chore: add security CI, Makefile, and sync with crates.io v0.1.0 #8
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
27Bslash6
commented
Dec 9, 2025
27Bslash6
commented
- Add security.yml workflow (audit, deny, fuzz, kani, SBOM)
- Add codeql.yml for GitHub code scanning
- Add dependabot.yml for automated dependency updates
- Add Makefile with security and quality targets
- Sync Cargo.toml version to match published 0.1.0
- Sync release-please-manifest.json to 0.1.0
- Update cargo-vet config with audit-as-crates-io policy
- Regenerate cargo-vet exemptions for current deps
- Clean up stale deny.toml entries (unused licenses/skips)
- Bump actions/checkout to v5, create-github-app-token to v2
- Add security.yml workflow (audit, deny, fuzz, kani, SBOM) - Add codeql.yml for GitHub code scanning - Add dependabot.yml for automated dependency updates - Add Makefile with security and quality targets - Sync Cargo.toml version to match published 0.1.0 - Sync release-please-manifest.json to 0.1.0 - Update cargo-vet config with audit-as-crates-io policy - Regenerate cargo-vet exemptions for current deps - Clean up stale deny.toml entries (unused licenses/skips) - Bump actions/checkout to v5, create-github-app-token to v2
27Bslash6
force-pushed
the
chore/security-ci-tooling
branch
from
8a8c70f to
d7b967d
Compare
27Bslash6
force-pushed
the
chore/security-ci-tooling
branch
from
8cce0bf to
49c8fb1
Compare
- Add warm-up runs to stabilize CPU caches - Increase sample size from 100 to 200 - Use trimmed mean instead of median (removes 20% outliers) - Relax threshold from 20% to 150% for CI jitter tolerance - Real timing leaks show 2-10x differences, not ~100%
CodeQL needs to observe the build process to discover C/C++ code. Using autobuild instead of manual cargo build ensures the tracer captures cbindgen-generated headers and cross-language test code.
27Bslash6
force-pushed
the
chore/security-ci-tooling
branch
2 times, most recently
from
ae47101 to
900e056
Compare
CodeQL autobuild doesn't understand Rust+cbindgen workflow. Manually build Rust FFI and compile C test to give CodeQL actual C compilation units to analyze.
- Add encryption feature to match Makefile requirements - Compile C test to .o only (CodeQL needs compilation, not execution) - Avoid running test binary which may fail in CI environment
- Change Rust toolchain from specific version "1.85" to "stable" for better compatibility and updates.
Root cause: cbindgen doesn't expand macros, so opaque_handle!() generated structs were invisible. Also C test file drifted from actual API. Fixes: - cbindgen.toml: Add after_includes for opaque type forward declarations - test_c.c: Update cachekit_encryptor_new() to pass error_out parameter - test_c.c: Add handle parameter to cachekit_decrypt() calls - codeql.yml: Build with encryption feature and compile actual test
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
cargo-fuzz requires nightly Rust due to -Zsanitizer=address flag. The previous config used stable 1.85 which silently failed (masked by || true). Changes: - Switch fuzz jobs to dtolnay/rust-toolchain@nightly - Add explicit cargo fuzz build step to fail fast on compile errors - Replace || true with || [ $? -eq 124 ] to allow timeout but catch real failures - Update cache keys to include 'nightly' for separation
Fuzz targets were written against a different API and never compiled. Issues fixed: - ZeroKnowledgeEncryptor::new() returns Result, not Self - unwrap properly - ByteStorageError is an enum - use matches!() not .contains() - StorageEnvelope.checksum is [u8; 8] (xxHash3-64), not [u8; 32] - ByteStorage methods return u64/usize, not f64 for ratios All 16 fuzz targets now compile and match the actual crate API.
27Bslash6
force-pushed
the
chore/security-ci-tooling
branch
from
3d4dff8 to
ee951a7
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.