jedarden/pdftract

Fork 0

Commit graph

Author	SHA1	Message	Date
jedarden	c621947686	feat(bf-1g1fd): implement CI memory-ceiling gate with cgroup MemoryMax enforcement Implements Tier-1 memory ceiling gate that enforces RSS budgets for PDF extraction, analogous to cargo-bloat for binary size. Changes: - CI: Add memory-ceiling template with cgroup MemoryMax (1.5 GB) - CI: Add cgroup MemoryMax enforcement to test-glibc (6 GB) and test-musl (4 GB) - CI: Add cgroup MemoryMax + libfuzzer rss/malloc limits to fuzz workflow - xtask: Implement memory-ceiling command with peak RSS sampling - Add perf fixtures (100-page, 10k-page) for memory testing - Add run-fuzz-with-limits.sh for local fuzz testing with memory caps - Register perf fixtures in PROVENANCE.md Memory budgets enforced: - Buffered 100-page PDF: < 512 MB - Streaming mode: < 256 MB (constant in page count) - Adversarial fixtures: < 1 GB hard ceiling Closes bf-1g1fd Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-23 13:22:55 -04:00
jedarden	a2b9e73a88	feat(pdftract-4b0z): implement publish-if-tag step for GitHub Releases Implement the publish-if-tag step in pdftract-ci that activates on version tags (v..*) and publishes cross-compiled binaries to GitHub Releases. Changes: - Add tools/extract-release-notes.sh script for CHANGELOG parsing - Update publish-if-tag template in pdftract-ci.yaml: - Downloads all 5 build artifacts from build-matrix - Generates SHA256SUMS checksums - Extracts release notes from CHANGELOG.md - Creates GitHub Release via gh CLI - Supports both stable and pre-release tags (--prerelease flag) - Uses --clobber for idempotent re-runs The step uses Chainguard's gh:latest image and authenticates via github-pdftract-release Secret (GH_TOKEN key). Optional signing infrastructure is deferred to Release Engineering epic. Co-Authored-By: Claude Code (glm-4.7) <noreply@anthropic.com>	2026-05-20 19:06:16 -04:00

Author

SHA1

Message

Date

jedarden

c621947686

feat(bf-1g1fd): implement CI memory-ceiling gate with cgroup MemoryMax enforcement

Implements Tier-1 memory ceiling gate that enforces RSS budgets for PDF
extraction, analogous to cargo-bloat for binary size.

Changes:
- CI: Add memory-ceiling template with cgroup MemoryMax (1.5 GB)
- CI: Add cgroup MemoryMax enforcement to test-glibc (6 GB) and test-musl (4 GB)
- CI: Add cgroup MemoryMax + libfuzzer rss/malloc limits to fuzz workflow
- xtask: Implement memory-ceiling command with peak RSS sampling
- Add perf fixtures (100-page, 10k-page) for memory testing
- Add run-fuzz-with-limits.sh for local fuzz testing with memory caps
- Register perf fixtures in PROVENANCE.md

Memory budgets enforced:
- Buffered 100-page PDF: < 512 MB
- Streaming mode: < 256 MB (constant in page count)
- Adversarial fixtures: < 1 GB hard ceiling

Closes bf-1g1fd

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-23 13:22:55 -04:00

jedarden

a2b9e73a88

feat(pdftract-4b0z): implement publish-if-tag step for GitHub Releases

Implement the publish-if-tag step in pdftract-ci that activates on
version tags (v*.*.*) and publishes cross-compiled binaries to
GitHub Releases.

Changes:
- Add tools/extract-release-notes.sh script for CHANGELOG parsing
- Update publish-if-tag template in pdftract-ci.yaml:
  - Downloads all 5 build artifacts from build-matrix
  - Generates SHA256SUMS checksums
  - Extracts release notes from CHANGELOG.md
  - Creates GitHub Release via gh CLI
  - Supports both stable and pre-release tags (--prerelease flag)
  - Uses --clobber for idempotent re-runs

The step uses Chainguard's gh:latest image and authenticates via
github-pdftract-release Secret (GH_TOKEN key). Optional signing
infrastructure is deferred to Release Engineering epic.

Co-Authored-By: Claude Code (glm-4.7) <noreply@anthropic.com>

2026-05-20 19:06:16 -04:00

2 commits