
ci(policy): run file policy checks advisory (#209, rollout PR 10/12) #222

Merged: EffortlessSteven merged 1 commit into main from ci/policy-advisory-job-20260511 on May 12, 2026

Conversation

@EffortlessSteven (Member)

Summary

Tenth PR in the 12-PR file-policy rollout. First PR to touch a CI workflow file. Wires the seven advisory xtask checks into CI and uploads the aggregated target/policy/ as an artifact. Never blocks merge.

Issue

Closes #209. Consumes PR 5 (#204), 6 (#205), 7 (#206), 8 (#207), 9 (#208). Refines #180. Tracks #109.

What the new CI job does

Policy (advisory) job in .github/workflows/ci.yml:

  1. Checks out the repo, installs stable Rust, caches Cargo under a policy-keyed cache.
  2. Runs cargo xtask policy-report, which internally invokes all seven advisory checks and writes the unified report alongside each sub-report.
  3. Uploads target/policy/ as a policy-reports artifact with 30-day retention and if-no-files-found: error.

The job sits after lint in ci.yml so it gets early visibility but runs concurrently with the test/build matrix. No critical-path extension expected.

Decisions

  • if: always() on the upload step so the artifact lands even when PRs 11/12 later promote sub-checks to blocking mode and a fail occurs.
  • if-no-files-found: error so a silently-empty target/policy/ (e.g., from a broken xtask) fails the upload rather than silently uploading nothing.
  • Dedicated cargo-policy-${{ hashFiles('**/Cargo.lock') }} cache key so the policy job doesn't fight with lint's cache (different cargo check targets).
  • Policy (advisory) name explicitly carries the mode so a future required-check ratchet (PRs 11/12) can rename the job to drop the "(advisory)" qualifier as a signal of the new posture.

Docs

  • docs/FILE_POLICY.md "Rollout" section now records that PR 10 is the current state.
  • docs/POLICY_ALLOWLISTS.md and docs/policy/NON_RUST_ROLLOUT.md flip PR 9 to landed, PR 10 to in flight.

Acceptance

  • .github/workflows/ci.yml parses as valid YAML.
  • cargo check --workspace --locked passes.
  • cargo xtask policy-report still produces both unified artifacts locally.
  • No other CI jobs touched; no permissions: changes; no critical-path lengthening.
  • Artifact upload uses pinned actions/upload-artifact@v7 (consistent with the rest of ci.yml).

Follow-ups

Tenth PR in the 12-PR file-policy rollout. Wires the seven advisory
xtask checks into CI and uploads the aggregated report as an
artifact. Never blocks merge.

## CI

Adds a `Policy (advisory)` job to .github/workflows/ci.yml. The job:

  - Checks out the repo and installs the stable Rust toolchain.
  - Caches Cargo under a dedicated `policy` cache key.
  - Runs `cargo xtask policy-report`, which itself invokes all seven
    advisory checks (file / generated / executable / dependency-
    surface / workflow / process / network) and writes the unified
    target/policy/policy-report.{md,json} alongside each sub-report's
    *-report.{md,json}.
  - Uploads `target/policy/` as a `policy-reports` artifact with
    `if: always()` and 30-day retention.

The job sits after `lint` in ci.yml so it gets early visibility but
runs concurrently with the test/build matrix — no critical-path
extension.

## Docs

- docs/FILE_POLICY.md "Rollout" section now records that PR 10 is the
  *current state* of the rollout.
- docs/POLICY_ALLOWLISTS.md and docs/policy/NON_RUST_ROLLOUT.md flip
  PR 9 to "landed" and PR 10 to "in flight".

## Acceptance

- ci.yml parses as valid YAML.
- `cargo check --workspace --locked` passes.
- `cargo xtask policy-report` still produces both unified artifacts
  locally.
- The Policy job is not gated by `if:` / `permissions` changes that
  could affect other jobs.
- Artifact upload uses `actions/upload-artifact@v7` (consistent with
  the rest of ci.yml) and `if-no-files-found: error` so a silently
  empty target/policy/ won't pass.

## Out of scope

- PR 11 (#210): promote file/generated/executable/dependency/workflow
  to blocking-allowlist.
- PR 12 (#211): promote process/network to blocking-allowlist.

Closes #209.
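As an added illustration (not the project's own ci.yml, which this page does not show), the job below is what the description above amounts to in GitHub Actions syntax. Only the job name, `cargo xtask policy-report`, the `cargo-policy-${{ hashFiles('**/Cargo.lock') }}` cache key, the `policy-reports` artifact from `target/policy/`, `if: always()`, `if-no-files-found: error`, 30-day retention and `actions/upload-artifact@v7` come from the PR text; the checkout, toolchain and cache actions with their versions, the cache paths, the runner image and the `needs: lint` wiring are assumptions.

```yaml
# Added example: reconstruction of the "Policy (advisory)" job from the PR
# description. Not the repository's ci.yml; items marked "assumed" are not
# stated on the page.
jobs:
  policy:
    name: Policy (advisory)
    runs-on: ubuntu-latest            # assumed
    needs: lint                       # assumed reading of "sits after lint";
                                      # test/build jobs are not listed here,
                                      # so this job runs alongside them
    steps:
      - uses: actions/checkout@v4     # assumed version

      - uses: dtolnay/rust-toolchain@stable   # assumed: any stable-toolchain action

      # Policy-keyed cache so this job never contends with lint's cache
      # (the two run different `cargo check` targets).
      - uses: actions/cache@v4        # assumed version and paths
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: cargo-policy-${{ hashFiles('**/Cargo.lock') }}

      # Runs all seven advisory checks and writes the unified report plus
      # each sub-report into target/policy/. In advisory mode this exits 0.
      - name: Policy report
        run: cargo xtask policy-report

      # always(): the report is uploaded even after PRs 11/12 promote checks
      # to blocking and this step's predecessor fails.
      # if-no-files-found: error: an empty target/policy/ (e.g. xtask broke
      # before writing anything) fails the upload instead of shipping nothing.
      - uses: actions/upload-artifact@v7
        if: always()
        with:
          name: policy-reports
          path: target/policy/
          if-no-files-found: error
          retention-days: 30
```

Two properties of this shape are worth checking when reviewing the real file: the "never blocks merge" posture rests on the xtask exiting zero while the checks are advisory and on the job not being listed as a required status check, and `if: always()` only guards the upload step, so a crashed xtask still turns the job red (which is the intended signal) while the partial report, if any, is still retained.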
@gemini-code-assist


Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@chatgpt-codex-connector


You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented May 12, 2026


Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minute and 46 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 24b0e83c-1df9-431c-9730-774e5b6e02f0

📥 Commits

Reviewing files that changed from the base of the PR and between d77db14 and 979b2fd.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • docs/FILE_POLICY.md
  • docs/POLICY_ALLOWLISTS.md
  • docs/policy/NON_RUST_ROLLOUT.md

@factory-droid

factory-droid Bot commented May 12, 2026

Droid finished @EffortlessSteven's task.


Validation Complete — PR #222

Status: approved
Head SHA: 979b2fd4a81b151648ae3e72a4d40e8430b0adbc


Summary

No actionable findings emitted.

Inspected surfaces:

  • .github/workflows/ci.yml: new Policy (advisory) job definition
  • docs/FILE_POLICY.md: rollout status update
  • docs/POLICY_ALLOWLISTS.md: PR 9/10 status transition
  • docs/policy/NON_RUST_ROLLOUT.md: PR 9 landed, PR 10 in flight ledger update

Checks performed:

  • CI job correctness: advisory-only, no merge blocking; proper cache key isolation (cargo-policy- prefix); if: always() on artifact upload; if-no-files-found: error sentinel; actions/upload-artifact@v7 pinned consistently
  • Documentation consistency: rollout tracker accurately reflects PR 10 state; no stale references
  • No Rust source changes; no publish-state or registry-truth changes; no token handling, no unsafe code, no state/resume/receipt modifications

Why no comments:
Diff is pure CI infrastructure (YAML job definition) and documentation ledger updates. No behavioral changes to shipper-core engine, no changes to shipper-cli adapter, no changes to shipper façade. Advisory job correctly uses if: always() so artifact upload lands even when future promotion PRs cause a fail. Cache key correctly names policy to avoid cache contention with lint job.

Residual risk:
Registry-side ambiguity remains outside scope; this PR does not address Reconcile competency. Advisory job will not block merge per design.

Validation signal:

  • Observed: diff only touches YAML workflow and markdown docs
  • Reported: PR description states acceptance criteria (YAML parses, cargo check passes, xtask produces reports)
  • Not verified: actual CI run of the new job

Validated at: 2026-05-12T02:15:00Z

@EffortlessSteven EffortlessSteven merged commit 178b523 into main May 12, 2026
21 checks passed
@EffortlessSteven EffortlessSteven deleted the ci/policy-advisory-job-20260511 branch May 12, 2026 01:35
Development

Successfully merging this pull request may close these issues.

ci(policy): run file policy checks advisory (rollout PR 10/12)