ci(policy): run file policy checks advisory (#209, rollout PR 10/12)#222
Tenth PR in the 12-PR file-policy rollout. Wires the seven advisory
xtask checks into CI and uploads the aggregated report as an
artifact. Never blocks merge.
## CI
Adds a `Policy (advisory)` job to .github/workflows/ci.yml. The job:
- Checks out the repo and installs the stable Rust toolchain.
- Caches Cargo under a dedicated `policy` cache key.
- Runs `cargo xtask policy-report`, which itself invokes all seven
advisory checks (file / generated / executable / dependency-
surface / workflow / process / network) and writes the unified
target/policy/policy-report.{md,json} alongside each sub-report's
*-report.{md,json}.
- Uploads `target/policy/` as a `policy-reports` artifact with
`if: always()` and 30-day retention.
The job sits after `lint` in ci.yml so it gets early visibility but
runs concurrently with the test/build matrix — no critical-path
extension.
## Docs
- docs/FILE_POLICY.md "Rollout" section now records that PR 10 is the
*current state* of the rollout.
- docs/POLICY_ALLOWLISTS.md and docs/policy/NON_RUST_ROLLOUT.md flip
PR 9 to "landed" and PR 10 to "in flight".
## Acceptance
- ci.yml parses as valid YAML.
- `cargo check --workspace --locked` passes.
- `cargo xtask policy-report` still produces both unified artifacts
locally.
- The Policy job is not gated by `if:` / `permissions` changes that
could affect other jobs.
- Artifact upload uses `actions/upload-artifact@v7` (consistent with
the rest of ci.yml) and `if-no-files-found: error` so a silently
empty target/policy/ won't pass.
## Out of scope
- PR 11 (#210): promote file/generated/executable/dependency/workflow
to blocking-allowlist.
- PR 12 (#211): promote process/network to blocking-allowlist.
Closes #209.
## Summary
Tenth PR in the 12-PR file-policy rollout. First PR to touch a CI workflow file. Wires the seven advisory xtask checks into CI and uploads the aggregated `target/policy/` as an artifact. Never blocks merge.
## Issue
Closes #209. Consumes PR 5 (#204), 6 (#205), 7 (#206), 8 (#207), 9 (#208). Refines #180. Tracks #109.
## What the new CI job does
Adds a `Policy (advisory)` job in `.github/workflows/ci.yml`:
- Checks out the repo and installs the stable Rust toolchain.
- Uses a `policy`-keyed cache.
- Runs `cargo xtask policy-report`, which internally invokes all seven advisory checks and writes the unified report alongside each sub-report.
- Uploads `target/policy/` as a `policy-reports` artifact with 30-day retention and `if-no-files-found: error`.
The job sits after `lint` in ci.yml so it gets early visibility but runs concurrently with the test/build matrix. No critical-path extension expected.
## Decisions
- `if: always()` on the upload step so the artifact lands even when PRs 11/12 later promote sub-checks to blocking mode and a fail occurs.
- `if-no-files-found: error` so a silently-empty `target/policy/` (e.g., from a broken xtask) fails the upload rather than silently uploading nothing.
- `cargo-policy-${{ hashFiles('**/Cargo.lock') }}` cache key so the policy job doesn't fight with `lint`'s cache (different `cargo check` targets).
- `Policy (advisory)` name explicitly carries the mode so a future required-check ratchet (PRs 11/12) can rename the job to drop the "(advisory)" qualifier as a signal of the new posture.
## Docs
- `docs/FILE_POLICY.md` "Rollout" section now records that PR 10 is the current state.
- `docs/POLICY_ALLOWLISTS.md` and `docs/policy/NON_RUST_ROLLOUT.md` flip PR 9 to `landed`, PR 10 to `in flight`.
## Acceptance
- `.github/workflows/ci.yml` parses as valid YAML.
- `cargo check --workspace --locked` passes.
- `cargo xtask policy-report` still produces both unified artifacts locally.
- No `permissions:` changes; no critical-path lengthening.
- `actions/upload-artifact@v7` (consistent with the rest of ci.yml).
## Follow-ups
- PR 11 (#210): promote file/generated/executable/dependency/workflow to `blocking-allowlist` by adding explicit invocations in CI with `--mode blocking-allowlist`. Process/network stay advisory.
- PR 12 (#211): promote process/network to `blocking-allowlist` after a clean observational window.
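The job as the description specifies it, written out as an added illustration rather than the PR's own diff. The upload action version, cache key, artifact name, retention and `if-no-files-found` setting come from the description; the checkout, toolchain and cache actions (and their versions), the runner image and the cache paths are assumptions, and the job is given no `needs:` so it runs alongside the test/build matrix as described.

```yaml
# Added illustration of the "Policy (advisory)" job from the PR description.
# Not the PR's actual diff: checkout/toolchain/cache actions and versions,
# runner image and cache paths are assumptions.
policy:
  name: Policy (advisory)   # mode in the name; PRs 11/12 drop the qualifier
  runs-on: ubuntu-latest
  # No permissions: block of its own, so the workflow-level token scope is
  # inherited unchanged and nothing here can widen it for other jobs.
  steps:
    - uses: actions/checkout@v4
    - uses: dtolnay/rust-toolchain@stable
    - uses: actions/cache@v4
      with:
        path: |
          ~/.cargo/registry
          ~/.cargo/git
          target
        # Dedicated key: this job checks different targets than lint, so
        # sharing lint's cache would make the two jobs thrash each other.
        key: cargo-policy-${{ hashFiles('**/Cargo.lock') }}
    - name: Run advisory policy checks
      # Runs all seven advisory checks and writes
      # target/policy/policy-report.{md,json} plus each *-report.{md,json}.
      run: cargo xtask policy-report
    - name: Upload policy reports
      # always(): keep the artifact even if a later rollout PR promotes a
      # sub-check to blocking mode and the step above fails.
      if: always()
      uses: actions/upload-artifact@v7
      with:
        name: policy-reports
        path: target/policy/
        # A broken xtask that writes nothing must fail the upload, not
        # silently publish an empty artifact.
        if-no-files-found: error
        retention-days: 30
```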