1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
name: ci
on:
push:
branches:
pull_request:
branches:
# Nightly run of the hardening harness — gated by the `hardening` job's `if:` below.
schedule:
- cron: "0 4 * * *"
workflow_dispatch:
# Cancel superseded runs on the same ref — fresher pushes win.
concurrency:
group: ci-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
jobs:
test:
name: test / ${{ matrix.os }} / ${{ matrix.features }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
# Default-features only on per-PR CI. The opt-in intelligence features
# (`memory`, `documents`, `crawl`, `full`) pull in kreuzberg's heavy
# system-dep stack (libheif source build, Tesseract, ONNX runtime,
# downloadable embedding models) — too expensive for fast PR feedback.
# The nightly `hardening` job runs the full feature surface against
# real OSS repos and is the authoritative signal for those builds.
features:
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt, clippy
# protoc is required by lance-encoding's build script (transitive via the
# `memory`, `documents`, `crawl`, and `full` features). Install on every
# matrix point — the default-features build doesn't need it but the cost
# is negligible and keeps the steps uniform across matrix entries.
- name: Install protoc (Linux)
if: runner.os == 'Linux'
run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
- name: Install protoc (macOS)
if: runner.os == 'macOS'
run: brew install protobuf
- uses: Swatinem/rust-cache@v2
with:
# Differentiate caches per-OS and features so the cache key is stable across runs.
key: ${{ matrix.os }}-${{ matrix.features }}
- name: cargo fmt
run: cargo fmt --all --check
- name: cargo clippy
run: cargo clippy --workspace --all-targets --tests --features "${{ matrix.features }}" -- -D warnings
- name: cargo test
run: cargo test --workspace --features "${{ matrix.features }}" --quiet
- name: cargo build --release
run: cargo build --release --quiet --bin basemind --features "${{ matrix.features }}"
deny:
name: cargo-deny
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: EmbarkStudios/cargo-deny-action@v2
with:
# Uses deny.toml at the repo root.
command: check
# Real-OSS hardening harness. Clones large upstream repos and exercises every MCP tool
# against them — too heavy for per-PR but ideal as a nightly canary. Runs on manual
# dispatch and once a day.
hardening:
name: hardening harness (nightly)
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
# protoc is required by lance-encoding's build script (transitive via the
# `full` feature surface that harden.sh builds). Mirror the `test` job.
- name: Install protoc
run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
- uses: Swatinem/rust-cache@v2
- name: run harden.sh
run: ./scripts/harden.sh
- name: upload results
if: always()
uses: actions/upload-artifact@v4
with:
name: harden-results
path: /tmp/basemind-harden/results.ndjson