pulseengine · avrabe · Mar 8, 2026 · Mar 8, 2026 · Mar 8, 2026 · Mar 8, 2026
diff --git a/.config/nextest.toml b/.config/nextest.toml
@@ -0,0 +1,10 @@
+# Nextest configuration
+# See https://nexte.st/docs/configuration/
+
+[profile.ci]
+# Fail-fast disabled so all tests run even if some fail
+fail-fast = false
+
+[profile.ci.junit]
+# Output JUnit XML for CI consumption
+path = "junit.xml"
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -0,0 +1,49 @@
+name: Benchmarks
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  benchmark:
+    name: Criterion Benchmarks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+
+      - uses: Swatinem/rust-cache@v2
+
+      - name: Run criterion benchmarks
+        run: cargo bench --bench core_benchmarks -- --output-format=bencher | tee benchmark-output.txt
+
+      - name: Store and compare benchmark results
+        continue-on-error: true
+        uses: benchmark-action/github-action-benchmark@v1
+        with:
+          name: Rivet Criterion Benchmarks
+          tool: cargo
+          output-file-path: benchmark-output.txt
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # Push results to gh-pages on main branch pushes
+          auto-push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          # Comment on PRs when there is a regression
+          comment-on-alert: true
+          # Alert threshold: warn at 120% of baseline
+          alert-threshold: "120%"
+          # Do not fail the workflow on regressions for now (baseline is being established)
+          fail-on-alert: false
+          # Keep benchmark data for the last 30 entries
+          max-items-in-chart: 30
+          # Only save data points on pushes to main (not on PRs)
+          save-data-file: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -88,22 +88,30 @@ jobs:
   # ── Code coverage (Rust nightly for source-based instrumentation) ───
   coverage:
     name: Code Coverage
+    needs: [test]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@nightly
       - uses: Swatinem/rust-cache@v2
       - name: Install cargo-llvm-cov
-        uses: taiki-e/install-action@cargo-llvm-cov
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-llvm-cov
       - name: Generate coverage (LCOV + HTML)
         run: |
-          cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info
-          cargo llvm-cov --all-features --workspace --html --output-dir coverage-html
+          cargo llvm-cov -p rivet-core --lcov --output-path lcov.info
+          cargo llvm-cov -p rivet-core --html --output-dir coverage-html
+      - name: Enforce minimum coverage threshold
+        run: cargo llvm-cov -p rivet-core --fail-under-lines 40
       - name: Upload LCOV to Codecov
+        if: env.CODECOV_TOKEN != ''
         uses: codecov/codecov-action@v4
         with:
           files: lcov.info
           fail_ci_if_error: false
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       - name: Upload HTML coverage report
         uses: actions/upload-artifact@v4
         with:
@@ -121,9 +129,9 @@ jobs:
           components: miri
       - uses: Swatinem/rust-cache@v2
       - name: Run Miri
-        run: cargo miri test --all
+        run: cargo miri test -p rivet-core --lib
         env:
-          MIRIFLAGS: "-Zmiri-strict-provenance"
+          MIRIFLAGS: "-Zmiri-strict-provenance -Zmiri-disable-isolation"
 
   # ── Property-based testing (extended) ───────────────────────────────
   proptest:
@@ -146,9 +154,17 @@ jobs:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
       - name: Install cargo-vet
-        uses: taiki-e/install-action@cargo-vet
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-vet
+      - name: Initialize cargo-vet if needed
+        run: |
+          if [ ! -d supply-chain ]; then
+            cargo vet init
+            echo "::notice::cargo-vet initialized — run 'cargo vet' locally to audit dependencies"
+          fi
       - name: Check supply chain
-        run: cargo vet --locked || echo "::warning::cargo-vet not yet configured — run 'cargo vet init'"
+        run: cargo vet --locked || echo "::warning::cargo-vet found unaudited crates — run 'cargo vet' locally"
 
   # ── MSRV check ──────────────────────────────────────────────────────
   msrv:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,103 @@
+name: Release Test Evidence
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  test-evidence:
+    name: Build Test Evidence Bundle
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@nightly
+        with:
+          components: llvm-tools-preview
+
+      - uses: Swatinem/rust-cache@v2
+
+      # Install tools: cargo-nextest for JUnit XML, cargo-llvm-cov for coverage
+      - name: Install cargo-nextest and cargo-llvm-cov
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-nextest,cargo-llvm-cov
+
+      # ── 1. Test suite with JUnit XML output ─────────────────────────────
+      - name: Run tests with JUnit XML output
+        run: |
+          mkdir -p test-evidence/test-results
+          cargo nextest run --all --profile ci
+          cp target/nextest/ci/junit.xml test-evidence/test-results/junit.xml
+
+      # ── 2. Code coverage (LCOV) ────────────────────────────────────────
+      - name: Generate code coverage (LCOV)
+        run: |
+          mkdir -p test-evidence/coverage
+          cargo llvm-cov --all-features --workspace --lcov --output-path test-evidence/coverage/lcov.info
+          cargo llvm-cov report --all-features --workspace > test-evidence/coverage/summary.txt
+
+      # ── 3. Benchmarks (criterion HTML reports) ─────────────────────────
+      - name: Run criterion benchmarks
+        run: |
+          cargo bench --bench core_benchmarks -- --output-format=criterion
+          mkdir -p test-evidence/benchmarks
+          cp -r target/criterion/* test-evidence/benchmarks/ 2>/dev/null || true
+
+      # ── 4. Rivet validate ──────────────────────────────────────────────
+      - name: Run rivet validate
+        run: |
+          mkdir -p test-evidence/validation
+          set +e
+          cargo run --release -- validate > test-evidence/validation/validate-output.txt 2>&1
+          rc=$?
+          set -e
+          echo "" >> test-evidence/validation/validate-output.txt
+          echo "exit_code=${rc}" >> test-evidence/validation/validate-output.txt
+
+      # ── 5. Metadata ────────────────────────────────────────────────────
+      - name: Generate metadata.json
+        run: |
+          TAG="${GITHUB_REF#refs/tags/}"
+          RUST_VERSION="$(rustc --version)"
+          OS_INFO="$(uname -srm)"
+          TIMESTAMP="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+
+          jq -n \
+            --arg tag "${TAG}" \
+            --arg commit "${GITHUB_SHA}" \
+            --arg timestamp "${TIMESTAMP}" \
+            --arg rust_version "${RUST_VERSION}" \
+            --arg os "${OS_INFO}" \
+            '{tag: $tag, commit: $commit, timestamp: $timestamp, rust_version: $rust_version, os: $os}' \
+            > test-evidence/metadata.json
+
+      # ── 6. Package everything ──────────────────────────────────────────
+      - name: Package test evidence tarball
+        id: package
+        run: |
+          TAG="${GITHUB_REF#refs/tags/}"
+          ARCHIVE="test-evidence-${TAG}.tar.gz"
+          tar czf "${ARCHIVE}" test-evidence/
+          echo "archive=${ARCHIVE}" >> "$GITHUB_OUTPUT"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+
+      # ── 7. Create GitHub Release with asset ────────────────────────────
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="${{ steps.package.outputs.tag }}"
+          ARCHIVE="${{ steps.package.outputs.archive }}"
+
+          gh release create "${TAG}" \
+            --title "Release ${TAG}" \
+            --generate-notes \
+            "${ARCHIVE}#Test Evidence (tar.gz)"