diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml new file mode 100644 index 0000000..d953b67 --- /dev/null +++ b/.github/actionlint.yaml @@ -0,0 +1,3 @@ +self-hosted-runner: + labels: + - blacksmith-2vcpu-ubuntu-2404 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 27f3a5d..f0d8a06 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -16,27 +16,62 @@ env: GIT_CONFIG_VALUE_0: main jobs: + changes: + permissions: + contents: read + pull-requests: read + runs-on: ubuntu-latest + outputs: + code_changes: ${{ steps.filter.outputs.code_changes }} + steps: + - uses: actions/checkout@v4 + + - name: Detect build-relevant changes + id: filter + uses: dorny/paths-filter@v3 + with: + filters: | + code_changes: + - 'src/**' + - 'libs/**' + - 'assets/shaders/**' + - 'build.zig' + - 'build.zig.zon' + - 'flake.nix' + - 'flake.lock' + - '.github/actions/setup-nix/**' + build: permissions: contents: read id-token: write runs-on: blacksmith-2vcpu-ubuntu-2404 timeout-minutes: 30 + needs: changes steps: - uses: actions/checkout@v4 + - name: Skip build for workflow-only changes + if: needs.changes.outputs.code_changes != 'true' + run: | + echo "No build-relevant changes detected. Skipping binary build." + - name: Setup Nix + if: needs.changes.outputs.code_changes == 'true' uses: ./.github/actions/setup-nix - name: Build + if: needs.changes.outputs.code_changes == 'true' run: nix build -L - name: Prepare Artifact + if: needs.changes.outputs.code_changes == 'true' run: | mkdir -p dist cp -L result/bin/zigcraft dist/zigcraft-linux - name: Upload Artifact + if: needs.changes.outputs.code_changes == 'true' uses: actions/upload-artifact@v7 with: name: zigcraft 
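Review bot: `dorny/paths-filter@v3` in the new `changes` job is pinned to a mutable major tag even though its `code_changes` output decides whether the build and both test jobs do any work, so a moved tag changes what runs with this job's token; pin it to a full commit SHA with the version in a trailing comment, `uses: dorny/paths-filter@<full-commit-sha>  # v3`, and treat `actions/checkout@v4` the same way for consistency. `build.yml` itself is not in the filter list, so an edit to this workflow (including the new `Skip build` step) never exercises the build; if that is intended, a comment above `filters:` saying so would spare the next reader the question. The `if: needs.changes.outputs.code_changes == 'true'` guard is repeated on every step here and in the unit-test and integration-test hunks (`@@ -49`, `@@ -67`, `@@ -85`), so a step added later without it silently runs on workflow-only changes; a single job-level `if` would state the intent once, though it reports the job as skipped rather than passed, which may matter for required checks — confirm against branch protection before switching. The `build` job continues past the end of this hunk.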
@@ -49,14 +84,21 @@ jobs: id-token: write runs-on: blacksmith-2vcpu-ubuntu-2404 timeout-minutes: 15 - needs: build + needs: [changes, build] steps: - uses: actions/checkout@v4 + - name: Skip unit tests for workflow-only changes + if: needs.changes.outputs.code_changes != 'true' + run: | + echo "No build-relevant changes detected. Skipping unit tests." + - name: Setup Nix + if: needs.changes.outputs.code_changes == 'true' uses: ./.github/actions/setup-nix - name: Run unit tests + if: needs.changes.outputs.code_changes == 'true' run: nix develop --command zig build test env: ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-global @@ -67,14 +109,21 @@ jobs: id-token: write runs-on: blacksmith-2vcpu-ubuntu-2404 timeout-minutes: 30 - needs: unit-test + needs: [changes, unit-test] steps: - uses: actions/checkout@v4 + - name: Skip integration tests for workflow-only changes + if: needs.changes.outputs.code_changes != 'true' + run: | + echo "No build-relevant changes detected. Skipping integration tests." + - name: Setup Nix + if: needs.changes.outputs.code_changes == 'true' uses: ./.github/actions/setup-nix - name: Start headless Wayland compositor + if: needs.changes.outputs.code_changes == 'true' run: | mkdir -p /tmp/runtime-runner chmod 700 /tmp/runtime-runner @@ -85,12 +134,14 @@ jobs: sleep 5 - name: Run integration smoke test + if: needs.changes.outputs.code_changes == 'true' env: ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-global run: | nix develop --command zig build test-integration - name: Run world load smoke test (headless) + if: needs.changes.outputs.code_changes == 'true' env: ZIG_GLOBAL_CACHE_DIR: ${{ github.workspace }}/.zig-cache-global XDG_RUNTIME_DIR: /tmp/runtime-runner diff --git a/.github/workflows/opencode-audit.yml b/.github/workflows/opencode-audit.yml index e897b12..e15c76d 100644 --- a/.github/workflows/opencode-audit.yml +++ b/.github/workflows/opencode-audit.yml 
@@ -93,6 +93,7 @@ jobs: XDG_CACHE_HOME: /tmp/opencode-cache with: model: kimi-for-coding/k2p5 + use_github_token: true prompt: | You are a senior Zig systems programming auditor performing a deep code audit. diff --git a/.github/workflows/opencode-pr.yml b/.github/workflows/opencode-pr.yml index 97edece..ba07832 100644 --- a/.github/workflows/opencode-pr.yml +++ b/.github/workflows/opencode-pr.yml @@ -29,7 +29,7 @@ jobs: id-token: write contents: write pull-requests: write - issues: read + issues: write steps: - name: Resolve PR context @@ -48,7 +48,7 @@ jobs: with: ref: ${{ steps.resolve-pr.outputs.pr_head_sha }} fetch-depth: 0 - token: ${{ secrets.OPENCODE_PAT }} + token: ${{ github.token }} - name: Configure git run: | @@ -84,13 +84,15 @@ jobs: REVIEW_CONTENT="${REVIEW_CONTENT}No previous automated reviews found.\n" fi - echo "PREVIOUS_REVIEWS<> $GITHUB_ENV - printf '%s\n' "$REVIEW_CONTENT" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV + { + echo "PREVIOUS_REVIEWS<> "$GITHUB_ENV" echo "Previous reviews fetched and formatted for context" env: - GH_TOKEN: ${{ secrets.OPENCODE_PAT }} + GH_TOKEN: ${{ github.token }} - name: Setup Nix uses: ./.github/actions/setup-nix 
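Review bot: `issues: write` widens the `github.token` that this job hands to the opencode step (alongside the existing `contents: write` and `pull-requests: write`), and the hunk does not say which step needs it; add a comment on the permission line naming the consumer, e.g. `issues: write  # used by the opencode step to update linked issues — confirm`, or keep it at `read` if the review only posts on the PR. With the PAT replaced by the job token throughout this file, the `permissions` block is now the only thing bounding what the agent can do, so each scope is worth justifying in place.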
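Review bot: The multiline `PREVIOUS_REVIEWS` value is still written to `$GITHUB_ENV` with a fixed heredoc delimiter (the removed lines show `echo "EOF"`, and the new brace group appears to keep it, though the hunk text is garbled at that point), so a fetched review body containing a line that reads `EOF` ends the value early and the remaining lines are parsed as further environment assignments. GitHub's documented pattern is a random delimiter: `EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)`, then `echo "PREVIOUS_REVIEWS<<$EOF"` and `echo "$EOF"` inside the group. The `{ … } >> "$GITHUB_ENV"` grouping and the quoting of `$GITHUB_ENV` are improvements worth keeping. The step's `run` body begins before this hunk.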
@@ -101,16 +103,20 @@ jobs: - name: Run opencode uses: anomalyco/opencode/github@latest env: - GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }} + GITHUB_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ github.token }} KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }} with: model: kimi-for-coding/k2p5 + use_github_token: true prompt: | You are reviewing a pull request for the ZigCraft repository. **PR to review:** #${{ steps.resolve-pr.outputs.pr_number }} Use `gh pr diff ${{ steps.resolve-pr.outputs.pr_number }}` and `gh pr view ${{ steps.resolve-pr.outputs.pr_number }}` to examine the changes. + Give full review coverage to PRs created by the automated test writer, especially PRs labeled `automated-test`, and verify whether any linked issues are fully addressed. + ZigCraft is a high-performance Minecraft-style voxel engine built with Zig, SDL3, and Vulkan. It uses Nix for dependency management, a custom RHI (Render Hardware Interface) abstraction layer, and a multithreaded job system for world generation and meshing. **Tech Stack:** diff --git a/.github/workflows/opencode-test-writer.yml b/.github/workflows/opencode-test-writer.yml index 0041da8..1963f43 100644 --- a/.github/workflows/opencode-test-writer.yml +++ b/.github/workflows/opencode-test-writer.yml @@ -199,6 +199,7 @@ jobs: XDG_CACHE_HOME: /tmp/opencode-cache with: model: kimi-for-coding/k2p5 + use_github_token: true prompt: | You are a senior Zig systems programmer writing unit tests for a voxel engine. Your job is to find untested code, write thorough tests, and submit a pull request. diff --git a/.github/workflows/opencode-triage.yml b/.github/workflows/opencode-triage.yml index 08e5843..7831ba1 100644 --- a/.github/workflows/opencode-triage.yml +++ b/.github/workflows/opencode-triage.yml 
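Review bot: `anomalyco/opencode/github@latest` now receives `github.token` carrying `contents`, `pull-requests` and `issues` write scope through both `GITHUB_TOKEN` and `GH_TOKEN`, yet the action is referenced by the floating `latest` tag, so whoever can move that tag decides what code runs with the repository's write token; pin it to a full commit SHA, `uses: anomalyco/opencode/github@<full-commit-sha>  # latest as of <date>`. The same `@latest` reference with the same tokens appears in the opencode-triage (`@@ -41`) and opencode.yml (`@@ -43`) hunks and in the context of the audit and test-writer hunks. Separately, the prompt feeds `gh pr diff` output, which is author-controlled content, to an agent holding this token; the workflow trigger is outside the hunk, so confirm the job only runs for PRs whose authors are already trusted to run CI, or reduce the scopes to what posting a review needs. The `prompt` value continues past the end of this hunk.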
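Review bot: `use_github_token: true` on the test-writer step suggests the pull requests it opens are now authored with `github.token` rather than the PAT (the step's `env` block is outside this hunk, so this is inferred). Pull requests and issues created with the repository's `GITHUB_TOKEN` do not trigger `pull_request` or `issues` workflow runs, so `build.yml` and `opencode-pr.yml` may stop running on those PRs even though the opencode-pr prompt in this commit asks for full coverage of `automated-test` PRs. If that is the case the PR-creating step needs a GitHub App installation token or a PAT; otherwise a comment on this line, `# PRs opened with the job token do not trigger downstream workflows — intended`, would record the decision.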
@@ -19,6 +19,16 @@ jobs: uses: actions/github-script@v7 with: script: | + const trustedBots = new Set([ + 'opencode-agent[bot]', + 'github-actions[bot]', + ]); + const labels = (context.payload.issue.labels || []).map(label => label.name); + + if (trustedBots.has(context.payload.issue.user.login) || labels.includes('automated-audit')) { + return true; + } + const user = await github.rest.users.getByUsername({ username: context.payload.issue.user.login }); @@ -30,7 +40,7 @@ jobs: - uses: actions/checkout@v4 if: steps.check.outputs.result == 'true' with: - token: ${{ secrets.OPENCODE_PAT }} + token: ${{ github.token }} - name: Configure git if: steps.check.outputs.result == 'true' @@ -41,14 +51,18 @@ jobs: - uses: anomalyco/opencode/github@latest if: steps.check.outputs.result == 'true' env: - GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }} + GITHUB_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ github.token }} KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }} with: model: kimi-for-coding/k2p5 + use_github_token: true prompt: | Analyze this issue. You have access to the codebase context. **CRITICAL: Your only allowed action is to post a COMMENT on the issue. DO NOT create branches, pull requests, or attempt to modify the codebase.** + If this issue has the `automated-audit` label, treat it as a trusted machine-generated finding and focus on validating the report, checking for duplicates or related PRs, and suggesting the clearest next implementation steps. + 1. **Classify**: Determine if this is a Bug, Feature Request, or Question. 2. **Validate & Request Info**: - **Missing Data**: If critical information is needed to understand or reproduce the issue (e.g., reproduction steps, crash logs, version numbers, screenshots), explicitly ask the user to provide it. diff --git a/.github/workflows/opencode.yml b/.github/workflows/opencode.yml index 9840a3c..4c33b9c 100644 --- a/.github/workflows/opencode.yml +++ b/.github/workflows/opencode.yml 
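Review bot: The trusted-bot shortcut adds `github-actions[bot]`, which is the login of every issue created with `github.token` by any workflow in this repository, so the bypass now covers more than audit findings; if only those are meant to skip the user check, the label condition `labels.includes('automated-audit')` is the narrower test and the login set could be limited to `opencode-agent[bot]`. Any collaborator with triage rights can apply the `automated-audit` label, so this path lowers the bar of whatever the `getByUsername` check (which continues past the hunk) enforces; a comment above `const trustedBots` stating what is bypassed and why would help the next reviewer judge it. Issues created with `github.token` also do not fire `issues` events, so if the audit workflow opens issues with the job token this branch may never be reached — confirm how those issues are created.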
@@ -27,7 +27,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 with: - token: ${{ secrets.OPENCODE_PAT }} + token: ${{ github.token }} - name: Configure git run: | @@ -43,7 +43,9 @@ jobs: - name: Run opencode uses: anomalyco/opencode/github@latest env: - GITHUB_TOKEN: ${{ secrets.OPENCODE_PAT }} + GITHUB_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ github.token }} KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }} with: model: kimi-for-coding/k2p5 + use_github_token: true diff --git a/.github/workflows/workflow-validation.yml b/.github/workflows/workflow-validation.yml new file mode 100644 index 0000000..926dd6a --- /dev/null +++ b/.github/workflows/workflow-validation.yml @@ -0,0 +1,45 @@ +name: Workflow Validation + +on: + push: + branches: [ main, dev ] + paths: + - '.github/workflows/**' + - '.github/actions/**' + pull_request: + branches: [ main, dev ] + paths: + - '.github/workflows/**' + - '.github/actions/**' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + actionlint: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + + - name: Run actionlint + uses: reviewdog/action-actionlint@v1 + with: + fail_level: error + + yaml-parse: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + + - name: Parse workflow YAML + run: | + ruby -e 'require "yaml"; Dir[".github/workflows/*.{yml,yaml}"].sort.each { |f| YAML.load_file(f); puts "OK #{f}" }' + + - name: Parse composite action YAML + run: | + ruby -e 'require "yaml"; Dir[".github/actions/**/action.{yml,yaml}"].sort.each { |f| YAML.load_file(f); puts "OK #{f}" }'
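Review bot: `YAML.load_file` in the two parse steps is a safe parse only on Psych 4+ (Ruby 3.1+); on older Psych it is the full loader, which depends on whichever Ruby the runner image ships, so make the intent explicit with `YAML.safe_load_file(f, aliases: true)` (drop `aliases: true` if no workflow uses anchors). `reviewdog/action-actionlint@v1` is referenced by a mutable tag like the other actions in this commit; pin it to a full commit SHA with the version in a trailing comment. The job grants only `contents: read`, which is right for a lint job, but confirm the reviewdog reporter in use can post results with that token so the step fails visibly rather than degrading silently.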