Workflow Health Summary
Report Period: 2026-03-16 to 2026-03-23 | Overall Health: GOOD | Velocity: High
| Workflow | Health Score | Success Rate | Avg Duration | Status |
|---|---|---|---|---|
| CI (ci.yml) | 100 | 100% (no-op placeholder) | <1m | Excellent |
| Rust CI (rust-ci.yml) | 90 | ~95% | ~10m | Excellent |
| Rust Release (rust-release.yml) | 85 | ~90% (partial artifacts) | ~16m | Good |
| Docs (docs.yml) | 95 | ~100% | ~3m | Excellent |
| Security (security.yml) | 65 | Unknown (stale targets) | ~15m | |
| Dependency Review | 80 | Scheduled | N/A | Good |
Overall Health Score: 86/100 (GOOD)
Critical Issues
None detected this week. All merged PRs passed CI before merge. The Rust Release critical failure (0% success, weeks of 2026-03-02 to 2026-03-09) has been resolved: the release pipeline ran 10/10 successfully during 2026-03-09 to 2026-03-16.
Warnings
1. Incomplete Release Artifacts - Linux Python Wheels Missing (Ongoing)
Only ~30% of releases have complete artifact sets. Binary tarballs are always complete; the issue is specific to manylinux wheel build jobs.
- Current release v2.6.24: Has macOS binaries and macOS wheels, but missing Linux wheels (`azlin_rs-*-manylinux*.whl`)
- Pattern: Linux wheels (manylinux x86_64 + aarch64) are absent in 7/10 recent releases
- Impact: `pip install azlin-rs --find-links (releases)` fails silently on Linux
- Recommendation: Fix `rust-release.yml` manylinux wheel build job - investigate `rust/Cargo.toml` PyO3 config (`crate-type = ["cdylib"]`) or the `PyO3/maturin-action@v1` job configuration for Linux targets
2. Security Workflow - Stale Scan Target (Ongoing)
security.yml still targets Python source (src/), but Python was retired in PR #818. The Bandit/Safety scans are now effectively no-ops.
- Impact: Security scans are not covering Rust code at all
- Risk: Undetected vulnerabilities in the active Rust codebase
- Recommendation: Update `security.yml` to add `cargo audit`/`cargo deny` for Rust dependency auditing; remove or disable the Python Bandit/Safety steps
- Note: Issue #876 (tarfile path traversal in `rust_bridge.py`) would not be caught by CI currently
3. Open Security Bug - Tarfile Extraction Without Filter
Issue #876 remains open: tarfile.extract() without filter='data' in /src/azlin/rust_bridge.py:133-137 is vulnerable to path traversal attacks (a known Python security advisory).
- Severity: HIGH (security)
- Status: PR #885 ("fix(security): harden tar extraction in rust_bridge against path traversal (#876)") is open but not merged
- Recommendation: Merge PR #885 promptly
4. Trivy Action Version - Recently Fixed
Commit 061a92c (2026-03-21, PR #889) fixed the trivy-action missing v prefix (@0.28.0 → @v0.35.0). This was causing "Unable to resolve action" errors on every PR. Resolved.
5. Smart-Orchestrator Infrastructure Failure
Issue #882 (filed 2026-03-19) documents `classify-and-decompose` producing 0 workstreams for the agentic CI infrastructure. This is a recurring pattern (previously seen in issue #871).
Trends (Week-over-Week)
| Metric | 2026-03-09 to 03-16 | 2026-03-16 to 03-23 | Trend |
|---|---|---|---|
| Total commits to main | ~50 | ~12 | Slower pace (focused fixes) |
| Total merged PRs | 26 | ~6 | Focused work |
| New releases | 10 | 4 (v2.6.21–v2.6.24) | Steady |
| Overall pass rate | ~90% (excl. critical week) | ~90% estimated | Stable |
| Rust CI success | ~95% | ~95% | Stable |
| Rust Release success | 100% | ~90% (artifact gaps) | Watch |
| Security scan coverage | Stale (Python-only) | Stale (Python-only) | |
| Open bug issues | 7 | 7 | No change |
| CLI startup time | ~3–6ms | ~3–6ms | Stable (Rust era) |
8-Week Historical Health Trajectory
| Week | Overall Score | Notes |
|---|---|---|
| 2026-02-09 to 02-16 | ~60 | Agentic secret failures dominating |
| 2026-02-16 to 02-23 | ~65 | CI 65% (cancels), security 100% |
| 2026-02-23 to 03-02 | ~62 | Agentic workflows 3–10%, CI improving |
| 2026-03-02 to 03-09 | 57 | Rust CI 30%, Rust Release 0% (lowest point) |
| 2026-03-09 to 03-16 | ~85 | Rust CI/Release recovered, ANTHROPIC_API_KEY fixed |
| 2026-03-16 to 03-23 | 86 | Stable, warnings only, critical issues resolved |
Trend: Strong recovery over 6 weeks. The project has moved from 57% (critical) to 86% (good) overall CI health. Key milestones: ANTHROPIC_API_KEY secret added (early March), Rust CI Clippy failures resolved (March 13), Rust Release fixed (March 9-13), trivy-action fixed (March 21).
Recommendations
High Priority
- [P0] Fix manylinux wheel build in `rust-release.yml` - 70% of releases are missing Linux Python wheels. This breaks `pip install` on Linux. Check `PyO3/maturin-action@v1` configuration and `rust/Cargo.toml` for `crate-type = ["cdylib"]`.
- [P0] Merge PR #885 - Fix tarfile path traversal vulnerability in `rust_bridge.py` (Issue #876). Security bug has been open since 2026-03-19.
Medium Priority
- [P1] Update `security.yml` to scan Rust code - Add `cargo audit` and/or `cargo deny` to catch supply chain vulnerabilities in Rust dependencies. Remove Python-only Bandit/Safety scans (targeting retired code).
- [P1] Resolve smart-orchestrator failure (Issue #882) - `classify-and-decompose` produces 0 workstreams, blocking agentic CI workflows.
- [P1] Merge PR #886 - Fix error-swallowing patterns in documentation scripts (Issue #878, MEDIUM severity).
Low Priority
- [P2] Add VM info caching for `azlin connect` - `vm_manager.get_vm()` is uncached, adding 500ms–1.5s to every connect. File: `rust/crates/azlin/src/cmd_connect.rs:82`.
- [P2] Parallelize list command - `azlin list` bastion + tmux collection could use `tokio::join!`. File: `rust/crates/azlin/src/cmd_list.rs:178-222`.
- [P2] Close stale PRs - PRs #850, #852, #853 are superseded by merged PR #851.
- [P3] Close stale branches - 30+ open branches, many appear inactive (e.g., `docs/v0.3.1`, `docs/update-readme-v0.3.2`, `feat/azure-cli-wsl2-detection`).
Activity Summary
- Total commits this week: ~12 (focused on restore/tmux fixes, macOS support)
- Total releases: 4 (v2.6.21 to v2.6.24)
- Most active day: 2026-03-17 (Bastion/tmux bug fix workflow, 5 commits)
- Fastest workflow: Docs (~3m avg)
- Slowest workflow: CI Python legacy (~13m, now no-op)
- Open PRs: 3 (#885, #886, #888)
- Open bugs: 7
Current Release Status
Latest release: v2.6.24-rust.f347cc8 (2026-03-22)
| Asset | Available |
|---|---|
| Linux x86_64 binary | Yes |
| Linux aarch64 binary | Yes |
| macOS x86_64 binary | Yes |
| macOS arm64 binary | Yes |
| macOS x86_64 wheel | Yes |
| macOS arm64 wheel | Yes |
| Linux x86_64 wheel (manylinux) | Missing |
| Linux aarch64 wheel (manylinux) | Missing |
Generated by CI/CD Workflow Health Monitor | Previous reports: #854 (2026-03-16), #791 (2026-03-09), #741 (2026-03-02), #674 (2026-02-23)