Skip to content

ci: add Buildkite Tart pipeline#3

Open
El-Fitz wants to merge 6 commits into
mainfrom
chore/buildkite-tart-ci
Open

ci: add Buildkite Tart pipeline#3
El-Fitz wants to merge 6 commits into
mainfrom
chore/buildkite-tart-ci

Conversation

@El-Fitz

@El-Fitz El-Fitz commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

Summary

Add a lightweight Buildkite/Tart PR pipeline for Middens on:

  • Linux ARM64 via ci-linux-arm64-rust-bazel
  • macOS Apple Silicon via ghcr.io/cirruslabs/macos-sequoia-base:latest with Rust bootstrapped in the ephemeral VM

The first slice is deliberately non-credentialed and fixture-only. It runs:

  • cargo fmt --check
  • cargo test --locked
  • cargo build --release --locked
  • middens analyze tests/fixtures --split --no-python and verifies interactive/subagent/autonomous output files

Deferred on purpose: HF corpus analysis, scheduled workflows, release artifacts, x86_64 targets, Hugging Face registry/secrets, and large network downloads.

This branch also includes one rustfmt-only adjustment in middens/tests/steps/split.rs, because latest main had formatting drift that would fail the new cargo fmt --check CI slice.

Validation

Local validation passed after merging latest origin/main:

  • Buildkite YAML parse with Ruby
  • bash -n over both embedded Buildkite commands after dollar escaping
  • git diff --check
  • cd middens && cargo fmt --check
  • cd middens && cargo test --locked — 377 scenarios / 2087 steps plus 1 doctest
  • cd middens && cargo build --release --locked
  • fixture split/no-python smoke with target/release/middens

Note: I tried cargo clippy --all-targets --locked -- -D warnings, but current code has many pre-existing clippy warnings under the local/newer toolchain, so clippy is not part of this first CI slice.

Remote buildkite-agent pipeline upload --dry-run on big-cabbage was attempted but blocked by intermittent SSH publickey auth from this session; no host/config/image/secret changes were made.

@coderabbitai

coderabbitai Bot commented Jun 1, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Implemented automated CI/CD pipeline with testing and release builds for Linux ARM64 and macOS Apple Silicon platforms
    • Updated development documentation with session handoff notes regarding CI migration and validation steps

Walkthrough

This PR introduces a Buildkite CI pipeline with shared configuration and two platform-specific steps (Linux ARM64 and macOS Apple Silicon) that build, test, and validate the Middens tool; updates handoff documentation to record the migration; and includes a minor test formatting change.

Changes

Buildkite CI Setup and Session Handoff

Layer / File(s) Summary
Pipeline environment configuration
.buildkite/pipeline.yml
Pipeline-level environment sets CARGO_TERM_COLOR: always for consistent Cargo output formatting.
Linux ARM64 CI step
.buildkite/pipeline.yml
Linux ARM64 step configures tart-ci plugin with Linux image, exports build environment variables (HOME, CARGO_HOME, RUSTUP_HOME, PATH), checks Rust/cargo/Python versions, runs cargo fmt --check, executes locked test suites (--lib and cucumber smoke feature), builds release binary, runs middens analyze against fixtures with --split and temporary output isolation, and validates three expected markov.json artifacts.
macOS Apple Silicon CI step
.buildkite/pipeline.yml
macOS Apple Silicon step mirrors Linux workflow with tart-ci plugin macOS image configuration and conditional Rust toolchain setup: bootstraps rustup from rustup.rs only if cargo is absent, and conditionally installs the rustfmt component when rustup exists.
Session handoff documentation
docs/HANDOFF.md
Last-updated timestamp incremented from 2026-06-04 to 2026-06-09; added "Current session update — 2026-06-01" section documenting Buildkite/Tart CI migration details, specific pipeline command slices for lightweight verification, deferred GitHub Actions tasks, local pre-PR validation notes, and blocked SSH publickey authentication issue on pipeline upload.
Test CLI argument formatting
middens/tests/steps/split.rs
Technique-specific CLI argument slice in run_analyze_with_args reformatted from single-line to multi-line trailing-comma style without changing argument values, order, or semantics.

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 A pipeline springs to life,
Two platforms, tested with care,
Buildkite hops forward—
Linux and Mac in tandem,
CI workflows now clear. 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'ci: add Buildkite Tart pipeline' directly and concisely summarizes the primary change: adding a new Buildkite/Tart CI pipeline configuration.
Description check ✅ Passed The description clearly explains the purpose, implementation, and validation of the new Buildkite/Tart pipeline, covering the CI steps, fixture-based checks, deferred items, and local validation performed.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/buildkite-tart-ci

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a Buildkite/Tart CI pipeline configuration (.buildkite/pipeline.yml) with jobs for Linux ARM64 and macOS Apple Silicon, and updates the session handoff documentation. Feedback on the pipeline configuration suggests guarding the python3 --version checks to prevent failures if Python is missing, and implementing a trap to clean up temporary directories created during the smoke tests.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread .buildkite/pipeline.yml

rustc --version
cargo --version
python3 --version

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Running python3 --version directly can cause the pipeline to fail if Python 3 is not installed or configured on the runner. Since this CI slice runs with --no-python, Python is not strictly required. It is safer to guard this check so that a missing Python installation does not block the entire pipeline.

      if command -v python3 >/dev/null 2>&1; then
        python3 --version
      fi

Comment thread .buildkite/pipeline.yml
Comment on lines +36 to +38
smoke_output="$$(mktemp -d)"
smoke_xdg="$$(mktemp -d)"
XDG_DATA_HOME="$$smoke_xdg" ./target/release/middens analyze tests/fixtures --split --no-python --output "$$smoke_output"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The temporary directories created via mktemp -d are not cleaned up after the smoke test completes. While the Buildkite/Tart VM is ephemeral, it is best practice to clean up temporary resources using a trap on EXIT to prevent potential disk space issues or resource leaks.

      smoke_output="$$(mktemp -d)"
      smoke_xdg="$$(mktemp -d)"
      trap 'rm -rf "$$smoke_output" "$$smoke_xdg"' EXIT
      XDG_DATA_HOME="$$smoke_xdg" ./target/release/middens analyze tests/fixtures --split --no-python --output "$$smoke_output"

Comment thread .buildkite/pipeline.yml

rustc --version
cargo --version
python3 --version

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Running python3 --version directly on macOS Sequoia base images can fail or trigger a prompt to install Xcode Command Line Tools if Python 3 is not fully configured. Since this CI slice runs with --no-python, Python is not strictly required. It is safer to guard this check.

      if command -v python3 >/dev/null 2>&1; then
        python3 --version
      fi

Comment thread .buildkite/pipeline.yml
Comment on lines +84 to +86
smoke_output="$$(mktemp -d)"
smoke_xdg="$$(mktemp -d)"
XDG_DATA_HOME="$$smoke_xdg" ./target/release/middens analyze tests/fixtures --split --no-python --output "$$smoke_output"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The temporary directories created via mktemp -d are not cleaned up after the smoke test completes. While the Buildkite/Tart VM is ephemeral, it is best practice to clean up temporary resources using a trap on EXIT to prevent potential disk space issues or resource leaks.

      smoke_output="$$(mktemp -d)"
      smoke_xdg="$$(mktemp -d)"
      trap 'rm -rf "$$smoke_output" "$$smoke_xdg"' EXIT
      XDG_DATA_HOME="$$smoke_xdg" ./target/release/middens analyze tests/fixtures --split --no-python --output "$$smoke_output"

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
.buildkite/pipeline.yml (1)

17-41: ⚡ Quick win

Extract the shared CI body before it drifts.

Everything from the tool version checks through the smoke-file assertions is duplicated in both steps. Moving the common body into a checked-in script or YAML anchor would keep future CI edits consistent across Linux and macOS.

Also applies to: 55-89

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.buildkite/pipeline.yml around lines 17 - 41, The CI step duplicates the
block from the tool version checks (rustc --version, cargo --version, python3
--version) through the smoke-file assertions (tests creating smoke_output and
assertions like test -f "$$smoke_output/interactive/markov.json"); extract that
shared sequence into a single reusable component (either a checked-in shell
script invoked by both steps or a YAML anchor/extension for the pipeline) and
replace the duplicated bodies in both Linux and macOS steps with a call to that
script or anchor, ensuring environment exports
(HOME/CARGO_HOME/RUSTUP_HOME/PATH), cargo commands (cargo fmt --check, cargo
test --locked, cargo build --release --locked), and the smoke run and test
assertions are preserved exactly (references: rustc --version, cargo fmt
--check, cargo test --locked, cargo build --release --locked, smoke_output,
smoke_xdg, XDG_DATA_HOME, and the test -f assertions).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.buildkite/pipeline.yml:
- Around line 12-15: The pipeline uses tag-based, mutable images (image:
"ci-linux-arm64-rust-bazel" and image:
"ghcr.io/cirruslabs/macos-sequoia-base:latest") together with always_pull: false
which allows agents to use cached, potentially different images; update both
image: values to pinned immutable references (digest-based strings or fixed
version tags) for the steps that currently declare image:
"ci-linux-arm64-rust-bazel" and image:
"ghcr.io/cirruslabs/macos-sequoia-base:latest" so CI becomes deterministic while
leaving always_pull as appropriate.

In `@docs/HANDOFF.md`:
- Around line 9-12: Update the "Branch state" status block in the same HANDOFF
revision so it reflects the active feature branch/PR described under "Current
session update — 2026-06-01": change the "No open PRs. No feature branches."
statement to mention the open branch/PR `chore/buildkite-tart-ci` (and
optionally its PR number or target if known) so the two sections are consistent;
locate the "Current session update — 2026-06-01" header and the "Branch state"
block in docs/HANDOFF.md and edit the latter to indicate the active branch/PR
and its short description.
- Line 13: Replace the phrase "SSH publickey auth" in the HANDOFF.md sentence
with the corrected wording "SSH public-key auth" or "SSH public key
authentication"; update the sentence so it reads e.g. "Remote `buildkite-agent
pipeline upload --dry-run` on `big-cabbage` was attempted but blocked by
intermittent SSH public-key auth from this session" (or use "SSH public key
authentication") to fix the typo.

---

Nitpick comments:
In @.buildkite/pipeline.yml:
- Around line 17-41: The CI step duplicates the block from the tool version
checks (rustc --version, cargo --version, python3 --version) through the
smoke-file assertions (tests creating smoke_output and assertions like test -f
"$$smoke_output/interactive/markov.json"); extract that shared sequence into a
single reusable component (either a checked-in shell script invoked by both
steps or a YAML anchor/extension for the pipeline) and replace the duplicated
bodies in both Linux and macOS steps with a call to that script or anchor,
ensuring environment exports (HOME/CARGO_HOME/RUSTUP_HOME/PATH), cargo commands
(cargo fmt --check, cargo test --locked, cargo build --release --locked), and
the smoke run and test assertions are preserved exactly (references: rustc
--version, cargo fmt --check, cargo test --locked, cargo build --release
--locked, smoke_output, smoke_xdg, XDG_DATA_HOME, and the test -f assertions).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c2ee74f9-d178-48d8-bb82-b3d7ec15e3de

📥 Commits

Reviewing files that changed from the base of the PR and between eaa00c8 and 751ae86.

📒 Files selected for processing (2)
  • .buildkite/pipeline.yml
  • docs/HANDOFF.md
📜 Review details
🧰 Additional context used
🪛 LanguageTool
docs/HANDOFF.md

[grammar] ~11-~11: Ensure spelling is correct
Context: ...bs/macos-sequoia-base:latest` with Rust bootstrapped by rustup. The first slice intentionally covers o...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)


[grammar] ~13-~13: Ensure spelling is correct
Context: ...tempted but blocked by intermittent SSH publickey auth from this session; no host/config/...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🔇 Additional comments (1)
docs/HANDOFF.md (1)

3-3: LGTM!

Comment thread .buildkite/pipeline.yml
Comment on lines +12 to +15
- github.com/Bande-a-Bonnot/tart-ci#v0.1.1:
image: "ci-linux-arm64-rust-bazel"
os: "linux"
always_pull: false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".buildkite/pipeline.yml"
echo "== File exists? =="; ls -la "$FILE"
echo "== Line numbered excerpt (10-20) =="; nl -ba "$FILE" | sed -n '1,120p'
echo "== Search for tart-ci plugin and image keys ==";
rg -n "tart-ci#v0\.1\.1|always_pull|image:" "$FILE"
echo "== Extract step blocks around first image ==";
nl -ba "$FILE" | sed -n '1,90p'
echo "== Extract step blocks around second image ==";
nl -ba "$FILE" | sed -n '40,90p'

Repository: Lightless-Labs/third-thoughts

Length of output: 262


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".buildkite/pipeline.yml"
echo "== Show first 120 lines with line numbers (awk) =="
awk '{printf "%5d:%s\n", NR, $0}' "$FILE" | sed -n '1,140p'

echo "== Search for tart-ci plugin and related keys =="
rg -n "tart-ci#v0\.1\.1|always_pull|image:" "$FILE" || true

echo "== Excerpt around lines 8-25 (as cited first block) =="
awk 'NR>=8 && NR<=25 {printf "%5d:%s\n", NR, $0}' "$FILE"

echo "== Excerpt around lines 45-65 (as cited second block) =="
awk 'NR>=45 && NR<=65 {printf "%5d:%s\n", NR, $0}' "$FILE"

Repository: Lightless-Labs/third-thoughts

Length of output: 5457


🌐 Web query:

tart-ci Bande-a-Bonnot always_pull false

💡 Result:

The configuration setting always_pull: false is a parameter used in the Tart Buildkite plugin to control how the plugin manages virtual machine images [1]. When always_pull is set to false, the plugin will not automatically execute a tart pull command to update the VM image from the registry before cloning the virtual machine [1]. By default, this value is true, meaning the plugin typically attempts to pull the latest version of the specified image before proceeding [1]. The "Bande-a-Bonnot" mentioned in your query is a GitHub organization [2]. There is no direct link between a specific "tart-ci" tool and this organization in authoritative documentation; it is likely you are referencing the cirruslabs/tart tool, which is a virtualization solution for macOS and Linux that integrates with CI/CD platforms like Buildkite [3][4][1]. In broader technical contexts, the term always_pull is also commonly found in other CI/CD integrations (such as Docker GitHub Actions) to determine whether the system should attempt to pull a newer version of an image from a registry [5][6]. When set to false in those contexts, it relies on the local version of the image if it is already present [5].

Citations:


Pin the Tart images to immutable refs.

With always_pull: false on github.com/Bande-a-Bonnot/tart-ci#v0.1.1, the plugin won’t pull/update the specified image before running, so the VM can use whatever version is already cached on each agent. Both steps use tag-based, non-immutable references (ci-linux-arm64-rust-bazel at line 13 and ghcr.io/cirruslabs/macos-sequoia-base:latest at line 51); switch both image: values to pinned digests (or immutable version tags) to keep CI deterministic.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.buildkite/pipeline.yml around lines 12 - 15, The pipeline uses tag-based,
mutable images (image: "ci-linux-arm64-rust-bazel" and image:
"ghcr.io/cirruslabs/macos-sequoia-base:latest") together with always_pull: false
which allows agents to use cached, potentially different images; update both
image: values to pinned immutable references (digest-based strings or fixed
version tags) for the steps that currently declare image:
"ci-linux-arm64-rust-bazel" and image:
"ghcr.io/cirruslabs/macos-sequoia-base:latest" so CI becomes deterministic while
leaving always_pull as appropriate.

Comment thread docs/HANDOFF.md
Comment thread docs/HANDOFF.md Outdated

Started Buildkite/Tart CI migration on branch `chore/buildkite-tart-ci`. Added `.buildkite/pipeline.yml` with two non-credentialed PR jobs using `github.com/Bande-a-Bonnot/tart-ci#v0.1.1`: Linux ARM64 on local image `ci-linux-arm64-rust-bazel`, and macOS Apple Silicon on `ghcr.io/cirruslabs/macos-sequoia-base:latest` with Rust bootstrapped by rustup. The first slice intentionally covers only lightweight Middens checks: `cargo fmt --check`, `cargo test --locked`, `cargo build --release --locked`, and `middens analyze tests/fixtures --split --no-python` with checks for all three stratum outputs. HF corpus analysis, scheduled workflows, release artifacts, x86_64 targets, Hugging Face registry/secrets, and large network downloads remain on GitHub Actions/deferred.

Local validation before PR: `cd middens && cargo test` passed (376 scenarios / 2082 steps plus 1 doctest), `cargo build --release --locked` passed, fixture split/no-python smoke passed, Buildkite YAML parsed with Ruby, `bash -n` passed over both embedded commands after Buildkite dollar escaping, and `git diff --check` passed. `cargo clippy --all-targets --locked -- -D warnings` was tried but is not included in the first CI slice because current `main` has many pre-existing clippy warnings under the local/newer toolchain. Remote `buildkite-agent pipeline upload --dry-run` on `big-cabbage` was attempted but blocked by intermittent SSH publickey auth from this session; no host/config/image changes were made.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix typo in SSH auth wording.

Use “SSH public-key auth” (or “SSH public key authentication”) instead of “SSH publickey auth.”

🧰 Tools
🪛 LanguageTool

[grammar] ~13-~13: Ensure spelling is correct
Context: ...tempted but blocked by intermittent SSH publickey auth from this session; no host/config/...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/HANDOFF.md` at line 13, Replace the phrase "SSH publickey auth" in the
HANDOFF.md sentence with the corrected wording "SSH public-key auth" or "SSH
public key authentication"; update the sentence so it reads e.g. "Remote
`buildkite-agent pipeline upload --dry-run` on `big-cabbage` was attempted but
blocked by intermittent SSH public-key auth from this session" (or use "SSH
public key authentication") to fix the typo.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/hf-corpus-analysis.yml (1)

379-399: Clarify artifact find patterns (current layout makes one redundant).

actions/upload-artifact uploads .tmp/site-data/corpora/${{ matrix.id }}/, so downloaded paths contain .../.tmp/site-data/corpora/<id>/metrics.json. In that layout, find’s -path '*/site-data/corpora/*/metrics.json' already matches (because the leading * can absorb the .tmp/ segment), so -path '*/.tmp/site-data/corpora/*/metrics.json' appears redundant (line 394). Since both predicates are OR-ed inside a single find, the same metrics.json won’t be emitted twice; duplicates only happen if there are multiple distinct metrics.json files for the same corpus_id (then rm -rf is last-wins). If the extra pattern is only for a historical/alternate directory layout, document that rationale (or drop it).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/hf-corpus-analysis.yml around lines 379 - 399, The find
command in the "Collect public-safe site data" step contains a redundant pattern
(-path '*/.tmp/site-data/corpora/*/metrics.json') because the more general -path
'*/site-data/corpora/*/metrics.json' already matches downloaded artifact paths;
either remove the redundant pattern to simplify the command or add a brief
inline comment explaining that the extra pattern is intentional to support an
alternate/historical layout, and ensure the kept pattern(s) are the ones used in
the pipeline and that deduplication semantics (rm -rf last-wins) are acceptable.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/hf-corpus-analysis.yml:
- Around line 379-399: The find command in the "Collect public-safe site data"
step contains a redundant pattern (-path
'*/.tmp/site-data/corpora/*/metrics.json') because the more general -path
'*/site-data/corpora/*/metrics.json' already matches downloaded artifact paths;
either remove the redundant pattern to simplify the command or add a brief
inline comment explaining that the extra pattern is intentional to support an
alternate/historical layout, and ensure the kept pattern(s) are the ones used in
the pipeline and that deduplication semantics (rm -rf last-wins) are acceptable.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 46ad69b9-b2ee-4f4b-82e9-dd74700b3d4c

📥 Commits

Reviewing files that changed from the base of the PR and between 751ae86 and 7aae929.

📒 Files selected for processing (3)
  • .github/workflows/hf-corpus-analysis.yml
  • docs/HANDOFF.md
  • middens/tests/steps/split.rs
✅ Files skipped from review due to trivial changes (1)
  • middens/tests/steps/split.rs
📜 Review details
🧰 Additional context used
🪛 LanguageTool
docs/HANDOFF.md

[grammar] ~13-~13: Ensure spelling is correct
Context: ...tempted but blocked by intermittent SSH publickey auth from this session; no host/config/...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)


[uncategorized] ~33-~33: The official name of this software platform is spelled with a capital “H”.
Context: ... with fingerprint table, downloads) and .github/workflows/hf-corpus-analysis.yml build...

(GITHUB)


[style] ~33-~33: It seems that a subject is missing.
Context: ...COMPARATIVE_INTERPRET_COMMAND` are set. Still pending: human/external prompt review a...

(SENT_START_STILL_VBG)


[uncategorized] ~47-~47: The official name of this software platform is spelled with a capital “H”.
Context: ...fetch_hf_corpus_registry.py. Workflow: .github/workflows/hf-corpus-analysis.yml`. Meth...

(GITHUB)

🪛 zizmor (1.25.2)
.github/workflows/hf-corpus-analysis.yml

[error] 59-59: overly broad permissions (excessive-permissions): contents: write is overly broad at the workflow level

(excessive-permissions)


[warning] 173-173: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 177-177: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 178-178: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 178-178: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 186-186: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 188-188: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 189-189: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 208-208: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 208-208: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 215-215: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 215-215: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 215-215: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 215-215: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 223-223: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 227-227: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 233-233: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 334-334: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 336-336: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 337-337: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[info] 338-338: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[info] 339-339: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 340-340: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 340-340: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 347-347: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[info] 349-349: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[info] 350-350: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[warning] 371-371: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[info] 413-413: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[info] 414-414: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 371-371: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 374-374: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 423-423: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔇 Additional comments (2)
docs/HANDOFF.md (2)

13-13: Fix SSH authentication terminology (duplicate).

Use "SSH public-key auth" or "SSH public key authentication" instead of "SSH publickey auth" (publickey as one word is non-standard).

📝 Suggested fix
-Local validation before PR, after merging latest `origin/main`: `cd middens && cargo fmt --check`, `cargo test --locked` (377 scenarios / 2087 steps plus 1 doctest), `cargo build --release --locked`, fixture split/no-python smoke, Buildkite YAML parse with Ruby, `bash -n` over both embedded commands after Buildkite dollar escaping, and `git diff --check` all passed. A small rustfmt-only fix was included for `middens/tests/steps/split.rs` because latest `main` had one formatting drift that would fail the new CI slice. `cargo clippy --all-targets --locked -- -D warnings` was tried before merging latest `main` but is not included in the first CI slice because current code has many pre-existing clippy warnings under the local/newer toolchain. Remote `buildkite-agent pipeline upload --dry-run` on `big-cabbage` was attempted but blocked by intermittent SSH publickey auth from this session; no host/config/image changes were made. Existing GitHub Actions `Build public results site` initially failed on PR `#3`; Azure-backed log/artifact downloads were unreachable from this workstation, but workflow inspection found a likely artifact path mismatch where downloaded artifacts may contain `site-data/corpora/...` instead of `.tmp/site-data/corpora/...`. The PR branch now accepts both path shapes in the collector; workflow YAML and a local `find` fixture validated.
+Local validation before PR, after merging latest `origin/main`: `cd middens && cargo fmt --check`, `cargo test --locked` (377 scenarios / 2087 steps plus 1 doctest), `cargo build --release --locked`, fixture split/no-python smoke, Buildkite YAML parse with Ruby, `bash -n` over both embedded commands after Buildkite dollar escaping, and `git diff --check` all passed. A small rustfmt-only fix was included for `middens/tests/steps/split.rs` because latest `main` had one formatting drift that would fail the new CI slice. `cargo clippy --all-targets --locked -- -D warnings` was tried before merging latest `main` but is not included in the first CI slice because current code has many pre-existing clippy warnings under the local/newer toolchain. Remote `buildkite-agent pipeline upload --dry-run` on `big-cabbage` was attempted but blocked by intermittent SSH public-key auth from this session; no host/config/image changes were made. Existing GitHub Actions `Build public results site` initially failed on PR `#3`; Azure-backed log/artifact downloads were unreachable from this workstation, but workflow inspection found a likely artifact path mismatch where downloaded artifacts may contain `site-data/corpora/...` instead of `.tmp/site-data/corpora/...`. The PR branch now accepts both path shapes in the collector; workflow YAML and a local `find` fixture validated.

33-34: LGTM!

Also applies to: 47-51, 93-93, 124-132, 137-137, 205-206, 217-219

El-Fitz added 2 commits June 9, 2026 20:54
# Conflicts:
#	.github/workflows/hf-corpus-analysis.yml
#	docs/HANDOFF.md

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/HANDOFF.md`:
- Line 11: Update the PR objectives/summary text that incorrectly states only
`cargo test --locked` so it matches the actual CI slice in
`.buildkite/pipeline.yml`; specifically mention both `cargo test --locked --lib`
and the Cucumber smoke invocation `cargo test --locked --test cucumber --
--input tests/features/smoke.feature` (or equivalent phrasing) wherever the
objectives or handoff wording reference test commands so they accurately reflect
the lib + cucumber smoke checks.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2eff419c-c017-4c97-951e-b773dbbc00d4

📥 Commits

Reviewing files that changed from the base of the PR and between 7aae929 and c74118e.

📒 Files selected for processing (2)
  • .buildkite/pipeline.yml
  • docs/HANDOFF.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • .buildkite/pipeline.yml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze agent-sessions-list-mixed
🧰 Additional context used
🪛 LanguageTool
docs/HANDOFF.md

[grammar] ~11-~11: Ensure spelling is correct
Context: ...bs/macos-sequoia-base:latest` with Rust bootstrapped by rustup. The first slice intentionally covers l...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)


[grammar] ~13-~13: Ensure spelling is correct
Context: ...tempted but blocked by intermittent SSH publickey auth from this session; no host/config/...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)


[uncategorized] ~33-~33: The official name of this software platform is spelled with a capital “H”.
Context: ... with fingerprint table, downloads) and .github/workflows/hf-corpus-analysis.yml build...

(GITHUB)

🔇 Additional comments (3)
docs/HANDOFF.md (3)

13-13: ⚡ Quick win

Fix the SSH authentication terminology typo.

Use "SSH public-key auth" or "SSH public key authentication" instead of "SSH publickey auth" to match standard terminology.

📝 Suggested correction
-Remote `buildkite-agent pipeline upload --dry-run` on `big-cabbage` was attempted but blocked by intermittent SSH publickey auth from this session; no host/config/image changes were made.
+Remote `buildkite-agent pipeline upload --dry-run` on `big-cabbage` was attempted but blocked by intermittent SSH public-key auth from this session; no host/config/image changes were made.

3-3: LGTM!

Also applies to: 9-9


219-220: LGTM!

Comment thread docs/HANDOFF.md

## Current session update — 2026-06-01

Started Buildkite/Tart CI migration on branch `chore/buildkite-tart-ci`. Added `.buildkite/pipeline.yml` with two non-credentialed PR jobs using `github.com/Bande-a-Bonnot/tart-ci#v0.1.1`: Linux ARM64 on local image `ci-linux-arm64-rust-bazel`, and macOS Apple Silicon on `ghcr.io/cirruslabs/macos-sequoia-base:latest` with Rust bootstrapped by rustup. The first slice intentionally covers lightweight Middens cross-platform checks: `cargo fmt --check`, `cargo test --locked --lib`, the Cucumber harness smoke feature, `cargo build --release --locked`, and `middens analyze tests/fixtures --split --no-python` with checks for all three stratum outputs. The full Cucumber/HF corpus batteries, scheduled workflows, release artifacts, x86_64 targets, Hugging Face registry/secrets, and large network downloads remain on GitHub Actions/deferred.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Extract the cargo test commands from the Buildkite pipeline configuration

rg -A 2 'cargo test' .buildkite/pipeline.yml

Repository: Lightless-Labs/third-thoughts

Length of output: 380


CI test slice matches the handoff wording (lib + cucumber smoke)

.buildkite/pipeline.yml runs cargo test --locked --lib and then cargo test --locked --test cucumber -- --input tests/features/smoke.feature, matching the handoff doc’s "cargo test --locked --lib, the Cucumber harness smoke feature" description. If any other “PR objectives” text claims only cargo test --locked, align it to include the --lib and cucumber smoke invocations.

🧰 Tools
🪛 LanguageTool

[grammar] ~11-~11: Ensure spelling is correct
Context: ...bs/macos-sequoia-base:latest` with Rust bootstrapped by rustup. The first slice intentionally covers l...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/HANDOFF.md` at line 11, Update the PR objectives/summary text that
incorrectly states only `cargo test --locked` so it matches the actual CI slice
in `.buildkite/pipeline.yml`; specifically mention both `cargo test --locked
--lib` and the Cucumber smoke invocation `cargo test --locked --test cucumber --
--input tests/features/smoke.feature` (or equivalent phrasing) wherever the
objectives or handoff wording reference test commands so they accurately reflect
the lib + cucumber smoke checks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant