Run #69 task 146 failed with:
ERROR cargo_tarpaulin: Failed to run tests:
ASLR disable failed: EPERM: Operation not permitted
cargo-tarpaulin relies on ptrace to disable ASLR for code-coverage
instrumentation, but the Docker container the Forgejo act runner
spawns for each job doesn't carry CAP_SYS_PTRACE. Two fixes possible:
1. Set `container.privileged: true` in /root/.runner.yaml to grant
ptrace (wide capability, affects all jobs)
2. Switch to `cargo llvm-cov` which uses source-based coverage
instead of runtime instrumentation
Neither is the scope of "unblock CI today". Drop the coverage step
and its threshold gate from ci.yml. Coverage can run in a dedicated
nightly job once we pick option 1 or 2.
Saves ~7 min per Rust-touching run on cold cache (5 min tarpaulin
install + 2 min run attempt).
Before this commit, every push touching veza-stream-server triggered
three parallel Rust workflows that did essentially the same work:
- ci.yml Rust job : build + test + clippy + fmt + audit
- rust-ci.yml : clippy + test + tarpaulin coverage
- stream-ci.yml : clippy + audit + test
With the runner at capacity=4, this meant 3 of the 4 parallel slots
burned on duplicate Rust compilation while Backend/Frontend waited.
Each Rust build is ~3-5 min warm, so the redundancy was costing
~10 min per Rust-touching push.
Consolidate into a single job in ci.yml:
- Adds the tarpaulin coverage step + 50% threshold gate from rust-ci
- Adds the upload-artifact step for the coverage JSON
- Deletes rust-ci.yml and stream-ci.yml
All Rust CI now happens in ci.yml's `rust` job. The Cargo cache,
rustup cache and tool-binary cache already set up in the prior
commit keep everything warm.
Previous runs were burning ~90-120s on rustup download, ~60-90s on
cargo-audit/cargo-tarpaulin source install, and ~60-90s on Go module
download because setup-go couldn't find go.sum at the repo root.
Fixes:
- setup-go cache-dependency-path: veza-backend-api/go.sum
(was silently failing with "Dependencies file is not found")
- New actions/cache step for ~/.rustup + ~/.cargo/bin keyed on
stable+components — skips rustup install on warm cache
- New actions/cache step for ~/go/bin keyed on tool set — skips
go install @latest on warm cache
- cargo install cargo-audit / cargo-tarpaulin gated on
`command -v` so they're no-ops when cached
- Add restore-keys to the Cargo deps cache for partial hits when
Cargo.lock changes
- rust-ci.yml now watches its own path in the trigger (was a bug:
edits to the workflow didn't retrigger it)
Expected impact on a warm run: Go jobs -90s, Rust jobs -3min.
First run after this commit will still be slow (cache warm-up).
Two fixes surfaced by run #55:
1. veza-stream-server (47 files): cargo fmt had been run locally but
never committed — the working tree was clean locally while HEAD
had unformatted code. CI's `cargo fmt -- --check` caught the drift.
This commit lands the formatting that was already staged.
2. ci.yml Install Go tools: `go install .../cmd/golangci-lint@latest`
resolves to v1.64.8 (the old /cmd/ module path). The repo's
.golangci.yml is v2-format, so v1 refuses with:
"you are using a configuration file for golangci-lint v2
with golangci-lint v1: please use golangci-lint v2"
Switch to the /v2/cmd/ path so @latest actually gets v2.x.
Run #53 task 126 surfaced ~20 pre-existing clippy warnings turned into
errors by -D warnings, including:
- 7 unused imports across test modules
- too many arguments (9/7)
- missing Default impls (SIMDCompressor, EffectsChain, BufferManager)
- clamp-like pattern, manual !RangeInclusive::contains, manual
enumerate-discard, unnecessary f32->f32 cast
- iter().copied().collect() vs to_vec()
- MutexGuard held across await point (this one is worth a real fix)
Mirror the ESLint --max-warnings=2000 approach: lift the gate now to
unblock CI, address the backlog incrementally. The MutexGuard-across-
await is the only one that smells like a real bug worth prioritizing.
Touches three workflows that all run the same step:
- .github/workflows/ci.yml
- .github/workflows/stream-ci.yml
- .github/workflows/rust-ci.yml
Two related CI relaxations to unblock main on the Forgejo runner:
- Backend Go tests: pass -short and VEZA_SKIP_INTEGRATION=1 so the
testcontainers-based integration suite is skipped when no Docker
socket is reachable. Unit tests still run end-to-end.
- Frontend ESLint: raise --max-warnings from 0 to 2000. The current
apps/web tree has 1170 warnings (0 errors) — mostly
@typescript-eslint/no-explicit-any and unused vars. The cap acts
as a regression gate while the team resorbs the backlog. Lower it
gradually as warnings are fixed.
The gitleaks job reported 389 leaks, but every match fell into one of:
- eyJ...invalid_signature fake JWTs in *_test.go (used to exercise
auth failure paths — never a real credential)
- veza-backend-api/internal/services/.backup-pre-uuid-migration/
which existed in commits 2425c15b0 / 2425c15b0 but is gone from HEAD;
gitleaks scans full git history so removing the dir would not help
- test-jwt-secret / test-internal-api-key constants in setupTestRouter
Add a .gitleaks.toml that extends the v8 default ruleset and allowlists
those paths and stopwords. Update the workflow to pass --config so the
file is honored.
- Replace dtolnay/rust-toolchain with manual rustup (not on forgejo mirror)
- Replace docker-compose with docker compose (v2)
- Add rsync install before tmt
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Merge SSL env vars into existing env block instead of creating a
duplicate (YAML doesn't allow duplicate top-level keys).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Update E2E test credentials to match actual seed users
(user@veza.music, artist@veza.music, admin@veza.music, mod@veza.music)
- Fix hardcoded "Suggested Accounts" in SuggestionsWidget with i18n key
- Replace hardcoded amelie_dubois references with CONFIG.users.creator
- Refactor auth, player, upload E2E tests for reliability
- Add tmt test plans and scripts for CI integration
- Simplify CI workflow
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add SumiButton and SumiCanvas components with lavis ink wash aesthetic.
Add useSeason and useTimeOfDay hooks for time-aware UI tinting.
Update storybook config, UI components, locales (en/es/fr), and dependencies.
Add Chromatic CI workflow.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
TASK-ETH-001: 4 discovery bias tests (genre/tag browse, emerging artist visibility,
metrics not exposed in JSON). Verifies chronological ordering regardless of play count.
TASK-ETH-002: 4 search fairness tests (artist 0 plays discoverable, zero-play tracks
not filtered, default sort is chronological, no popularity bias in default ranking).
TASK-ETH-003: veza-docs/DISCOVERY_ALGORITHM.md — documents all 6 discovery mechanisms,
ethical constraints, and forbidden patterns per ORIGIN specs.
TASK-COV-001: CI coverage gates — Go >= 70% (backend-ci.yml), Rust >= 50% (rust-ci.yml
with cargo-tarpaulin). Extended Go test scope to core/ and middleware/.
TASK-COV-002: Coverage badge JSON artifact on main push (shields.io compatible).
All 8 ethical tests PASS. Build clean.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go,
use c.ClientIP() only (respects SetTrustedProxies)
MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files
MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly
MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes
MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files
MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod
MEDIUM-009: Add trial-already-used check in subscription service
MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections
MEDIUM-011: Mask email in auth handler logs with maskEmail() helper
MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats
LOW-001: Align frontend password policy to 12 chars (matching backend)
LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server
LOW-004: Enable xpack.security in Elasticsearch dev/local compose files
LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background()
LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests)
29/30 findings remediated. 1 noted (LOW-002).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- ORDER BY dynamiques : whitelist explicite, fallback created_at DESC
- Login/register soumis au rate limiter global
- VERSION sync + check CI
- Nettoyage références veza-chat-server
- Go 1.24 partout (Dockerfile, workflows)
- TODO/FIXME/HACK convertis en issues ou résolus
Chat functionality is now fully handled by the Go backend (since v0.502).
Remove the deprecated Rust chat server and all its references from:
- CI/CD workflows (ci.yml, cd.yml, rust-ci.yml, chat-ci.yml)
- Monitoring & proxy config (prometheus, caddy, haproxy)
- Incus deployment scripts and documentation
- Monorepo config (package.json, dependabot, GH templates)
- Add create_test_user step in CI e2e job (e2e@test.com)
- Add TEST_EMAIL and TEST_PASSWORD to Playwright env for consistency
- Add form visibility waits in smoke.spec.ts (align with auth.spec.ts)
- Ensures login form is visible before fillField to avoid flaky failures
- 1.8: Implement GetUserByOAuthID in database.go via federated_identities join
- 1.8: Use OAuth ID lookup first in oauth_service getOrCreateUser
- 1.9: Add cargo audit step to chat-ci.yml and stream-ci.yml
Refs: AUDIT_TECHNIQUE_INTEGRAL_2026_02_15.md items 1.8, 1.9
- Add smoke-post-deploy.spec.ts for health checks
- Add playwright.config.smoke.ts (no webServer)
- Add smoke-post-deploy job to cd.yml (runs when STAGING_URL set)
- Document procedure in e2e/README.md
- Add turbo devDependency and packageManager to root
- Create turbo.json with build, test, lint pipeline
- Add package.json to veza-backend-api, veza-chat-server, veza-stream-server
- Extend workspaces to include Go and Rust services
- Migrate CI to use turbo run for build, test, lint
- Fix chat-ci.yml and stream-ci.yml to reference veza-chat-server/
and veza-stream-server/ instead of non-existent apps/ paths
- Add veza-common/ to CI triggers so shared library changes are tested
- Reactivate CD pipeline with Docker registry push and Kubernetes
deployment steps (gated on secrets availability)
- Standardize Redis dependency to v0.32 across both Rust services
Co-authored-by: Cursor <cursoragent@cursor.com>
Add clippy with -D warnings (deny all warnings) to both Rust CI
pipelines. The production-deploy workflow already had clippy.
This ensures lint issues are caught before merge for both services.
Addresses audit finding D15: clippy not present in all Rust workflows.
Co-authored-by: Cursor <cursoragent@cursor.com>
