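# Rumpk Sovereign Kernel CI
# Two-stage build: Nim->C->.o (build_nim.sh) then Zig links everything (zig build)
#
# Jobs:
#   build-riscv64  - toolchain check, LwIP + Nim + userland build, ELF listing, QEMU smoke boot
#   security-scan  - rejects committed local-only directories and internal home paths
name: Rumpk CI

# Least privilege for the workflow token: no job pushes, tags or comments, so a
# read-only checkout is all that is needed. pull_request runs code from the PR
# branch, so a write-capable default token would be an unnecessary exposure.
permissions:
  contents: read

on:
  push:
    branches: [unstable, main, stable, testing]
  pull_request:
    branches: [unstable, main]

jobs:
  build-riscv64:
    name: Build RISC-V 64
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin to a full commit SHA instead of the mutable v4 tag
      # (supply-chain hardening); take the SHA from the action's release page.
      - uses: actions/checkout@v4

      # No setup step installs zig/nim/qemu, so the runner image must already
      # provide them; this step makes a missing tool fail early and visibly.
      - name: Verify toolchain
        run: |
          echo "=== Toolchain ==="
          zig version
          nim --version | head -1
          qemu-system-riscv64 --version | head -1

      # The scripts are made executable before running in case they invoke each
      # other directly (presumably why chmod is kept although bash is used here).
      - name: Build LwIP
        run: |
          chmod +x build_lwip.sh
          bash build_lwip.sh

      - name: Compile Nim kernel to C objects
        run: |
          chmod +x build_nim.sh
          bash build_nim.sh riscv64

      - name: Build userland + initrd + final kernel
        run: |
          chmod +x build_full.sh
          bash build_full.sh riscv64

      # Prints size and type only; under the default `bash -e` a missing ELF
      # fails the step via ls, but the target architecture is not asserted.
      - name: Verify kernel ELF
        run: |
          ls -lh zig-out/bin/rumpk.elf
          file zig-out/bin/rumpk.elf

      - name: QEMU boot test
        run: |
          # The kernel is presumably not expected to exit on its own, so the run
          # is bounded by timeout(1); its exit status (124 on expiry) is ignored.
          timeout 25 qemu-system-riscv64 \
            -M virt -cpu max -m 512M -nographic \
            -kernel zig-out/bin/rumpk.elf \
            2>&1 | tee /tmp/boot.log || true
          echo "=== Boot log ==="
          tail -30 /tmp/boot.log
          echo "=== Boot markers ==="
          # NOTE(review): informational only - a zero marker count does not fail
          # the step; gate on it (exit 1) once the marker strings are stable.
          grep -c "Nim handoff\|init complete\|UART\|sched" /tmp/boot.log || echo "0 markers found"

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin to a full commit SHA (see build-riscv64).
      - uses: actions/checkout@v4

      - name: Check for sensitive content
        run: |
          FAIL=0
          # Editor/agent scratch directories and competitor notes must never be committed.
          for dir in .agent .vscode .kiro competitors; do
            if [ -d "$dir" ]; then
              echo "FAIL: Sensitive directory '$dir' found"
              FAIL=1
            fi
          done
          # Exclude CI workflow files from path scan (they contain the pattern as a check).
          # git grep exits 1 for "no match" and >1 on error; only the former is a
          # pass, so a failing grep is surfaced instead of silently scanning nothing.
          GREP_RC=0
          MATCHES=$(git grep -l '/home/markus' -- ':!.forgejo/') || GREP_RC=$?
          if [ "$GREP_RC" -gt 1 ]; then
            echo "FAIL: git grep exited with status $GREP_RC"
            exit 1
          fi
          if [ -n "$MATCHES" ]; then
            echo "FAIL: Internal paths found in:"
            echo "$MATCHES"
            FAIL=1
          fi
          if [ "$FAIL" -eq 1 ]; then exit 1; fi
          echo "Security scan PASSED"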