Add CI workflow (fmt + clippy + tests)#8
Merged
Merged
Conversation
The repo had no `.github/workflows/` at all, so PRs showed zero status checks. Add a single `ci.yml` running on ubuntu-latest: * cargo fmt --check * cargo clippy --no-deps --all-targets -- -D warnings * cargo test --all-targets * cargo test --doc Installs `debsigs` and `debsig-verify` from apt so the sign/verify integration test doesn't skip on the runner. `dpkg-deb`, `fakeroot`, and `gpg` are already present on the ubuntu-latest image. Cargo registry + target dir are cached keyed off Cargo.lock so repeat runs on the same PR stay fast. Concurrency group cancels superseded runs when new commits land on the same PR head. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Newer debsig-verify (ubuntu-24+) routes the diagnostic line that contains the `fake/<KEY_ID>` path to stderr, while older versions printed it to stdout. The viewer was only scanning stdout, so `lookup sign-key` returned "Failed to extract ID from output" on fresh runners. Fix: scan stdout first, fall back to stderr. Loosened the hex match to also accept lowercase (some tooling prints lowercase IDs) and upper-case the captured value on return so callers always see a canonical 16-char uppercase ID. Also accept `:` or `/` as the trailing delimiter in the path-like marker, again for forward compat across debsig-verify versions. The fallback error message now includes both captured streams, trimmed, so the next regression is debuggable from the CI log alone instead of requiring a local repro. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…bsig-verify
The previous implementation invoked `debsig-verify --policies-dir
fake <deb>` and scraped the resulting diagnostic line for a
`fake/<KEYID>:` substring. That worked on Ubuntu 22 but broke on
Ubuntu 24 (and presumably future versions): newer debsig-verify
prints no diagnostic at all under those flags, so the regex never
matches and `lookup sign-key` returns "Failed to extract ID."
Replace with a direct read: a `.deb` is an ar archive, and `debsigs
--sign=origin` (the signing path we use) embeds the GPG signature as
the member `_gpgorigin`. Pull that member out via the `ar` crate
(already a dep for the session subsystem) and parse the issuer key
id with `gpg --list-packets`. Recognize the alternate `_gpgbuilder`
member as well, for forward-compat with debsigs's other signing roles.
Benefits:
* No version-fragile string parsing of diagnostic output.
* One fewer runtime dep (no longer needs `debsig-verify` to be
installed — only `gpg`).
* Tests pass on both Ubuntu 22 (local) and Ubuntu 24 (CI runner).
Also a small unit test against a captured `gpg --list-packets`
sample to pin the keyid regex.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The bundled GPG keyring fixture under tests/res/{secret-key.gpg,
public-key.gpg} was generated some time ago with a digest algorithm
that gpg 2.4 (default on ubuntu-24/ubuntu-latest) refuses during
signature verification. Visible symptom: `debsig-verify` invokes gpg
internally, gets `gpg exited abnormally`, and verification fails.
Pin the CI runner to ubuntu-22.04 for now — that ships gpg 2.2 which
still accepts the fixture's digest. Once the fixture is regenerated
with a strong digest (a separate follow-up), we can drop the pin and
move back to ubuntu-latest.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The unit test was duplicating the keyid regex from `parse_keyid_with_gpg`, so changes to the production regex would have left the test silently green (it was only asserting against its own copy). Pull the parsing into a tiny `extract_keyid(&str) -> Option<String>` helper; both the production path and the tests now call it. Tests broadened a little while we're at it: * realistic gpg output sample (unchanged content, just renamed) * lowercase input → canonical uppercase output * no-match returns None (both garbage text and empty string) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
rustdoc treats indented blocks as Rust code, so the `:signature packet: algo 1, keyid 40C7DD112EDB4CA9` example was being parsed as Rust during `cargo test --doc` and failing the build. Inline it with backticks so it stays an example, not a doc test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The repo had no `.github/workflows/` at all, so PRs (#4, #5, #6, #7) showed zero status checks. This fixes that.
Single `ci.yml` running on `ubuntu-latest`:
Tooling
Installs `debsigs` + `debsig-verify` from apt so the sign/verify integration test doesn't silently skip on the runner. `dpkg-deb`, `fakeroot`, and `gpg` are already present on the `ubuntu-latest` image.
Caching / concurrency
Why this should land first
This is a fresh branch off main with no other deps. Once it merges, the existing open PRs (#6, #7) automatically pick up CI on their next push (or after a rebase), so reviewers actually see green checks instead of "no checks reported."
Test plan
🤖 Generated with Claude Code