ci.yml
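# CI workflow: builds, tests and lints the Rust workspace under codebase/,
# audits its dependencies, and runs native and WASM end-to-end compile checks.
name: CI

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  # M-6: Weekly scheduled security audit
  # (the schedule triggers every job in this file, not only `security`)
  schedule:
    - cron: '0 0 * * 0'  # Every Sunday at midnight UTC

# Workflow-wide token scope: read-only access to repository contents.
permissions:
  contents: read

jobs:
  # Build, unit-test and lint the whole workspace.
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
        with:
          # Later steps run repository code (build scripts, tests); no step
          # needs git credentials, so do not leave the token in .git/config.
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # master
        with:
          toolchain: stable
          components: clippy, rustfmt
      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
        with:
          workspaces: codebase
      - name: Install libcurl
        run: sudo apt-get update && sudo apt-get install -y libcurl4-openssl-dev
      - name: Install LLVM
        run: |
          sudo apt-get install -y llvm-18-dev libpolly-18-dev libclang-18-dev clang-18
          # Append the previous value only when it is non-empty. A trailing ':'
          # leaves an empty entry, which the dynamic loader treats as the
          # current working directory (presumably the same for LIBRARY_PATH).
          {
            echo "LLVM_SYS_180_PREFIX=/usr/lib/llvm-18"
            echo "LIBPOLLY_LIB_DIR=/usr/lib/llvm-18/lib"
            echo "LIBRARY_PATH=/usr/lib/llvm-18/lib${LIBRARY_PATH:+:$LIBRARY_PATH}"
            echo "LD_LIBRARY_PATH=/usr/lib/llvm-18/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
          } >> "$GITHUB_ENV"
      - name: Build
        working-directory: codebase
        run: cargo build --workspace
      # LLVM backend build is disabled pending resolution of Polly library linking
      # See: https://github.com/Ontic-Systems/Gradient/issues/3
      # - name: Build with LLVM backend
      #   working-directory: codebase
      #   run: cargo build -p gradient-compiler --features llvm
      - name: Test
        working-directory: codebase
        # Skip self_hosting_smoke tests - self-hosted parser.gr is experimental
        run: cargo test --workspace --exclude gradient-lsp --exclude gradient-test-framework -- --skip self_hosting
      - name: Test framework (sequential to avoid temp dir races)
        working-directory: codebase
        run: cargo test -p gradient-test-framework -- --test-threads=1
      - name: Test LSP (unit only)
        working-directory: codebase
        run: cargo test -p gradient-lsp --bin gradient-lsp
      - name: Clippy
        working-directory: codebase
        run: cargo clippy --workspace -- -D warnings

  # Dependency and supply-chain checks; the audit tools are installed at
  # pinned versions with --locked.
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # master
        with:
          toolchain: stable
      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
        with:
          workspaces: codebase
      - name: Install cargo-audit
        working-directory: codebase
        run: cargo install cargo-audit --locked --version 0.22.1
      - name: Install cargo-deny
        run: cargo install cargo-deny --locked --version 0.14.24
      - name: Audit dependencies
        working-directory: codebase
        run: cargo audit --file Cargo.lock
      # M-6: cargo-deny for supply chain security
      - name: Deny check (licenses, advisories, bans)
        working-directory: codebase
        run: cargo deny check
      # M-7: Verify OpenSSL is not in dependency tree
      - name: Verify no OpenSSL dependency
        working-directory: codebase
        run: |
          set -eu
          # Fail closed: list the resolved crate graph first, so any cargo
          # error aborts the step instead of being read as "not found".
          # (`cargo tree -i openssl 2>/dev/null` exits non-zero with empty
          # stdout on every error, including an ambiguous package spec,
          # and the old check reported all of those as PASS.)
          crates="$(cargo tree --workspace --prefix none)"
          # Here-string instead of a pipe: grep -q may exit early, and that
          # must not be able to change the result of the check.
          if grep -Eq '^openssl v' <<<"$crates"; then
            echo "ERROR: OpenSSL found in dependency tree"
            exit 1
          fi
          # Scope: the `openssl` crate in the host-target Cargo graph only.
          # System OpenSSL pulled in through libcurl is not covered here.
          echo "PASS: No OpenSSL in dependency tree"

  # Compile every tests/*.gr program to a native binary and run it.
  e2e:
    runs-on: ubuntu-latest
    needs: check
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # master
        with:
          toolchain: stable
      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
        with:
          workspaces: codebase
      - name: Build compiler
        working-directory: codebase
        run: cargo build -p gradient-compiler
      - name: Install libcurl
        run: sudo apt-get update && sudo apt-get install -y libcurl4-openssl-dev
      - name: End-to-end compile tests
        working-directory: codebase/compiler
        # The default `bash -e` shell stops the loop at the first failing
        # compile, link or run.
        run: |
          for f in tests/*.gr; do
            echo "Testing $f..."
            cargo run --quiet --bin gradient-compiler -- "$f" /tmp/test.o
            cc /tmp/test.o runtime/gradient_runtime.c -o /tmp/test_binary -lcurl
            /tmp/test_binary
            echo "PASS: $f"
          done

  # Build, lint and test the compiler with the wasm-unstable feature.
  wasm:
    runs-on: ubuntu-latest
    needs: check
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # master
        with:
          toolchain: stable
      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32  # v2
        with:
          workspaces: codebase
      - name: Build compiler with WASM feature
        working-directory: codebase
        run: cargo build -p gradient-compiler --features wasm-unstable
      - name: Clippy with WASM feature
        working-directory: codebase
        run: cargo clippy -p gradient-compiler --features wasm-unstable -- -D warnings
      - name: Run WASM unit tests
        working-directory: codebase
        run: cargo test -p gradient-compiler --features wasm-unstable --test wasm_tests
      - name: Run WASM E2E tests
        working-directory: codebase
        run: cargo test -p gradient-compiler --features wasm-unstable --test wasm_e2e_tests
      - name: Install wasmtime
        run: |
          set -euo pipefail
          # Download the installer completely before running it. With
          # `curl | bash` a truncated transfer is executed as far as it got,
          # and without pipefail a failed download is not reported.
          installer="$(mktemp)"
          curl --proto '=https' --tlsv1.2 -sSf -o "$installer" https://wasmtime.dev/install.sh
          # NOTE(review): the script and the release it fetches are not pinned
          # or checksummed, unlike the SHA-pinned actions above. Consider
          # pinning a wasmtime release and verifying its published digest.
          bash "$installer"
          rm -f "$installer"
          echo "$HOME/.wasmtime/bin" >> "$GITHUB_PATH"
      - name: Test WASM compilation via CLI
        working-directory: codebase/compiler
        run: |
          echo 'fn main() -> Int:' > /tmp/test.gr
          echo ' ret 42' >> /tmp/test.gr
          cargo run --quiet --bin gradient-compiler --features wasm-unstable -- /tmp/test.gr /tmp/test.wasm --experimental
          ls -la /tmp/test.wasm
          echo "WASM file generated successfully"
      - name: Validate WASM with wasmtime
        working-directory: codebase/compiler
        run: |
          # The install step already appends this directory to GITHUB_PATH
          # for later steps; the export is kept as a harmless fallback.
          export PATH="$HOME/.wasmtime/bin:$PATH"
          wasmtime --version
          # Informational only: `|| echo` swallows failures of the next two
          # commands, so they can never fail the job.
          # Try to validate the WASM file
          wasmtime validate /tmp/test.wasm || echo "Note: wasmtime validate not available in this version"
          # Try to run and get exit code
          wasmtime --invoke main /tmp/test.wasm || echo "Note: Function return value may cause non-zero exit"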