diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 5d358e3..f56e586 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -1,6 +1,5 @@
 # Rumpk Sovereign Kernel CI
-# Two-stage build: Nim→C→.o (build_nim.sh) then Zig links everything (zig build)
-# Targets: riscv64 (primary), aarch64 (secondary)
+# Two-stage build: Nim->C->.o (build_nim.sh) then Zig links everything (zig build)
 
 name: Rumpk CI
 on:
@@ -21,72 +20,38 @@ jobs: echo "=== Toolchain ===" zig version nim --version | head -1 - echo "=== Target: riscv64-freestanding ===" + qemu-system-riscv64 --version | head -1 - - name: Build LwIP (networking stack) + - name: Build LwIP run: | chmod +x build_lwip.sh - ./build_lwip.sh + bash build_lwip.sh - name: Compile Nim kernel to C objects run: | chmod +x build_nim.sh - ./build_nim.sh riscv64 + bash build_nim.sh riscv64 - - name: Build full kernel (userland + initrd + link) + - name: Build userland + initrd + final kernel run: | chmod +x build_full.sh - ./build_full.sh riscv64 - - - name: Final Zig link - run: zig build + bash build_full.sh riscv64 - name: Verify kernel ELF run: | ls -lh zig-out/bin/rumpk.elf file zig-out/bin/rumpk.elf - - name: QEMU boot test (RISC-V) + - name: QEMU boot test run: | - timeout 30 qemu-system-riscv64 \ + timeout 25 qemu-system-riscv64 \ -M virt -cpu max -m 512M -nographic \ -kernel zig-out/bin/rumpk.elf \ - 2>&1 | tee /tmp/boot.log & - QEMU_PID=$! - sleep 20 - kill $QEMU_PID 2>/dev/null || true - wait $QEMU_PID 2>/dev/null || true + 2>&1 | tee /tmp/boot.log || true echo "=== Boot log ===" - cat /tmp/boot.log - echo "=== Checking boot markers ===" - grep -q "Nim handoff" /tmp/boot.log && echo "PASS: Nim handoff reached" || echo "WARN: Nim handoff not found" - grep -q "init complete" /tmp/boot.log && echo "PASS: Init complete" || echo "WARN: Init not complete" - - build-aarch64: - name: Build ARM64 - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Verify toolchain - run: | - zig version - nim --version | head -1 - - - name: Compile Nim kernel to C objects (ARM64) - run: | - chmod +x build_nim.sh - ./build_nim.sh aarch64 - - - name: Build full kernel (ARM64) - run: | - chmod +x build_full.sh - ./build_full.sh aarch64 - - - name: Verify kernel ELF - run: | - ls -lh zig-out/bin/rumpk.elf - file zig-out/bin/rumpk.elf + cat /tmp/boot.log | tail -30 + echo "=== Boot markers ===" + grep -c "Nim handoff\|init 
complete\|UART\|sched" /tmp/boot.log || echo "0 markers found" security-scan: name: Security Scan @@ -97,25 +62,18 @@ jobs: - name: Check for sensitive content run: | FAIL=0 - # No agent/internal directories - if find . -path './.agent' -o -path './.vscode' -o -path './.kiro' | grep -q .; then - echo "FAIL: Sensitive directories found" + for dir in .agent .vscode .kiro competitors; do + if [ -d "$dir" ]; then + echo "FAIL: Sensitive directory '$dir' found" + FAIL=1 + fi + done + # Exclude CI workflow files from path scan (they contain the pattern as a check) + MATCHES=$(git grep -l '/home/markus' -- ':!.forgejo/' 2>/dev/null || true) + if [ -n "$MATCHES" ]; then + echo "FAIL: Internal paths found in:" + echo "$MATCHES" FAIL=1 fi - # No internal paths in tracked files - if git grep -l '/home/markus' -- ':!.git' 2>/dev/null | grep -q .; then - echo "FAIL: Internal paths found in tracked files:" - git grep -l '/home/markus' -- ':!.git' - FAIL=1 - fi - # No compiled binaries tracked - BINS=$(find . -not -path './.git/*' -type f -executable -size +100k 2>/dev/null | head -5) - if [ -n "$BINS" ]; then - echo "WARN: Large executables found (check if intentional):" - echo "$BINS" - fi - if [ $FAIL -eq 1 ]; then - echo "Security scan FAILED" - exit 1 - fi + if [ $FAIL -eq 1 ]; then exit 1; fi echo "Security scan PASSED"
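Review bot: The rebuilt QEMU boot test at the end of the hunk still cannot fail: `|| true` swallows the pipeline status (which, absent `set -o pipefail`, is tee's anyway, so timeout's exit 124 was already invisible), and `grep -c ... || echo "0 markers found"` turns a zero-match result into a successful step, so a kernel that never reaches init passes CI. If the step is meant to gate merges, check the marker that matters and exit non-zero when it is missing, e.g. `grep -q "init complete" /tmp/boot.log || { echo "FAIL: kernel did not reach init complete"; exit 1; }`. Separately, the hunk deletes the build-aarch64 job with no replacement, so that target is no longer built at all; if the drop is intentional it deserves a line in the header comment, otherwise a matrix entry would keep it covered.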
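Review bot: The internal-path scan now fails open in two ways: `':!.forgejo/'` excludes the whole workflow directory rather than just this file, so a leaked path in any other workflow passes, and `2>/dev/null || true` maps a git grep error (exit status above 1, e.g. a broken checkout) onto "no matches" instead of a failed scan. Both go away if the pattern is written so it cannot match its own line and only exit status 1 is treated as clean: `MATCHES=$(git grep -l '/home/mark[u]s' || [ $? -eq 1 ])` — if the step runs under the usual `bash -e` default, a real error then aborts the step instead of printing PASSED. The large-tracked-binary warning from the old code is also dropped without a replacement; if that is deliberate, a one-line comment saying so would stop a later reader re-adding it.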