Add a simple AGENTS.md rule for the AI-Assisted trailer in commit
messages and a workflow that adds the AI assisted label when PR commits
include that trailer.
AI-Assisted: Codex
Add workflow that runs Zizmor, a static analysis tool for GitHub
Actions. This will automatically flag various common security issues
with CI workflows.
Replace all template expansions in code contexts with environment
variable substitutions. Template expansion in code contexts can be a
source of code injection vulnerabilities; for more info, see:
https://docs.zizmor.sh/audits/#template-injection
The default workflow permissions are overly broad; setting permissions
explicitly at the workflow level ensures excessive permissions are not
unintentionally granted to jobs. For details, see:
https://docs.zizmor.sh/audits/#excessive-permissions
Set `persist-credentials: false` for all uses of `actions/checkout`.
This prevents git credentials from being stored on disk, and fixes the
following Zizmor audit:
https://docs.zizmor.sh/audits/#artipacked
This improves CI security by ensuring that action dependencies cannot be
changed by upstream repositories without updating the use of the
dependency in this repo.
Official GitHub-maintained actions are excluded from this requirement
and are left pinned by a tag instead of a commit hash. This action
dependency pinning policy is codified in `.github/zizmor.yml` so that
Zizmor (a static analysis tool for GitHub Actions) doesn't flag these as
unpinned dependencies.
Also add cooldown timer for Dependabot. This fixes these two Zizmor
audits:
* https://docs.zizmor.sh/audits/#dependabot-cooldown
* https://docs.zizmor.sh/audits/#unpinned-uses
Try this since Cirrus CI ran out of compute credits last month.
Previously the tests use less than 1 CPU out of the 2 provided by Cirrus
runner. I'm not sure if CPU usage is taken into account when counting
compute credits, or if it always fully counts the 2 CPUs. But perhaps
this will help in either case?
- Use double underscores for the group targets as these targets usually
shouldn't be used directly.
- Use dash instead of underscore in the two targets that need to be used
directly. I'm not entirely sure about this, as both chars are used in
many targets, but a dash is easier to type than an underscore.
- Rename ".nvimlog" to "nvim.log"
- doesn't need to be "hidden"/dotfile
- ".log" extension helps with filetype detection
- Also rename "nvim/log" => "nvim/nvim.log"
Define a CMake target for every subdirectory of test/functional that
contains functional tests, and a functionaltest_parallel target that
depends on all those targets, allowing multiple test runners to run in
parallel.
On CI, use at most 2 parallel test runners, as using more may increase
system load and make tests unstable.
Working towards making the build.zig build actually useful for
users..
For building a full runtime distribution in /usr or /opt/nvim or
whatever, use
sudo zig build install -p /usr
by default "zig build" will now work like "make" e.g. just build the binary
and the generated parts of the runtime. This will work for development,
but you need to use both parts of the runtime, just like with
an "uninstalled" cmake build:
zig build
VIM=. ./zig-out/bin/nvim --clean --cmd "set rtp+=./zig-out/runtime"
As a wrapper, `zig build run_dev` can be used
Problem:
`clint.py` is the last python in our codebase, and beyond that it needs
some cleanup. And it lacks tests, so modifying it can be painful.
Also, we need a way to add ad-hoc lint rules for *Lua*, so it will help
to have our ad-hoc rules for C in the same language (the scripts may
share functions/techniques): https://github.com/neovim/neovim/issues/28372
Solution:
- convert to `clint.lua` (mostly AI-generated, but it now has test
coverage, unlike `clint.py`)
- drop rules that are no longer needed:
- "readability/multiline_string"
- technially still relevant, but very uncommon so doesn't really matter.
- "--line-length"
- Not used in the old clint.py, nor the new clint.lua.
- "comment whitespace" check
- It is enforced by uncrustify.
- "TODO" check
- The `-google-readability-function-size` clang-tidy rule enforces
"TODO(user)" format. (It was already enabled long ago.)
Problem:
Sed thinks the argument starting with `1i` (and triple backticks) is the
suffix for the backup file because it comes right after the `-i` flag.
See for example
https://github.com/neovim/neovim/actions/runs/19774967693/job/56665991723.
Solution:
Explicitly mark it as command using the `-e` flag.
Problem:
No way to detect at runtime if the build includes unibilium (or whatever
terminfo layer we swap it with later).
Solution:
Support `has('terminfo')`.
Problem:
On macOS Tahoe, `make unittest` started failing with the following error.
````
test/unit/testutil.lua:784: test/unit/testutil.lua:768: (string) '
test/unit/testutil.lua:295: declaration specifier expected near 'ipc_info_object_type_t' at line 2297'
exit code: 256
stack traceback:
test/unit/testutil.lua:784: in function 'itp_parent'
test/unit/testutil.lua:822: in function <test/unit/testutil.lua:812>
````
Solution:
Update filter_complex_blocks.
Problem:
scripts/check_urls.vim manually matches urls in the help pages and then
synchronously checks them via curl/wget/powershell. This is extremely
slow (~5 minutes for Nvims runtime on my machine) and prone to errors in
how the urls are matched.
Solution:
- Use Tree-sitter to find the urls in the help pages and `vim.net.request` to
check the responses.
- Add a `lintdocurls` build task and check it in CI (every Friday).
- Reopens a dedicated issue if it finds unreachable URLs.
- Drop the old check_urls.vim script.
> The macOS 13 runner image will be retired by December 4th, 2025.
Update to the macos-15-intel runner.
It seems that runners ending with "large" require an enterprise plan, so
macos-15-intel is the only other available macOS Intel runner.
- Bump zig version to 0.15.1 and workaround zig fetch hang (ziglang/zig#24916)
- add mac os zig build (currently without luajit, linker failure)
- Add windows zig build, currently with very limited testing
Problem: The wasmtime version compatible with tree-sitter 0.25.x fails
current Rust lint.
Solution: Disable wasmtime build.
Rationale:
1. As the only Rust dependency, these force us into a fast-moving update cycle (new warnings for everyone!);
2. wasmtime has a monthly release cycle, but we're locked into whatever tree-sitter supports, and there's no clear compatibility matrix (and I no longer care enough to spend the time and effort keeping this synced between tree-sitter and neovim);
3. we only test building with wasmtime but not actually using wasm parsers (this was actually broken for a while without being caught);
4. we're probably not going to go with wasmtime as our default wasm engine anyway.
Problem:
Neovim binaries are not provided for Windows ARM64.
GitHub Actions now offer native CI runners for Windows on ARM devices
(windows-11-arm), enabling automated builds and testing.
Solution:
- Modified CMake packaging to include packaging windows on arm binaries.
- Modified env script to install and initialize vs setup for arm64 arch.
Co-authored-by: Justin M. Keyes <justinkz@gmail.com>
This is matters for cross-compiling where we might not
be able to run the "nvim" binary on the host.
Instead reimplement the helptags extractor as a small
lua script, which we can run on the host using the nlua0
helper already used for other generator scripts.
Tested using cross-compiling from linux:
zig build -Dcross=true -Dtarget=x86_64-windows nvim_bin
Note: not fully functional without a runtime, which still has to be
fuddled with manually
Macos and windows builds require a recent zig 0.15+dev version
As this zig master branch is currently too much in flux, we can't make
our CI depend on zig master.
Revisit CI after zig 0.15 release or at least feature freeze.
