0.2.0 Track C: cargo-deny + Kani matrix + nightly long-fuzz #25
Merged
Three additions bringing the wohl CI gate in line with sibling
PulseEngine repos (synth, rivet):
1. cargo-deny job + deny.toml (supply-chain gate)
- Checks bans, licenses, advisories, sources.
- License allow-list covers what's in the current graph
(MIT, Apache-2.0, Apache-2.0 WITH LLVM-exception, Unicode-3.0,
Unlicense) plus forward-looking allowances (BSD-2/3, ISC,
MPL-2.0, Unicode-DFS-2016, CC0-1.0, Zlib).
- bans.multiple-versions = warn (two known duplicates from the
stm32g0xx-hal transitive chain: bare-metal, nb).
- advisories.yanked = warn.
- Uses EmbarkStudios/cargo-deny-action@v2 with the same pinned-
sibling checkout pattern as the rest of the workflow.
- Locally clean: bans ok, licenses ok, sources ok.
2. Kani matrix split
- Was: one job, serial bash loop over 7 components, first-fail
aborted the loop and you had to read logs to learn which
component failed.
- Now: GH Actions matrix, one cell per crate (wohl-leak,
wohl-temp, wohl-air, wohl-door, wohl-power, wohl-alert,
wohl-ota). fail-fast: false so a single failing crate doesn't
mask the rest.
- The Kani install cache (~/.cargo/bin/cargo-kani, ~/.kani) is
shared across matrix cells; per-crate target/ dirs are covered
by Swatinem/rust-cache with key kani-${{ matrix.crate }}.
3. .github/workflows/nightly-fuzz.yml (new workflow)
- cron: "0 3 * * *" + workflow_dispatch.
- Matrix over fuzz_leak, fuzz_temp; 900s (15 min) per target.
- concurrency group nightly-fuzz, cancel-in-progress: true.
- RELAY_REF duplicated from ci.yml with an in-file comment that
they must bump in lock-step.
Closes the remaining ci-hygiene items in #8. Strict-dedup and a
larger fuzz budget are deliberately deferred to follow-up PRs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bare-metal {0.2.5, 1.0.0} is reachable via the STM32G0 firmware chain
(wohl-fw-door-bench → stm32g0xx-hal → cortex-m 0.7.x). The advisory
itself states "No safe upgrade is available"; the cortex-m 0.7.x
release line that the entire embedded Rust ecosystem still pins
hasn't migrated to `critical-section` yet. Ignore with a comment
that names the trigger for re-evaluating (cortex-m 0.8 release).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Closes out the remaining CI items in #8. Three additions to the CI gate:
- `cargo-deny` job with bans/licenses/sources/advisories — supply-chain check via `EmbarkStudios/cargo-deny-action@v2`. New `deny.toml` at repo root with sensible licenses allowlist (MIT/Apache-2.0/BSD-2/3-Clause/ISC/MPL-2.0/Unicode-DFS-2016/Unicode-3.0/CC0-1.0/Zlib), warn-level multiple-versions (the workspace currently has known transitive duplicates in `bare-metal` and `nb` via the STM32G0 firmware deps).
- `matrix:` so each crate runs in its own parallel job. Failing crate name is now visible in the GitHub Actions UI (currently first-fail aborted the loop). `fail-fast: false` so a failure doesn't mask the rest.
- `.github/workflows/nightly-fuzz.yml`. Triggers daily at 3 AM UTC (and `workflow_dispatch`). Per-target time budget 900s (15 min) — ~30 min wall-clock for the 2 fuzz targets in matrix. Concurrency group cancels in-progress on re-trigger.
Verified locally
- `cargo deny check bans licenses sources` → all OK; advisories skipped locally only (the user's cargo-deny 0.16.4 can't parse RUSTSEC-2026-0073's CVSS 4.0 — the CI runner pulls a fresh action with current cargo-deny and runs the full set).
- YAML parses on both workflow files.
Open follow-ups
- `bans.multiple-versions = "warn"` → `"deny"` after the `bare-metal`/`nb` duplicates resolve (likely needs an `stm32g0xx-hal` bump).
- `cargo-deny-action@v2` to a specific commit for parity with the rest of the workflow's pinning posture.
- `cargo deny check advisories`-only run so vulns are flagged without PR traffic.
🤖 Generated with Claude Code
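A `deny.toml` matching the gate described in the commit message and summary above (the license allow-list, `bans.multiple-versions = warn`, `advisories.yanked = warn`, and the commented advisory ignore for `bare-metal` with its re-evaluation trigger), written here as an added example and not the repository's own file; the advisory id is a placeholder because the page does not name it, and the `[sources]` settings are assumed rather than quoted from the PR.

```toml
# deny.toml (added example; mirrors the gate the PR describes, not the repo's own file)

[advisories]
version = 2
yanked = "warn"
ignore = [
    # PLACEHOLDER id: the PR text does not name the bare-metal advisory.
    # bare-metal 0.2.5 is reachable via wohl-fw-door-bench -> stm32g0xx-hal -> cortex-m 0.7.x,
    # the advisory states "No safe upgrade is available", and cortex-m 0.7.x has not
    # migrated to critical-section. Trigger for re-evaluating this ignore: cortex-m 0.8 release.
    { id = "RUSTSEC-XXXX-XXXX", reason = "bare-metal 0.2.x via cortex-m 0.7.x, no safe upgrade; re-evaluate on cortex-m 0.8" },
]

[licenses]
version = 2
allow = [
    # Licenses present in the current dependency graph.
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "Unicode-3.0",
    "Unlicense",
    # Forward-looking allowances so routine crate additions do not trip the gate.
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "MPL-2.0",
    "Unicode-DFS-2016",
    "CC0-1.0",
    "Zlib",
]
confidence-threshold = 0.8

[bans]
# "warn" while bare-metal {0.2.5, 1.0.0} and nb are duplicated through the
# stm32g0xx-hal transitive chain; the PR's follow-up is to flip this to "deny"
# once those duplicates resolve (likely an stm32g0xx-hal bump).
multiple-versions = "warn"

[sources]
# Assumed settings: the PR reports "sources ok" but does not list the config.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

Run `cargo deny check bans licenses sources advisories` against it; the ignore entry only suppresses the one named advisory, so any new advisory on the same chain still fails the job.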