ci(ruvector-hailo): cargo-audit + clippy + test + doc workflow (ADR-172 §5c)

Closes ADR-172 §5c (no cargo-audit in CI). New GitHub Actions workflow .github/workflows/hailo-backend-audit.yml runs four jobs on every push/PR touching the hailo-backend branch's three crates or its ADRs: * audit — `cargo audit --deny warnings` against the cluster crate's Cargo.lock (205 deps; 0 vulns at land time) * clippy — `cargo clippy --all-targets -- -D warnings` (cached) * test — full suite: 75 lib + 12 cluster + 18 CLI + 7 doctest * doc-warnings — `RUSTDOCFLAGS='-D missing-docs' cargo doc` (locks in iter-75's #![warn(missing_docs)] enforcement) Independent of the parent workspace's CI because the hailo crates are excluded from the default workspace build (need libhailort for the worker bin which CI can't install). Also lands `crates/ruvector-hailo-cluster/deny.toml` for a future cargo-deny pass: x86_64 + aarch64 targets, MIT/Apache/BSD/ISC license allowlist, denies wildcards + unknown registries + unknown git sources. Workflow doesn't run cargo-deny yet — config sits ready for the iter 92 follow-up after a clean `cargo deny check` pass against the dep tree. Co-Authored-By: claude-flow <ruv@ruv.net>
2026-06-01 23:00:37 +00:00 · 2026-05-02 01:01:54 -04:00 · 2026-05-02 01:01:54 -04:00 · cb7bd38872
commit cb7bd38872
parent 8c89c2d59f
2 changed files with 158 additions and 0 deletions
--- a/.github/workflows/hailo-backend-audit.yml
+++ b/.github/workflows/hailo-backend-audit.yml
@ -0,0 +1,102 @@
+# ruvector-hailo CI: cargo-audit + cargo-deny + clippy + test pyramid
+#
+# Closes ADR-172 §5c (no cargo-audit in CI). Runs on every push +
+# PR touching the hailo-backend branch's three crates. Independent of
+# the parent workspace's CI because the hailo crates are excluded from
+# the default workspace build (need libhailort for the worker bin).
+name: hailo-backend audit
+
+on:
+  push:
+    branches: [hailo-backend, main]
+    paths:
+      - 'crates/ruvector-hailo-cluster/**'
+      - 'crates/ruvector-hailo/**'
+      - 'crates/hailort-sys/**'
+      - 'docs/adr/ADR-167-*.md'
+      - 'docs/adr/ADR-168-*.md'
+      - 'docs/adr/ADR-169-*.md'
+      - 'docs/adr/ADR-170-*.md'
+      - 'docs/adr/ADR-171-*.md'
+      - 'docs/adr/ADR-172-*.md'
+      - 'docs/adr/ADR-173-*.md'
+      - 'docs/adr/ADR-174-*.md'
+      - '.github/workflows/hailo-backend-audit.yml'
+  pull_request:
+    paths:
+      - 'crates/ruvector-hailo-cluster/**'
+      - 'crates/ruvector-hailo/**'
+      - 'crates/hailort-sys/**'
+      - '.github/workflows/hailo-backend-audit.yml'
+
+jobs:
+  audit:
+    name: cargo-audit (cluster)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install protoc
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+      - name: Install cargo-audit
+        run: cargo install --locked cargo-audit
+      - name: Run cargo audit
+        working-directory: crates/ruvector-hailo-cluster
+        # `--deny warnings` makes any vuln advisory a hard CI fail. The
+        # cluster crate is the only one with a Cargo.lock under audit's
+        # default scope (hailort-sys/ruvector-hailo lock files are gated
+        # on the `hailo` feature which CI can't build without libhailort).
+        run: cargo audit --deny warnings
+
+  clippy:
+    name: clippy --all-targets -D warnings (cluster)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install protoc
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+      - name: Cache cargo
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            crates/ruvector-hailo-cluster/target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('crates/ruvector-hailo-cluster/Cargo.lock') }}
+      - name: Run clippy
+        working-directory: crates/ruvector-hailo-cluster
+        run: cargo clippy --all-targets -- -D warnings
+
+  test:
+    name: test (cluster — lib + integration + cli + doctest)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install protoc
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+      - name: Cache cargo
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            crates/ruvector-hailo-cluster/target
+          key: ${{ runner.os }}-cargo-test-${{ hashFiles('crates/ruvector-hailo-cluster/Cargo.lock') }}
+      - name: Run all suites
+        working-directory: crates/ruvector-hailo-cluster
+        run: cargo test
+      - name: Run doctests
+        working-directory: crates/ruvector-hailo-cluster
+        run: cargo test --doc
+
+  doc-warnings:
+    name: missing-docs check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install protoc
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+      - name: Build docs with -D missing-docs
+        working-directory: crates/ruvector-hailo-cluster
+        env:
+          RUSTDOCFLAGS: "-D missing-docs"
+        run: cargo doc --no-deps --lib
--- a/crates/ruvector-hailo-cluster/deny.toml
+++ b/crates/ruvector-hailo-cluster/deny.toml
@ -0,0 +1,56 @@
+# cargo-deny config for ruvector-hailo-cluster.
+#
+# Run with `cargo deny check` after installing cargo-deny.
+# CI surfaces this in the hailo-backend-audit workflow (planned iter 92
+# follow-up — workflow currently runs cargo-audit; cargo-deny lands once
+# this config has had a pass against the dep tree).
+#
+# Closes ADR-172 §5b/§5c (build supply chain hardening).
+
+[graph]
+# Targets we actually ship: x86 dev hosts + Pi 5 deploys.
+targets = [
+    { triple = "x86_64-unknown-linux-gnu" },
+    { triple = "aarch64-unknown-linux-gnu" },
+]
+
+[advisories]
+# Block on any unfixed vuln. Same threshold as the cargo-audit job.
+yanked = "deny"
+ignore = []
+
+[licenses]
+# Permissive licenses we accept. GPL-family stays denied for now (no
+# GPL deps in the cluster crate; flag if one sneaks in).
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "Unicode-3.0",
+    "Unicode-DFS-2016",
+    "Zlib",
+    "MPL-2.0",
+    "CC0-1.0",
+    "0BSD",
+]
+confidence-threshold = 0.93
+
+[bans]
+# Explicit bans for things we don't want creeping in.
+multiple-versions = "warn"
+wildcards = "deny"
+highlight = "all"
+
+# Deny known-unsound or notoriously slow crates if they appear via
+# transitive deps. Empty today; populate as the dep tree grows.
+deny = []
+
+[sources]
+# Only crates.io. No git or path deps from outside the workspace.
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []