Summary
Bring this repository onto the shared Rust tooling workflow now working in markov-chain-monte-carlo: run just ci consistently in GitHub Actions, install project tooling through uv or Cargo, and align the security checks.
Current State
The repository should be reviewed against the current shared baseline rather than assuming the existing CI, Python tooling, and security workflows are equivalent.
Proposed Changes
Update CI so Linux, macOS, and Windows run just ci where practical.
Install developer and CI tools through uv or Cargo instead of relying on Homebrew or runner-global tools.
Prefer taiki-e/cache-cargo-install-action for Cargo-installed CI tools in PR-running workflows instead of raw cargo install steps.
Add taiki-e/cache-cargo-install-action@* to the repository selected-actions allowlist before switching workflows.
Pin the cache action by full SHA with a readable version comment, matching the repository-owned workflow policy.
Measure both cold-cache and warm-cache PR timings; expect the first cache-warming run after tool-version changes to be slow.
Keep full just ci platform coverage unless a later CI-shape change documents an explicit replacement.
Remove taiki-e/install-action from workflows and selected-actions allowlists once equivalent Cargo installs/caches are in place.
Pin and verify tool versions for just, cargo-nextest, dprint, taplo, typos, zizmor, and any coverage or changelog helpers used here.
Ensure yamllint, actionlint, Semgrep, Ruff, and other Python-side tools are managed through the uv dev environment where appropriate.
Add or update zizmor local and GitHub Actions coverage.
Add a SECURITY.md policy if one is missing.
Add a repository-owned Semgrep SARIF workflow similar to semgrep-sarif.yml if this repo does not already upload equivalent results to GitHub Code Scanning.
Require strict Semgrep execution for local and CI scans.
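As an added example (not code from this issue or from either repository), the following workflow fragment shows the tooling-install pattern the list above proposes: the raw install steps to retire, commented out, next to the cached, SHA-pinned replacement. The commit SHAs, tool versions, and the astral-sh/setup-uv step are placeholders and assumptions, not values taken from the repositories.

```yaml
# Added example, not from the issue or either repository. Every <...>
# value is a placeholder to be replaced with a verified SHA or version.
jobs:
  ci:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@<FULL_40_HEX_SHA>  # v4.x.y (placeholder)

      # Before: tag-pinned install-action plus a raw cargo install that
      # pins nothing and recompiles the tool on every run.
      # - uses: taiki-e/install-action@v2
      #   with:
      #     tool: just
      # - run: cargo install cargo-nextest

      # After: the cache action, pinned by full SHA with a readable version
      # comment (the pattern the Semgrep rules check), installing each tool
      # at an explicitly pinned version so the cache key is reproducible.
      - uses: taiki-e/cache-cargo-install-action@<FULL_40_HEX_SHA>  # v2.x.y (placeholder)
        with:
          tool: just@<PINNED_VERSION>
      - uses: taiki-e/cache-cargo-install-action@<FULL_40_HEX_SHA>  # v2.x.y (placeholder)
        with:
          tool: cargo-nextest@<PINNED_VERSION>

      # Python-side tools (yamllint, actionlint, Semgrep, Ruff) come from
      # the uv dev environment rather than Homebrew or runner-global installs.
      - uses: astral-sh/setup-uv@<FULL_40_HEX_SHA>  # vN.x.y (placeholder)
      - run: uv sync

      # One entry point on every platform; the recipe runs the same checks
      # locally and in CI.
      - run: just ci
```

Both taiki-e actions must also appear in the repository selected-actions allowlist before the workflow switch lands, and the first run after a tool-version change will be slow while the cache warms.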
Benefits
This gives the repo the same reproducible local and CI validation path across operating systems, reduces drift from system package managers, and improves GitHub Actions supply-chain coverage.
Implementation Notes
Use markov-chain-monte-carlo as the reference implementation for the current workflow, including just ci, cargo-nextest, uv-managed linters, zizmor, the GitHub Actions SHA/version-comment Semgrep rules, repository security policy structure, and cached Cargo-installed CI tooling from acgetchell/markov-chain-monte-carlo#68 / #57.
Blocks: #113