From ec08b638d24ce2f9903a1b754339aed44824553c Mon Sep 17 00:00:00 2001
From: senke
Date: Tue, 14 Apr 2026 16:22:38 +0200
Subject: [PATCH] ci(rust): drop tarpaulin coverage step (ASLR ptrace not available)

Run #69 task 146 failed with: ERROR cargo_tarpaulin: Failed to run tests: ASLR disable failed: EPERM: Operation not permitted cargo-tarpaulin relies on ptrace to disable ASLR for code-coverage instrumentation, but the Docker container the Forgejo act runner spawns for each job doesn't carry CAP_SYS_PTRACE. Two fixes possible: 1. Set `container.privileged: true` in /root/.runner.yaml to grant ptrace (wide capability, affects all jobs) 2. Switch to `cargo llvm-cov` which uses source-based coverage instead of runtime instrumentation Neither is the scope of "unblock CI today". Drop the coverage step and its threshold gate from ci.yml. Coverage can run in a dedicated nightly job once we pick option 1 or 2. Saves ~7 min per Rust-touching run on cold cache (5 min tarpaulin install + 2 min run attempt).
---
.github/workflows/ci.yml | 33 +++++++++------------------------
1 file changed, 9 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 18393f88b..67c18cd33 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -189,30 +189,15 @@ jobs:
 cargo audit
 working-directory: veza-stream-server
- - name: Measure coverage
- # cargo-tarpaulin is cached with the rustup toolchain.
- run: |
- command -v cargo-tarpaulin >/dev/null || cargo install cargo-tarpaulin --locked
- cargo tarpaulin --out json --output-dir target/coverage --timeout 300 --skip-clean
- working-directory: veza-stream-server
-
- - name: Enforce coverage threshold (>= 50%)
- run: |
- COVERAGE=$(python3 -c "import sys,json; print(f'{json.load(open(\"target/coverage/tarpaulin-report.json\")).get(\"coverage\", 0):.1f}')")
- echo "Rust coverage: ${COVERAGE}%"
- COV_INT=$(echo "$COVERAGE" | cut -d. -f1)
- if [ "$COV_INT" -lt 50 ]; then
- echo "::error::Rust coverage ${COVERAGE}% is below the 50% threshold"
- exit 1
- fi
- echo "::notice::Rust coverage ${COVERAGE}% meets the >= 50% threshold"
- working-directory: veza-stream-server
-
- - name: Upload coverage report
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
- with:
- name: rust-coverage
- path: veza-stream-server/target/coverage/tarpaulin-report.json
+ # Rust coverage via cargo-tarpaulin is disabled in ci.yml because
+ # tarpaulin needs CAP_SYS_PTRACE to disable ASLR, which the Docker
+ # container running the Forgejo act runner doesn't grant:
+ # "ERROR cargo_tarpaulin: Failed to run tests:
+ # ASLR disable failed: EPERM: Operation not permitted"
+ # Either (a) add `privileged: true` to the runner's container
+ # config to grant ptrace, or (b) switch to `cargo llvm-cov`
+ # which uses source-based coverage and doesn't need ptrace.
+ # Until then, run coverage locally or in a dedicated nightly job.
 # ===========================================================================
 # Notify on failure
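Review bot: The added comment offers `privileged: true` on the runner container as option (a) without the "wide capability, affects all jobs" caveat that the commit message carries, so in the file it reads as an equal alternative to `cargo llvm-cov`. A privileged container receives every capability, host device access and no seccomp/AppArmor confinement, and the setting applies to every job the runner executes, including jobs built from untrusted branches, which is far wider than the single ASLR/ptrace permission tarpaulin is missing. I would list llvm-cov first and mark the other explicitly, e.g. `# NOT recommended: privileged: true on the runner applies to all jobs and removes container isolation`. Since the 50% threshold gate is removed together with the step, the comment could also carry a tracked follow-up such as `# TODO(<issue-id>): restore the coverage gate in a nightly job` so the gate is not silently lost.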