The ci-run.yml workflow was referenced in docs/contributing/ci-map.md
and branch protection rules but never existed in the repository,
causing push-triggered CI runs to fail immediately with zero jobs
and no logs.
This adds the workflow with all documented jobs: lint, strict delta
lint, test, build (linux + macOS), docs quality, and the CI Required
Gate composite check. Triggers on both push and pull_request to master.
Fixes #2853
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(onboard): add --reinit flag to prevent accidental config overwrite
Add --reinit flag to onboard command that:
- Backs up existing ~/.zeroclaw directory with timestamp
- Starts fresh initialization after backup
- Requires --interactive mode to work
- Prevents accidental configuration loss
This addresses issue #3013 where onboard could accidentally
overwrite all configuration without warning.
Closes #3013
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix(ci): SHA-pin all third-party GitHub Actions
Replace mutable version tags with immutable commit SHAs to prevent
tag-hijacking supply chain attacks (P1 finding).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: retrigger CI after startup_failure
* fix(onboard): address PR #3102 review issues for --reinit flag
- Use resolve_runtime_dirs_for_onboarding() instead of hardcoded ~/.zeroclaw
- Remove unsafe relative path fallback, bail instead
- Add user confirmation prompt before reinitializing config
- Update docs/reference/cli/commands-reference.md with --reinit docs
* style: fix cargo fmt and clippy violations
- Fix import ordering in src/config/mod.rs (rustfmt)
- Collapse single-arg encrypt/decrypt calls in src/config/schema.rs (rustfmt)
- Box::pin large onboard futures to fix clippy::large_futures in src/main.rs
These violations were blocking CI lint checks.
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Simian Astronaut 7 <simianastronaut7@gmail.com>
- Add @theonlyhennygod as first-listed code owner on all CODEOWNERS paths
- Add SimianAstronaut7 as maintainer with PR approval authority in docs
- Normalize WORKFLOW_OWNER_LOGINS casing to canonical GitHub logins
The taiki-e/install-action is likely not on the org/repo Actions
allowlist, causing startup_failure for the entire workflow. Revert
to cargo install for cargo-audit and cargo-deny.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Instead of each build matrix job independently installing Node.js and
running npm ci/build, extract web dashboard build into a single job
that uploads web/dist/ as an artifact. Build jobs download it before
cargo build. Reduces total CI time by ~3 Node installs + builds.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
RustEmbed requires web/dist/ to exist at compile time. The PR checks
workflow used a placeholder mkdir, but release workflows need real
built assets since they produce the distributed binary. Add Node.js
setup and npm ci/build before cargo build in all three release/build
workflows.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add composite Gate job to checks-on-pr.yml so branch protection
only needs a single required check. Replace cargo-install with
taiki-e/install-action for cargo-audit and cargo-deny to cut
minutes off every PR run. Mark CI/CD P1/P2 findings as resolved
in refactor-candidates.md.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Narrow workflow-level permissions to contents:read and grant
write access only to the specific jobs that need it (publish
gets contents:write, docker gets packages:write). Reduces blast
radius if a build step is compromised (P1 finding).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace mutable version tags with immutable commit SHAs to prevent
tag-hijacking supply chain attacks (P1 finding).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
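A check for the pinning described in the commit message above, as an added example that is not part of the repository's code: it lists the `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA. The sample workflow, its placeholder SHA, and the `trusted_owners` exemption are assumptions of this example.

```python
import re

# A step's `uses:` value, e.g. "- uses: owner/repo/path@ref  # v4"; commented-out lines do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Swatinem/rust-cache@0123456789abcdef0123456789abcdef01234567 # placeholder
      - uses: taiki-e/install-action@main
      - uses: ./.github/actions/setup
      - uses: docker://alpine:3.20
"""


def unpinned_actions(workflow_text, trusted_owners=()):
    """Return (line_no, reference, reason) for every `uses:` that is not immutable.

    trusted_owners is a hypothetical exemption list (e.g. ("actions",)) for
    owners a project chooses not to treat as third-party.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action: versioned together with the repository
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((line_no, ref, "image not pinned by digest"))
            continue
        target, _, version = ref.partition("@")
        if target.split("/", 1)[0] in trusted_owners:
            continue
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref, "ref %r is not a full commit SHA" % version))
    return findings


if __name__ == "__main__":
    for line_no, ref, reason in unpinned_actions(SAMPLE):
        print("line %d: %s (%s)" % (line_no, ref, reason))
```

Tags and branch names such as `v4` or `main` are flagged because the owner of the action can move them to a different commit; a full SHA cannot be repointed.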
Apply cargo fmt to fix formatting diffs in openrouter.rs and serial.rs.
Add web/dist placeholder step to lint, test, and build jobs so
RustEmbed compiles without the gitignored frontend assets.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rename all 4 workflow files to match trigger and purpose
- Expand PR quality gate with dedicated lint and security audit jobs
- Align workflow display names, concurrency groups, and all doc references
- Add .zeroclaw/* to .gitignore to exclude ZeroClaw files from version control.
- Update CODEOWNERS to include @SimianAstronaut7 as a maintainer alongside @jordanthejet.
- Change dependabot target branch from dev to master for all update configurations.
- Revise master-branch-flow documentation to clarify active workflows and triggers.
The macos-13 runner is deprecated by GitHub Actions, causing the
x86_64-apple-darwin build to instantly cancel with no runner assigned.
This cascades to skip publish and docker jobs since they depend on all
matrix builds succeeding.
Intel Macs have been EOL since 2022; aarch64-apple-darwin via macos-14
covers all current macOS users (Rosetta handles x86_64 if needed).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace all dev/main branch references with master across docs,
templates, CI docs, and localized files (en, vi)
- Remove dev->main promotion model (no more Main Promotion Gate)
- Rename main-branch-flow.md to master-branch-flow.md and rewrite
for single-branch workflow
- Update maintainers to theonlyhennygod and jordanthejet
- Update CODEOWNERS: replace @chumyin with @jordanthejet
- Update WORKFLOW_OWNER_LOGINS fallback references
- Update CODE_OF_CONDUCT enforcement contact to @argenistherose
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add concurrency group to promote-release workflow
- Fix markdown emphasis style in README (MD049)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sccache GHA cache backend is fragile — fails the entire build when
GitHub's artifact cache service is unavailable. Removed in favor of
Swatinem/rust-cache which handles failures gracefully.
Kept: mold linker, cargo-nextest, CARGO_INCREMENTAL=0.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- sccache: compiler caching for test builds (11-14% faster compilation)
- mold: faster linker on Linux builds
- cargo-nextest: parallel test runner (up to 35-60% faster tests)
- CARGO_INCREMENTAL=0: disable incremental compilation overhead in CI
Allowlist impact: added mozilla-actions/sccache-action@*
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Auto CI on PRs builds linux x86_64 and macOS arm64 only.
Remaining targets (linux arm64, macOS x86, Windows) available via
manual workflow_dispatch in ci-full.yml.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- CI now builds across all 5 targets (linux x86/arm64, macOS x86/arm64,
Windows) matching the release matrix
- Fix chat_fails_without_credentials test to accept "builder error"
which occurs in CI environments without native TLS
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The default branch is master, not main. Updates CI and Beta Release
workflow triggers and corresponding docs references.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove 22 workflow files and 9 JS scripts. Replace with 3 workflows:
- ci.yml: test + build on PRs
- release.yml: auto beta release on merge to main
- promote-release.yml: manual stable release promotion
Update README Development section to document the new CI/CD system.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Register Novita AI in provider factory with NOVITA_API_KEY env var
- Add to integrations registry with active/available status detection
- Configure onboarding wizard with default model and API endpoint
- Add to PR labeler provider keyword hints
- Update providers reference documentation
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Update ci-build-fast.yml to use MIR-precise mode, which reads actual
compiler MIR to build a ground-truth call graph. This stubs 1,060 mono
items (vs 799 with syn-based analysis), reducing fresh build wall time
by 27.2% on a 48-core server (vs 9.1% with syn alone).
Update docs with new benchmark table showing both modes.
Add ci-build-fast.yml that runs a cargo-slicer-optimized release build
alongside the existing Build (Smoke) job. cargo-slicer stubs 2,059
unreachable library functions at the MIR level, skipping their LLVM
codegen. Benchmarks show -11.7% wall time on a 48-core server and
-28.6% on a Raspberry Pi 4; 2-vCPU CI runners should see ~25-30%.
The new job is non-blocking — it does not gate merges.
Replace individual >> redirects with a single grouped { ... } >> block
to resolve shellcheck SC2129 and satisfy actionlint.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- pr-auto-response.yml: restore permissions, steps, and checkout in
contributor-tier-issues job (broken by runner swap)
- pr-check-stale.yml: restore steps block and step name
- pr-intake-checks.yml: restore steps block, checkout, and timeout
- pr-check-status.yml: revert STALE_HOURS from 4 to 48 (not a cost
optimization; 4h is too aggressive), switch to ubuntu-latest per
PR description
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: Add GitHub Actions workflows for security audits, CodeQL analysis, contributor updates, performance benchmarks, integration tests, fuzz testing, and reusable Rust build jobs
- Implemented `sec-audit.yml` for Rust package security audits using `rustsec/audit-check` and `cargo-deny-action`.
- Created `sec-codeql.yml` for CodeQL analysis scheduled twice daily.
- Added `sync-contributors.yml` to update the NOTICE file with new contributors automatically.
- Introduced `test-benchmarks.yml` for performance benchmarks using Criterion.
- Established `test-e2e.yml` for running integration and end-to-end tests.
- Developed `test-fuzz.yml` for fuzz testing with configurable runtime.
- Created `test-rust-build.yml` as a reusable job for executing Rust commands with customizable parameters.
- Documented main branch delivery flows in `main-branch-flow.md` for clarity on CI/CD processes.
* ci(workflows): update workflow scripts and rename for clarity; remove obsolete lint feedback script
* chore(ci): externalize workflow scripts and relocate main flow doc
* chore(ci): align workflow names with file naming style
* ci(docker): publish image on main pushes and tags
* ci(docker): restrict publish tag checks to v* refs
Add native web search capability that works regardless of LLM tool-calling
support. This is particularly useful for GLM models via Z.AI that don't
reliably support standard tool calling formats.
Features:
- DuckDuckGo provider (free, no API key required)
- Brave Search provider (optional, requires API key)
- Configurable max results and timeout
- Enabled by default
Configuration (config.toml):
[web_search]
enabled = true
provider = "duckduckgo"
max_results = 5
The tool allows agents to search the web for current information without
requiring proper tool calling support from the LLM.
Also includes CI workflow fix for first-interaction action inputs.