Add Security realted changes #16
Workflow file for this run
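# CI for the MACP runtime: cargo check / fmt / clippy / test / release build,
# protobuf lint with breaking-change detection, and a proto drift check
# against the Buf Schema Registry (BSR).
#
# Supply-chain note: every `uses:` below references a mutable tag or branch
# (`@v4`, `@v1`, `@stable`). Pinning each action to a full commit SHA
# (e.g. `actions/checkout@<FULL_COMMIT_SHA>  # v4`) keeps a moved tag from
# changing what runs in this pipeline.
name: MACP Runtime CI

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: no job here writes to the repository, so the workflow
# token is limited to reading contents instead of the repository default.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  check:
    name: Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Later steps run build scripts from dependencies; do not leave
          # the workflow token in .git/config where they could read it.
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Cache cargo registry and build
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ${{ runner.os }}-cargo-

      - name: Install protoc
        run: |
          sudo apt-get update
          sudo apt-get install -y protobuf-compiler

      - name: Cargo check
        run: cargo check --all-targets

  fmt:
    name: Format
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt

      - name: Check formatting
        run: cargo fmt --all -- --check

  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy

      - name: Cache cargo registry and build
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ${{ runner.os }}-cargo-

      - name: Install protoc
        run: |
          sudo apt-get update
          sudo apt-get install -y protobuf-compiler

      - name: Run clippy
        run: cargo clippy --all-targets -- -D warnings

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Cache cargo registry and build
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ${{ runner.os }}-cargo-

      - name: Install protoc
        run: |
          sudo apt-get update
          sudo apt-get install -y protobuf-compiler

      - name: Run tests
        run: cargo test --all-targets
        env:
          MACP_MEMORY_ONLY: "1"

  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Cache cargo registry and build
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ${{ runner.os }}-cargo-

      - name: Install protoc
        run: |
          sudo apt-get update
          sudo apt-get install -y protobuf-compiler

      - name: Build release
        run: cargo build --release

  lint-protobuf:
    name: Lint Protocol Buffers
    runs-on: ubuntu-latest
    steps:
      # Credential persistence is left at the checkout default here because
      # the breaking-change step below runs `git fetch origin main`.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install buf
        uses: bufbuild/buf-setup-action@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Lint protobuf with buf
        run: buf lint proto

      - name: Check for breaking changes
        if: github.event_name == 'pull_request'
        run: |
          git fetch origin main
          # Skip if main branch doesn't have a buf module yet
          if git show origin/main:proto/buf.yaml > /dev/null 2>&1; then
            buf breaking proto --against '.git#branch=origin/main,subdir=proto'
          else
            echo "No buf module found on main branch, skipping breaking change check"
          fi

  proto-sync:
    name: Proto Sync Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - uses: bufbuild/buf-setup-action@v1

      # NOTE(review): the module reference below carries no `:<REF>` suffix,
      # so the comparison is against whatever BSR currently serves rather
      # than a fixed version, despite the step name. Confirm whether a pinned
      # reference (buf.build/multiagentcoordinationprotocol/macp:<PINNED_REF>)
      # is intended.
      - name: Verify protos match pinned BSR version
        run: |
          # Use a private variable name rather than overriding TMPDIR, and
          # clean up through a trap so the directory is removed on failure too.
          export_dir=$(mktemp -d)
          trap 'rm -rf "$export_dir"' EXIT
          buf export buf.build/multiagentcoordinationprotocol/macp -o "$export_dir"
          drift=0
          for proto in \
            macp/v1/envelope.proto \
            macp/v1/core.proto \
            macp/modes/decision/v1/decision.proto \
            macp/modes/proposal/v1/proposal.proto \
            macp/modes/task/v1/task.proto \
            macp/modes/handoff/v1/handoff.proto \
            macp/modes/quorum/v1/quorum.proto; do
            if ! diff -q "$export_dir/$proto" "proto/$proto" > /dev/null 2>&1; then
              echo "DRIFT: $proto"
              diff -u "$export_dir/$proto" "proto/$proto" || true
              drift=1
            fi
          done
          if [ "$drift" -ne 0 ]; then
            echo "Proto files don't match BSR. Run 'make sync-protos'."
            exit 1
          fi
          echo "All proto files match BSR."

  ci-pass:
    name: All Checks Passed
    runs-on: ubuntu-latest
    needs: [check, fmt, clippy, test, build, lint-protobuf, proto-sync]
    # Without `always()`, this job is skipped when any needed job fails, and a
    # skipped job reports as successful to required status checks. Run it
    # unconditionally and fail explicitly so it can serve as a merge gate.
    if: always()
    steps:
      - name: Summary
        env:
          # Evaluated by the expression engine and handed over as an
          # environment variable, not interpolated into the script text.
          NEEDS_NOT_OK: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') }}
        run: |
          if [ "$NEEDS_NOT_OK" = "true" ]; then
            echo "One or more required jobs did not succeed"
            exit 1
          fi
          echo "All checks passed successfully"
          echo " - cargo check"
          echo " - cargo fmt"
          echo " - cargo clippy"
          echo " - cargo test"
          echo " - cargo build --release"
          echo " - protobuf lint"
          echo " - proto sync check"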