name: ci

# Core CI pipeline: rustfmt, clippy, the workspace test matrix, and a
# publish dry-run of hyperdb-bootstrap. verify-hyperd-pin.yml is a separate
# workflow that only HEADs the pinned release's URLs.
on:
  # Prose-only changes cannot alter Rust compilation, lint output, advisory
  # checks, or the publish dry-run, so the paths-ignore lists below skip CI
  # for docs-only changes and save CI minutes.
  #
  # `deny.toml` and `.cargo/audit.toml` are deliberately absent from the
  # ignore lists: they configure the security checks themselves, and a typo
  # in either would silently disable those checks. Any edit to them must
  # trigger a full run.
  #
  # The push and pull_request lists must stay identical.
  push:
    branches:
      - main
    paths-ignore:
      - '**/*.md'
      - 'docs/**'
      - 'LICENSE-*'
      - 'NOTICE'
      - '.github/ISSUE_TEMPLATE/**'
      - '.github/pull_request_template.md'
  pull_request:
    paths-ignore:
      - '**/*.md'
      - 'docs/**'
      - 'LICENSE-*'
      - 'NOTICE'
      - '.github/ISSUE_TEMPLATE/**'
      - '.github/pull_request_template.md'
  workflow_dispatch: {}
# A new push to a pull request cancels that PR's in-flight CI runs; runs
# started by a push to main are never cancelled and always finish.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# GITHUB_TOKEN scope for every job in this workflow: read-only access to
# repository contents. No job below widens it.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: "1"
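jobs:
  # Job overview: fmt, clippy, test (3-OS matrix), node-bindings,
  # publish-dry-run, deny, audit, version-consistency.
  #
  # NOTE(review): every `uses:` reference below is pinned to a mutable major
  # tag (@v1, @v2, @v5, @v6). Pinning each action to a full commit SHA keeps
  # a re-pointed tag from changing the code that runs in this pipeline.
  #
  # Every checkout sets `persist-credentials: false`. No step visible in this
  # workflow performs an authenticated git operation, so the token does not
  # need to remain in .git/config while build scripts, proc-macros and npm
  # tooling from the checked-out tree execute.
  fmt:
    name: rustfmt
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
          components: rustfmt
          cache: false
          # Disable the action's default RUSTFLAGS=-D warnings; workspace
          # lint policy lives in [workspace.lints] in Cargo.toml, and
          # promoting warn-level lints to errors at the env level would
          # break local-friendly behaviors elsewhere.
          rustflags: ""
      - run: cargo fmt --all --check

  clippy:
    # Clippy lints are platform-independent, so a single runner is enough.
    # If a lint ever diverges by target (rare), broaden the matrix.
    name: clippy
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Install system libraries (fontconfig for plotters, mold for fast linking, protobuf)
        run: sudo apt-get update -q && sudo apt-get install -y libfontconfig1-dev mold protobuf-compiler
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
          components: clippy
          cache-key: clippy
          # See fmt job for rationale; clippy enforces -D warnings via
          # the explicit `-- -D warnings` arg below, not via env.
          rustflags: ""
      - name: Cache hyperd binary
        # --all-features enables the compile-time feature, which starts an
        # embedded Hyper instance inside the proc-macro host during clippy.
        # hyperd must be present or the proc-macro panics.
        #
        # NOTE(review): the cache key covers only the pin file, and the
        # restored binary is executed during the build. Confirm that
        # `hyperdb-bootstrap download` verifies a checksum or signature of
        # what it fetches before it lands in .hyperd.
        id: hyperd-cache
        uses: actions/cache@v5
        with:
          path: .hyperd
          key: hyperd-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('hyperdb-bootstrap/hyperd-version.toml') }}
      - name: Download hyperd
        if: steps.hyperd-cache.outputs.cache-hit != 'true'
        run: cargo run --release -p hyperdb-bootstrap --bin hyperdb-bootstrap -- download
      - name: Clippy (workspace, all targets)
        # Every crate in the workspace is linted under the Microsoft Rust
        # Guidelines config in `[workspace.lints]` (see Cargo.toml and
        # docs/RUST_GUIDELINES.md). Warnings are treated as errors.
        env:
          HYPERD_PATH: ${{ github.workspace }}/.hyperd/current
        run: cargo clippy --workspace --all-targets --all-features -- -D warnings

  test:
    name: test (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    timeout-minutes: 45
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-14, windows-latest]
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Free disk space (Linux only)
        if: runner.os == 'Linux'
        run: |
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /opt/ghc
          sudo rm -rf /usr/local/share/boost
      - name: Install system libraries (Linux)
        if: runner.os == 'Linux'
        run: sudo apt-get update -q && sudo apt-get install -y libfontconfig1-dev mold protobuf-compiler
      - name: Install protobuf (macOS)
        if: runner.os == 'macOS'
        run: brew install protobuf
      - name: Install protobuf (Windows)
        if: runner.os == 'Windows'
        run: choco install protoc -y
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
          # Keep this cache separate from the clippy job's; the test
          # profile has different artifacts and mixing them causes
          # unnecessary rebuilds.
          cache-key: test-${{ matrix.os }}
          # See fmt job for rationale.
          rustflags: ""
      - name: Cache hyperd binary
        # Keyed on the pinned release file, so bumping the pin
        # (hyperdb-bootstrap/hyperd-version.toml) invalidates the cache
        # automatically and the next run re-downloads.
        id: hyperd-cache
        uses: actions/cache@v5
        with:
          path: .hyperd
          key: hyperd-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('hyperdb-bootstrap/hyperd-version.toml') }}
      - name: Download hyperd
        if: steps.hyperd-cache.outputs.cache-hit != 'true'
        run: cargo run --release -p hyperdb-bootstrap --bin hyperdb-bootstrap -- download
      - name: Workspace tests
        shell: bash
        env:
          # .hyperd/current accepts either a file or directory per the
          # hyperdb-api process loader; passing the directory keeps the
          # command identical across OSes (hyperd vs hyperd.exe).
          HYPERD_PATH: ${{ github.workspace }}/.hyperd/current
        run: |
          cargo test --workspace \
            --exclude hyperdb-api-node \
            --exclude hyperdb-bootstrap
      # hyperdb-api-node needs napi-rs + a Node.js toolchain; it gets
      # its own workflow when wired up. hyperdb-bootstrap has its own
      # coverage (next step) and doesn't need hyperd running.
      - name: hyperdb-bootstrap tests
        run: cargo test -p hyperdb-bootstrap

  node-bindings:
    # Build the napi-rs Node.js bindings and run the smoke test on every
    # PR. Without this, regressions in hyperdb-api-node (TS surface, napi
    # glue, build script) only surface during npm-build-publish at release
    # time and block the publish mid-flight. Linux-only is sufficient —
    # cross-platform napi compatibility is exercised by the per-platform
    # build matrix in npm-build-publish.yml when a release ships.
    name: hyperdb-api-node (build + smoke)
    runs-on: ubuntu-latest
    timeout-minutes: 25
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Install system libraries
        run: sudo apt-get update -q && sudo apt-get install -y libfontconfig1-dev mold protobuf-compiler
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
          # Reuse the test job's Linux cache so the Cargo deps are warm
          # when both jobs run on the same SHA.
          cache-key: test-ubuntu-latest
          # See fmt job for rationale.
          rustflags: ""
      - uses: actions/setup-node@v6
        with:
          node-version: "20"
      - name: Cache hyperd binary
        id: hyperd-cache
        uses: actions/cache@v5
        with:
          path: .hyperd
          key: hyperd-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('hyperdb-bootstrap/hyperd-version.toml') }}
      - name: Download hyperd
        if: steps.hyperd-cache.outputs.cache-hit != 'true'
        run: cargo run --release -p hyperdb-bootstrap --bin hyperdb-bootstrap -- download
      - name: Build native addon (debug)
        # --ignore-scripts keeps dependency lifecycle scripts from running
        # during install; only the project's own build:debug script runs.
        run: |
          cd hyperdb-api-node
          npm install --ignore-scripts
          npm run build:debug
      - name: Smoke test
        env:
          HYPERD_PATH: ${{ github.workspace }}/.hyperd/current
        run: |
          cd hyperdb-api-node
          npm test

  publish-dry-run:
    # Catches Cargo.toml metadata regressions (missing license, bad
    # include paths, etc.) on the subset of crates that have no
    # unresolvable path deps before the full wave ships.
    # Excluded from dry-run (resolved only at release time):
    #   hyperdb-api-core, hyperdb-api-salesforce, hyperdb-api, hyperdb-mcp:
    #     path+version deps on workspace siblings not yet on crates.io.
    #   hyperdb-api-derive: now has an optional path dep on
    #     hyperdb-compile-check, which is not a workspace member and not on
    #     crates.io until the release wave lands. Even optional deps are
    #     resolved by `cargo publish --dry-run` during verification.
    #   hyperdb-compile-check: depends on hyperdb-api (not yet published).
    # All of the above are exercised end-to-end by release.yml at tag time.
    name: publish dry-run
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Install mold linker
        run: sudo apt-get update -q && sudo apt-get install -y mold
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
          cache-key: publish-dry-run
          rustflags: ""
      - run: |
          cargo publish -p hyperdb-bootstrap --dry-run
          cargo publish -p sea-query-hyperdb --dry-run
      # hyperdb-api-derive excluded: has an optional path dep on
      # hyperdb-compile-check which isn't on crates.io until the full
      # release wave lands. Cargo resolves optional deps during dry-run
      # verification regardless of whether the feature is enabled.

  deny:
    # Enforces license allowlist, advisory ignore list, and banned-source
    # rules from deny.toml. Pairs with the `audit` job — `cargo-deny` and
    # `cargo-audit` have separate ignore mechanisms; both must agree.
    name: cargo-deny
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check
          arguments: --all-features --workspace

  audit:
    # Enforces the RustSec advisory ignore list in .cargo/audit.toml.
    # Fails on any unfixed advisory for a crate in the lockfile.
    name: cargo-audit
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: stable
          cache-key: audit
          rustflags: ""
      # NOTE(review): this installs whichever cargo-audit release is newest
      # at run time; `--locked` only fixes that release's dependency tree.
      # Consider adding `--version <PINNED_CARGO_AUDIT_VERSION>` so the
      # tool enforcing the advisory gate changes only by an explicit bump.
      - run: cargo install cargo-audit --locked
      - run: cargo audit --deny warnings

  version-consistency:
    # Ensures version.txt (release-please source of truth) stays in sync
    # with Cargo.toml workspace version. Catches release-please PRs that
    # bump one but not the other.
    name: version consistency
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Check version.txt matches Cargo.toml workspace version
        run: |
          set -euo pipefail
          CARGO_VERSION=$(grep '^version = ' Cargo.toml | head -1 | sed 's/version = "\(.*\)"/\1/')
          TXT_VERSION=$(tr -d '[:space:]' < version.txt)
          if [[ "$CARGO_VERSION" != "$TXT_VERSION" ]]; then
            echo "::error::version.txt ($TXT_VERSION) does not match Cargo.toml workspace version ($CARGO_VERSION)"
            exit 1
          fi
      - name: Check npm package.json files have no in-source version
        # The platform and umbrella npm package.json files have their
        # `version` field stripped from source — npm-build-publish.yml
        # injects it at publish time from the git tag. This guard
        # catches anyone (or any tool) re-introducing a `version` field
        # and reviving the original "platform versions stuck at 0.1.3"
        # bug. assemble-npm.sh writes versions transiently with a
        # restore-on-EXIT trap, so a clean checkout never has them.
        run: |
          set -euo pipefail
          FILES=(
            hyperdb-mcp/npm/package.json
            hyperdb-mcp/npm/darwin-arm64/package.json
            hyperdb-mcp/npm/darwin-x64/package.json
            hyperdb-mcp/npm/linux-x64-gnu/package.json
            hyperdb-mcp/npm/win32-x64-msvc/package.json
            hyperdb-api-node/package.json
            hyperdb-api-node/npm/darwin-arm64/package.json
            hyperdb-api-node/npm/darwin-x64/package.json
            hyperdb-api-node/npm/linux-arm64-gnu/package.json
            hyperdb-api-node/npm/linux-x64-gnu/package.json
            hyperdb-api-node/npm/linux-x64-musl/package.json
            hyperdb-api-node/npm/win32-x64-msvc/package.json
          )
          OFFENDERS=()
          for f in "${FILES[@]}"; do
            # The path is handed to node as an argument (process.argv[1])
            # rather than spliced into the JavaScript source, so a path
            # containing a quote can never change the code being run.
            if node -e 'process.exit(JSON.parse(require("fs").readFileSync(process.argv[1], "utf8")).version === undefined ? 0 : 1)' "$f"; then
              :
            else
              OFFENDERS+=("$f")
            fi
          done
          if (( ${#OFFENDERS[@]} > 0 )); then
            echo "::error::The following npm package.json files have a 'version' field, which must not be tracked in source (it's injected at publish time by npm-build-publish.yml):"
            printf ' - %s\n' "${OFFENDERS[@]}"
            exit 1
          fi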