From 62196e5d742e5adde0e455da2434f0609fd95724 Mon Sep 17 00:00:00 2001 From: Sharang Parnerkar Date: Mon, 2 Mar 2026 17:26:27 +0100 Subject: [PATCH] Add CI pipeline for Gitea Actions Format, clippy, security audit, and test stages adapted from certifai. Clippy and tests run per-crate with proper feature gating for the dashboard's server/web split. Co-Authored-By: Claude Opus 4.6 --- .gitea/workflows/ci.yml | 126 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 .gitea/workflows/ci.yml
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
new file mode 100644
index 0000000..63f51b8
--- /dev/null
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,126 @@
+name: CI
+
+on:
+ push:
+ branches:
+ - "**"
+ pull_request:
+ branches:
+ - main
+
+env:
+ CARGO_TERM_COLOR: always
+ RUSTFLAGS: "-D warnings"
+ # sccache caches compilation artifacts within a job so that compiling
+ # both --features server and --features web shares common crate work.
+ RUSTC_WRAPPER: /usr/local/bin/sccache
+ SCCACHE_DIR: /tmp/sccache
+
+# Cancel in-progress runs for the same branch/PR
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ # ---------------------------------------------------------------------------
+ # Stage 1: Code quality checks (run in parallel)
+ # ---------------------------------------------------------------------------
+ fmt:
+ name: Format
+ runs-on: docker
+ container:
+ image: rust:1.89-bookworm
+ steps:
+ - name: Checkout
+ run: |
+ git init
+ git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+ git fetch --depth=1 origin "${GITHUB_SHA}"
+ git checkout FETCH_HEAD
+ - run: rustup component add rustfmt
+ # Format check does not compile, so sccache is not needed here.
+ - run: cargo fmt --all --check
+ env:
+ RUSTC_WRAPPER: ""
+
+ clippy:
+ name: Clippy
+ runs-on: docker
+ container:
+ image: rust:1.89-bookworm
+ steps:
+ - name: Checkout
+ run: |
+ git init
+ git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+ git fetch --depth=1 origin "${GITHUB_SHA}"
+ git checkout FETCH_HEAD
+ - name: Install sccache
+ run: |
+ curl -fsSL https://github.com/mozilla/sccache/releases/download/v0.9.1/sccache-v0.9.1-x86_64-unknown-linux-musl.tar.gz \
+ | tar xz --strip-components=1 -C /usr/local/bin/ sccache-v0.9.1-x86_64-unknown-linux-musl/sccache
+ chmod +x /usr/local/bin/sccache
+ - run: rustup component add clippy
+ # Lint the agent (native only).
+ - name: Clippy (agent)
+ run: cargo clippy -p compliance-agent -- -D warnings
+ # Lint the dashboard for both feature sets independently.
+ # sccache deduplicates shared crates between the two compilations.
+ - name: Clippy (dashboard server)
+ run: cargo clippy -p compliance-dashboard --features server --no-default-features -- -D warnings
+ - name: Clippy (dashboard web)
+ run: cargo clippy -p compliance-dashboard --features web --no-default-features -- -D warnings
+ - name: Show sccache stats
+ run: sccache --show-stats
+ if: always()
+
+ audit:
+ name: Security Audit
+ runs-on: docker
+ if: github.ref == 'refs/heads/main'
+ container:
+ image: rust:1.89-bookworm
+ steps:
+ - name: Checkout
+ run: |
+ git init
+ git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+ git fetch --depth=1 origin "${GITHUB_SHA}"
+ git checkout FETCH_HEAD
+ - run: cargo install cargo-audit
+ env:
+ RUSTC_WRAPPER: ""
+ - run: cargo audit
+ env:
+ RUSTC_WRAPPER: ""
+
+ # ---------------------------------------------------------------------------
+ # Stage 2: Tests (only after all quality checks pass)
+ # ---------------------------------------------------------------------------
+ test:
+ name: Tests
+ runs-on: docker
+ needs: [fmt, clippy, audit]
+ container:
+ image: rust:1.89-bookworm
+ steps:
+ - name: Checkout
+ run: |
+ git init
+ git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+ git fetch --depth=1 origin "${GITHUB_SHA}"
+ git checkout FETCH_HEAD
+ - name: Install sccache
+ run: |
+ curl -fsSL https://github.com/mozilla/sccache/releases/download/v0.9.1/sccache-v0.9.1-x86_64-unknown-linux-musl.tar.gz \
+ | tar xz --strip-components=1 -C /usr/local/bin/ sccache-v0.9.1-x86_64-unknown-linux-musl/sccache
+ chmod +x /usr/local/bin/sccache
+ - name: Run tests (core + agent)
+ run: cargo test -p compliance-core -p compliance-agent
+ - name: Run tests (dashboard server)
+ run: cargo test -p compliance-dashboard --features server --no-default-features
+ - name: Run tests (dashboard web)
+ run: cargo test -p compliance-dashboard --features web --no-default-features
+ - name: Show sccache stats
+ run: sccache --show-stats
+ if: always()
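Review bot: The `Install sccache` steps in the `clippy` and `test` jobs pipe a release tarball from `curl` straight into `tar` and install the result as `RUSTC_WRAPPER` with no integrity check, so whatever that URL serves ends up wrapping every compiler invocation in the pipeline. Download to a file first and verify a digest pinned in the workflow before extracting, e.g. `echo "<PINNED_SHA256>  sccache.tgz" | sha256sum -c -`; the `audit` job's `cargo install cargo-audit` likewise takes whatever release is newest and would be more reproducible as `cargo install cargo-audit --locked --version <PINNED_VERSION>`. Separately, `audit` is limited to `refs/heads/main` while `test` lists it in `needs`, so on other branches and on pull requests the dependency audit does not run before merge and, if Gitea follows the usual skipped-dependency behaviour, `test` is skipped along with it. Dropping `audit` from `needs`, or running it on every ref, would keep both gates active.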