Last Updated: 2025-10-03 Version: 0.1.0 Status: Production-Grade CI/CD
pforge employs a comprehensive CI/CD pipeline with 11 parallel jobs covering testing, security, performance, and quality. All jobs run on every push to main/develop and on pull requests.
| Metric | Status | Details |
|---|---|---|
| Total Jobs | 11 | All automated and parallel where possible |
| Platform Coverage | 3 OS | Ubuntu, macOS, Windows |
| Rust Versions | 2 | stable, beta |
| Avg Pipeline Time | ~15 min | Optimized with caching |
| Artifact Retention | 90 days | Binaries, coverage, benchmarks |
| Security Scans | 3 types | audit, deny, dependency-review |
┌─────────────┐
│ Push/PR │
└──────┬──────┘
│
├──────────────┬─────────────┬──────────────┬───────────────┐
│ │ │ │ │
▼ ▼ ▼ ▼ ▼
┌────────┐ ┌─────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Test │ │ Fmt │ │ Clippy │ │ Build │ │ Coverage │
│ Matrix │ │ │ │ │ │ Matrix │ │ │
└────────┘ └─────────┘ └──────────┘ └──────────┘ └──────────┘
│ │ │ │ │
└──────────────┴─────────────┴──────────────┴───────────────┘
│
┌────────────────────────────┴────────────────────────────┐
│ │ │
▼ ▼ ▼
┌──────────┐ ┌──────────────┐ ┌────────────┐
│ Security │ │ Mutation │ │ Benchmarks │
│ Audit │ │ Testing │ │ Regression │
└──────────┘ └──────────────┘ └────────────┘
│ │ │
└─────────────────────────────┴────────────────────────────┘
│
┌───────┴────────┐
│ │
▼ ▼
┌──────────────┐ ┌─────────────┐
│ Dependency │ │ Supply │
│ Review │ │ Chain │
└──────────────┘ └─────────────┘
Platforms: Ubuntu, macOS, Windows Rust Versions: stable, beta Purpose: Cross-platform compatibility verification
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
rust: [stable, beta]Tests Run:
- Unit tests (all crates)
- Integration tests (pforge-integration-tests)
- Property-based tests (120K+ test cases)
Caching:
- Cargo registry
- Cargo git dependencies
- Build artifacts
Runtime: ~8-12 minutes
Failure Criteria:
- Any test failure
- Any platform/version combination fails
Purpose: Enforce consistent code style
cargo fmt --all -- --checkRuntime: ~30 seconds
Failure Criteria:
- Any file not properly formatted
- Enforced by pre-commit hook locally
Purpose: Catch common mistakes and anti-patterns
cargo clippy --all-targets --all-features -- -D warningsLints Enforced:
- All clippy warnings as errors
- Memory safety patterns
- Performance anti-patterns
- API consistency
Runtime: ~2-3 minutes
Failure Criteria:
- Any clippy warning
Platforms: Ubuntu, macOS, Windows Purpose: Ensure release builds succeed on all platforms
cargo build --release --verboseArtifacts Uploaded:
- Binary executables (pforge, pforge.exe)
- Retention: 90 days
Runtime: ~5-7 minutes
Failure Criteria:
- Build failure on any platform
Tool: cargo-tarpaulin Target: ≥80% line coverage Purpose: Ensure comprehensive test coverage
cargo tarpaulin --out Xml --all-features --workspaceThreshold Enforcement:
if coverage < 80%:
exit 1 # Fail CIIntegration:
- Codecov upload (trend tracking)
- Coverage badge in README
Runtime: ~10-12 minutes
Failure Criteria:
- Coverage below 80%
- Coverage regression >5%
Tool: cargo-audit Purpose: Check for known vulnerabilities in dependencies
cargo audit --deny warningsChecks:
- RustSec Advisory Database
- Unmaintained crates
- Yanked crates
- Known vulnerabilities
Runtime: ~1-2 minutes
Failure Criteria:
- Any critical or high-severity vulnerability
- Warnings treated as errors
Purpose: Ensure documentation builds and tests pass
cargo doc --no-deps --all-features
cargo test --docChecks:
- All doc comments valid
- No broken intra-doc links
- All doc tests pass
Runtime: ~3-4 minutes
Failure Criteria:
- Documentation build errors
- Doc test failures
Tool: cargo-mutants Target: ≥80% kill rate (goal: 90%+) Purpose: Validate test effectiveness
cargo mutants --workspace --output mutants-ci.out --jsonMetrics Tracked:
- Mutants caught
- Mutants missed
- Kill rate percentage
Runtime: ~20-30 minutes (longest job)
Failure Criteria:
- Currently informational (warning only)
- Will enforce 80% threshold in future
Artifacts:
- Full mutation report (JSON)
- Uploaded for analysis
Tool: Criterion Target: < 1μs dispatch latency Purpose: Prevent performance regressions
cargo bench --package pforge-runtime -- --output-format bencherChecks:
- Handler dispatch: < 1000ns
- Sequential throughput: > 100K req/s
- Concurrent throughput: > 500K req/s
Runtime: ~5-7 minutes
Failure Criteria:
- Dispatch time exceeds 1000ns
- Any regression >10%
Artifacts:
- Benchmark results (text)
- Historical comparison
Tool: GitHub Dependency Review Trigger: Pull requests only Purpose: Review new dependencies for security/licensing
uses: actions/dependency-review-action@v3
with:
fail-on-severity: moderate
deny-licenses: GPL-3.0, AGPL-3.0Checks:
- New vulnerabilities introduced
- License compatibility
- Supply chain risks
Runtime: ~1-2 minutes
Failure Criteria:
- Moderate or higher vulnerability
- Incompatible license (GPL, AGPL)
Tool: cargo-deny Purpose: Comprehensive dependency analysis
cargo deny checkConfiguration: deny.toml
Checks:
- Advisories: RustSec database
- Licenses: MIT, Apache-2.0, BSD allowed
- Bans: No GPL/AGPL, no duplicate versions
- Sources: Only crates.io allowed
Runtime: ~2-3 minutes
Failure Criteria:
- Denied license
- Critical vulnerability
- Unauthorized source
Goals:
- Reduce CI time by 60-70%
- Minimize redundant builds
- Share artifacts across jobs
Cached Items:
-
Cargo Registry (
~/.cargo/registry)- Key:
${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} - Invalidation: Cargo.lock changes
- Key:
-
Cargo Git (
~/.cargo/git)- Key:
${{ runner.os }}-cargo-git-${{ hashFiles('**/Cargo.lock') }} - Invalidation: Cargo.lock changes
- Key:
-
Build Artifacts (
target/)- Key:
${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }} - Invalidation: Cargo.lock changes
- Key:
-
Cargo Tools (
~/.cargo/bin)- Keys:
cargo-tools-tarpaulincargo-tools-auditcargo-tools-mutantscargo-tools-deny
- Invalidation: Manual (when tool versions change)
- Keys:
Cache Sizes:
- Registry: ~500MB
- Build artifacts: ~2GB
- Tools: ~100MB
Cache Hit Rate: ~85% (estimated)
Before Optimization:
- Total time: ~45 minutes
- Cold cache: ~60 minutes
After Optimization:
- Total time: ~15 minutes (67% faster)
- Cold cache: ~25 minutes (58% faster)
Key Optimizations:
-
Parallel Job Execution
- All independent jobs run in parallel
- Matrix builds maximize parallelism
-
Cargo Tool Caching
- cargo-tarpaulin, cargo-audit, etc. cached
- Saves ~5 minutes per run
-
Incremental Compilation
- Build artifacts cached
- Only changed crates recompiled
-
Dependency Caching
- Registry and git deps cached
- Saves ~3-4 minutes per run
All jobs must pass before merge:
| Job | Required | Can Skip |
|---|---|---|
| Test Suite (all platforms) | ✅ Yes | ❌ No |
| Formatting | ✅ Yes | ❌ No |
| Clippy | ✅ Yes | ❌ No |
| Build (all platforms) | ✅ Yes | ❌ No |
| Coverage (≥80%) | ✅ Yes | ❌ No |
| Security Audit | ✅ Yes | ❌ No |
| Documentation | ✅ Yes | ❌ No |
| Mutation Testing | ✅ Yes | |
| Benchmarks | ✅ Yes | ❌ No |
| Dependency Review | ✅ Yes (PRs only) | ❌ No |
| Supply Chain | ✅ Yes | ❌ No |
Main Branch:
- Require pull request reviews (1 approval)
- Require status checks to pass
- Require up-to-date branches
- No force pushes
- No deletions
Develop Branch:
- Require status checks to pass
- Allow force pushes (with lease)
-
Binary Builds
- Path:
target/release/pforge* - Retention: 90 days
- Platforms: Ubuntu, macOS, Windows
- Path:
-
Coverage Reports
- Path:
cobertura.xml - Retention: 30 days
- Uploaded to Codecov
- Path:
-
Mutation Results
- Path:
mutants-ci.out/ - Retention: 30 days
- Full JSON output
- Path:
-
Benchmark Results
- Path:
benchmark-results.txt - Retention: 90 days
- Historical comparison
- Path:
- Max per artifact: 2GB
- Max total per workflow: 10GB
-
Dependency Pinning
- Cargo.lock checked into repo
- Reproducible builds guaranteed
-
License Enforcement
- Only permissive licenses (MIT, Apache-2.0, BSD)
- GPL/AGPL denied
-
Vulnerability Scanning
- cargo-audit (RustSec database)
- GitHub Dependency Review
- cargo-deny (comprehensive)
-
Source Verification
- Only crates.io allowed
- No git dependencies
- No path dependencies in published crates
No secrets in CI:
- No API keys
- No credentials
- No tokens (except GitHub Actions default)
Future additions (when needed):
- GitHub Secrets for:
- crates.io publish token
- Codecov upload token
| Failure | Cause | Fix |
|---|---|---|
| Test flakiness | Race conditions, timeouts | Add retries, fix test |
| Coverage drop | New code without tests | Add tests |
| Clippy warnings | Code quality issues | Fix warnings |
| Security vulnerabilities | New advisory | Update dependency |
| Performance regression | Inefficient code | Profile and optimize |
| Cache miss | Lock file changed | Wait for rebuild |
Transient Failures:
- Network timeouts: Auto-retry (3 attempts)
- Cache misses: Rebuild from scratch
- Flaky tests: Rerun (up to 2 retries)
Manual Intervention:
- Security vulnerabilities: Update deps
- Coverage regression: Add tests
- Performance regression: Optimize code
Metrics Tracked:
- Success rate by job
- Average runtime by job
- Cache hit rate
- Artifact storage usage
Planned Integrations:
- Slack notifications on failure
- Email on security vulnerabilities
- Discord webhook on releases
-
Run Pre-Commit Hooks
# Ensures local quality matches CI git config core.hooksPath .pmat/hooks -
Run Tests Locally
cargo test --all cargo clippy -- -D warnings cargo fmt --check -
Check Coverage Locally
cargo tarpaulin --out Html --all-features open tarpaulin-report.html
-
Run Benchmarks Locally
cargo bench --package pforge-runtime
-
Review CI Logs
- Check all failed jobs
- Identify patterns
- Fix root causes
-
Update Dependencies Regularly
cargo update cargo audit cargo deny check
-
Monitor Performance Trends
- Review benchmark artifacts
- Track dispatch latency
- Watch for regressions
-
Keep Tooling Updated
cargo install cargo-tarpaulin --locked cargo install cargo-audit --locked cargo install cargo-mutants --locked cargo install cargo-deny --locked
- ✅ Added performance regression checks
- ✅ Added supply chain security (cargo-deny)
- ✅ Added dependency review (GitHub)
- ✅ Optimized caching (tool binaries)
- ✅ Added coverage threshold enforcement
-
Nightly Builds
- Test against Rust nightly
- Early warning for breaking changes
-
Release Automation
- Automated version bumping
- Changelog generation
- crates.io publishing
-
Performance Tracking
- Historical benchmark database
- Trend visualization
- Alert on >10% regression
-
Security Scanning
- SAST (static analysis)
- Dependency graph visualization
-
Artifact Signing
- GPG signatures on releases
- Checksum verification
Symptoms: >30 minutes total time
Causes:
- Cache miss (cold build)
- Mutation testing running
Solutions:
- Wait for cache to warm up
- Mutation testing is expected to be slow
- Consider running mutation tests on schedule (nightly)
Symptoms: Rebuilding every run
Causes:
- Cargo.lock frequently changing
- Cache key mismatch
Solutions:
- Update dependencies less frequently
- Bundle dependency updates
- Verify cache key logic
Symptoms: Intermittent failures
Causes:
- Race conditions
- Timeout issues
- Platform-specific bugs
Solutions:
- Add
--test-threads=1for debugging - Increase timeouts
- Fix non-determinism
- SECURITY.md - Security policies
- MEMORY_SAFETY.md - Memory safety guarantees
- PERFORMANCE.md - Performance benchmarks
pforge's CI/CD pipeline provides production-grade quality gates with:
- ✅ 11 automated jobs (parallel execution)
- ✅ 3 platform coverage (Linux, macOS, Windows)
- ✅ 3 security scans (audit, deny, review)
- ✅ Performance regression prevention
- ✅ 80% coverage enforcement
- ✅ Supply chain security
- ✅ ~15 minute average pipeline time
All code merged to main is production-ready.
Last updated: 2025-10-03 CI/CD Platform: GitHub Actions Workflow File: .github/workflows/ci.yml