
ci(policy): require non-Rust file policy allowlist (#210, rollout PR 11/12)#223

Merged
EffortlessSteven merged 1 commit into
mainfrom
ci/policy-promote-blocking-20260511
May 12, 2026

Conversation

@EffortlessSteven

Member

Summary

Eleventh PR in the 12-PR file-policy rollout. The promotion PR. Five of seven advisory checks become merge-blocking, with one significant refactor + 12 new receipts to make blocking-allowlist actually pass on the current main.

Issue

Closes #210. Builds on PR 10 (#209, CI advisory wiring). Refines #180. Tracks #109.

What changed

1. Refactor: companion-ledger pre-filter (xtask/src/check_file_policy.rs)

The non-Rust-allowlist checker now loads the other four ledgers (generated, executable, dependency-surface, workflow) and excludes any tracked file already matched by a companion selector before reconciliation. Universe drops from 1018 → 178 — the 813 snapshots, 9 workflows, 16 dep-surface manifests etc. are now correctly deferred to their dedicated checkers instead of being double-counted as unreceipted by check-file-policy.

2. Receipts: cover the remaining 107

After the companion filter, 107 actually-uncovered files remained. Receipted as broad globs in policy/non-rust-allowlist.toml:

| Glob / file | Why |
| --- | --- |
| .cargo/** | Cargo workspace config (aliases, mutants.toml) |
| .config/** | Tool config (nextest) |
| .factory/** | Droid review skill + rules |
| .github/CODEOWNERS, .github/copilot-instructions.md, .github/settings.yml | GitHub repo config |
| .gitignore | Git config |
| crates/**/AGENTS.md, crates/**/CLAUDE.md | Per-crate agent docs (incl. nested dirs) |
| crates/*/README.md | Per-crate READMEs (crates.io display) |
| crates/*/proptest-regressions/** | Proptest regression seeds |
| policy/** | Policy TOML ledgers themselves |

Plus xtask/Cargo.toml added to dependency-surface-allowlist.toml (it's a dep manifest, not a non-Rust doc).

Removed the now-unused fuzz/** glob from non-rust-allowlist.

3. CI: promote five checks

.github/workflows/ci.yml's policy job (renamed from Policy (advisory) to Policy) now invokes each check explicitly:

check-file-policy           --mode blocking-allowlist
check-generated             --mode blocking-allowlist
check-executable-files      --mode blocking-allowlist
check-dependency-surfaces   --mode blocking-allowlist
check-workflow-surfaces     --mode blocking-allowlist
check-process-policy        --mode advisory      (PR 12 promotes)
check-network-policy        --mode advisory      (PR 12 promotes)
policy-report                                    (if: always — artifact always uploaded)

4. Docs

  • docs/FILE_POLICY.md "Rollout" section now records PR 11 as the current state of the rollout and explains the rename.
  • docs/POLICY_ALLOWLISTS.md and docs/policy/NON_RUST_ROLLOUT.md flip PR 10 → landed, PR 11 → in flight.

Live local results

check-file-policy           tracked=178 entries=35  ALL ZERO
check-generated             universe=0  entries=1   ALL ZERO
check-executable-files      universe=0  entries=0   ALL ZERO
check-dependency-surfaces   universe=16 entries=5   ALL ZERO (unused=1 advisory-only)
check-workflow-surfaces     workflows=9 entries=10  ALL ZERO
check-process-policy        unknown=10 (advisory, known false positives)
check-network-policy        unknown=0

All five blocking checks exit 0 on current main. CI will exit 1 on an unreceipted new non-Rust file.

Acceptance

  • cargo check --workspace --locked passes.
  • cargo clippy -p xtask --all-targets --locked -- -D warnings clean.
  • cargo fmt --all -- --check clean.
  • All 5 blocking-allowlist invocations exit 0 locally.
  • All policy/*.toml files parse.
  • .github/workflows/ci.yml parses.
  • The Policy job's artifact upload uses if: always() so failures still produce the report.

Follow-ups

Eleventh PR in the 12-PR file-policy rollout. Promotes five of the
seven advisory checks to --mode blocking-allowlist in CI:

  check-file-policy
  check-generated
  check-executable-files
  check-dependency-surfaces
  check-workflow-surfaces

check-process-policy and check-network-policy stay at --mode advisory
until PR 12 (#211).

## What this PR actually does

Promoting check-file-policy from advisory to blocking surfaced two
real problems with the prior architecture:

1. **Double counting.** The non-Rust-allowlist checker only consulted
   `policy/non-rust-allowlist.toml`. Files already receipted in
   companion ledgers (`generated`, `executable`,
   `dependency-surface`, `workflow`) were reported as unreceipted by
   this checker — 945 false unreceipted entries, dominated by the 813
   `**/*.snap` files in the generated ledger.

2. **Missing receipts for the actually-uncovered ~107.** PR 2's
   seeded receipts covered top-level docs, agent files, license,
   release artifacts, build config, and four broad subtree globs.
   Repo-internal dotfile dirs (`.cargo/`, `.config/`, `.factory/`,
   selected `.github/` files), per-crate agent docs, per-crate
   READMEs, proptest regression seeds, the policy ledgers themselves,
   and `xtask/Cargo.toml` were all uncovered.

This PR resolves both:

### Refactor: companion-ledger pre-filter

`xtask/src/check_file_policy.rs` now loads the other four ledgers
(`generated-allowlist.toml`, `executable-allowlist.toml`,
`dependency-surface-allowlist.toml`, `workflow-allowlist.toml`),
builds a `CompanionSelector` set, and excludes any tracked file
matched by any companion selector before reconciliation. The non-Rust
checker now sees ONLY files that aren't receipted elsewhere.

Universe drops from 1018 → 178 (the 813 + 9 + ~16 + others handled by
companions).

### Receipts: cover the remaining 107

Adds broad-glob receipts for:

  .cargo/**          .config/**        .factory/**
  .github/CODEOWNERS .github/copilot-instructions.md .github/settings.yml
  .gitignore         crates/**/AGENTS.md   crates/**/CLAUDE.md
  crates/*/README.md crates/*/proptest-regressions/**
  policy/**

And adds `xtask/Cargo.toml` to `dependency-surface-allowlist.toml`
(where it belongs — it's a dep manifest).

Removed the `fuzz/**` glob from non-rust-allowlist (it was unused
after the companion-ledger filter — fuzz tracked files are now all
covered by `.rs` exclusion or `fuzz/Cargo.toml` in dep-surface).

### CI: promote five checks

`.github/workflows/ci.yml` `policy` job (was `Policy (advisory)`,
renamed to `Policy`) now runs the five blocking checks plus the two
advisory checks plus `cargo xtask policy-report`. The unified report
step uses `if: always()` so the artifact lands even when one of the
blocking checks fails. Upload still uses
`actions/upload-artifact@v7` and `if-no-files-found: error`.

### Docs

- `docs/FILE_POLICY.md` "Rollout" section marks PR 11 as the
  *current state of the rollout* and explains the rename.
- `docs/POLICY_ALLOWLISTS.md` and `docs/policy/NON_RUST_ROLLOUT.md`
  flip PR 10 to "landed" and PR 11 to "in flight".

## Acceptance (local)

  cargo xtask check-file-policy --mode blocking-allowlist
    file-policy (blocking-allowlist): tracked=178 entries=35
    unreceipted=0 missing_fields=0 expired=0 stale=0 unused=0

  cargo xtask check-generated --mode blocking-allowlist            (clean)
  cargo xtask check-executable-files --mode blocking-allowlist     (clean)
  cargo xtask check-dependency-surfaces --mode blocking-allowlist  (clean)
  cargo xtask check-workflow-surfaces --mode blocking-allowlist    (clean)

  cargo check --workspace --locked   OK
  cargo clippy -p xtask --all-targets --locked -- -D warnings  clean
  cargo fmt --all -- --check  clean

## Out of scope

- PR 12 (#211): promote check-process-policy and check-network-policy
  to blocking-allowlist after a clean observational window.
- blocking-strict mode (which fails on unused entries and stale
  review dates) remains deferred to a future cleanup pass.

Closes #210.

@coderabbitai

coderabbitai Bot commented May 12, 2026


Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 37 minutes before requesting another review.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d03d80f3-cb6c-4fbe-a169-1a3e0a9a915a

📥 Commits

Reviewing files that changed from the base of the PR and between 178b523 and dff4975.

📒 Files selected for processing (7)
  • .github/workflows/ci.yml
  • docs/FILE_POLICY.md
  • docs/POLICY_ALLOWLISTS.md
  • docs/policy/NON_RUST_ROLLOUT.md
  • policy/dependency-surface-allowlist.toml
  • policy/non-rust-allowlist.toml
  • xtask/src/check_file_policy.rs

@factory-droid

factory-droid Bot commented May 12, 2026


Droid finished @EffortlessSteven's task.


Droid review complete. ✅ No candidate comments emitted — diff is clean. Five file-policy checks promoted to blocking-allowlist in CI, companion-ledger pre-filter refactored correctly, and all TOML receipts valid.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment



💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dff49756a9


review_after = "2026-08-11"

[[file]]
path = "xtask/Cargo.toml"



P2: Keep xtask manifest in the dependency universe

This new companion receipt causes check-file-policy to defer xtask/Cargo.toml to check-dependency-surfaces, but that checker’s universe in xtask/src/checks.rs::dependency_surface_files only includes root Cargo.toml/Cargo.lock/deny.toml, crates/*/Cargo.toml, and fuzz/Cargo.*. As a result this entry is always reported as unused (and would fail once blocking-strict is enabled), so either the dependency-surface universe should include xtask/Cargo.toml or this manifest should stay covered by the general non-Rust allowlist.

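As an added illustration of two things on this page, the companion-ledger pre-filter described in the PR body and the "unused entry" failure mode raised in the Codex review above, here is a small self-contained model of the filter and of the reconciliation that yields the unreceipted/unused counts. This is example code, not the project's xtask implementation: the glob matcher, the tracked-file list, the ledger globs and the dependency-surface universe (modelled on the root manifests, crates/*/Cargo.toml and fuzz/Cargo.* the review comment lists) are all constructed assumptions.

```rust
// Added example, not the project's xtask code. Models the companion-ledger
// pre-filter and the reconciliation behind the unreceipted/unused counts.
// File list, ledger globs and universes below are constructed assumptions.
use std::collections::BTreeSet;

/// Match one path segment against a pattern segment; `*` absorbs any run of
/// characters within the segment (ASCII paths assumed).
fn seg_match(p: &str, s: &str) -> bool {
    match p.find('*') {
        None => p == s,
        Some(i) => {
            let (prefix, rest) = (&p[..i], &p[i + 1..]);
            s.starts_with(prefix) && (prefix.len()..=s.len()).any(|k| seg_match(rest, &s[k..]))
        }
    }
}

/// Segment-wise matcher: `**` spans zero or more whole segments.
fn segs_match(pat: &[&str], parts: &[&str]) -> bool {
    match pat.split_first() {
        None => parts.is_empty(),
        Some((&"**", rest)) => (0..=parts.len()).any(|i| segs_match(rest, &parts[i..])),
        Some((p, rest)) => match parts.split_first() {
            Some((part, prest)) => seg_match(p, part) && segs_match(rest, prest),
            None => false,
        },
    }
}

pub fn glob_match(pattern: &str, path: &str) -> bool {
    let pat: Vec<&str> = pattern.split('/').collect();
    let parts: Vec<&str> = path.split('/').collect();
    segs_match(&pat, &parts)
}

/// One allowlist ledger: the file-selector globs it receipts.
pub struct Ledger {
    pub globs: Vec<&'static str>,
}

/// Companion pre-filter: drop every file some companion ledger already selects,
/// deferring it to that ledger's checker instead of double-counting it here.
pub fn companion_prefilter<'a>(universe: &[&'a str], companions: &[&Ledger]) -> Vec<&'a str> {
    universe
        .iter()
        .copied()
        .filter(|f| !companions.iter().any(|l| l.globs.iter().any(|g| glob_match(g, f))))
        .collect()
}

/// Files no entry selects fail blocking-allowlist; entries selecting nothing in
/// this checker's universe are "unused" and would fail blocking-strict.
#[derive(Debug, Default, PartialEq)]
pub struct Reconciliation {
    pub unreceipted: Vec<String>,
    pub unused: Vec<String>,
}

pub fn reconcile(universe: &[&str], ledger: &Ledger) -> Reconciliation {
    let mut used: BTreeSet<&str> = BTreeSet::new();
    let mut out = Reconciliation::default();
    for f in universe {
        let hits: Vec<&str> = ledger.globs.iter().copied().filter(|g| glob_match(g, f)).collect();
        if hits.is_empty() {
            out.unreceipted.push(f.to_string());
        }
        used.extend(hits);
    }
    out.unused = ledger.globs.iter().filter(|g| !used.contains(*g)).map(|g| g.to_string()).collect();
    out
}

pub struct Demo {
    pub non_rust_before: usize,
    pub non_rust_after: usize,
    pub non_rust: Reconciliation,
    pub dep_surface: Reconciliation,
}

/// Constructed repository snapshot and ledgers (not the project's real files).
pub fn run_demo() -> Demo {
    let tracked = [
        "Cargo.toml", "Cargo.lock", "deny.toml", "crates/foo/Cargo.toml", "crates/foo/src/lib.rs",
        "crates/foo/README.md", "crates/foo/tests/snapshots/case.snap", ".github/workflows/ci.yml",
        "xtask/Cargo.toml", "xtask/src/main.rs", "policy/non-rust-allowlist.toml", "docs/NEW_NOTE.md",
    ];
    let generated = Ledger { globs: vec!["**/*.snap"] };
    let workflow = Ledger { globs: vec![".github/workflows/*.yml"] };
    // The PR moves the xtask/Cargo.toml receipt into this ledger.
    let dep_surface = Ledger {
        globs: vec!["Cargo.toml", "Cargo.lock", "deny.toml", "crates/*/Cargo.toml", "xtask/Cargo.toml"],
    };
    let non_rust = Ledger { globs: vec!["crates/*/README.md", "policy/**"] };

    // Non-Rust universe: every tracked file that is not a Rust source, then pre-filtered.
    let before: Vec<&str> = tracked.iter().copied().filter(|f| !f.ends_with(".rs")).collect();
    let after = companion_prefilter(&before, &[&generated, &workflow, &dep_surface]);

    // Dependency-surface universe as the review comment describes it: root manifests,
    // crates/*/Cargo.toml and fuzz/Cargo.*. xtask/Cargo.toml is absent, so its receipt
    // is matched by nothing and is reported as unused.
    let dep_sel = ["Cargo.toml", "Cargo.lock", "deny.toml", "crates/*/Cargo.toml", "fuzz/Cargo.*"];
    let dep_universe: Vec<&str> =
        tracked.iter().copied().filter(|f| dep_sel.iter().any(|g| glob_match(g, f))).collect();

    Demo {
        non_rust_before: before.len(),
        non_rust_after: after.len(),
        non_rust: reconcile(&after, &non_rust),
        dep_surface: reconcile(&dep_universe, &dep_surface),
    }
}

fn main() {
    let d = run_demo();
    println!("non-rust universe {} -> {} after companion pre-filter", d.non_rust_before, d.non_rust_after);
    println!("non-rust unreceipted={:?} unused={:?}", d.non_rust.unreceipted, d.non_rust.unused);
    println!("dependency-surface unreceipted={:?} unused={:?}", d.dep_surface.unreceipted, d.dep_surface.unused);
}
```

Running it shows the non-Rust universe shrinking from 10 to 3 once companion-selected files are deferred, a single unreceipted newcomer (docs/NEW_NOTE.md) that blocking-allowlist would reject, and the xtask/Cargo.toml receipt surfacing as unused because the dependency-surface universe never offers it a file to match; the fix is either to widen that universe or to keep the receipt in the ledger whose universe does contain the file.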

@EffortlessSteven EffortlessSteven merged commit 2bc1360 into main May 12, 2026
23 checks passed
@EffortlessSteven EffortlessSteven deleted the ci/policy-promote-blocking-20260511 branch May 12, 2026 02:07
Development

Successfully merging this pull request may close these issues.

ci(policy): require non-Rust file policy allowlist (rollout PR 11/12)