This directory contains all GitHub Actions workflows for the Ananke project. Our CI/CD pipeline is designed to be modular, cost-effective, and comprehensive.
| Workflow | Purpose | Triggers | Duration | Cost |
|---|---|---|---|---|
| ci.yml | Main CI pipeline for Zig | Push to main/develop, PRs | ~5-8 min | Medium |
| maze-tests.yml | Rust maze orchestration tests | Push to main/develop, PRs, Daily | ~3-5 min | Low |
| release.yml | Release automation and binaries | Tags (v*..), Manual | ~15-20 min | High |
| Workflow | Purpose | Triggers | Duration | Cost |
|---|---|---|---|---|
| docs.yml | Build and deploy documentation | Push to main, PRs | ~2-3 min | Low |
| Workflow | Purpose | Triggers | Duration | Cost |
|---|---|---|---|---|
| security.yml | Security scans and audits | Push, PRs, Weekly | ~5-7 min | Low |
| Workflow | Purpose | Triggers | Duration | Cost |
|---|---|---|---|---|
| benchmarks.yml | Performance benchmarking | Weekly, Tags, Manual | ~10-15 min | Medium |
Purpose: Comprehensive continuous integration for the Zig codebase.
Jobs:
build-and-test: Multi-platform builds (Ubuntu, macOS, Windows) with Zig 0.15.2lint: Code formatting and static analysiscoverage: Test coverage reportingsecurity: Basic security scansbuild-matrix: Cross-compilation for multiple targetsintegration: Integration testingall-checks: Gate job ensuring all checks pass
Triggers:
- Push to
mainordevelopbranches - Pull requests to
mainordevelop - Manual dispatch
Caching:
- Zig cache (
~/.cache/zig,.zig-cache,zig-out) - Key: OS + Zig version + hash of
build.zigandbuild.zig.zon
Artifacts:
- Build binaries (7-day retention)
- Cross-compiled binaries for multiple platforms
Cost Optimization:
- Build artifacts only uploaded from Ubuntu runner
- Cross-compilation matrix runs only after main tests pass
- Caching reduces build times by 60-70%
Purpose: Comprehensive testing for the Maze orchestration layer written in Rust.
Jobs:
test: Run tests on Ubuntu and macOS with stable and beta Rustcoverage: Generate code coverage with tarpaulin, upload to Codecovbenchmark: Run Criterion benchmarks on PRssecurity-audit: Runcargo auditfor vulnerability scanning
Triggers:
- Push to
mainordevelop(when maze/ changes) - Pull requests to
mainordevelop(when maze/ changes) - Daily scheduled run (2 AM UTC)
- Manual dispatch
Matrix:
- OS: Ubuntu (stable, beta), macOS (stable only)
- Rust: stable, beta
Caching:
- Cargo registry, git index, and build artifacts
- Key: OS + hash of
Cargo.lock
Artifacts:
- Test results markdown (retention: indefinite)
- Coverage reports (uploaded to Codecov)
Cost Optimization:
- Beta tests only on Ubuntu to save macOS minutes
- Path filters ensure it only runs when maze/ directory changes
- Benchmark runs only on PRs (not every push)
Purpose: Automated release builds and asset publishing.
Jobs:
create-release: Generate changelog and create GitHub releasebuild-release: Build binaries for all platforms (Linux, macOS, Windows, x86_64/aarch64)build-checksums: Generate SHA256 checksums for all assetspublish-homebrew: Placeholder for Homebrew formula updatepublish-aur: Placeholder for AUR package updateannounce-release: Placeholder for release announcements
Triggers:
- Push tags matching
v*.*.*(e.g., v1.0.0) - Manual dispatch with tag input
Platforms:
- Linux: x86_64, aarch64
- macOS: x86_64, aarch64 (Apple Silicon)
- Windows: x86_64
Optimization: ReleaseFast for maximum performance
Artifacts:
- Compressed binaries (.tar.gz for Unix, .zip for Windows)
- SHA256 checksums for verification
- Combined checksum file
Cost: ~15-20 minutes per release (High cost, but infrequent)
Purpose: Build and deploy documentation to GitHub Pages.
Jobs:
build-docs: Generate API documentation and convert markdown to HTMLpreview-pr: Create PR preview artifacts with download linkdeploy-docs: Deploy to GitHub Pages (main branch only)check-links: Validate documentation linksvalidate-docs: Check documentation completeness
Triggers:
- Push to
main(when docs/, src/, or README.md change) - Pull requests to
main(when docs/, src/, or README.md change) - Manual dispatch
Features:
- Automatic API documentation extraction from Zig source
- Markdown to HTML conversion with custom styling
- PR preview artifacts for reviewing doc changes
- Broken link detection
- Documentation completeness checks
Pages URL: https://[username].github.io/ananke (after deployment)
Cost: Low (~2-3 minutes, path-filtered)
Purpose: Comprehensive security auditing across the entire codebase.
Jobs:
rust-security: Rust dependency auditing withcargo-auditandcargo-denyzig-security: Scan for hardcoded secrets, unsafe patterns, and insecure dependenciesdependency-review: GitHub dependency review (PRs only)codeql: CodeQL analysis for Python codesecret-scanning: Gitleaks secret detectionlicense-compliance: License compatibility checkingsecurity-summary: Aggregate all security reports
Triggers:
- Push to
mainordevelop - Pull requests to
mainordevelop - Weekly scheduled scan (Monday 4 AM UTC)
- Manual dispatch
Security Checks:
- Known CVEs in Rust dependencies
- License violations (GPL, AGPL)
- Hardcoded secrets (passwords, API keys, tokens)
- Unsafe Zig patterns (@ptrCast, unreachable, etc.)
- Insecure HTTP URLs in dependencies
- Leaked secrets in git history
Reports:
- Detailed markdown reports for each security domain
- SARIF uploads to GitHub Security tab
- PR comments with security summary
Tools:
cargo-audit- Rust vulnerability databasecargo-deny- Dependency policy enforcementcargo-license- License checkinggitleaks- Secret scanning- CodeQL - Static application security testing
Cost: Low-Medium (~5-7 minutes)
Purpose: Track performance metrics over time and detect regressions.
Jobs:
benchmark-zig: Run Zig benchmarks (clew, braid, ffi)benchmark-rust: Run Rust Criterion benchmarkscompare-baseline: Compare against historical baseline (manual runs)check-regressions: Basic regression detectionreport: Generate comprehensive benchmark report
Triggers:
- Weekly scheduled run (Sunday 3 AM UTC)
- Manual dispatch (with optional baseline comparison)
- Release tags (to capture baseline performance)
Benchmarks:
Zig:
- Clew extraction benchmarks
- Braid compilation benchmarks
- FFI bridge benchmarks
Rust:
- Orchestration layer performance
- Constraint compilation speed
- Cache performance
Artifacts:
- Benchmark results (90-day retention)
- Benchmark history (365-day retention for main branch)
- Performance comparison reports
Performance Targets:
| Operation | Target | Status |
|---|---|---|
| Constraint validation | <50μs | 🔄 In progress |
| Extraction | <2s (with Claude) | 🔄 In progress |
| Compilation | <50ms | 🔄 In progress |
| Generation | <5s | 🔄 In progress |
Cost: Medium (~10-15 minutes, weekly only)
Future Enhancements:
- Automated regression detection with statistical analysis
- Performance trend visualization
- Alerts for >10% regression
- Benchmark result database for historical comparison
┌─────────────────────────────────────────────────────────────┐
│ Developer Push │
└────────────┬────────────────────────────────────────────────┘
│
├──────────────┬──────────────┬──────────────┐
▼ ▼ ▼ ▼
┌─────────┐ ┌──────────┐ ┌──────────┐ ┌──────┐
│ CI │ │ Maze │ │ Docs │ │ Sec │
│ (Zig) │ │ Tests │ │ Build │ │ Scan │
└────┬────┘ └────┬─────┘ └────┬─────┘ └───┬──┘
│ │ │ │
└─────────────┴──────────────┴─────────────┘
│
▼
┌───────────────┐
│ All Checks │
│ Passed? │
└───────┬───────┘
│
┌────────────┴────────────┐
▼ ▼
┌──────────┐ ┌───────────┐
│ Merge │ │ Block │
│ PR │ │ PR │
└────┬─────┘ └───────────┘
│
┌───────────┴───────────┐
▼ ▼
┌─────────┐ ┌──────────┐
│ Tagged │ │ Weekly │
│ Release │ │ Jobs │
└────┬────┘ └────┬─────┘
│ │
▼ ▼
┌─────────┐ ┌─────────────┐
│ Release │ │ Benchmarks │
│ Workflow│ │ Security │
└─────────┘ └─────────────┘
Add these badges to your README.md:
[](https://github.com/[username]/ananke/actions/workflows/ci.yml)
[](https://github.com/[username]/ananke/actions/workflows/maze-tests.yml)
[](https://github.com/[username]/ananke/actions/workflows/security.yml)
[](https://github.com/[username]/ananke/actions/workflows/docs.yml)Assumptions:
- 20 working days/month
- 10 PRs/day average
- 5 commits to main/day
Cost Breakdown:
- Linux minutes: ~1,800 min/month × 1× multiplier
- macOS minutes: ~300 min/month × 10× multiplier = 3,000 equivalent
- Windows minutes: ~100 min/month × 2× multiplier = 200 equivalent
- Total equivalent Linux minutes: ~5,000 min/month
GitHub Free Tier: 2,000 min/month (Linux equivalent)
Estimated overage: 3,000 min/month
Cost: $0.008/min × 3,000 = **$24/month**
-
Path Filtering: Only run workflows when relevant files change
- Saves ~40% on maze-tests and docs workflows
-
Caching: Aggressive caching of dependencies
- Reduces build times by 60-70%
- CI time: 15 min → 6 min
-
Conditional Jobs:
- Benchmarks only weekly and on releases
- Beta tests only on Ubuntu
- Integration tests only after unit tests pass
-
Artifact Retention:
- Build artifacts: 7 days
- Test results: 90 days
- Benchmarks: 90 days
- Benchmark history: 365 days
-
Matrix Optimization:
- Full OS matrix only on main CI
- Reduced matrix on secondary workflows
Issue: Workflow fails with "Resource not accessible by integration"
Solution: Check workflow permissions in the YAML file. May need write permissions for certain operations.
Issue: Benchmarks show high variance Solution: GitHub Actions runners have variable performance. Run benchmarks multiple times and use median values. Consider dedicated benchmark infrastructure for production.
Issue: Security workflow fails on GPL dependencies
Solution: Review cargo-deny configuration in maze/deny.toml. Either remove the dependency or add exception with justification.
Issue: Documentation preview not working on PRs Solution: Ensure the PR is from the same repository (not a fork). Artifact downloads require authentication for fork PRs.
Issue: Cache not being restored
Solution: Check that cache keys match. Ensure hashFiles() patterns match actual files. Caches are scoped to branches.
-
Enable debug logging:
env: ACTIONS_STEP_DEBUG: true ACTIONS_RUNNER_DEBUG: true
-
Use workflow_dispatch: Most workflows support manual triggering for testing
-
Check action versions: Ensure all actions use stable versions (v4, not v3 or latest)
-
Review permissions: Many failures are permission-related
-
Test locally: Use act to test workflows locally
-
Benchmark Dashboard:
- Automated performance trend visualization
- Regression alerts (>10% slowdown)
- Historical comparison database
-
Documentation Preview:
- Deploy PR previews to temporary subdomain
- Automatic cleanup after merge
-
Release Automation:
- Automated Homebrew formula updates
- Automated AUR package publishing
- Release announcement posting (Discord, Twitter, etc.)
-
Enhanced Security:
- SBOM (Software Bill of Materials) generation
- Container image scanning (if added)
- Fuzzing integration
- Dependency update automation (Dependabot + auto-merge)
-
Test Reporting:
- Visual test result dashboard
- Flaky test detection
- Test duration tracking
- Coverage trend visualization
-
Deployment:
- Staging environment deployments
- Production deployment workflow
- Rollback automation
- Canary deployments
-
Cost Optimization:
- Self-hosted runners for expensive operations
- Spot instance usage for benchmarks
- More aggressive caching strategies
When adding or modifying workflows:
- Follow naming conventions: Use descriptive job and step names
- Add documentation: Update this README with workflow details
- Test thoroughly: Use workflow_dispatch to test before merging
- Optimize costs: Consider frequency and duration
- Add caching: Cache dependencies whenever possible
- Use path filters: Only run when relevant files change
- Set retention: Appropriate artifact retention periods
- Add permissions: Explicit permissions following least privilege
Last Updated: 2025-11-23 Maintainer: Ananke Contributors