@v2 → 30c71162
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Change license from MIT to Apache 2.0
- Add NOTICE file with full contributor list
- Add automated workflow to keep NOTICE updated weekly
- Update README with Apache 2.0 badge and contributors badge
- Credit author: Argenis Delarosa (theonlyhennygod)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove duplicate permissions causing workflow validation failure
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
* feat(codeql): add CodeQL configuration file to ignore specific paths
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* fix(actionlint): adjust indentation for self-hosted runner labels
* feat(security): enhance security workflow with CodeQL analysis steps
* fix(security): update CodeQL action to version 4 for improved analysis
* fix(security): remove duplicate permissions in security workflow
* fix(security): revert CodeQL action to v3 for stability
The v4 version was causing workflow file validation failures.
Reverting to proven v3 version that is working on main branch.
* fix(security): remove pull_request trigger to reduce costs
* fix(security): restore PR trigger but skip codeql on PRs
* fix(security): resolve YAML syntax error in security workflow
* refactor(security): split CodeQL into dedicated scheduled workflow
* fix(security): update workflow name to Rust Package Security Audit
* fix(codeql): remove push trigger, keep schedule and on-demand only
The permissions block had duplicate security-events and actions keys,
which caused YAML validation errors and prevented workflow execution.
Fixes: workflow file validation failures on main branch
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* Merge branch 'main' into devsecops
* fix(actionlint): adjust indentation for self-hosted runner labels
* Merge branch 'main' into devsecops
* feat(security): enhance security workflow with CodeQL analysis steps
* Merge branch 'main' into devsecops
* fix(security): update CodeQL action to version 4 for improved analysis
* Merge branch 'main' into devsecops
* fix(workflows): standardize runner configuration for security jobs
* ci(actionlint): add Blacksmith runner label to config
Add blacksmith-2vcpu-ubuntu-2404 to actionlint self-hosted-runner labels config
to suppress "unknown label" warnings during workflow linting.
This label is used across all workflows after the Blacksmith migration.
* Merge branch 'main' into devsecops
* fix(actionlint): adjust indentation for self-hosted runner labels
* Merge branch 'main' into devsecops
* feat(security): enhance security workflow with CodeQL analysis steps
* Merge branch 'main' into devsecops
* chore(workflows): complete migration to Blacksmith cloud runners
Migrate remaining workflows from self-hosted axecap runners to Blacksmith:
- docker.yml: publish job
- release.yml: publish job
- security.yml: audit and deny jobs (conditional on push events)
This completes the transition away from self-hosted infrastructure.
Axecap runner registrations (IDs 21, 22) have been removed.
All workflows now use blacksmith-2vcpu-ubuntu-2404 label for consistency.
* fix(workflows): correct Blacksmith runner label typo
Fix typo in runner labels: blacksmith-2vcpu-ubuntu-240 -> blacksmith-2vcpu-ubuntu-2404
Affected workflows:
- workflow-sanity.yml: no-tabs and actionlint jobs
- ci.yml: test, build, and docs-quality jobs
This fixes the stuck workflows that were queued indefinitely waiting for
non-existent runner labels.
* chore(workflows): complete migration to Blacksmith cloud runners
Migrate remaining workflows from self-hosted axecap runners to Blacksmith:
- docker.yml: publish job
- release.yml: publish job
- security.yml: audit and deny jobs (conditional on push events)
This completes the transition away from self-hosted infrastructure.
Axecap runner registrations (IDs 21, 22) have been removed.
All workflows now use blacksmith-2vcpu-ubuntu-2404 label for consistency.
* Merge branch 'main' into selfhost-blacksmith
* ci: add SHA256 checksums to release artifacts
Generate a SHA256SUMS file after downloading all build artifacts and
include it in the GitHub Release. Users can verify download integrity
with `sha256sum -c SHA256SUMS`.
Closes#358
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* ci: whitelist lxc-ci self-hosted runner label for actionlint
Add actionlint.yaml config to declare lxc-ci as a known custom label
for self-hosted runners, fixing the actionlint CI check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Pin every third-party GitHub Action to its current commit SHA with a
version comment, eliminating supply chain risk from mutable version
tags. Mutable tags (v4, v2, etc.) can be force-pushed by upstream
maintainers; SHA digests are immutable.
18 unique actions pinned across 9 workflow files.
Closes#357
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
