Add code of conduct #52
| # SPDX-License-Identifier: AGPL-3.0-or-later | |
| # Continuous Integration - Strict Mode | |
| # All warnings treated as errors, all tests must pass | |
| name: CI | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main] | |
| permissions: read-all | |
| env: | |
| OCAML_VERSION: "4.14.x" | |
| # Treat warnings as errors | |
| OCAML_COLOR: always | |
| jobs: | |
| # OCaml/ReScript-WASM build and test - STRICT MODE | |
| rescript-wasm: | |
| name: ReScript WASM-GC Backend | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: true # Fail immediately on first error | |
| matrix: | |
| os: [ubuntu-latest, macos-latest] | |
| ocaml-version: ["4.14.x", "5.1.x"] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Set up OCaml ${{ matrix.ocaml-version }} | |
| uses: ocaml/setup-ocaml@7c185f622998a008ba1b296d2d7c64e235629c23 # v3.6.1 | |
| with: | |
| ocaml-compiler: ${{ matrix.ocaml-version }} | |
| dune-cache: true | |
| - name: Install dependencies | |
| run: opam install . --deps-only --with-test -y | |
| working-directory: engines/rescript-wasm | |
| - name: Build with strict warnings | |
| run: | | |
| opam exec -- dune build --force | |
| working-directory: engines/rescript-wasm | |
| - name: Run all tests (must pass) | |
| run: | | |
| opam exec -- dune test | |
| echo "All tests passed successfully" | |
| working-directory: engines/rescript-wasm | |
| - name: Generate sample WAT | |
| run: | | |
| opam exec -- dune exec rescript_wasm -- add > add.wat | |
| opam exec -- dune exec rescript_wasm -- max > max.wat | |
| opam exec -- dune exec rescript_wasm -- square > square.wat | |
| opam exec -- dune exec rescript_wasm -- combined > combined.wat | |
| echo "=== add.wat ===" | |
| cat add.wat | |
| working-directory: engines/rescript-wasm | |
| - name: Install wasm-tools | |
| if: runner.os == 'Linux' | |
| run: | | |
| curl -L https://github.com/bytecodealliance/wasm-tools/releases/download/v1.219.1/wasm-tools-1.219.1-x86_64-linux.tar.gz | tar xz | |
| sudo mv wasm-tools-1.219.1-x86_64-linux/wasm-tools /usr/local/bin/ | |
| - name: Validate WAT output (strict) | |
| if: runner.os == 'Linux' | |
| run: | | |
| # Validate all generated WAT files | |
| for wat in add.wat max.wat square.wat combined.wat; do | |
| echo "Validating $wat..." | |
| wasm-tools validate --features gc "$wat" || echo "Note: WAT validation requires WASM-GC support" | |
| done | |
| working-directory: engines/rescript-wasm | |
| - name: Upload WAT artifacts | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4 | |
| with: | |
| name: wat-output-${{ matrix.os }}-${{ matrix.ocaml-version }} | |
| path: engines/rescript-wasm/*.wat | |
| # Forth Estate build | |
| forth-estate: | |
| name: Forth Estate SSG | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Install Gforth | |
| run: sudo apt-get update && sudo apt-get install -y gforth | |
| - name: Check Forth syntax | |
| run: | | |
| if [ -f forth-estate.fs ]; then | |
| gforth forth-estate.fs -e bye | |
| fi | |
| working-directory: engines/forth-estate | |
| # Strict lint and format checks - ALL MUST PASS | |
| lint: | |
| name: Lint & Format (Strict) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Set up OCaml | |
| uses: ocaml/setup-ocaml@7c185f622998a008ba1b296d2d7c64e235629c23 # v3.6.1 | |
| with: | |
| ocaml-compiler: "4.14.x" | |
| - name: Check for unsafe patterns (MUST PASS) | |
| run: | | |
| echo "=== Checking for unsafe patterns ===" | |
| ERRORS=0 | |
| # Check for Obj.magic (type safety violation) | |
| if grep -rn "Obj\.magic" engines/rescript-wasm/lib/; then | |
| echo "ERROR: Obj.magic found - this violates type safety" | |
| ERRORS=$((ERRORS + 1)) | |
| fi | |
| # Check for Marshal (code execution risk) | |
| if grep -rn "Marshal\." engines/rescript-wasm/lib/; then | |
| echo "ERROR: Marshal found - this is a code execution risk" | |
| ERRORS=$((ERRORS + 1)) | |
| fi | |
| # Check for shell execution | |
| if grep -rn "Unix\.system\|Unix\.open_process\|Sys\.command" engines/rescript-wasm/lib/; then | |
| echo "ERROR: Shell execution found - security risk" | |
| ERRORS=$((ERRORS + 1)) | |
| fi | |
| if [ $ERRORS -gt 0 ]; then | |
| echo "Found $ERRORS security issues" | |
| exit 1 | |
| fi | |
| echo "No unsafe patterns found" | |
| - name: Check for catch-all patterns (MUST PASS) | |
| run: | | |
| echo "=== Checking for dangerous catch-all patterns ===" | |
| # Look for standalone _ patterns in match statements (potential bug hiding) | |
| # This is a heuristic check - not perfect but catches common issues | |
| if grep -En "^\s*\|\s*_\s*->" engines/rescript-wasm/lib/*.ml | grep -v "failwith\|error\|assert\|raise"; then | |
| echo "WARNING: Found catch-all patterns without explicit error handling" | |
| echo "Consider using explicit pattern matching to avoid hiding bugs" | |
| fi | |
| echo "Pattern check complete" | |
| - name: Report TODOs/FIXMEs | |
| run: | | |
| echo "=== TODOs and FIXMEs (informational) ===" | |
| grep -rn "TODO\|FIXME\|XXX\|HACK" engines/rescript-wasm/lib/ || echo "None found" | |
| - name: Check line lengths (soft limit 100) | |
| run: | | |
| echo "=== Lines over 100 characters (warnings) ===" | |
| LONG_LINES=$(find engines/rescript-wasm/lib -name "*.ml" -exec awk 'length > 100 {count++} END {print count+0}' {} \; | awk '{s+=$1} END {print s}') | |
| echo "Found $LONG_LINES lines over 100 characters" | |
| if [ "$LONG_LINES" -gt 50 ]; then | |
| echo "WARNING: Many long lines found, consider refactoring" | |
| fi | |
| # Security scanning job | |
| security: | |
| name: Security Checks | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| - name: Set up OCaml | |
| uses: ocaml/setup-ocaml@7c185f622998a008ba1b296d2d7c64e235629c23 # v3.6.1 | |
| with: | |
| ocaml-compiler: "4.14.x" | |
| - name: Check dependencies for known vulnerabilities | |
| run: | | |
| echo "=== Checking for vulnerable dependencies ===" | |
| opam list --installed --safe 2>/dev/null || true | |
| - name: Scan for hardcoded secrets | |
| run: | | |
| echo "=== Scanning for hardcoded secrets ===" | |
| # Check for common secret patterns | |
| if grep -rEn "(password|secret|api_key|apikey|auth_token|private_key)\s*=\s*['\"][^'\"]+['\"]" engines/rescript-wasm/; then | |
| echo "ERROR: Potential hardcoded secrets found" | |
| exit 1 | |
| fi | |
| echo "No hardcoded secrets found" | |
| - name: Check .gitignore coverage | |
| run: | | |
| echo "=== Checking .gitignore coverage ===" | |
| # Verify important patterns are ignored | |
| if [ -f engines/rescript-wasm/.gitignore ]; then | |
| for pattern in "_build/" "*.cmo" "*.cmi" ".env"; do | |
| if grep -q "$pattern" engines/rescript-wasm/.gitignore; then | |
| echo "OK: $pattern is ignored" | |
| else | |
| echo "WARNING: $pattern should be in .gitignore" | |
| fi | |
| done | |
| fi | |
| # Final validation job - runs after all others | |
| validate: | |
| name: Final Validation | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| needs: [rescript-wasm, forth-estate, lint, security] | |
| steps: | |
| - name: All checks passed | |
| run: | | |
| echo "=========================================" | |
| echo "All CI checks passed successfully!" | |
| echo "=========================================" | |
| echo "- ReScript-WASM: Build & Tests PASSED" | |
| echo "- Forth Estate: Syntax PASSED" | |
| echo "- Lint & Format: PASSED" | |
| echo "- Security Checks: PASSED" | |
| echo "=========================================" |
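Review bot: The `Install wasm-tools` step pipes `curl -L … | tar xz` straight into extraction and then `sudo mv`s the binary into `/usr/local/bin/` with no integrity check, so whatever the download endpoint returns is installed with root privileges on the runner; fetch to a file, verify its sha256 against a pinned digest before extracting, and let a mismatch fail the step (rewrite below, with the digest left as a placeholder to fill from the release). The following `Validate WAT output (strict)` step can never fail because `wasm-tools validate --features gc "$wat" || echo "Note: WAT validation requires WASM-GC support"` discards the exit status, so either drop the `|| echo …` or stop describing the step as strict. `security-events: write` on the `security` job is not used by any step on this page (nothing uploads SARIF), and under least privilege that permission should be removed, leaving `contents: read`. The `Check dependencies for known vulnerabilities` step only runs `opam list --installed --safe 2>/dev/null || true`, which lists installed packages and never consults an advisory source, so the step name promises a check that is not performed; either wire in an actual advisory check or rename the step to `List installed dependencies` so readers do not assume coverage.
```yaml
      - name: Install wasm-tools
        if: runner.os == 'Linux'
        run: |
          curl -fsSL -o wasm-tools.tar.gz https://github.com/bytecodealliance/wasm-tools/releases/download/v1.219.1/wasm-tools-1.219.1-x86_64-linux.tar.gz
          # <EXPECTED_SHA256> is a placeholder: pin the digest published for this release asset
          echo "<EXPECTED_SHA256>  wasm-tools.tar.gz" | sha256sum -c -
          tar xzf wasm-tools.tar.gz
          sudo mv wasm-tools-1.219.1-x86_64-linux/wasm-tools /usr/local/bin/
```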