ci: add Forgejo Actions workflow
parent
e3246e8509
commit
225d08908b
@ -0,0 +1,79 @@
# Rumpk Sovereign Kernel CI
# Two-stage build: Nim->C->.o (build_nim.sh) then Zig links everything (zig build)
name: Rumpk CI
on:
push:
branches: [unstable, main, stable, testing]
pull_request:
branches: [unstable, main]
jobs:
build-riscv64:
name: Build RISC-V 64
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Verify toolchain
run: |
echo "=== Toolchain ==="
zig version
nim --version | head -1
qemu-system-riscv64 --version | head -1
- name: Build LwIP
run: |
chmod +x build_lwip.sh
bash build_lwip.sh
- name: Compile Nim kernel to C objects
run: |
chmod +x build_nim.sh
bash build_nim.sh riscv64
- name: Build userland + initrd + final kernel
run: |
chmod +x build_full.sh
bash build_full.sh riscv64
- name: Verify kernel ELF
run: |
ls -lh zig-out/bin/rumpk.elf
file zig-out/bin/rumpk.elf
- name: QEMU boot test
run: |
timeout 25 qemu-system-riscv64 \
-M virt -cpu max -m 512M -nographic \
-kernel zig-out/bin/rumpk.elf \
2>&1 | tee /tmp/boot.log || true
echo "=== Boot log ==="
cat /tmp/boot.log | tail -30
echo "=== Boot markers ==="
grep -c "Nim handoff\|init complete\|UART\|sched" /tmp/boot.log || echo "0 markers found"
security-scan:
name: Security Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check for sensitive content
run: |
FAIL=0
for dir in .agent .vscode .kiro competitors; do
if [ -d "$dir" ]; then
echo "FAIL: Sensitive directory '$dir' found"
FAIL=1
fi
done
# Exclude CI workflow files from path scan (they contain the pattern as a check)
MATCHES=$(git grep -l '/home/markus' -- ':!.forgejo/' 2>/dev/null || true)
if [ -n "$MATCHES" ]; then
echo "FAIL: Internal paths found in:"
echo "$MATCHES"
FAIL=1
fi
if [ $FAIL -eq 1 ]; then exit 1; fi
echo "Security scan PASSED"
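Review bot: The `QEMU boot test` step cannot fail: the QEMU pipeline ends in `|| true` and the marker check ends in `|| echo "0 markers found"`, so a kernel that never reaches any boot marker still produces a green build. Keeping `|| true` on the QEMU line is reasonable because `timeout` is expected to kill the emulator, but the final line should gate the job, for example `grep -q "init complete" /tmp/boot.log || { echo "FAIL: boot marker missing"; exit 1; }` (which marker is authoritative is for the kernel authors to confirm). The `security-scan` job has the same fail-open shape: `git grep ... 2>/dev/null || true` maps a git error (exit status above 1) to an empty `MATCHES`, so the scan reports PASSED when it did not actually run; capture the status and fail on anything other than 0 or 1. Separately, `actions/checkout@v4` is a mutable tag, and pinning it to a full commit SHA would keep the code that runs in CI from changing underneath the workflow.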