
ci: harden SARIF tooling #367

Merged
acgetchell merged 1 commit into main from ci/358-tooling-sarif-hardening on May 8, 2026

Conversation

@acgetchell (Owner)
Closes #358

  • Add a repository-rule Semgrep SARIF workflow for direct Code Scanning uploads.
  • Harden Clippy SARIF generation with pipefail, cargo lint coverage, and guarded uploads.
  • Discover Semgrep rule fixtures dynamically so new fixtures are tested automatically.
  • Document the tooling parity updates ported from causal-triangulations.

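The fixture-discovery step named in the description above (find every Semgrep rule fixture under `tests/semgrep`, stage them in a temporary config directory via symlinks, run one strict `semgrep --test`), written out as an added shell example. This is not the project's own `justfile` recipe; it assumes rule fixtures are `*.yml`/`*.yaml` files with sibling target files sharing the same stem, and that `semgrep --test --strict --config DIR DIR` is the invocation wanted. Fixtures from different subdirectories are given path-prefixed names so two `rule.yml` files cannot clobber each other in the staging directory.

```bash
#!/usr/bin/env bash
# Added example, not the project's justfile recipe: discover Semgrep rule
# fixtures dynamically, stage them by symlink into a throwaway config
# directory, and run a single strict `semgrep --test` over the staged set.
set -euo pipefail

# List rule fixtures under $1. Assumption: rules are *.yml / *.yaml files.
discover_fixtures() {
  local root="$1"
  find "$root" -type f \( -name '*.yml' -o -name '*.yaml' \) | LC_ALL=C sort
}

# Stage every fixture (the rule file plus any sibling target files sharing
# its stem) into a fresh temp dir as symlinks. Files from subdirectories get
# the relative directory as a "__"-separated prefix, so a/rule.yml and
# b/rule.yml stay distinct. Prints the temp dir path.
stage_fixtures() {
  local root="$1" dir
  dir="$(mktemp -d)"
  discover_fixtures "$root" | while IFS= read -r rule; do
    rel="${rule#"$root"/}"                      # path relative to the root
    prefix="$(dirname "$rel" | tr '/' '_')"
    if [ "$prefix" = "." ]; then prefix=""; else prefix="${prefix}__"; fi
    stem="$(basename "${rule%.*}")"
    absdir="$(cd "$(dirname "$rule")" && pwd)"
    for target in "$absdir/$stem".*; do
      [ -f "$target" ] || continue
      ln -sf "$target" "$dir/${prefix}$(basename "$target")"
    done
  done
  printf '%s\n' "$dir"
}

# Number of staged rule files; used to refuse an empty test set, which
# semgrep would otherwise report as a trivially passing run.
count_rules() {
  find "$1" -maxdepth 1 \( -name '*.yml' -o -name '*.yaml' \) | wc -l | tr -d ' '
}

# One strict scan over the staged rules and targets. Assumption: this is the
# invocation the project wants; adjust flags to match the real recipe.
run_semgrep_tests() {
  local dir="$1"
  [ "$(count_rules "$dir")" -gt 0 ] || { echo "no Semgrep fixtures found" >&2; return 1; }
  semgrep --test --strict --config "$dir" "$dir"
}

main() {
  local root="$1" dir
  dir="$(stage_fixtures "$root")"
  trap 'rm -rf "$dir"' EXIT
  run_semgrep_tests "$dir"
}

# Run only when a fixture root is given, e.g. `./semgrep-test.sh tests/semgrep`.
if [ -n "${1:-}" ]; then
  command -v semgrep >/dev/null 2>&1 || { echo "semgrep is not installed" >&2; exit 1; }
  main "$1"
fi
```

The staging functions can be sourced and exercised without Semgrep installed; only `run_semgrep_tests` needs the tool.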
@acgetchell acgetchell merged commit e5b20cd into main May 8, 2026
10 of 12 checks passed
@acgetchell acgetchell deleted the ci/358-tooling-sarif-hardening branch May 8, 2026 23:53
@coderabbitai (Contributor)

coderabbitai Bot commented May 8, 2026

Caution: Review failed. The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 3856bd75-e994-42d3-8f82-784314fe7813

📥 Commits

Reviewing files that changed from the base of the PR and between f09d698 and 43775bc.

📒 Files selected for processing (4)
  • .github/workflows/rust-clippy.yml
  • .github/workflows/semgrep-sarif.yml
  • docs/dev/tooling-alignment.md
  • justfile

Walkthrough

This PR ports tooling hardening from causal-triangulations to delaunay. A new Semgrep SARIF workflow is introduced, the existing clippy workflow is strengthened with stricter shell execution and conditional uploads, the semgrep test recipe is refactored to discover fixtures dynamically, and changes are documented.

Changes

Tooling and CI Hardening

| Layer | File(s) | Summary |
|---|---|---|
| Semgrep SARIF Workflow | .github/workflows/semgrep-sarif.yml | New workflow runs repository-level Semgrep with pinned uv, captures exit code, uploads SARIF conditionally when file exists and (for PRs) when source repo matches, and gates the workflow to fail if findings are detected. |
| Clippy Workflow Hardening | .github/workflows/rust-clippy.yml | Clippy SARIF generation now runs under strict Bash mode (set -euo pipefail), adds -W clippy::cargo lint flag, and SARIF upload is now conditional on file existence and PR repository matching. |
| Test Configuration | justfile | semgrep-test recipe now dynamically discovers all fixtures under tests/semgrep, builds a temporary config directory with symlinks, and runs a single strict Semgrep test scan instead of hardcoded per-file invocations. |
| Documentation | docs/dev/tooling-alignment.md | Records ported tooling enhancements: script path normalization, fixture discovery in justfile, clippy workflow hardening, and Semgrep SARIF workflow integration. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • acgetchell/delaunay#362: Modifies the same CI/tooling files (rust-clippy workflow, semgrep workflow, justfile) and documentation related to GitHub Actions workflow alignment.
  • acgetchell/delaunay#164: Modifies the same CI/tooling infrastructure files (rust-clippy workflow and justfile).

Suggested labels

documentation, enhancement, rust

Poem

🐰 A workflow is born, Semgrep takes flight,
Clippy stands guard in the strict mode's light,
Fixtures discovered, tests running strong,
Tooling aligned where it's belonged all along!

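The two workflow rows in the walkthrough above (strict Bash mode with pipefail, exit-code capture, and an upload guarded by file existence and PR repository matching) are easier to reason about as plain shell functions. The block below is an added example, not the project's workflow: `pipeline_status` shows concretely what `set -o pipefail` changes for a `cargo clippy | clippy-sarif | sarif-fmt` style pipeline, `should_upload_sarif` is the upload predicate, and `generate_clippy_sarif` is the capture-then-gate pattern. Assumptions: `clippy-sarif` and `sarif-fmt` are installed, the extra `cargo clippy` flags are illustrative, and `PR_HEAD_REPO` is a variable the workflow would export from the pull request head repository name (GitHub does not set it by itself).

```bash
#!/usr/bin/env bash
# Added example, not the project's workflow: the shell half of a hardened
# SARIF-producing CI step, split into functions so each decision is testable.
set -euo pipefail

# Exit status of `false | cat` in a child bash after running the setup
# command in $1 (":" for nothing, "set -o pipefail" to enable pipefail).
# Without pipefail the pipeline reports cat's success, so a failing first
# stage (think `cargo clippy`) is masked by the SARIF formatter that follows
# it; with pipefail the failing stage's status wins.
pipeline_status() {
  local status=0
  bash -c "$1; false | cat" || status=$?
  printf '%s\n' "$status"
}

# Upload guard with the workflow's two conditions: the SARIF file must exist
# and be non-empty, and on pull_request events the head repository must be
# the base repository. A pull request from a fork runs with a read-only
# GITHUB_TOKEN, so a Code Scanning upload there fails the job rather than
# reporting anything. Returns 0 when an upload should happen.
should_upload_sarif() {
  local sarif="$1" event="$2" head_repo="$3" base_repo="$4"
  [ -s "$sarif" ] || return 1
  if [ "$event" = pull_request ] && [ "$head_repo" != "$base_repo" ]; then
    return 1
  fi
  return 0
}

# Produce clippy SARIF into $1 and return clippy's exit status instead of
# aborting the step, so the file can still be uploaded before the job fails.
# Assumption: clippy-sarif and sarif-fmt are on PATH
# (cargo install clippy-sarif sarif-fmt); --all-targets/--all-features are
# illustrative. -W clippy::cargo is the lint group the workflow adds.
generate_clippy_sarif() {
  local out="$1" status=0
  cargo clippy --all-targets --all-features --message-format=json -- -W clippy::cargo \
    | clippy-sarif | tee "$out" | sarif-fmt || status=$?
  return "$status"
}

main() {
  local out="${1:-clippy.sarif}" status=0
  generate_clippy_sarif "$out" || status=$?
  # In the workflow the upload is a separate action step whose `if:` encodes
  # the same predicate; GITHUB_EVENT_NAME and GITHUB_REPOSITORY are set by
  # GitHub Actions, PR_HEAD_REPO is assumed to be exported by the workflow.
  if should_upload_sarif "$out" "${GITHUB_EVENT_NAME:-}" \
       "${PR_HEAD_REPO:-}" "${GITHUB_REPOSITORY:-}"; then
    echo "would upload $out to Code Scanning"
  else
    echo "skipping upload of $out"
  fi
  exit "$status"   # gate: findings or a clippy failure still fail the job
}

# Run only when an output path is given, e.g. `./clippy-sarif.sh clippy.sarif`.
if [ -n "${1:-}" ]; then main "$1"; fi
```

Capturing the status and exiting with it at the end, rather than letting `set -e` abort at the pipeline, is what lets the SARIF reach the Security tab even on a failing run; the guard then keeps fork PRs and empty outputs from producing a spurious upload failure.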

@codacy-production

codacy-production Bot commented May 8, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


🟢 Coverage ∅ diff coverage · +0.02% coverage variation

| Metric | Results |
|---|---|
| Coverage variation | +0.02% coverage variation (-1.00%) |
| Diff coverage | ∅ diff coverage |


Coverage variation details
| Commit | Coverable lines | Covered lines | Coverage |
|---|---|---|---|
| Common ancestor commit (f09d698) | 53526 | 47995 | 89.67% |
| Head commit (43775bc) | 53526 (+0) | 48005 (+10) | 89.69% (+0.02%) |

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
| | Coverable lines | Covered lines | Diff coverage |
|---|---|---|---|
| Pull request (#367) | 0 | 0 | ∅ (not applicable) |

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%


@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@coderabbitai coderabbitai Bot added documentation Improvements or additions to documentation enhancement New feature or request rust Pull requests that update rust code labels May 8, 2026
@codecov

codecov Bot commented May 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.66%. Comparing base (f09d698) to head (43775bc).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #367      +/-   ##
==========================================
+ Coverage   89.64%   89.66%   +0.01%     
==========================================
  Files          58       58              
  Lines       53335    53335              
==========================================
+ Hits        47811    47821      +10     
+ Misses       5524     5514      -10     
| Flag | Coverage Δ |
|---|---|
| unittests | 89.66% <ø> (+0.01%) ⬆️ |



Development

Successfully merging this pull request may close these issues.

Harden release tooling and SARIF workflows

2 participants