Glyndor · Jaro-c · Apr 20, 2026 · Apr 20, 2026 · Apr 20, 2026 · Apr 20, 2026
@@ -17,7 +17,7 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "daily"
     open-pull-requests-limit: 5
     labels:
       - "dependencies"

@@ -0,0 +1,71 @@
+name: Bench
+
+# Weekly supervisor benchmark. Numbers feed README + site stats; rerun on
+# demand via workflow_dispatch. Pass a ref to benchmark any branch or commit.
+
+on:
+  schedule:
+    - cron: "17 6 * * 1" # Mondays 06:17 UTC
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Branch or commit SHA to benchmark (default: current branch)"
+        required: false
+        default: ""
+      no-cache:
+        description: "Force a clean Docker build (ignore layer cache)"
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+concurrency:
+  group: bench
+  cancel-in-progress: false
+
+jobs:
+  bench:
+    name: Run supervisor bench
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+
+      - name: Build the bench image
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        with:
+          context: .
+          file: scripts/bench/Dockerfile
+          tags: lynx-bench
+          load: true
+          no-cache: ${{ inputs.no-cache == true }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run the bench
+        run: |
+          mkdir -p out
+          docker run --rm \
+            -v "$PWD/out:/src/scripts/bench/out" \
+            lynx-bench
+
+      - name: Show results
+        run: |
+          echo "## Bench results" >> "$GITHUB_STEP_SUMMARY"
+          cat out/results.md >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: bench-${{ github.run_id }}
+          path: |
+            out/results.json
+            out/results.md
+          if-no-files-found: error
+          retention-days: 90
@@ -0,0 +1,34 @@
+name: Binary naming check
+
+on:
+  pull_request:
+    paths:
+      - "cmd/**"
+      - "internal/**"
+      - "scripts/check-binary-naming.sh"
+      - ".github/workflows/binary-naming.yml"
+  push:
+    branches: [main]
+    paths:
+      - "cmd/**"
+      - "internal/**"
+      - "scripts/check-binary-naming.sh"
+      - ".github/workflows/binary-naming.yml"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: binary-naming-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    name: Check lynxpm naming
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Run check
+        run: bash scripts/check-binary-naming.sh
@@ -40,13 +40,14 @@ jobs:
       - name: Install golangci-lint
         run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4
 
-      - name: golangci-lint (fast)
-        timeout-minutes: 3
-        run: golangci-lint run --fast-only --timeout=2m ./...
+      - name: golangci-lint
+        timeout-minutes: 5
+        run: golangci-lint run --timeout=4m ./...
 
   test:
     name: Test
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
@@ -69,15 +70,17 @@ jobs:
           retention-days: 7
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           files: coverage.out
           fail_ci_if_error: false
+          disable_file_fixes: true
           token: ${{ secrets.CODECOV_TOKEN }}
 
   build:
     name: Build (${{ matrix.goarch }})
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     strategy:
       fail-fast: false
       matrix:
@@ -90,7 +93,7 @@ jobs:
           go-version-file: go.mod
           cache: true
 
-      - name: Build lynx
+      - name: Build lynxpm
         env:
           GOOS: linux
           GOARCH: ${{ matrix.goarch }}
@@ -105,6 +108,7 @@ jobs:
   vuln:
     name: govulncheck
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 

@@ -32,15 +32,15 @@ jobs:
           cache: true
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
         with:
           languages: go
           queries: security-extended,security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
         with:
           category: "/language:go"
@@ -1,15 +1,12 @@
 name: Debian package tests
 
 on:
-  push:
+  # On main: only run after CI passes — no point building .deb if tests failed.
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
     branches: [main]
-    paths:
-      - "debian/**"
-      - ".github/workflows/debian-tests.yml"
-      - "cmd/**"
-      - "internal/**"
-      - "go.mod"
-      - "go.sum"
+  # On PRs: run directly with path filtering for fast feedback.
   pull_request:
     branches: [main]
     paths:
@@ -24,11 +21,14 @@ permissions:
   contents: read
 
 concurrency:
-  group: debian-tests-${{ github.ref }}
+  group: debian-tests-${{ github.event.workflow_run.head_sha || github.ref }}
   cancel-in-progress: true
 
 jobs:
   build-deb:
+    if: >
+      github.event_name == 'pull_request' ||
+      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
     name: Build .deb
     runs-on: ubuntu-latest
     steps:
@@ -64,6 +64,22 @@ jobs:
           path: debs/*.deb
           retention-days: 7
 
+      - name: Cross-compile sample Go binary for smoke
+        # testdata/apps/go-compiled ships as source only; install-matrix
+        # containers lack a Go toolchain, so we build it here (CGO off
+        # for matching no-shlib-deps semantics with the real release
+        # binaries) and ship it alongside the .deb.
+        env:
+          CGO_ENABLED: "0"
+        run: make -C testdata/apps/go-compiled build
+
+      - name: Upload testdata-compiled artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: testdata-compiled
+          path: testdata/apps/go-compiled/go-compiled
+          retention-days: 7
+
   lintian:
     name: Lintian
     needs: build-deb
@@ -97,11 +113,21 @@ jobs:
     container:
       image: ${{ matrix.image }}
     steps:
+      # Need the repo source (testdata/smoke.sh + testdata/apps/) in
+      # addition to the built .deb, so the smoke can exercise real apps
+      # instead of inlining everything into the workflow yaml.
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
       - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: lynxpm-deb
           path: debs
 
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: testdata-compiled
+          path: testdata/apps/go-compiled/
+
       - name: Prepare container (block service start, no interactive prompts)
         run: |
           set -eux
@@ -134,78 +160,47 @@ jobs:
           [ -d /var/lib/lynx-pm ]
           [ -d /var/log/lynx-pm ]
 
-      - name: Smoke — user-mode daemon + CLI lifecycle
-        # Exercises start/list/show/logs/restart/stop/delete end-to-end against
-        # a user-mode lynxd (no systemd, no root). Catches IPC / manager /
-        # spec-parsing regressions that pure --version + install checks miss.
+      - name: Smoke — testdata/smoke.sh against installed .deb
+        # Delegates to the repo's smoke script so the scenarios stay in
+        # one place (reusable by local dev + CI). Covers every lifecycle
+        # command plus the namespace bulk selectors, the process-group
+        # forkstorm regression, the --max-restarts cap, and a real node
+        # HTTP listener — against the binary the .deb actually installs.
+        env:
+          # The apt install below pulls tzdata in on ubuntu:22.04 via
+          # ruby's dependency chain; without the noninteractive frontend
+          # tzdata's postinst asks for a geographic area on the tty and
+          # the whole job hangs until GH Actions kills it.
+          DEBIAN_FRONTEND: noninteractive
+          TZ: Etc/UTC
         run: |
           set -eux
-          apt-get install -y --no-install-recommends procps util-linux
+          # procps+util-linux for pgrep/pkill/runuser; one of each
+          # supported interpreter for the sample apps. php-cli + ruby
+          # added in v0.9.2 alongside the go-compiled artifact. bash/
+          # coreutils ship in the base image.
+          apt-get install -y --no-install-recommends \
+              procps util-linux nodejs python3 php-cli ruby
+          # The downloaded artifact lands without +x; make the binary
+          # executable before the smoke tries to run it.
+          chmod +x testdata/apps/go-compiled/go-compiled
 
-          # Unprivileged user for the user-mode daemon.
           id testuser 2>/dev/null || useradd -m -s /bin/sh testuser
 
-          # Private XDG_RUNTIME_DIR the lynx socket helper will accept (0700).
+          # Hand the repo over to testuser so runuser can read it.
+          chown -R testuser:testuser "$GITHUB_WORKSPACE"
           install -d -m 0700 -o testuser -g testuser /tmp/xdg-test
 
-          # Run the whole lifecycle as testuser.
-          runuser -u testuser -- sh -eu <<'SMOKE'
+          runuser -u testuser -- bash -eu <<SMOKE
           export XDG_RUNTIME_DIR=/tmp/xdg-test
           export HOME=/home/testuser
+          cd "$GITHUB_WORKSPACE"
+
+          lynxd >/tmp/lynxd.log 2>&1 &
+          DAEMON_PID=\$!
+          trap 'kill "\$DAEMON_PID" 2>/dev/null || true' EXIT
 
-          LYNX_DEBUG_STOP=1 lynxd >/tmp/lynxd.log 2>&1 &
-          DAEMON_PID=$!
-          trap 'kill "$DAEMON_PID" 2>/dev/null || true' EXIT
-
-          # Wait up to 5s for the socket to become responsive.
-          for i in $(seq 1 50); do
-            lynxpm list --json >/dev/null 2>&1 && break
-            sleep 0.1
-          done
-
-          # Sanity: empty list after a fresh daemon.
-          [ "$(lynxpm list --json)" = "[]" ]
-
-          # start → list → show → stop → delete.
-          lynxpm start "/bin/sleep 300" --name smoke-proc --restart never
-          lynxpm list --json | grep -q smoke-proc
-          lynxpm show smoke-proc >/dev/null
-          lynxpm stop smoke-proc
-          lynxpm delete smoke-proc
-          [ "$(lynxpm list --json)" = "[]" ]
-
-          # Regression guard for the process-group stop bug (v0.8.1).
-          # Extra diagnostics: dump ppid chain of the to-be-forked child
-          # so the lynxd.log excerpt later correlates with what
-          # walkDescendants was seeing at /proc scan time.
-          # Spawn a bash wrapper that backgrounds a long sleep and waits;
-          # then stop the wrapper and assert the child PID is also dead.
-          # Without kill(-pid, sig) this child would leak as an orphan
-          # and EADDRINUSE the next start in real deployments.
-          PIDFILE=/tmp/xdg-test/fork-child.pid
-          rm -f "$PIDFILE"
-          lynxpm start "bash -c 'sleep 300 & echo \$! > $PIDFILE; wait'" \
-              --name fork-smoke --restart never --shell
-          for i in $(seq 1 50); do
-              [ -s "$PIDFILE" ] && break
-              sleep 0.1
-          done
-          CHILD_PID=$(cat "$PIDFILE")
-          [ -n "$CHILD_PID" ] || { echo "FAIL: child PID never recorded"; exit 1; }
-          kill -0 "$CHILD_PID" 2>/dev/null || { echo "FAIL: child $CHILD_PID not alive before stop"; exit 1; }
-          echo "----- pre-stop process tree -----"
-          ps -ef | awk 'NR==1 || $2=='"$CHILD_PID"' || $3=='"$CHILD_PID"' || $2==$(pgrep -P '"$DAEMON_PID"' | head -1) || $3==$(pgrep -P '"$DAEMON_PID"' | head -1)' || true
-          echo "----- /proc/$CHILD_PID/stat -----"
-          cat /proc/$CHILD_PID/stat 2>/dev/null || true
-          echo "-----"
-          lynxpm stop fork-smoke
-          sleep 1
-          if kill -0 "$CHILD_PID" 2>/dev/null; then
-              echo "FAIL: child $CHILD_PID survived Stop — process group not killed"
-              exit 1
-          fi
-          lynxpm delete fork-smoke
-          [ "$(lynxpm list --json)" = "[]" ]
+          bash testdata/smoke.sh
           SMOKE
 
       - name: Dump lynxd log on failure

@@ -0,0 +1,18 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  review:
+    name: Review dependencies
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4