NAUTILUS / RUST source 3eb18933
Pages

Rust CI/CD Pipeline

Relevant Rust source files

  • .github/workflows/build.yml
  • .github/workflows/build-v2.yml
  • .github/workflows/performance.yml
  • .github/workflows/codeql-analysis.yml
  • scripts/ci/plan.sh
  • scripts/ci/install-rust.sh
  • scripts/ci/install-cargo-nextest.sh

The CI system plans work from changed paths and then fans out formatting, lint, compilation, tests, security, benchmarks, and release preparation. The path planner is an optimization; branch protection must still require the jobs that prove the affected surface.

Rust validation flow

Validation proceeds in dependency order:

  1. Plan affected work from changed paths.
  2. Run rustfmt and repository policy checks.
  3. Run Clippy across required targets and feature combinations.
  4. Compile and execute cargo-nextest matrices.
  5. Run integration tests with their optional services.
  6. Run security, supply-chain, and measured performance jobs.
  7. Verify release artifacts, checksums, attestations, and registry state.

Target matrices matter because feature availability and dependencies differ across Linux, macOS, and Windows. High precision, database backends, codecs, and live adapters must be tested in the combinations they support; no single all-features command represents every shipped target.

Performance

Criterion and IAI-style benches live beside the owning crates. CodSpeed or equivalent CI jobs detect regressions on stable benchmark cases. A benchmark change requires an explanation of fixture, warm-up, sample behavior, and variance; a faster isolated microbenchmark does not prove end-to-end live latency.

Release integrity

Release workflows verify trusted publishing configuration, checksums, attestations, registry state, and GitHub assets through scripts under scripts/ci. Those checks are part of the artifact contract. Re-running only cargo publish --dry-run cannot prove attestations or multi-registry consistency.

CI workflow revisions should pin third-party actions, retain least privilege, and preserve the toolchain/source revision in emitted artifacts. Local success is necessary but not sufficient when a change touches target matrices or release automation.