Joshua Liebow-Feeser

This commit **optimizes CI performance** by **skipping `u128` and `i128` types** within the `test_ptr_try_cast_into_soundness` Miri test located in `src/pointer/ptr.rs`. These specific test cases were identified as the primary cause of long execution times in the merge queue, often leading to idle CI cores and significant delays. This **maintenance improvement** substantially **reduces Miri test duration**, saving approximately 7 minutes per CI run, thereby enhancing overall developer experience and CI efficiency. The change specifically impacts the **`ptr` module's Miri soundness tests**, streamlining the build process.

This commit **optimizes the CI pipeline** by configuring the **Miri test suite** to run on a more powerful GitHub Actions runner. This **maintenance** change, primarily within the `.github/workflows/ci.yml` configuration, significantly **reduces the execution time** for these critical memory safety tests. By leveraging a beefier runner, the project aims to improve developer velocity and reduce CI queue times, saving approximately 24 minutes per run. It also adds a `workflow_dispatch` trigger for manual execution of the workflow.

This commit **refactors the CI caching mechanism** by replacing the existing bespoke solution with **Docker-based caching** within GitHub Actions. It introduces a new `.github/workflows/Dockerfile` to define the build environment and a `.dockerignore` file, while significantly updating `.github/workflows/ci.yml` to integrate Docker for dependency and toolchain caching. This **CI infrastructure improvement** simplifies the overall caching setup, paving the way for **improved CI performance and reliability** through more granular caching. The `cargo.sh` script is also adjusted to conditionally include `tools/.cargo/config.toml` for the new environment. This is a **maintenance** task focused on enhancing the project's continuous integration pipeline.

This commit performs a **documentation update** for the **Hermes project**, specifically targeting the `tools/hermes/README.md` file. The primary change involves **updating the video demonstration link** to ensure users are directed to the most current and relevant visual resource for Hermes. Additionally, an internal footnote that is no longer applicable has been removed, improving the clarity and public-facing nature of the **Hermes documentation**. This **maintenance** task enhances the user experience by providing accurate and up-to-date information about the project's capabilities.

This commit **improves the developer experience** for the **Hermes** project by updating the recommended setup command for local development. Specifically, the `check_charon_version` function within `tools/hermes/src/charon.rs` now suggests `cargo run setup` instead of the outdated `cargo hermes setup` when a `charon` version mismatch is detected. This **maintenance** change is activated for local development builds via a new `__ZEROCOPY_LOCAL_DEV` environment variable configured in `.cargo/config.toml`, ensuring developers receive accurate guidance. The corresponding test fixture `tools/hermes/tests/fixtures/charon_version_mismatch/expected.stderr` has also been updated to reflect this new recommendation, making the **Hermes local development setup more robust and user-friendly**.

[hermes] Clean up examples (#3171)

This commit performs **test maintenance** within the **Hermes JavaScript engine's integration test suite**. It updates the configuration for two specific tests, `test_6_1_external_crate` and `test_6_3_renaming`, located under `tools/hermes/tests/fixtures/edge_cases_modules/`. The expected status for these tests in their respective `hermes.toml` files has been changed from `failure` to `known_bug`. This adjustment ensures that these tests, which currently expose existing unfixed issues, no longer cause CI failures, thereby improving the accuracy of test reporting by explicitly acknowledging known problems rather than treating them as new regressions.

This commit **refines the Hermes integration test suite** by **updating test configurations and expected outputs** across various fixtures. Several tests are reclassified from `failure` to `known_bug`, acknowledging existing issues within the **Hermes compiler**. Additionally, expected standard error outputs are adjusted for `type_features` to reflect current verification failures, and unsupported union type definitions are removed from test fixtures. Minor reordering of `expected_status` lines and updates to `hermes` code block syntax in doc comments also occur. This **maintenance** work improves the **accuracy and reliability of the test suite**, ensuring it correctly reflects the current state of the **Hermes compiler's behavior and known limitations**.

This commit performs **maintenance and refinement** on the **`hermes` integration test suite**, specifically within `tools/hermes/tests/fixtures`. It updates various test configurations (`hermes.toml`) to mark certain tests as `FIXME` or `known_bug`, indicating identified issues or limitations. The changes also include updating expected error outputs for `reject_safe_requires`, clarifying test descriptions, and adding `hermes` documentation comments with `isValid` and `ensures` clauses to test source files. This work improves the accuracy and clarity of the test suite, helping developers track known issues and ensuring tests reflect the current behavior of the `hermes` tool.

This commit significantly **improves the Hermes CI workflow** and **refactors its toolchain management**. The CI now utilizes a more powerful `ubuntu-24.04-64core` runner, drastically reducing integration test execution time, and the GitHub Actions cache is optimized to only restore, preventing unnecessary saving overhead. Concurrently, the **Hermes build system** is refactored to use `build_rs` metadata and an environment variable (`HERMES_CHARON_RUST_TOOLCHAIN`) for managing the Charon Rust toolchain version. These **maintenance and refactoring** changes ensure more efficient CI execution and updated internal logic for the **Hermes project**, with corresponding updates to various test fixtures to reflect the new configurations and expected outputs.

This commit **enhances the Hermes CI workflow** by explicitly configuring the pipeline to run unit tests separately before executing all tests, which now includes integration tests. This **CI/CD improvement** ensures a more robust and comprehensive automated testing process for the **Hermes project**. The update to `.github/workflows/hermes.yml` guarantees that **integration tests** are consistently run, improving the reliability and thoroughness of the build pipeline for all future changes.

This commit **updates the documentation** for the **`hermes` tool**, specifically modifying the installation instructions within `tools/hermes/README.md`. It ensures that users are directed to install the correct new version, `0.1.0-alpha.7`, of `cargo-hermes` via the provided command. This is a **documentation update** that reflects the latest **release** of the `hermes` tool, providing accurate guidance for new installations.

This commit **streamlines the development workflow** for the **Hermes project** by configuring **auto-approval rules** for changes to `Cargo.lock` and `vendor` directories. It updates the `.github/auto-approvers.json` file to automatically approve modifications to these specific dependency-related paths. This **maintenance** change is a **developer workflow improvement** designed to **accelerate CI/CD processes** by eliminating the need for manual review of automatically generated dependency updates. Consequently, it **reduces friction** when updating Hermes's dependencies, impacting the **CI/CD pipeline** and **dependency management** aspects of the project.

This commit introduces a **new capability** to the **CI/CD pipeline** by adding an `all-jobs-succeed` job to the `.github/workflows/auto-approve.yml` workflow. This **enhancement** provides a clear signal that all preceding jobs within the auto-approval process have successfully completed. The primary purpose of this new job is to facilitate **branch protections**, ensuring that subsequent actions, such as merging, are only permitted after a comprehensive and successful workflow run. This improves the reliability and control over the automated approval and merging process.

This commit provides a **documentation update** for the **Hermes tool**, specifically by adding a detailed description of its purpose and functionality to the `tools/hermes/README.md` file. This **maintenance** task aims to improve the clarity and accessibility of information for anyone reviewing the Hermes project's top-level documentation. The change directly impacts the **developer experience** by making it easier to understand the core role of the Hermes tool within the project.

This commit performs **maintenance** on the project's **CI/CD workflows** by disambiguating the "All checks succeeded" jobs. It modifies the name of the `all-jobs-succeed` job within both `.github/workflows/ci.yml` and `.github/workflows/hermes.yml` to include the respective workflow file name. This **chore** improves the clarity and readability of job statuses within the GitHub Actions interface, making it easier to identify which specific workflow has completed all its checks. The change enhances the user experience for developers monitoring CI runs by providing more precise job identification.

This commit **introduces a new GitHub Actions workflow for Hermes tests** in `.github/workflows/hermes.yml`, accompanied by a `README.md` for the tool. To support this new capability, the **CI job dependency check script** (`ci/check_job_dependencies.sh`) was **refactored** to operate per-file, allowing multiple `all-jobs-succeed` jobs across different workflow files without blocking CI. Additionally, the **auto-approvers validation script** (`ci/validate_auto_approvers.py`) was **enhanced** to support file-level rules, enabling specific approval configurations for files like the new Hermes workflow. This **infrastructure enhancement and new feature** work enables **more modular and independent CI configurations** for different project components and granular code ownership.

This commit **fixes a bug** in the **GitHub Actions workflows** where paginated API results, returning multiple JSON arrays, caused downstream scripts to fail. It introduces a crucial step to **concatenate these JSON arrays** into a single, valid array using `jq -s add`. Specifically, the **auto-approve workflow** (`.github/workflows/auto-approve.yml`) and the **CI workflow** (`.github/workflows/ci.yml`) are updated to ensure scripts like `validate_auto_approvers.py` correctly process API data. This **maintenance** change significantly improves the **robustness of automated approval and continuous integration processes** by gracefully handling paginated GitHub API responses.

This commit performs a **maintenance update** to the project's **CI/CD pipeline**, specifically upgrading the `step-security/harden-runner` GitHub Action to version `v2.16.0`. This update, applied within the **dependency review workflow** defined in `.github/workflows/dependency-review.yml`, is a critical **security fix** that addresses known vulnerabilities (GHSA-46g3-37rh-v698 and GHSA-g699-3x6g-wm3g). The change enhances the overall **security posture** of the project's automated checks by mitigating identified risks in the runner environment.

This commit **re-enables and upgrades the `zizmor` lint to `pedantic` enforcement** across the project, significantly **improving code quality enforcement** within the **CI/CD pipelines**. It involves **refactoring** numerous **GitHub Actions workflows** by removing redundant `rust-toolchain` installations, adding explicit permission comments, and suppressing specific lints to comply with the stricter rules. A key **security enhancement** is applied to the **release workflow** (`release.yml`), which now uses granular permissions and requires manual approval via a dedicated `release` environment. Additionally, a **bug fix** in the **`cargo-zerocopy` tool** redirects `rustup` command output to stderr, preventing interference with CI jobs that capture stdout, thereby **improving CI stability**.