ci: harden lint, add release build and audit jobs #85
Merged
shadowhand merged 2 commits intoApr 28, 2026
- Clippy now runs with --all-targets --all-features and -D warnings, so any new warning fails CI.
- New release-build job catches release-only compile/link issues (LTO, codegen-units, etc.) before they hit a tag.
- New audit job runs cargo-audit against the lockfile to surface known-vulnerable transitive dependencies.

Fixes the 10 pre-existing clippy warnings that accumulated across the codebase so the strict lint passes:

- src/commands/api.rs: useless format!() in a test fixture
- src/commands/clinicians/prepare.rs: setup_prepare_mocks_by_uuid has 10 args by design (mock-construction helper); allowed locally
- src/commands/config/default.rs: map_or(true, ...) → is_none_or(...) (3 occurrences in tests)
- src/commands/skills.rs: needless &Path::path() borrows in tests
- src/config.rs, src/version_check.rs: field-reassign-with-default in three test fixtures, replaced with struct-update syntax

CONTRIBUTING.md: documented the strict clippy invocation and the release build command so local checks match CI.

288 → 291 tests still pass (no test changes; the +3 came in PR8 from Stage::workos_config tests).
The new cargo-audit job in CI surfaced three vulnerabilities in transitive dependencies. All three resolve to semver-compatible patch versions reachable via `cargo update`:

- rustls-webpki 0.103.10 → 0.103.13
  - RUSTSEC-2026-0098: name constraints for URI names
  - RUSTSEC-2026-0099: name constraints accepted for wildcard certs
  - RUSTSEC-2026-0104: reachable panic in CRL parsing
- rand 0.9.2 → 0.9.4
  - RUSTSEC-2026-0097: unsoundness with custom logger via rand::rng()
- fastrand 2.4.0 → 2.4.1 (yanked → published)

No source changes; only Cargo.lock. All 291 tests still pass.
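A reviewer-side check that the bumps listed in the commit message above actually landed in a lockfile, written as an added example (not code from this PR or project). `FLOORS`, `stale_packages` and the sample lockfile are constructed for illustration; the check only judges versions on the same MAJOR.MINOR line as the fixes named on the page and treats pre-releases as failing.

```rust
// Floors are the post-update versions quoted in the commit message above.
const FLOORS: [(&str, [u64; 3]); 3] =
    [("rustls-webpki", [0, 103, 13]), ("rand", [0, 9, 4]), ("fastrand", [2, 4, 1])];
// Constructed lockfile excerpt, not the project's real Cargo.lock.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "rand"
version = "0.8.5"
[[package]]
name = "rand"
version = "0.9.2"
[[package]]
name = "fastrand"
version = "2.4.0"
"#;
/// Value of a `key = "value"` line, if the line sets `key`.
fn quoted<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Strict MAJOR.MINOR.PATCH (build metadata dropped); pre-releases yield None.
fn parse_version(v: &str) -> Option<[u64; 3]> {
    let mut it = v.split('+').next()?.split('.').map(|p| p.parse::<u64>().ok());
    let out = [it.next()??, it.next()??, it.next()??];
    if it.next().is_some() { None } else { Some(out) }
}

/// "name version" for every locked package still below its floor.
fn stale_packages(lock: &str) -> Vec<String> {
    let (mut stale, mut name) = (Vec::new(), "");
    for line in lock.lines() {
        if let Some(n) = quoted(line, "name") {
            name = n;
        } else if let Some(v) = quoted(line, "version") {
            let Some((_, floor)) = FLOORS.iter().find(|(n, _)| *n == name) else { continue };
            match parse_version(v) {
                // Assumption: only the release line named on the page is judged.
                Some(found) if found[..2] != floor[..2] || found >= *floor => {}
                _ => stale.push(format!("{name} {v}")), // too old, or unparsable
            }
        }
    }
    stale
}

fn main() {
    println!("{:?}", stale_packages(SAMPLE_LOCK));
}
```

This complements `cargo audit` rather than replacing it: it knows only the three floors above, not the advisory database.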
Summary
Stacked on #84. Final PR in the architecture refactor stack.
CI changes
- `cargo clippy --all-targets --all-features -- -D warnings`. Any new warning fails CI.
- `release-build` job catches release-only compile/link issues (LTO, codegen-units, etc.) before they hit a tag.
- `audit` job runs `cargo-audit` against the lockfile to surface known-vulnerable transitive dependencies.

Pre-existing warnings fixed
Strict lint surfaced 10 warnings that had been accumulating because the previous CI step was `cargo clippy` with no flags:

- `commands/api.rs`: `format!()` in a test fixture → `.to_string()`
- `commands/clinicians/prepare.rs`: `setup_prepare_mocks_by_uuid` has 10 args by design — `#[allow]` it locally
- `commands/config/default.rs` (×3): `map_or(true, …)` → `is_none_or(…)`
- `commands/skills.rs` (×2): `&path()` borrows in tests
- `config.rs`, `version_check.rs` (×3)

`CONTRIBUTING.md` updated with the strict clippy invocation and the release build command so local checks match CI.

Stack — final
This closes the 9-PR series: #77 → #78 → #79 → #80 → #81 → #82 → #83 → #84 → this.
Cumulative results:
main.rs api.get(path).await?) *ListResponse jsonapi::List<A>) lib.rs + thin binary -D warnings strict

Test plan
- `cargo fmt --check` clean
- `cargo clippy --all-targets --all-features -- -D warnings` — clean
- `cargo build --release` — succeeds in 1m35s
- `cargo test` — 291 pass total

https://claude.ai/code/session_012fVDyKBysF1ERtvVuEAw2Y
Generated by Claude Code