13 changes: 2 additions & 11 deletions .github/workflows/ci.yml
@@ -40,12 +40,14 @@ jobs:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install Rust toolchain
if: matrix.runner != 'cachekit' || matrix.rust == '1.85'
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: ${{ matrix.rust }}
components: ${{ matrix.rust != '1.85' && 'rustfmt, clippy' || '' }}
Comment on lines +43 to 47
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/ci.yml | head -60

Repository: cachekit-io/cachekit-core

Length of output: 2329


Install the beta toolchain on cachekit to preserve real beta coverage.

At Line 43, the condition if: matrix.runner != 'cachekit' || matrix.rust == '1.85' skips setup for beta on cachekit. This causes the beta matrix entry to run with the runner's default toolchain instead of beta, making the beta coverage misleading.

Suggested change
-        if: matrix.runner != 'cachekit' || matrix.rust == '1.85'
+        if: matrix.runner != 'cachekit' || matrix.rust != 'stable'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 43 - 47, The step that uses
dtolnay/rust-toolchain is skipped on the cachekit runner except for rust '1.85'
because the if condition is "if: matrix.runner != 'cachekit' || matrix.rust ==
'1.85'", which causes the beta matrix entry to run with the runner default
toolchain; update the condition so the toolchain setup runs on cachekit when
matrix.rust == 'beta' (for example add "|| matrix.rust == 'beta'" or remove the
cachekit exclusion), ensuring the uses: dtolnay/rust-toolchain step actually
installs the beta toolchain for the cachekit runner.


- name: Cache cargo registry
if: matrix.runner != 'cachekit'
uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
with:
cache-all-crates: true
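Review bot: the `components: ${{ matrix.rust != '1.85' && 'rustfmt, clippy' || '' }}` setting only takes effect when the step runs, and on the cachekit runner the step is skipped for every entry except 1.85, so rustfmt and clippy for the stable and beta entries on cachekit must already exist on the host and nothing in this job verifies that. Add a step after the install that records what was actually used, e.g. `run: rustup show active-toolchain && cargo clippy --version`, so a missing component or a drifted host toolchain fails loudly instead of passing on whatever the runner happens to have.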
@@ -71,17 +73,6 @@ jobs:
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable

- name: Cache cargo registry
uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
with:
cache-all-crates: true

- name: Install security tools
run: cargo install cargo-deny cargo-audit

- name: Check dependencies (licenses & security advisories)
run: cargo deny check
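Review bot: with the toolchain and cache steps gone, `cargo install cargo-deny cargo-audit` is the only setup left in this job and it is not `--locked`, unlike the `cargo install cargo-audit --locked` used in security.yml, so the tool builds resolve fresh dependencies on every run and two jobs can end up checking advisories with differently built tools. Add `--locked` here to match, and consider pinning the tool versions with `--version` so the security gate itself is reproducible.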

3 changes: 0 additions & 3 deletions .github/workflows/codeql.yml
@@ -25,9 +25,6 @@ jobs:
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable

- name: Initialize CodeQL
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
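Review bot: removing the toolchain step before `Initialize CodeQL` makes the Rust extraction depend on whatever rustc and cargo the runner already has; the hunk does not show `runs-on`, so if this job still runs on GitHub-hosted runners it now builds with the image's default toolchain rather than the pinned stable the other workflows used, and results can drift between runner images. If the intent is to run this on cachekit, say so in the job; otherwise keep the pinned install here.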
6 changes: 0 additions & 6 deletions .github/workflows/release.yml
@@ -38,12 +38,6 @@ jobs:
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable

- name: Cache cargo registry
uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2

- name: Run tests before publish
run: cargo test --all-features
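Review bot: the release job now runs `cargo test --all-features` and the publish step on an implicit, unpinned toolchain with no record of which version produced the artifact. For release provenance this is the one place a pin (or at least a `rustc -Vv` step whose output lands in the job log) matters most; restore a pinned toolchain here even if the other jobs are allowed to rely on the self-hosted runner's state.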

120 changes: 6 additions & 114 deletions .github/workflows/security.yml
@@ -27,31 +27,6 @@ jobs:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
with:
toolchain: "stable"
components: clippy

- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-security-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-security-
${{ runner.os }}-cargo-

- name: Install cargo-audit
run: cargo install cargo-audit --locked

- name: Install cargo-deny
run: cargo install cargo-deny --locked

- name: Run cargo audit (CVE scanning)
run: cargo audit
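Review bot: the `Install cargo-audit` and `Install cargo-deny` steps are removed but `cargo audit` is still run, so the job silently assumes both binaries are present on the runner. If the runner's copies were installed once and are never refreshed, the scanner binary ages while the advisory database it fetches stays current; add a guard such as `command -v cargo-audit || cargo install cargo-audit --locked`, or at least print `cargo audit --version`, so the tool version in use is visible in the log.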

@@ -92,24 +67,8 @@ jobs:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly

- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
fuzz/target/
key: ${{ runner.os }}-cargo-fuzz-nightly-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-fuzz-nightly-
${{ runner.os }}-cargo-

- name: Install cargo-fuzz
run: cargo install cargo-fuzz --locked
- name: Use nightly toolchain
run: rustup default nightly
Comment on lines +70 to +71
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/security.yml | head -120

Repository: cachekit-io/cachekit-core

Length of output: 4566


🏁 Script executed:

wc -l .github/workflows/security.yml

Repository: cachekit-io/cachekit-core

Length of output: 104


🏁 Script executed:

cat -n .github/workflows/security.yml | tail -64

Repository: cachekit-io/cachekit-core

Length of output: 2590


🏁 Script executed:

cat -n .github/workflows/ci.yml | head -80

Repository: cachekit-io/cachekit-core

Length of output: 3018


🏁 Script executed:

fd -type f -name "*.yml" -o -name "*.yaml" | grep -E "(runner|setup)" | head -20

Repository: cachekit-io/cachekit-core

Length of output: 240


🏁 Script executed:

fd -type f "runner|setup" .github/ 2>/dev/null || find .github -type f \( -name "*runner*" -o -name "*setup*" \)

Repository: cachekit-io/cachekit-core

Length of output: 51


🏁 Script executed:

ls -la .github/

Repository: cachekit-io/cachekit-core

Length of output: 239


🏁 Script executed:

rg "cargo fuzz" .github/workflows/ -A 3 -B 3

Repository: cachekit-io/cachekit-core

Length of output: 1382


🏁 Script executed:

rg "rustup" .github/workflows/ -B 2 -A 2

Repository: cachekit-io/cachekit-core

Length of output: 625


Use cargo +nightly instead of rustup default nightly to avoid host-global state mutation on persistent self-hosted runners.

At Lines 70–71 and 109–110, rustup default nightly changes the runner's global toolchain default. On the cachekit self-hosted runner, this persists across job boundaries and can cause subsequent jobs (e.g., kani, cargo-vet) to unexpectedly use nightly instead of the stable toolchain they assume.

Replace with: cargo +nightly fuzz build ... and cargo +nightly fuzz run ...

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/security.yml around lines 70 - 71, Replace the step that
runs the shell command "rustup default nightly" (the job step named "Use nightly
toolchain" that currently mutates the host-global toolchain) with invocations
that prefix cargo commands with +nightly (for example use "cargo +nightly fuzz
build ..." and "cargo +nightly fuzz run ..." where relevant) so the workflow
uses the nightly toolchain only for those cargo actions without changing the
runner's default toolchain; update both occurrences that currently call "rustup
default nightly" to the targeted "cargo +nightly ..." variants and remove the
global rustup default change.


- name: Run quick fuzz (corpus only)
run: |
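Review bot: besides `rustup default nightly` changing the host-wide default (already flagged above), this hunk also drops the `Install cargo-fuzz` step while the quick fuzz run below still needs the `cargo fuzz` subcommand, so the job now depends on whoever last provisioned the runner. Prefer `cargo +nightly fuzz ...` or a job-level `env: RUSTUP_TOOLCHAIN: nightly` for the toolchain, and keep a `cargo install cargo-fuzz --locked` guarded by `command -v cargo-fuzz` so a freshly rebuilt runner does not fail (or skip) the fuzz job.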
@@ -147,24 +106,8 @@ jobs:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly

- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
fuzz/target/
key: ${{ runner.os }}-cargo-fuzz-nightly-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-fuzz-nightly-
${{ runner.os }}-cargo-

- name: Install cargo-fuzz
run: cargo install cargo-fuzz --locked
- name: Use nightly toolchain
run: rustup default nightly

- name: Run deep fuzz (30 minutes per target)
run: |
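Review bot: this is the second copy of the `Use nightly toolchain` / `rustup default nightly` step, and since the deep fuzz job runs 30 minutes per target, an aborted or timed-out run leaves the cachekit runner defaulting to nightly for whatever job lands on it next. A single job-level `env: RUSTUP_TOOLCHAIN: nightly` covers every cargo invocation in the job without touching rustup's persistent settings, and removes the duplication between the quick and deep fuzz jobs.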
@@ -190,24 +133,6 @@ jobs:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: "1.85"

- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-kani-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-kani-
${{ runner.os }}-cargo-

- name: Install Kani
run: |
cargo install --locked kani-verifier || echo "Kani install failed, skipping verification"
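Review bot: with the pinned 1.85 toolchain removed, the Kani job now runs on the runner's default, and the retained `cargo install --locked kani-verifier || echo "Kani install failed, skipping verification"` turns an install failure into a green job. Combined, a host toolchain that kani-verifier cannot build against yields a passing verification step that verified nothing; drop the `|| echo` fallback (or use `continue-on-error: true` on the step so the failure is at least annotated) so the proof job fails when it did not run.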
@@ -225,23 +150,8 @@ jobs:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: "1.85"

- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-vet-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-vet-
${{ runner.os }}-cargo-
- name: Generate lockfile
run: cargo generate-lockfile

- name: Install cargo-vet
run: cargo install cargo-vet --locked
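Review bot: `cargo generate-lockfile` resolves Cargo.lock from scratch and overwrites any existing one, so `cargo vet` audits a dependency set that can differ from what the build and test jobs compile (the removed cache key hashed `**/Cargo.lock`, which suggests a lockfile is present). If the lockfile is committed, drop this step so vet reads the same resolution everything else uses; if it is not, create it only when missing, e.g. `test -f Cargo.lock || cargo generate-lockfile`.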
@@ -257,24 +167,6 @@ jobs:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
with:
toolchain: "1.85"

- name: Cache Rust dependencies
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
with:
path: |
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-sbom-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-sbom-
${{ runner.os }}-cargo-

- name: Install cargo-sbom
run: cargo install cargo-sbom --locked
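Review bot: the SBOM job has lost its toolchain pin along with the cache, and nothing in the job now records which cargo resolved the dependency graph the SBOM describes. Add a step that prints `cargo -Vv` into the log (or attaches it to the SBOM artifact) so a generated SBOM can be tied to a specific toolchain and runner state, which matters more on a persistent self-hosted runner than on a fresh hosted image.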
