Reformt codes and add CodeQL action

.github/workflows/base.yml

@@ -27,39 +27,49 @@
 
 jobs:
   format:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     name: Rustfmt Check
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           submodules: recursive
-      - run: cargo fmt --all -- --check
+
+      - name: Install nightly toolchain
+        run: |
+          rustup toolchain install nightly --profile minimal
+          rustup component add rustfmt --toolchain nightly
+
+      - run: cargo +nightly fmt --all --check
 
   #
   clippy:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     name: Clippy Check
     runs-on: ubuntu-latest
     env:
       CARGO_TERM_COLOR: always
+      RUSTUP_TOOLCHAIN: stable
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           submodules: recursive
 
       - name: Install system dependencies
         uses: ./.github/install-dep
         with:
           cache-key: sysdeps
           platform: ubuntu
 
       - name: Run cargo clippy
         run: |
           cargo clippy --all-targets --all-features -- -D warnings
 
   test:
     name: Full Test
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     strategy:
       fail-fast: false
       matrix:
@@ -71,6 +81,7 @@
     runs-on: ${{ matrix.runs-on }}
     env:
       CARGO_TERM_COLOR: always
+      RUSTUP_TOOLCHAIN: stable
       HOME: ${{ matrix.home }}
     steps:
       - name: Install Redis
@@ -108,9 +119,11 @@
 
   fuse:
     name: Fuse Clippy Check
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     runs-on: [self-hosted, Linux, X64]
     env:
       CARGO_TERM_COLOR: always
+      RUSTUP_TOOLCHAIN: stable
     steps:
       - uses: actions/checkout@v4
       - uses: actions-rust-lang/setup-rust-toolchain@v1

.github/workflows/claude-review.yml

@@ -76,12 +76,17 @@ jobs:
         if: ${{ github.event_name == 'pull_request_target' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
+          PR_HEAD_OWNER: ${{ github.event.pull_request.head.repo.owner.login }}
+          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.name }}
+          REPO_OWNER: ${{ github.repository_owner }}
         run: |
-          PR_NUMBER=${{ github.event.pull_request.number }}
-          HEAD_REF="${{ github.event.pull_request.head.ref }}"
-          HEAD_OWNER="${{ github.event.pull_request.head.repo.owner.login }}"
-          HEAD_REPO="${{ github.event.pull_request.head.repo.name }}"
-          CURRENT_OWNER="${{ github.repository_owner }}"
+          PR_NUMBER="$PR_NUMBER"
+          HEAD_REF="$PR_HEAD_REF"
+          HEAD_OWNER="$PR_HEAD_OWNER"
+          HEAD_REPO="$PR_HEAD_REPO"
+          CURRENT_OWNER="$REPO_OWNER"
 
           # For forked PRs, temporarily change origin URL to fork repository
           # This allows claude-code-action to fetch the PR branch correctly
@@ -133,7 +138,6 @@ jobs:
 
           # Enable progress tracking and show full Claude output in logs
           track_progress: true
-          show_full_output: true
 
           # Custom review instructions passed to Claude
           prompt: |
@@ -172,3 +176,4 @@ jobs:
           # Restrict tools that Claude can use during the review
           claude_args: |
             --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"
+

.github/workflows/codeql.yml

@@ -0,0 +1,76 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: 'ubuntu-latest'
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: rust
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/mega-dev-image-deploy.yml

@@ -24,6 +24,7 @@ permissions:
 
 jobs:
   build-and-push:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:

.github/workflows/mono-engine-deploy.yml

@@ -27,63 +27,65 @@
 
 jobs:
   build:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
 
       - name: Login to Amazon ECR Public
         id: login-ecr-public
         uses: aws-actions/amazon-ecr-login@v2
         with:
           registry-type: public
 
       - name: Build, tag, and push docker image to Amazon ECR Public
         env:
           REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
           REGISTRY_ALIAS: m8q5m4u3
           REPOSITORY: mega
           IMAGE_TAG: mono-0.1.0-pre-release
         run: |
           TIMESTAMP=$(date +%Y%m%d-%H%M%S)
 
           IMAGE_BASE="$REGISTRY/$REGISTRY_ALIAS/$REPOSITORY"
 
           docker buildx build \
           -t $IMAGE_BASE:$IMAGE_TAG \
           -t $IMAGE_BASE:$IMAGE_TAG-$TIMESTAMP \
           -f ./docker/mono-engine-dockerfile \
           --push .
 
   deploy:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     needs: build
     runs-on: ubuntu-latest
     strategy:
       matrix:
         include:
           - cluster: gitmega-com
             service: mono-engine-dev-service-xnmoxhxb
           - cluster: gitmono-com-mega-app
             service: mono-engine
     steps:
       - name: Force ECS redeploy
         run: |
           aws ecs update-service \
             --cluster ${{ matrix.cluster }} \
             --service ${{ matrix.service }} \
             --force-new-deployment
         env:
           AWS_REGION: ap-southeast-2
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

.github/workflows/orion-client-deploy.yml

@@ -14,52 +14,53 @@
 
 jobs:
   build-and-deploy:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     runs-on: ubuntu-latest
     timeout-minutes: 20
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       # Rust toolchain
       - name: Install Rust
         uses: dtolnay/rust-toolchain@stable
 
       - name: Rust cache
         uses: Swatinem/rust-cache@v2
         with:
           shared-key: release
           cache-on-failure: true
 
       - name: Build Orion
         run: cargo build --release -p orion --bin orion
 
       - name: Build Scorpio
         run: cargo build --release -p scorpio --bin scorpio
 
       - name: Verify build artifacts
         run: |
           ls -lh target/release || true
           file target/release/orion || true
           file target/release/scorpio || true
 
       - name: Upload binaries via rsync
         uses: burnett01/rsync-deployments@master
         with:
           switches: -avz --progress
           path: target/release/orion target/release/scorpio
           remote_path: /root/orion-runner/
           remote_host: ${{ secrets.ORION_DEPLOY_HOST }}
           remote_user: root
           remote_key: ${{ secrets.ORION_DEPLOY_SSH_KEY }}
 
       - name: Restart service
         uses: appleboy/[email protected]
         with:
           host: ${{ secrets.ORION_DEPLOY_HOST }}
           username: root
           key: ${{ secrets.ORION_DEPLOY_SSH_KEY }}
           script: |
             systemctl daemon-reload
             systemctl restart orion-runner.service
             systemctl status orion-runner.service --no-pager

.github/workflows/orion-server-deploy.yml

@@ -17,58 +17,60 @@
 
 jobs:
   build:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
 
       - name: Login to Amazon ECR Public
         id: login-ecr-public
         uses: aws-actions/amazon-ecr-login@v2
         with:
           registry-type: public
 
       - name: Build, tag, and push docker image to Amazon ECR Public
         env:
           REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
           REGISTRY_ALIAS: m8q5m4u3
           REPOSITORY: mega
           IMAGE_TAG: orion-server-0.1.0-pre-release
         run: |
           docker buildx build \
           -t $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG \
           -f orion-server/Dockerfile \
           --push .
 
   deploy:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     needs: build
     runs-on: ubuntu-latest
     strategy:
       matrix:
         include:
           - cluster: gitmega-com
             service: orion-server-dev-service-om0caign
           - cluster: gitmono-com-mega-app
             service: orion-server-service
     steps:
       - name: Force ECS redeploy
         run: |
           aws ecs update-service \
             --cluster ${{ matrix.cluster }} \
             --service ${{ matrix.service }} \
             --force-new-deployment
         env:
           AWS_REGION: ap-southeast-2
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

.github/workflows/rag-deploy.yml

@@ -18,42 +18,43 @@
 
 jobs:
   rag-server-deploy:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     runs-on: ubuntu-latest
     timeout-minutes: 10
     strategy:
       fail-fast: false
       matrix:
         project:
           - extensions/rag/chat
           - extensions/rag/index
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.base.ref }}
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
 
       - name: Login to Amazon ECR Public
         id: login-ecr-public
         uses: aws-actions/amazon-ecr-login@v2
         with:
           registry-type: public
 
       - name: Build, tag, and push docker image to Amazon ECR Public
         env:
           REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
           REGISTRY_ALIAS: m8q5m4u3
           REPOSITORY: mega
         run: |
           project_name=$(basename "${{ matrix.project }}")
           IMAGE_TAG="rag-${project_name}-0.1.0-pre-release"
           echo "Building image: $IMAGE_TAG"
           docker buildx build -t $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG -f ${{ matrix.project }}/Dockerfile .
           docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG
 

.github/workflows/web-deploy.yml

@@ -19,48 +19,49 @@
 
 jobs:
   build:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     runs-on: ubuntu-latest
     strategy:
       matrix:
         env_name: [staging, openatom, gitmono]
     timeout-minutes: 10
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.base.ref }}
 
       - uses: actions/setup-node@v4
         with:
           node-version: '20'
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
 
       - name: Login to Amazon ECR Public
         id: login-ecr-public
         uses: aws-actions/amazon-ecr-login@v2
         with:
           registry-type: public
 
       - name: Build, tag, and push docker image (${{ matrix.env_name }}) to Amazon ECR Public
         working-directory: moon
         env:
           REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
           REGISTRY_ALIAS: m8q5m4u3
           REPOSITORY: mega
           IMAGE_TAG: mega-ui-${{ matrix.env_name }}-0.1.0-pre-release
         run: |
           docker build \
             --build-arg APP_ENV=${{ matrix.env_name }} \
             -f apps/web/Dockerfile \
             -t $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG .
           docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG
   deploy:
       needs: build
       runs-on: ubuntu-latest
       strategy:

.github/workflows/web-sync-server-deploy.yml

@@ -20,51 +20,52 @@
 
 jobs:
   web-sync-server-deploy:
+    if: ${{ github.repository == 'web3infra-foundation/mega' }}
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.base.ref }}
 
       - uses: actions/setup-node@v4
         with:
           node-version: '20'
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
 
       - name: Login to Amazon ECR Public
         id: login-ecr-public
         uses: aws-actions/amazon-ecr-login@v2
         with:
           registry-type: public
 
       - name: Build, tag, and push docker image to Amazon ECR Public
         working-directory: moon
         env:
           REGISTRY: ${{ steps.login-ecr-public.outputs.registry }}
           REGISTRY_ALIAS: m8q5m4u3
           REPOSITORY: mega
           IMAGE_TAG: mega-web-sync-server-0.1.0-pre-release
         run: |
           docker build \
             -f apps/sync-server/Dockerfile \
             -t $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG .
           docker push $REGISTRY/$REGISTRY_ALIAS/$REPOSITORY:$IMAGE_TAG
 
       - name: Force ECS redeploy
         run: |
           aws ecs update-service \
             --cluster ${{ secrets.AWS_ECS_CLUSTER_NAME }} \
             --service mega-web-sync-server-dev-service-v3hdlyk8 \
             --force-new-deployment
         env:
           AWS_REGION: ap-southeast-2
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

README.md

@@ -36,6 +36,55 @@ Mega intergrates Buck2 as default, which is a build system developed by Meta wit
 
 The mega project relies on community contributions and aims to simplify getting started. To develop Mega, clone the repository, then install all dependencies and initialize the database schema, run the test suite and try it out locally. Pick an issue, make changes, and submit a pull request for community review.
 
+### Pre-submission Checks
+Before submitting a Pull Request, please ensure your code passes the following checks:
+
+```bash
+# Run clippy with all warnings treated as errors (warnings will be treated as errors)
+cargo clippy --all-targets --all-features -- -D warnings
+
+# Check code formatting (requires nightly toolchain)
+cargo +nightly fmt --all --check
+```
+
+Both commands must complete without any warnings. The clippy check treats all warnings as errors, and the formatter check ensures code follows the project style guide. Only PRs that pass these checks will be accepted for merge.
+
+
+If the formatting check fails, you can automatically fix formatting issues by running:
+
+```bash
+cargo +nightly fmt --all
+```
+
+### Buck2 Build Requirements
+
+This project builds with Buck2. Please install both Buck2 and cargo-buckal before development:
+
+```bash
+# Install buck2: download the latest release tarball from
+# https://github.com/facebook/buck2/releases, extract the binary,
+# and place it in ~/.cargo/bin (ensure ~/.cargo/bin is on PATH).
+# Example (replace <tag> and <platform> with the latest for your OS):
+wget https://github.com/facebook/buck2/releases/download/<tag>/buck2-<platform>.tar.gz
+tar -xzf buck2-<platform>.tar.gz
+mv buck2 ~/.cargo/bin/
+
+# Install cargo-buckal (requires Rust toolchain)
+cargo install --git https://github.com/buck2hub/cargo-buckal.git
+```
+
+Pull Requests must also pass the Buck2 build:
+
+```bash
+cargo buckal build
+```
+
+When you update dependencies in Cargo.toml, regenerate Buck metadata and third-party lockfiles:
+
+```bash
+cargo buckal migrate
+```
+
 More information on contributing to Mega is available in the [Contributing Guide](docs/contributing.md).
 
 ## Chat with us

ceres/src/api_service/admin_ops.rs

@@ -10,12 +10,12 @@
 //! - Cache keys are namespaced by both instance prefix and root directory
 //! - Empty paths fall back to the default directory (project)
 
-use redis::AsyncCommands;
-
-use crate::api_service::mono_api_service::MonoApiService;
 use common::errors::MegaError;
 use git_internal::internal::object::tree::Tree;
 use jupiter::utils::converter::FromMegaModel;
+use redis::AsyncCommands;
+
+use crate::api_service::mono_api_service::MonoApiService;
 
 /// Cache TTL for admin lists (10 minutes).
 pub const ADMIN_CACHE_TTL: u64 = 600;

ceres/src/api_service/blame_ops.rs

@@ -3,18 +3,23 @@
 //! This module provides a unified blame implementation that works with both
 //! MonoApiService and ImportApiService through the ApiHandler trait.
 
-use std::collections::HashMap;
-use std::path::{Component, Path, PathBuf};
-use std::sync::Arc;
-
-use git_internal::diff::{DiffOperation, compute_diff};
-use git_internal::errors::GitError;
-use git_internal::hash::ObjectHash;
-use git_internal::internal::object::commit::Commit;
-use git_internal::internal::object::tree::TreeItemMode;
-
-use crate::api_service::ApiHandler;
-use crate::model::blame::{BlameBlock, BlameInfo, BlameQuery, BlameResult, Contributor};
+use std::{
+    collections::HashMap,
+    path::{Component, Path, PathBuf},
+    sync::Arc,
+};
+
+use git_internal::{
+    diff::{DiffOperation, compute_diff},
+    errors::GitError,
+    hash::ObjectHash,
+    internal::object::{commit::Commit, tree::TreeItemMode},
+};
+
+use crate::{
+    api_service::ApiHandler,
+    model::blame::{BlameBlock, BlameInfo, BlameQuery, BlameResult, Contributor},
+};
 
 /// Internal structure to track line attribution during history traversal
 struct LineAttribution {

ceres/src/api_service/blob_ops.rs

@@ -4,17 +4,18 @@ use std::{
 };
 
 use common::model::DiffItem;
+use futures::{StreamExt, stream};
 use git_internal::{
     diff::Diff as GitDiff,
     errors::GitError,
     hash::ObjectHash,
     internal::object::{blob::Blob, tree::TreeItemMode},
 };
 
-use crate::api_service::ApiHandler;
-use crate::api_service::tree_ops;
-use crate::model::git::DiffPreviewPayload;
-use futures::{StreamExt, stream};
+use crate::{
+    api_service::{ApiHandler, tree_ops},
+    model::git::DiffPreviewPayload,
+};
 
 /// Convenience: get file blob oid at HEAD (or provided refs) by path
 pub async fn get_file_blob_id<T: ApiHandler + ?Sized>(