coroboros · ob-aion · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026
diff --git a/.github/renovate/sync-tool-sha.sh b/.github/renovate/sync-tool-sha.sh
@@ -6,7 +6,7 @@
 set -euo pipefail
 
 GITLEAKS_YML=".github/actions/security/gitleaks/action.yml"
-SELF_YML=".github/workflows/self.yml"
+SELF_YML=".github/workflows/self-lint.yml"
 DIST_YML=".github/actions/rust/install-dist/action.yml"
 
 sha256_of() {

diff --git a/.github/workflows/self.yml → .github/workflows/self-lint.yml b/.github/workflows/self.yml → .github/workflows/self-lint.yml
@@ -1,5 +1,5 @@
-# Self-CI
-name: Self-CI
+# Self-CI Lint
+name: Self-CI Lint
 
 on:
   push:

diff --git a/.github/workflows/self-security.yml b/.github/workflows/self-security.yml
@@ -1,8 +1,7 @@
 # Self-CI Security
 name: Self-CI Security
 
-# Local `./` refs so a PR self-tests its own composite changes — the @v0-pinned
-# security.yml can't (a reusable workflow's `./` resolves to the caller's checkout).
+# Local `./` refs so a PR self-tests its own security composites and workflows.
 on:
   push:
     branches: [main]
@@ -25,3 +24,9 @@ jobs:
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
       - uses: ./.github/actions/security/osv-scanner
+
+  security-gate:
+    uses: ./.github/workflows/security-gate.yml
+
+  security:
+    uses: ./.github/workflows/security.yml
diff --git a/.github/workflows/self-actions.yml → .github/workflows/self-test.yml b/.github/workflows/self-actions.yml → .github/workflows/self-test.yml
@@ -1,5 +1,5 @@
-# Self-CI Actions
-name: Self-CI Actions
+# Self-CI Test
+name: Self-CI Test
 
 # A PR self-tests its composites via local `./` refs against the real checkout
 # (GITHUB_SHA == HEAD); `commit-artifacts` pushes to a local bare remote, with
@@ -220,3 +220,17 @@ jobs:
             [ -f "${m}" ] || { echo "::error::javascript/base did not run ${m%-ran}"; exit 1; }
           done
           echo "::notice::javascript/base ran install (sfw + frozen lockfile), lint, build, test on the fixture"
+
+  rust-base:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          path: _src
+      - name: Stage the rust fixture at the workspace root
+        shell: bash
+        run: cp -a _src/test/fixtures/rust-crate/. .
+      - uses: ./_src/.github/actions/rust/base
+      - name: Confirm rust/base completed the gates
+        shell: bash
+        run: echo "::notice::rust/base ran fmt --check, clippy -D warnings, and test on the fixture"
diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,7 @@
 .claude/output/
 CLAUDE.local.md
 node_modules/
+target/
 *.log
 *.bak
 .actionlint-cache/

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## v0.2.1 - 08/06/2026
+
+### Refactor
+- `self.yml` → `self-lint`, `self-actions` → `self-test` — align the self-CI workflow names (`self-lint` · `self-test` · `self-security` · `self-release`).
+
+### Tests
+- `self-test` — self-test `rust/base` end-to-end on a Rust fixture crate (`test/fixtures/rust-crate`): stage it at the workspace root, run the composite, assert `fmt` / `clippy` / `test` pass.
+- `self-security` — self-test the `security-gate.yml` and `security.yml` reusable workflows via local `./` refs, now that `v0` carries the security composites.
+
+### Documentation
+- `README` — add a Self-CI section documenting how the repo tests its own workflows and composites.
+
+### Configuration
+- `.gitignore` — add `target/` for Rust build artifacts.
+
 ## v0.2.0 - 08/06/2026
 
 ### Features

diff --git a/CLAUDE.md b/CLAUDE.md
@@ -13,7 +13,7 @@ Reusable GitHub Actions workflows + composite actions for the Coroboros stack.
 - `.github/workflows/rust-packages.yml` — bundled Cargo pipeline (`preflight` matrix / `security-gate` / `package` / `publish` / `security`) + opt-in cargo-dist binary layer (`dist-plan` / `dist-build` / `dist-host` / `dist-publish`, gated on `[package.metadata.dist]` or `[workspace.metadata.dist]`).
 - `.github/workflows/security-gate.yml` — blocking gate `publish` `needs:`. `supply-chain` (auto-routed: `Cargo.toml` → `security/rust/cargo-deny` advisories+bans+sources, else `security/osv-scanner`) + `secret-scan` (gitleaks). A separate reusable workflow so the caller's `publish` can `needs:` the whole gate as one job, running each scan once. Imposed via the package workflows, importable standalone by a non-package repo.
 - `.github/workflows/security.yml` — advisory layer, never blocks: `dependency-review` (PR-only) + `licenses` (Rust, `continue-on-error`, `security/rust/cargo-deny` `checks: licenses`). License/quality policy lives here, off the gate.
-- `.github/workflows/{self,self-security,self-release,self-actions}.yml` — self-CI: lint, gitleaks + osv (composites via local `./`), the `v0` rolling-tag move, and `self-actions` smoke-testing the composites against the real checkout on every PR.
+- `.github/workflows/{self-lint,self-test,self-security,self-release}.yml` — self-CI: lint, the security composites + `security-gate`/`security` workflows via local `./`, the `v0` rolling-tag move, and `self-test` smoke-testing every composite (plus `javascript/base`/`rust/base` on `test/fixtures/`) every PR. Workflow self-tests resolve their `@v0` composites against the released `v0`, so a brand-new composite is testable only once a release moves `v0` onto it.
 - `.github/actions/{check-docs,javascript/base,rust/{base,native-deps,test-deps,install-dist,pin-version},security/{gitleaks,osv-scanner,rust/cargo-deny},release/{verify-tag,generate-changelog,github-release,commit-artifacts}}/action.yml` — composites.
 - `.github/dependabot.yml` — auto-PRs for pinned action SHAs. `renovate.json` + `.github/workflows/renovate.yml` — self-hosted Renovate (needs the `RENOVATE_TOKEN` PAT secret, scope `repo` + `workflow`) auto-bumps the version-pinned tooling; `.github/renovate/sync-tool-sha.sh` re-syncs each paired tarball SHA-256 in the same PR.
 - `security/.gitleaks.toml` — canonical gitleaks ruleset.

diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@
 Drop into any `@coroboros/*` repo via `uses: coroboros/ci/.github/workflows/<name>.yml@v0`, or compose around the composite actions under `.github/actions/`.
 
 [![latest](https://img.shields.io/github/v/release/coroboros/ci?style=flat-square&label=latest&color=000000)](https://github.com/coroboros/ci/releases)
-[![ci](https://img.shields.io/github/actions/workflow/status/coroboros/ci/self.yml?branch=main&style=flat-square&label=ci&color=000000)](https://github.com/coroboros/ci/actions/workflows/self.yml)
+[![ci](https://img.shields.io/github/checks-status/coroboros/ci/main?style=flat-square&label=ci&color=000000)](https://github.com/coroboros/ci/actions)
 [![branch](https://img.shields.io/badge/branch-main-000000?style=flat-square)](https://github.com/coroboros/ci)
 [![license](https://img.shields.io/badge/license-All%20Rights%20Reserved-000000?style=flat-square)](LICENSE.md)
 [![stars](https://img.shields.io/github/stars/coroboros/ci?style=flat-square&label=stars&color=000000)](https://github.com/coroboros/ci)
@@ -25,6 +25,7 @@ Drop into any `@coroboros/*` repo via `uses: coroboros/ci/.github/workflows/<nam
 - [Pipelines](#pipelines)
 - [Composable actions](#composable-actions)
 - [Development flow](#development-flow)
+- [Self-CI](#self-ci)
 - [Environment](#environment)
 - [Security](#security)
 - [Examples](#examples)
@@ -300,6 +301,19 @@ Section format: `## vX.Y.Z - DD/MM/YYYY`. Idempotent. Reuses an existing hand-cu
 
 ---
 
+## Self-CI
+
+`coroboros/ci` runs a CI on itself — lint, security, and the `v0` release move — plus a test layer that exercises its own composite actions, which are the product:
+
+- **Lint** (`self-lint.yml`) — `actionlint`, `yamllint`, `shellcheck`.
+- **Security** (`self-security.yml`) — the `gitleaks` / `osv-scanner` composites and the `security-gate` / `security` workflows, via local `./` refs.
+- **Release** (`self-release.yml`) — moves the rolling `v0` tag onto each stable release.
+- **Test** (`self-test.yml`) — smoke every composite (`release/*`, `rust/*`, `security/*`) against the real checkout, and run `javascript/base` + `rust/base` end-to-end on a `test/fixtures/` package and crate.
+
+A workflow self-test resolves its composites at the released `@v0`, so a brand-new composite is testable through a workflow only once a release moves `v0` onto it.
+
+---
+
 ## Environment
 
 Zero `inputs:` — configuration flows through the caller's `secrets:` block. Every value is a **secret** (encrypted at rest, masked in logs), never a GitHub `var`.
@@ -311,9 +325,9 @@ Zero `inputs:` — configuration flows through the caller's `secrets:` block. Ev
 
 | name | required | description |
 | :--- | :---: | :--- |
-| `NPM_CONFIG_FILE` | ✔ | `.npmrc` content. Written to repo root by `javascript/base`. `${VAR}` references inside are expanded by npm at install time. |
+| `NPM_CONFIG_FILE` | yes | `.npmrc` content. Written to repo root by `javascript/base`. `${VAR}` references inside are expanded by npm at install time. |
 | `NPM_EXTRA_CONFIG` |  | Extra `.npmrc` lines appended after `NPM_CONFIG_FILE`. A **secret** — it lands in `.npmrc`, so it can carry auth material and must stay masked. |
-| `NPM_PACKAGE_REGISTRY` | ✔ | npm package registry URL. |
+| `NPM_PACKAGE_REGISTRY` | yes | npm package registry URL. |
 | `NPM_PACKAGE_PROXY_REGISTRY` |  | Optional npm proxy registry URL. |
 | `NPM_PACKAGE_REGISTRY_TOKEN` |  | npm Granular Access Token, scoped to the publishing organization with create-new-package permission. Required only for the token bootstrap (first publish of a new scoped package, before npm Trusted Publisher is bound). Absent → OIDC. |
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@coroboros/ci",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "private": true,
   "description": "Reusable GitHub Actions CI for the Coroboros stack.",
   "license": "SEE LICENSE IN LICENSE.md",

diff --git a/renovate.json b/renovate.json
@@ -65,7 +65,7 @@
         "commands": ["bash .github/renovate/sync-tool-sha.sh"],
         "fileFilters": [
           ".github/actions/security/gitleaks/action.yml",
-          ".github/workflows/self.yml",
+          ".github/workflows/self-lint.yml",
           ".github/actions/rust/install-dist/action.yml"
         ],
         "executionMode": "branch"

diff --git a/test/fixtures/rust-crate/Cargo.lock b/test/fixtures/rust-crate/Cargo.lock
diff --git a/test/fixtures/rust-crate/Cargo.toml b/test/fixtures/rust-crate/Cargo.toml
@@ -0,0 +1,5 @@
+[package]
+name = "ci-fixture-rust"
+version = "0.0.0"
+edition = "2021"
+publish = false
diff --git a/test/fixtures/rust-crate/README.md b/test/fixtures/rust-crate/README.md
@@ -0,0 +1,3 @@
+# ci-fixture-rust
+
+Minimal crate exercising `rust/base` in self-CI. Not published.
diff --git a/test/fixtures/rust-crate/rust-toolchain.toml b/test/fixtures/rust-crate/rust-toolchain.toml
@@ -0,0 +1,2 @@
+[toolchain]
+channel = "stable"
diff --git a/test/fixtures/rust-crate/src/lib.rs b/test/fixtures/rust-crate/src/lib.rs
@@ -0,0 +1,16 @@
+//! Minimal crate exercising `rust/base` (fmt, clippy, test) in self-CI. Not published.
+
+/// Adds two numbers.
+pub fn add(a: i32, b: i32) -> i32 {
+    a + b
+}
+
+#[cfg(test)]
+mod tests {
+    use super::add;
+
+    #[test]
+    fn adds() {
+        assert_eq!(add(2, 2), 4);
+    }
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# ci-fixture-rust

		Minimal crate exercising `rust/base` in self-CI. Not published.