Skip to content

ci: add GitHub Actions workflow for Rust and Flutter checks#173

Open
AndreaDiazCorreia wants to merge 4 commits into
mainfrom
ci/add-ci-workflow
Open

ci: add GitHub Actions workflow for Rust and Flutter checks#173
AndreaDiazCorreia wants to merge 4 commits into
mainfrom
ci/add-ci-workflow

Conversation

@AndreaDiazCorreia

@AndreaDiazCorreia AndreaDiazCorreia commented Jul 9, 2026

Copy link
Copy Markdown
Member

Adds .github/workflows/ci.yml, running on every PR and on push to main.

  • rust: cargo build, cargo test, cargo clippy -- -D warnings, cargo check --target wasm32-unknown-unknown
  • flutter: FRB codegen (flutter_rust_bridge_codegen generate), flutter analyze, flutter test

Caches cargo, the Flutter SDK, and the codegen tools (incl. cargo-expand, required by codegen).

Closes #151.

Note: the flutter analyze step stays red until the pending Dart lint cleanup lands on main (3 pre-existing infos); the Rust job is already green after the clippy cleanup.

Summary by CodeRabbit

  • Tests
    • Added automated CI checks for Rust and Flutter code.
    • CI now runs builds, tests, linting, static analysis, and WebAssembly compatibility checks.
    • Pull requests and changes to the main branch are validated automatically.
    • In-progress checks are canceled when newer updates are submitted.

- Add a CI workflow that runs on pull requests and pushes to main, with concurrency control to cancel superseded runs.
- Rust job: build, test, clippy (deny warnings), and check wasm32 target.
- Flutter job: install Rust toolchain (required for flutter_rust_bridge_codegen), generate Dart bindings, analyze, and test.
- Cache cargo registry/target, Flutter SDK, and codegen tools (flutter_rust_bridge_codegen + cargo-expand) to speed up runs.
- Pin Flutter 3.38.2 and flutter_rust_bridge_codegen 2.11.1.
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@AndreaDiazCorreia, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 18 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7ab33ab1-e70e-4513-bb83-be3b518b5797

📥 Commits

Reviewing files that changed from the base of the PR and between bf9a2ef and fb99525.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • rust/src/api/orders.rs

Walkthrough

Adds a GitHub Actions CI workflow triggered by pull requests and pushes to main. It validates Rust builds, tests, clippy, and WebAssembly compilation, then installs Flutter tooling, generates bridge bindings, and runs Flutter analysis and tests.

Changes

CI validation

Layer / File(s) Summary
Workflow orchestration
.github/workflows/ci.yml
Configures pull request and main push triggers, cancels duplicate runs, and defines shared tool versions.
Rust validation
.github/workflows/ci.yml
Installs Rust tooling, caches Cargo artifacts, and runs build, test, clippy, and WebAssembly checks.
Flutter validation
.github/workflows/ci.yml
Installs Flutter and codegen tools, generates Rust bridge bindings, and runs flutter analyze and flutter test.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Poem

A rabbit hops through workflows bright,
Rust builds strong from morn till night.
Flutter bridges neatly grow,
Tests and clippy join the show.
CI carrots crunch—green lights glow!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately describes the main change: adding a GitHub Actions CI workflow for Rust and Flutter checks.
Linked Issues check ✅ Passed The workflow matches #151: it runs on PRs and pushes to main, includes Rust build/test/clippy and Flutter analyze/test, and adds caching.
Out of Scope Changes check ✅ Passed No clear unrelated changes are present; the extra wasm and FRB/codegen steps support the CI workflow goals.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/add-ci-workflow

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)

1-101: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add a top-level permissions block with least-privilege.

The workflow has no permissions block, so the GITHUB_TOKEN gets the repo's default permissions — often overly broad (e.g., contents: write). This job only needs to read source and report status checks, so contents: read is sufficient. This is flagged by zizmor's excessive-permissions check.

🔒️ Suggested change
 on:
   pull_request:
   push:
     branches: [main]

+permissions:
+  contents: read
+
 # Cancel superseded runs on the same ref to save CI minutes.
 concurrency:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 1 - 101, Add a top-level permissions
block near the workflow metadata, setting contents to read so all jobs use
least-privilege GITHUB_TOKEN access. Do not grant write permissions or add
unnecessary scopes.

Source: Linters/SAST tools

🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)

25-25: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on both actions/checkout steps.

By default, actions/checkout@v4 persists the GitHub token in the local git config. Neither job pushes commits, so there's no need to keep credentials. Disabling this reduces the risk of token leakage in artifacts or logs (zizmor artipacked).

🔒️ Suggested change (apply to both checkout steps)
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false

Also applies to: 54-54

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 25, Both actions/checkout@v4 steps
currently persist GitHub credentials unnecessarily. Add persist-credentials:
false to each checkout action configuration, including the steps in both jobs.

Source: Linters/SAST tools


82-88: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Pin cargo-expand and include it in the cache key.

flutter_rust_bridge_codegen is pinned with --version and --locked, but cargo-expand is installed unpinned. On a cache miss, a different cargo-expand version may be installed than on a previous run, making codegen non-reproducible. Additionally, the cache key only includes FRB_VERSION, so a new cargo-expand release won't invalidate the cache — the stale binary is kept (acceptable), but the inconsistency between pinned and unpinned tools is a reproducibility gap.

♻️ Suggested changes
       env:
         FLUTTER_VERSION: "3.38.2"
         FRB_VERSION: "2.11.1"
+        CARGO_EXPAND_VERSION: "1.0.0"  # pin to a specific version
           key: frb-tools-${{ runner.os }}-frb${{ env.FRB_VERSION }}-expand${{ env.CARGO_EXPAND_VERSION }}
       - name: Install codegen tools
         if: steps.tools-cache.outputs.cache-hit != 'true'
         run: |
           cargo install flutter_rust_bridge_codegen --version ${{ env.FRB_VERSION }} --locked
-          cargo install cargo-expand
+          cargo install cargo-expand --version ${{ env.CARGO_EXPAND_VERSION }} --locked
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 82 - 88, Pin the cargo-expand
installation to an explicit version using --version and --locked, and define
that version alongside FRB_VERSION in the workflow environment. Update the tools
cache key to include the cargo-expand version so cache entries invalidate when
either codegen tool changes; adjust the Install codegen tools step accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 1-101: Add a top-level permissions block near the workflow
metadata, setting contents to read so all jobs use least-privilege GITHUB_TOKEN
access. Do not grant write permissions or add unnecessary scopes.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 25: Both actions/checkout@v4 steps currently persist GitHub credentials
unnecessarily. Add persist-credentials: false to each checkout action
configuration, including the steps in both jobs.
- Around line 82-88: Pin the cargo-expand installation to an explicit version
using --version and --locked, and define that version alongside FRB_VERSION in
the workflow environment. Update the tools cache key to include the cargo-expand
version so cache entries invalidate when either codegen tool changes; adjust the
Install codegen tools step accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c5ea95f7-9691-4ace-a670-2df052898540

📥 Commits

Reviewing files that changed from the base of the PR and between 129bd5a and bf9a2ef.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bf9a2efa63

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yml Outdated
- Pin dtolnay/rust-toolchain to 1.97.0 in both rust and flutter jobs so a newer stable clippy can't introduce lints that break `-D warnings` on unrelated PRs.
- Replace `sort_by` with `sort_by_key` in list_trades for cleaner code.
- Drop wasm32-unknown-unknown target installation and check step: the project doesn't currently build for wasm32, so the check adds no value and only slows down CI.
@AndreaDiazCorreia

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 781513fa10

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yml
Comment on lines +45 to +46
- name: Clippy (deny warnings)
run: cargo clippy --locked -- -D warnings

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Add the wasm check to the Rust CI job

The Rust job stops after native build/test/clippy, but this repo has a supported web/WASM target and the existing pre-commit hook still runs cargo check --target wasm32-unknown-unknown. With this workflow, a PR can break the cfg(target_arch = "wasm32") code or WASM-only dependencies while all Rust CI still passes; add the wasm target install/check after clippy so CI covers the same web build path.

Useful? React with 👍 / 👎.

- Set workflow permissions to contents:read (least-privilege: jobs only read source and report status).
- Add persist-credentials:false to checkout steps to prevent credential leakage in subsequent steps.
- Pin cargo-expand to 1.0.123 and include version in cache key so updates don't silently break the build.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CI: cargo clippy -D warnings + cargo test + flutter analyze + flutter test

1 participant