[Repo Assist] ci: add Rust guard unit tests to CI pipeline #3388

@github-actions

🤖 This is an automated draft PR from Repo Assist.

Summary

Adds a rust-guard-test CI job that runs the 251 Rust unit tests for guards/github-guard/rust-guard on every PR and push. Until now, these tests only ran locally via make test-unit in the guard directory — they were not part of the automated CI pipeline.

Motivation

The Rust guard (guards/github-guard/) is a security-critical DIFC (Decentralized Information Flow Control) component compiled to WASM and loaded at runtime. Without CI coverage, regressions like the one fixed in #3314 (misuse of to_lowercase()) can slip through unnoticed until a manual local test run.

The 251 Rust unit tests cover:

  • allow_only scope enforcement (public, owner, repo, prefix, multi)
  • Integrity baseline establishment and propagation
  • Tool classification (read/write/blocked operations)
  • Label inference for all GitHub MCP tool calls

Changes

.github/workflows/ci.yml

  1. Added guards/** to pull_request path filters — Rust guard changes now trigger CI
  2. New rust-guard-test job (runs in parallel with unit-test, lint, integration-test):
    • Checkout, set up Rust stable toolchain
    • Uses actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 (same SHA as release.yml)
    • cache-workspaces: guards/github-guard/rust-guard for Cargo caching
    • Runs cargo test --lib in guards/github-guard/rust-guard (native unit tests; no WASM target needed)
  3. Downstream trigger jobs (smoke-copilot-pr, smoke-copilot, large-payload-tester, language-support-tester) now also require rust-guard-test to pass before triggering
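
The three changes listed above could look like the following workflow fragment. This is an added sketch reconstructed from the description, not the patch itself: the runner image, the `permissions` block, the step name and the checkout pin (shown as a placeholder) are assumptions, and the existing path filters and `needs` entries are elided because they do not appear on this page.

```yaml
# .github/workflows/ci.yml (fragment; illustrative, not the actual patch)
on:
  push:                        # existing push trigger; any branch filters are not shown on the page
  pull_request:
    paths:
      # ...existing path filters stay as they are...
      - "guards/**"            # change 1: Rust guard edits now trigger CI

jobs:
  # change 2: runs in parallel with unit-test, lint and integration-test
  rust-guard-test:
    runs-on: ubuntu-latest     # assumption: runner is not stated on the page
    permissions:
      contents: read           # assumption: the job only needs to read the repository
    steps:
      - uses: actions/checkout@<pinned-commit-sha>   # placeholder: pin not given on the page
      # Pinned to a full commit SHA (same one release.yml uses) rather than a mutable tag
      - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98
        with:
          toolchain: stable
          cache-workspaces: guards/github-guard/rust-guard
      - name: Run Rust guard unit tests
        working-directory: guards/github-guard/rust-guard
        run: cargo test --lib  # native unit tests; no WASM target needed

  # change 3: each downstream trigger job gains the new dependency
  # (same edit for smoke-copilot, large-payload-tester, language-support-tester)
  smoke-copilot-pr:
    needs:
      # ...existing dependencies stay as they are...
      - rust-guard-test
    # ...rest of the job unchanged...
```

Because the downstream jobs list `rust-guard-test` under `needs`, a failing guard test stops them from triggering.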

Test Status

  • ✅ 251 Rust unit tests pass locally: cargo test --lib in guards/github-guard/rust-guard
  • ✅ YAML validated (no syntax errors)
  • ✅ No Go code changed; no Go tests affected

Warning

Protected Files — Push Permission Denied

This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.

Protected files

The push was rejected because GitHub Actions does not have the workflows permission to push these changes and is never allowed to make such changes, or because the other authorization being used does not have this permission.

Create the pull request manually

# Download the patch from the workflow run
gh run download 24135660709 -n agent -D /tmp/agent-24135660709

# Create a new branch
git checkout -b repo-assist/eng-rust-guard-ci-2026-04-08-33c0639e7f84fc00 main

# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-24135660709/aw-repo-assist-eng-rust-guard-ci-2026-04-08.patch

# Push the branch and create the pull request
git push origin repo-assist/eng-rust-guard-ci-2026-04-08-33c0639e7f84fc00
gh pr create --title '[Repo Assist] ci: add Rust guard unit tests to CI pipeline' --base main --head repo-assist/eng-rust-guard-ci-2026-04-08-33c0639e7f84fc00 --repo github/gh-aw-mcpg

Generated by Repo Assist · ● 4.7M ·

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@851905c06e905bf362a9f6cc54f912e3df747d55
