Implemented a CI workflow in GH actions, updated security.md to include PGP key for emails. Tests now can run on actions #3
Pull request overview
Adds GitHub Actions CI so the Rust workspace builds/lints/tests in automation, and updates the project’s security policy (including adding a PGP public key for vulnerability reports).
Changes:
- Introduce a GitHub Actions workflow running build/test (stable + nightly) plus clippy/fmt (stable).
- Update `SECURITY.md` roadmap/status and add an armored PGP public key block.
- Adjust test fixtures (URL strings) and stop ignoring `.github/` in `.gitignore`.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| engine/tests/feature_support_tests.rs | Updates URL-related test fixtures used for parsing/resolution/caching checks. |
| SECURITY.md | Updates roadmap/status terminology and adds a PGP public key for security contact. |
| .gitignore | Allows committing .github/ (needed for workflows). |
| .github/workflows/ci.yml | Adds CI workflow for build/test/clippy/fmt across Linux + Windows (and nightly on Linux). |
Comments suppressed due to low confidence (1)
engine/tests/feature_support_tests.rs:51
`test_resolve_relative_parent_directory` has an incorrect expected URL. Given base path `/rust-lang/rust/docs/guide.html` and relative `../images/logo.png`, resolving should drop only `docs/` and produce `/rust-lang/rust/images/logo.png`, not `/rust-lang/images/logo.png` (that would require `../../images/...`).
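The resolution rule the comment above applies, as an added worked example in Rust. This is not code from this repository or its `engine` crate; the functions `merge_paths`, `remove_dot_segments` and `resolve_path` are this example's own names. It implements the path-only part of RFC 3986 section 5.2 with the standard library alone, and goes beyond the single fixture by covering the cases a resolver test should also pin down: a reference that climbs past the root, an absolute reference, an empty reference, and a trailing `.` or `..`.

```rust
// Added example, not the project's code: the path-only part of RFC 3986
// section 5.2 relative-reference resolution, written against std only.
// Function names are this example's own.

/// Merge a base path with a relative reference (RFC 3986 section 5.2.3):
/// keep the base up to and including its last "/", then append the reference.
fn merge_paths(base: &str, reference: &str) -> String {
    match base.rfind('/') {
        Some(idx) => format!("{}{}", &base[..=idx], reference),
        None => format!("/{}", reference),
    }
}

/// remove_dot_segments (RFC 3986 section 5.2.4) for an absolute path.
/// "." is dropped, ".." pops the previous completed segment, and ".."
/// beyond the root is discarded rather than kept, so the result never
/// climbs above "/". A trailing "." or ".." leaves a trailing slash.
fn remove_dot_segments(path: &str) -> String {
    let body = path.strip_prefix('/').unwrap_or(path);
    let segments: Vec<&str> = body.split('/').collect();
    let last = segments.len() - 1;
    let mut out: Vec<&str> = Vec::new();
    let mut trailing_slash = false;
    for (i, seg) in segments.iter().enumerate() {
        match *seg {
            "." => trailing_slash = i == last,
            ".." => {
                out.pop();
                trailing_slash = i == last;
            }
            s => {
                out.push(s);
                trailing_slash = false;
            }
        }
    }
    let mut result = String::from("/");
    result.push_str(&out.join("/"));
    if trailing_slash && !out.is_empty() {
        result.push('/');
    }
    result
}

/// Resolve `reference` against an absolute `base` path (RFC 3986 section
/// 5.2.2 with no scheme, authority, query or fragment): an empty reference
/// keeps the base, a reference starting with "/" replaces the base path,
/// anything else is merged into the base directory and normalised.
fn resolve_path(base: &str, reference: &str) -> String {
    if reference.is_empty() {
        base.to_string()
    } else if reference.starts_with('/') {
        remove_dot_segments(reference)
    } else {
        remove_dot_segments(&merge_paths(base, reference))
    }
}

fn main() {
    let base = "/rust-lang/rust/docs/guide.html";
    let references = [
        "../images/logo.png",
        "../../images/logo.png",
        "../../../../x",
        "/assets/a.png",
    ];
    for reference in references {
        println!("{} + {} -> {}", base, reference, resolve_path(base, reference));
    }
}
```

The behaviour worth a dedicated fixture is the fourth case: `..` segments beyond the root are dropped, not preserved, so a resolver that follows this rule cannot be steered above the base by piling up `../`. A resolver that keeps the surplus `..` (or that resolves against the filesystem instead of the URL path) is the one that needs a traversal check.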
| - uses: actions/checkout@v3 | ||
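Review bot: `actions/checkout@v3` is a floating major-version tag, so whichever major the workflow moves to, pin the action's full commit SHA (`uses: actions/checkout@<sha> # v4`) and let Dependabot or Renovate bump the comment; a tag can be moved by the publisher or by a compromised maintainer account, a SHA cannot.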
actions/checkout@v3 is on an older major version (Node16-era) and is deprecated in many repos; consider upgrading to actions/checkout@v4 to avoid future runner deprecations and get current security fixes.
| - uses: actions/checkout@v3 | ||
| - name: Install Rust | ||
| uses: dtolnay/rust-toolchain@master |
Using dtolnay/rust-toolchain@master makes the workflow non-reproducible and increases supply-chain risk because the action code can change without review. Pin the action to a tagged release (if available) or a specific commit SHA, while still selecting the toolchain via toolchain: ${{ matrix.rust }}.
| uses: dtolnay/rust-toolchain@master | |
| uses: dtolnay/rust-toolchain@v1 |
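Review bot: check that the suggested `uses: dtolnay/rust-toolchain@v1` ref actually exists before committing it; the refs that action documents are toolchain names (`stable`, `nightly`, a version such as `1.75.0`) plus `master`, so `@v1` may not resolve, and in any case a full commit SHA is the pin that freezes the action code. Keep `toolchain: ${{ matrix.rust }}` under `with:` so the matrix still selects the compiler and the pinned ref only fixes the installer.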
| - name: Cache cargo registry | ||
| uses: actions/cache@v3 | ||
| with: |
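Review bot: the `with:` block is truncated in this view, so the cache `key` is not visible; make sure it includes `${{ matrix.rust }}` and `hashFiles('**/Cargo.lock')`, otherwise the stable and nightly jobs restore each other's `~/.cargo/registry` and a dependency bump keeps hitting a stale entry.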
actions/cache@v3 is an older major version; upgrading to actions/cache@v4 is recommended for current fixes/features and to reduce the chance of future GitHub runner deprecation issues.
| ### Phase 1 (Prealpha - Current) | ||
| - Focus: Core engine stability and correctness | ||
| - Security: Basic input validation, memory safety | ||
| - Internal testing only | ||
| - Target: Q1 2026 |
The document now describes the project as "Prealpha" in the roadmap/status, but earlier sections still say "Alpha" (e.g., intro + "Current Status"). Please make the terminology consistent throughout the file so readers don’t get mixed signals about maturity/support expectations.
| - PGP Key: | ||
| -----BEGIN PGP PUBLIC KEY BLOCK----- | ||
| xsDNBGmq3SABDADDt2htuAAYt4GspbMRDLQO5+lfZEvc5Yiq/9z2Aof5j+9LiTEs | ||
| uqCV4G6PjAo8ZbLAudp8yJKzRMNKrMtK5P4SBklN4Cgnx3mFw5FjwBh4T5FicGPK | ||
| 0tofIQNcPMbtwnuIJQLj7DaVUkxhpgEW9K0pcHUAkAGQwvw1KYMJRF/76+XjqZ4z |
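Review bot: next to the armored block, state the key's fingerprint, the e-mail address it is bound to and its expiry in plain text; an armored block on its own gives a reporter no way to check that the copy they imported matches what the project intended, while a fingerprint can be compared against a keyserver or a second channel before anything sensitive is encrypted to it.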
The PGP public key block should be wrapped in a fenced code block (e.g., ```` ```text ... ``` ````) so Markdown renders it correctly and users can copy/paste it without line-wrapping or formatting artifacts.