ci: add pmat comply, binary artifact upload, and ghcr.io image push #1

Closed
noahgift wants to merge 1 commit into main from feat/ci-pmat-binary-docker

@noahgift
Contributor

Summary

  • gate job gains a pmat comply step (stable toolchain only — pmat's transitive deps may exceed our 1.85.0 MSRV, and compliance is project-level).
  • New build-binary job: static musl build of the etl CLI uploaded as the etl-x86_64-unknown-linux-musl workflow artifact on push to main; on vX.Y.Z tag pushes the same binary is attached to the GitHub Release.
  • New build-image job: multi-stage musl/scratch container pushed to ghcr.io/paiml/shipping-rust. Tags follow docker/metadata-action defaults — latest on main, vX.Y.Z and vX.Y on semver tags, plus a short-sha tag for traceability. Uses GHA-backed buildx cache.

Both new jobs depend on gate and only run on push/dispatch (PRs still get the full gate matrix; image push is naturally restricted to where GITHUB_TOKEN has packages: write).

Test plan

  • gate (1.85.0) passes — fmt / clippy / doc / test / 100% coverage / audit / deny / size budget / bench-smoke.
  • gate (stable) passes — same as above, plus pmat comply.
  • build-binary produces etl-x86_64-unknown-linux-musl artifact downloadable from the workflow run.
  • build-image push lands at ghcr.io/paiml/shipping-rust:latest after merge to main.
  • docker pull ghcr.io/paiml/shipping-rust:latest && printf 'id,fruit,weight_g\n1,apple,150\n' | docker run --rm -i ghcr.io/paiml/shipping-rust:latest round-trips a JSON Lines record post-merge.

🤖 Generated with Claude Code

The `gate` matrix gains a `pmat comply` step (stable-toolchain only — pmat's
deps may exceed our 1.85.0 MSRV, and compliance is project-level).

Two new jobs run on push to main and tag pushes:

- `build-binary` — static musl build of the `etl` CLI, uploaded as the
  `etl-x86_64-unknown-linux-musl` workflow artifact. On vX.Y.Z tag pushes
  the binary is also attached to the GitHub Release via softprops.
- `build-image` — multi-stage musl/scratch container build pushed to
  `ghcr.io/paiml/shipping-rust`. Tags: `latest` on main, `vX.Y.Z` and
  `vX.Y` on semver tags, plus a short-sha tag for traceability. Uses
  GHA-backed buildx cache.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@noahgift
Contributor Author

Closing in favor of two split PRs that ship the same intent more cleanly:

  • ci: add tag-driven release workflow (binaries + GHCR) #7 (merged) — tag-driven release.yml that produces cross-compiled binaries for 4 Linux targets attached to the GitHub Release, plus scratch + distroless images on ghcr.io/paiml/shipping-rust. This is the architecturally correct home for release artifacts: separate workflow, fires on tags only, doesn't bloat the CI gate.
  • ci: add pmat comply gate (salvaged from #1) #8 — the one piece of this PR worth salvaging: pmat comply added to the existing gate job, installed via the prebuilt-CLI tarball pattern instead of cargo install (saves ~3 min per CI run).

The diff here was conflicting with main and CI was failing — superseded rather than rebased.

@noahgift noahgift closed this Apr 28, 2026
@noahgift noahgift deleted the feat/ci-pmat-binary-docker branch April 28, 2026 09:23
noahgift added a commit that referenced this pull request Apr 28, 2026
pmat is paiml's quality + compliance tool — runs the same ruleset that
gates other paiml repos. Installed via the existing prebuilt-CLI
pattern (same shape as bashrs + pv: download tarball, extract, add to
PATH) rather than `cargo install pmat --locked` which would burn ~3 min
per CI run compiling from source.

Stable-only — same reasoning as bashrs + pv: the lint runs once across
the toolchain matrix, while the MSRV (1.85.0) matrix entry still
proves the workspace itself builds.

This is the only piece of #1 worth keeping. The binary-upload + GHCR
push from #1 was superseded by today's tag-driven release.yml (#7),
which is the architecturally correct home for those (separate from the
CI gate, fires on tags only). Closing #1 in favor of that split.

Verified: `pmat comply` exits 0 on shipping-rust today.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
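
The prebuilt-CLI pattern named in the commit message above (download tarball, extract, add to PATH), with a pinned SHA-256 check and an archive-path check added before extraction. This is an added example, not code from this repository or its workflows; the `install_prebuilt` function, the stub `tool` and all paths are constructed, and the download step is left out so the block runs offline.

```shell
#!/bin/sh
# Added example: checksum-pinned install of a prebuilt CLI tarball.
# Function name, stub tool and paths are constructed for illustration.
set -eu

# install_prebuilt TARBALL EXPECTED_SHA256 DEST_DIR
# Refuses to extract unless the tarball matches the pinned digest.
install_prebuilt() {
  ip_tarball=$1 ip_expected=$2 ip_dest=$3
  ip_actual=$(sha256sum "$ip_tarball" | cut -d' ' -f1)
  if [ "$ip_actual" != "$ip_expected" ]; then
    echo "checksum mismatch for $ip_tarball: got $ip_actual" >&2
    return 1
  fi
  # Reject archives whose members use absolute or parent-directory paths.
  if tar -tzf "$ip_tarball" | grep -Eq '(^/|(^|/)\.\.(/|$))'; then
    echo "unsafe member path in $ip_tarball" >&2
    return 1
  fi
  mkdir -p "$ip_dest"
  tar -xzf "$ip_tarball" -C "$ip_dest"
  # On GitHub Actions, later steps pick up directories appended to $GITHUB_PATH.
  if [ -n "${GITHUB_PATH:-}" ]; then
    echo "$ip_dest" >> "$GITHUB_PATH"
  fi
  PATH="$ip_dest:$PATH"
}

# Constructed sample: a tarball holding a stub "tool" script,
# standing in for a downloaded release asset.
work=$(mktemp -d)
mkdir "$work/src"
printf '#!/bin/sh\necho tool-ok\n' > "$work/src/tool"
chmod +x "$work/src/tool"
tar -czf "$work/tool.tar.gz" -C "$work/src" tool

# In CI the digest is a literal committed to the repository; here it is
# computed from the constructed sample so the example is self-contained.
pinned=$(sha256sum "$work/tool.tar.gz" | cut -d' ' -f1)

install_prebuilt "$work/tool.tar.gz" "$pinned" "$work/bin"
tool
```

Pinning the digest in the workflow file means a replaced or corrupted release asset fails the step instead of landing on PATH.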