Skip to content

ci: add a macOS build+test job for contributor portability#824

Merged
github-actions[bot] merged 1 commit into
mainfrom
ci/add-macos-test-job
Jun 21, 2026
Merged

ci: add a macOS build+test job for contributor portability#824
github-actions[bot] merged 1 commit into
mainfrom
ci/add-macos-test-job

Conversation

@satyakwok

@satyakwok satyakwok commented Jun 21, 2026

Copy link
Copy Markdown
Member

Adds a lean macos-latest job (build + test, protoc via Homebrew) alongside the Linux test job. All 17 workflows were ubuntu-only; this catches macOS-specific breakage (paths, mmap/MDBX, time, endianness) for contributors who develop on a Mac.

Kept as a separate job rather than matrix-ifying test so the existing Test check name stays stable (no branch-protection churn) and the platform-agnostic lint/deny/secret-scan steps don't get duplicated on the slower macOS runner.

Validators run Linux/docker only, so this is a contributor-portability signal, not a production target. Suggest letting it bake green before promoting Test (macOS) to a required check.

Summary by CodeRabbit

  • Chores
    • Added macOS platform testing to CI/CD pipeline to ensure cross-platform compatibility alongside existing Linux tests.

Every workflow runs ubuntu-22.04 only. Add a lean macos-latest job that builds
and tests the workspace (protoc via Homebrew) so OS-specific breakage (paths,
mmap/MDBX, time, endianness) surfaces in CI before it reaches a contributor's
Mac. Kept separate from the Linux `test` job — the lint/deny/secret-scan steps
there are platform-agnostic, and a separate job leaves the existing `Test`
check name untouched. Validators run Linux/docker only, so this is a portability
signal, not a production target.
@github-actions github-actions Bot enabled auto-merge (squash) June 21, 2026 03:31
@codecov

codecov Bot commented Jun 21, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@coderabbitai

coderabbitai Bot commented Jun 21, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

A new test-macos job is added to the existing GitHub Actions CI workflow. The job runs on macos-latest and performs the same steps as the existing Linux test job: checkout, pinned Rust toolchain installation, protobuf compiler installation (via Homebrew instead of apt), Cargo artifact caching (keyed with macos in the cache key using Cargo.lock), cargo build --workspace, and cargo test --workspace. The existing Linux job is not modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description is mostly complete with rationale and implementation details, but does not follow the required template structure with sections like Summary, Scope, Checks, Linked issue, and Deploy impact. Restructure the description to match the repository template, including explicit Scope checkbox selection (likely 'Deploy script / CI / docs only'), Checks verification, and Deploy impact confirmation.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title directly and accurately describes the main change: adding a macOS build+test job to CI for improving contributor portability. It is concise, specific, and clearly conveys the primary purpose of the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/add-macos-test-job

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 109-113: The Build step runs cargo build without the --release
flag, which places compiled binaries in target/debug/, but the job later uploads
artifacts from target/release/ paths. This mismatch causes missing release
artifacts. Add the --release flag to the cargo build --workspace command to
ensure binaries are compiled in release mode and placed in the target/release/
directory that matches the upload paths.
- Line 101: The `actions/cache` action reference on line 101 uses a mutable tag
(v5) instead of a pinned commit SHA, which violates the strict workflow
integrity policy. Replace the `uses: actions/cache@v5` statement with a
reference to a full commit SHA (get the SHA for the v5 release from the
actions/cache repository), and add a comment noting the tag version (e.g., # v5)
for readability, following the same pattern already applied to
`dtolnay/rust-toolchain` earlier in the workflow file.
- Line 92: In the checkout action step, replace the unpinned
`actions/checkout@v5` tag with a pinned commit SHA to match the repo's security
practices (consistent with line 95), and add `persist-credentials: false` since
no authenticated git operations occur later in the job. Additionally, in the
cargo build step, change `cargo build --workspace` to `cargo build --workspace
--release` to ensure the binary is built in release mode, matching the release
artifact paths (`target/release/sentrix` and `target/release/sentrix-faucet`)
referenced in the subsequent upload steps.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 557ba402-05a1-4b80-9f87-fb268ff2f3fa

📥 Commits

Reviewing files that changed from the base of the PR and between e0f3573 and 92ecc56.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Comment thread .github/workflows/ci.yml
name: Test (macOS)
runs-on: macos-latest
steps:
- uses: actions/checkout@v5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/ci.yml | sed -n '80,115p'

Repository: sentrix-labs/sentrix

Length of output: 1518


🏁 Script executed:

cat -n .github/workflows/ci.yml | sed -n '115,135p'

Repository: sentrix-labs/sentrix

Length of output: 1116


🏁 Script executed:

rg 'uses: actions/(checkout|cache|upload-artifact)@' .github/workflows/ci.yml

Repository: sentrix-labs/sentrix

Length of output: 375


Pin checkout action to commit SHA, disable credential persistence, and fix build profile mismatch.

Line 92 uses unpinned actions/checkout@v5 (a moving tag) and keeps default credential persistence. This contradicts the repo's own practice of pinning actions to commit SHAs (see line 95). Pin to a commit SHA and set persist-credentials: false since no authenticated git operations occur later in the job.

Additionally, line 110 builds with cargo build --workspace (debug profile), but lines 120 and 128 attempt to upload release artifacts (target/release/sentrix and target/release/sentrix-faucet). This mismatch will cause artifact uploads to fail silently on main pushes. Change line 110 to cargo build --workspace --release.

Suggested patches
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@<commit_sha>
+        with:
+          persist-credentials: false
       - name: Build
-        run: cargo build --workspace
+        run: cargo build --workspace --release
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 92-92: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 92-92: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 92, In the checkout action step, replace
the unpinned `actions/checkout@v5` tag with a pinned commit SHA to match the
repo's security practices (consistent with line 95), and add
`persist-credentials: false` since no authenticated git operations occur later
in the job. Additionally, in the cargo build step, change `cargo build
--workspace` to `cargo build --workspace --release` to ensure the binary is
built in release mode, matching the release artifact paths
(`target/release/sentrix` and `target/release/sentrix-faucet`) referenced in the
subsequent upload steps.

Source: Linters/SAST tools

Comment thread .github/workflows/ci.yml
run: brew install protobuf

- name: Cache cargo
uses: actions/cache@v5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if the workflow file exists and read it
if [ -f .github/workflows/ci.yml ]; then
  echo "=== File exists, reading content ==="
  wc -l .github/workflows/ci.yml
  echo "=== Content around line 101 ==="
  sed -n '95,110p' .github/workflows/ci.yml
else
  echo "File not found"
fi

Repository: sentrix-labs/sentrix

Length of output: 650


🌐 Web query:

GitHub Actions security best practices pinning commit SHA vs tag version references

💡 Result:

Pinning GitHub Actions to a full-length commit SHA is the recommended security best practice for ensuring the integrity and immutability of your CI/CD pipelines [1][2][3]. The fundamental distinction lies in mutability: - Commit SHA (Immutable): A full-length commit SHA refers to a specific, unique snapshot of the action's code [4][5][6]. Once a commit is created, its content cannot change, providing a guarantee that your workflow will execute the exact same code every time it runs [4][6]. - Tags (Mutable): Git tags (e.g., v1, v4.2.1) are merely pointers [7]. A repository maintainer—or a malicious actor who compromises the repository—can move a tag at any time to point to a different commit [7][8][4]. Using tags introduces a supply chain risk where your pipeline could silently execute different, potentially malicious code without any change to your workflow file [7][4][5]. Security Recommendations: 1. Pin to Full SHA: Always use the full-length commit SHA for third-party actions to prevent "retargeting" attacks [1][2]. 2. Maintain Readability: To keep workflows maintainable, include the original tag version as a comment next to the SHA [7][6][9]. Example: uses: actions/checkout@a84108e4... # v4.1.0 [1][7] 3. Use Automated Tools: Use tools like Dependabot, Renovate, or specialized CLI tools (e.g., pin-github-action, ratchet, or zizmor) to manage these pins, automate updates, and ensure you remain on secure versions while minimizing the manual maintenance burden [7][5][10][6]. 4. Organizational Policy: GitHub allows administrators to enforce full commit SHA pinning at the organization or repository level [11][2][9]. When enabled, any workflow referencing an action by a tag will fail, ensuring compliance across your infrastructure [4][9]. 5. Trust and Verification: While SHA pinning is the primary technical control, it does not replace the need for supply chain hygiene [8]. Always verify that the SHA belongs to the legitimate upstream repository and not a fork [1][3][10]. Organizations should prioritize SHA pinning as part of a broader "secure by default" strategy, acknowledging that while tags offer convenience for local or internal development, they are inadequate for high-assurance, production-grade workflows [2][3][6].

Citations:


Pin actions/cache to a full commit SHA.

Line 101 references actions/cache@v5 by tag, which is mutable. Pinning to a commit SHA is required to satisfy strict workflow integrity policy and prevent supply-chain drift. The repository already pins dtolnay/rust-toolchain to a commit SHA (line 95); apply the same pattern here by including the tag as a comment for readability.

Suggested patch
      - name: Cache cargo
        uses: actions/cache@<full_commit_sha> # v5
        with:
🧰 Tools
🪛 zizmor (1.25.2)

[error] 101-101: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 101, The `actions/cache` action reference
on line 101 uses a mutable tag (v5) instead of a pinned commit SHA, which
violates the strict workflow integrity policy. Replace the `uses:
actions/cache@v5` statement with a reference to a full commit SHA (get the SHA
for the v5 release from the actions/cache repository), and add a comment noting
the tag version (e.g., # v5) for readability, following the same pattern already
applied to `dtolnay/rust-toolchain` earlier in the workflow file.

Source: Linters/SAST tools

Comment thread .github/workflows/ci.yml
Comment on lines +109 to +113
- name: Build
run: cargo build --workspace

- name: Test
run: cargo test --workspace

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Build profile is inconsistent with release artifact upload paths.

Line 110 builds without --release, but this job later uploads binaries from target/release/.... That mismatch can yield missing/empty release artifacts on main pushes. Build in release mode here (or update upload paths intentionally).

Suggested patch
       - name: Build
-        run: cargo build --workspace
+        run: cargo build --workspace --release
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 109 - 113, The Build step runs cargo
build without the --release flag, which places compiled binaries in
target/debug/, but the job later uploads artifacts from target/release/ paths.
This mismatch causes missing release artifacts. Add the --release flag to the
cargo build --workspace command to ensure binaries are compiled in release mode
and placed in the target/release/ directory that matches the upload paths.

@github-actions github-actions Bot merged commit 2671e95 into main Jun 21, 2026
18 checks passed
@satyakwok satyakwok deleted the ci/add-macos-test-job branch June 21, 2026 03:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant