fix(ci): rust-ci.yml use --features verisim, not --all-features (#85)#86
Merged
Conversation
🔍 Hypatia Security ScanFindings: 189 issues detected
View findings[
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action haskell-actions/setup@v2 needs attention",
"type": "unpinned_action",
"file": "agda-meta-checker.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/cache@v4 needs attention",
"type": "unpinned_action",
"file": "agda-meta-checker.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml@main needs attention",
"type": "unpinned_action",
"file": "security-scan.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Workflow executes remote script directly (curl/wget piped to shell). Download, verify checksum/signature, then execute.",
"type": "download_then_run",
"file": "mirror.yml",
"action": "verify_download_integrity",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/echidna/echidna/src/abi/TypeLLForeign.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/echidna/echidna/src/abi/CoprocessorForeign.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/echidna/echidna/src/abi/Overlay.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
#85) --all-features force-enables flint/spark/chapel — opt-in, system-library-dependent features (libflint LGPL-3, GNAT+libechidna_spark, Zig FFI). build.rs correctly gates their link directives behind cfg(feature=...), but the bare GitHub runner lacks those libraries, so 'cargo test --all-features' failed at link time on EVERY PR (present on main; surfaced on #73): rust-lld: error: unable to find library -lflint Key distinction: clippy / doc / check type-check and lint the cfg-gated flint/spark/chapel code WITHOUT invoking the linker, so they keep --all-features (full lint/compile coverage, zero infra). Only the two 'cargo test' steps build a linked binary -> they drop to --features verisim (the only pure-Rust optional feature; live-provers superset). flint/spark/chapel test execution remains covered by their dedicated CI (chapel-ci.yml, SPARK Theatre Gate, live-provers.yml). This preserves lint/compile coverage that a blanket --features verisim would have lost for ~510 LoC of flint + the spark-gated FFI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath
force-pushed
the
fix/rust-ci-drop-all-features
branch
from
876520b to
0ccb0db
Compare
🔍 Hypatia Security ScanFindings: 189 issues detected
View findings[
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action haskell-actions/setup@v2 needs attention",
"type": "unpinned_action",
"file": "agda-meta-checker.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/cache@v4 needs attention",
"type": "unpinned_action",
"file": "agda-meta-checker.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml@main needs attention",
"type": "unpinned_action",
"file": "security-scan.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Workflow executes remote script directly (curl/wget piped to shell). Download, verify checksum/signature, then execute.",
"type": "download_then_run",
"file": "mirror.yml",
"action": "verify_download_integrity",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/echidna/echidna/src/abi/TypeLLForeign.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/echidna/echidna/src/abi/CoprocessorForeign.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/echidna/echidna/src/abi/Overlay.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
Human: docs/decisions/2026-05-19-ci-baseline-triage.md — the 3-class triage rule (real PR defect / baseline-rot / #77 infra jam), the 6 required merge-gate contexts, and the rationale for #73/#86/#87. Machine: .machine_readable/6a2/STATE.a2ml [session-2026-05-19-ci-baseline-triage] mirrors it; last-updated bumped. So future humans and agents do not re-litigate these red checks. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 189 issues detected
View findings[
{
"reason": "Issue in quality.yml",
"type": "missing_workflow",
"file": "quality.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in security-policy.yml",
"type": "missing_workflow",
"file": "security-policy.yml",
"action": "create",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action haskell-actions/setup@v2 needs attention",
"type": "unpinned_action",
"file": "agda-meta-checker.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action actions/cache@v4 needs attention",
"type": "unpinned_action",
"file": "agda-meta-checker.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
"type": "unpinned_action",
"file": "governance.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Action hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml@main needs attention",
"type": "unpinned_action",
"file": "security-scan.yml",
"action": "pin_sha",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Workflow executes remote script directly (curl/wget piped to shell). Download, verify checksum/signature, then execute.",
"type": "download_then_run",
"file": "mirror.yml",
"action": "verify_download_integrity",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/echidna/echidna/src/abi/TypeLLForeign.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/echidna/echidna/src/abi/CoprocessorForeign.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
},
{
"reason": "believe_me undermines formal verification (1 occurrences, CWE-704)",
"type": "believe_me",
"file": "/home/runner/work/echidna/echidna/src/abi/Overlay.idr",
"action": "flag",
"rule_module": "code_safety",
"severity": "critical"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #85.
Problem
Test Suite/Code Coverage/MVP Smoke/Julia Integrationfail on every PR (present onmain; surfaced during #73 triage):build.rscorrectly gates-lflint/spark/chapel link directives behind#[cfg(feature = "...")]. The defect isrust-ci.ymlrunning with--all-features, which force-enablesflint/spark/chapel— opt-in, system-library-dependent (libflint LGPL-3 / GNAT+libechidna_spark / Zig FFI). The bare runner has none.Fix (refined after coverage audit)
Only
cargo testbuilds a linked binary;clippy/doc/checktype-check + lint the cfg-gated code without invoking the linker.clippy,doc,check→ keep--all-features(full lint/compile coverage of flint/spark/chapel, zero infra — they don't link).cargo teststeps →--features verisim(only pure-Rust optional feature;live-provers ⊇ verisim).flint/spark/chapel test execution stays covered by their dedicated CI (
chapel-ci.yml, SPARK Theatre Gate,live-provers.yml). This avoids the lint/compile blind spot a blanket--features verisimwould have created for ~510 LoC of flint + the spark-gated FFI.Verified locally on a bare machine:
cargo test --lib --features verisim→ 1092 passed, 0 failed.Baseline fix per estate guardrail (baseline-rot ≠ PR-defect): blocked PRs (e.g. #73 follow-ups) clear on their next
mainmerge.