fix(verify): guard process-group cleanup

Author: lucifer1004

CHANGELOG.md

@@ -26,7 +26,7 @@ Release entries are curated summaries for readers. Work item traceability remain
 
 ### Fixed
 
-- Fixed guard execution for noisy commands and detached child processes by collecting output safely and reporting timeout state more clearly.
+- Fixed guard execution for noisy commands, detached child processes, and CI-safe process-group cleanup by collecting output safely, only signaling isolated guard child process groups, and reporting timeout state more clearly.
 - Fixed `self-update` archive extraction so release archives and cargo-binstall resolve binaries under `govctl-v{{ version }}-{{ target }}/{{ bin }}`.
 - Rendered acceptance-criterion category labels in `govctl work show`, giving reviewers the same category signal as raw TOML.
 

gov/releases.toml

@@ -18,6 +18,7 @@ refs = [
     "WI-2026-05-25-005",
     "WI-2026-05-25-006",
     "WI-2026-05-25-007",
+    "WI-2026-05-25-008",
 ]
 
 [[releases]]

gov/work/2026-05-25-fix-guard-process-group-cleanup-killing-ci.toml

@@ -0,0 +1,40 @@
+#:schema ../schema/work.schema.json
+
+[govctl]
+id = "WI-2026-05-25-008"
+title = "Fix guard process-group cleanup killing CI"
+status = "done"
+created = "2026-05-25"
+started = "2026-05-25"
+completed = "2026-05-25"
+
+[content]
+description = "Fix repeated GitHub Actions SIGTERM failures during verification tests after the guard process-group cleanup change. The guard runner must only signal process groups it has proven are isolated guard child groups, so timeout cleanup cannot terminate the CI runner or cargo test process."
+
+[[content.journal]]
+date = "2026-05-25"
+scope = "ci"
+content = """
+Investigated repeated GitHub Actions failures on commit 53488bb0. CI and Pre-commit both reached `cargo test --all-features` and were terminated with SIGTERM/exit 143 during `tests/test_verify.rs`, with no Rust assertion or compilation failure. This points to the recent guard process-group cleanup path rather than changelog or docs changes.
+
+Updated guard cleanup to capture the actual child process group after spawn, reject the current runner/cargo process group, require the group to match the isolated child PID, and signal it via direct Unix `kill` only after those checks. Added Unix regression coverage for rejecting the current process group and capturing an isolated child group."""
+
+[[content.journal]]
+date = "2026-05-25"
+scope = "validation"
+content = "Verified the process-group cleanup fix with cargo fmt --all -- --check, cargo test --test test_verify -- --test-threads=1, cargo test verification::unix_process_group_tests --all-features, cargo clippy --all-features -- -D warnings, full cargo test --all-features, and cargo run --quiet -- check."
+
+[[content.acceptance_criteria]]
+text = "cargo fmt, relevant tests, full tests, clippy, and govctl check pass"
+status = "done"
+category = "chore"
+
+[[content.acceptance_criteria]]
+text = "Regression coverage checks guard process-group capture rejects the current process group"
+status = "done"
+category = "chore"
+
+[[content.acceptance_criteria]]
+text = "Guard process cleanup only signals an isolated guard child process group, never the current runner process group"
+status = "done"
+category = "fixed"

src/verification.rs

@@ -229,6 +229,7 @@ pub fn run_guard(config: &Config, guard: &GuardEntry) -> Result<GuardRunResult,
         )
     })?;
     let child_id = child.id();
+    let process_group = guard_process_group(child_id);
 
     let deadline = Duration::from_secs(timeout);
     let started = Instant::now();
@@ -240,7 +241,7 @@ pub fn run_guard(config: &Config, guard: &GuardEntry) -> Result<GuardRunResult,
         match child.try_wait() {
             Ok(Some(exit_status)) => {
                 status = exit_status;
-                terminate_guard_process_group(child_id);
+                terminate_guard_process_group(process_group);
                 break;
             }
             Ok(None) if started.elapsed() < deadline => {
@@ -249,7 +250,7 @@ pub fn run_guard(config: &Config, guard: &GuardEntry) -> Result<GuardRunResult,
             Ok(None) => {
                 timed_out = true;
                 primary_shell_running_at_timeout = Some(true);
-                terminate_guard_process(&mut child);
+                terminate_guard_process(&mut child, process_group);
                 status = child.wait().map_err(|err| {
                     Diagnostic::new(
                         DiagnosticCode::E1004GuardCheckFailed,
@@ -386,30 +387,86 @@ fn configure_guard_process_group(command: &mut Command) {
 #[cfg(not(unix))]
 fn configure_guard_process_group(_command: &mut Command) {}
 
-fn terminate_guard_process(child: &mut Child) {
-    terminate_guard_process_group(child.id());
+#[cfg(unix)]
+#[derive(Clone, Copy)]
+struct GuardProcessGroup {
+    pgid: i32,
+}
+
+#[cfg(not(unix))]
+#[derive(Clone, Copy)]
+struct GuardProcessGroup;
+
+#[cfg(unix)]
+fn guard_process_group(child_id: u32) -> Option<GuardProcessGroup> {
+    let child_pid = i32::try_from(child_id).ok()?;
+    let pgid = unix_getpgid(child_pid)?;
+    let current_pgid = unix_getpgrp()?;
+
+    if pgid == current_pgid || pgid != child_pid {
+        return None;
+    }
+
+    Some(GuardProcessGroup { pgid })
+}
+
+#[cfg(not(unix))]
+fn guard_process_group(_child_id: u32) -> Option<GuardProcessGroup> {
+    None
+}
+
+fn terminate_guard_process(child: &mut Child, process_group: Option<GuardProcessGroup>) {
+    terminate_guard_process_group(process_group);
     let _ = child.kill();
 }
 
 #[cfg(unix)]
-fn terminate_guard_process_group(child_id: u32) {
-    signal_process_group(child_id, "TERM");
+fn terminate_guard_process_group(process_group: Option<GuardProcessGroup>) {
+    let Some(process_group) = process_group else {
+        return;
+    };
+
+    signal_process_group(process_group, SIGTERM);
     std::thread::sleep(Duration::from_millis(25));
-    signal_process_group(child_id, "KILL");
+    signal_process_group(process_group, SIGKILL);
 }
 
 #[cfg(unix)]
-fn signal_process_group(child_id: u32, signal: &str) {
-    let _ = Command::new("/bin/kill")
-        .arg(format!("-{signal}"))
-        .arg(format!("-{child_id}"))
-        .stdout(Stdio::null())
-        .stderr(Stdio::null())
-        .status();
+fn signal_process_group(process_group: GuardProcessGroup, signal: i32) {
+    // Negative PID targets the process group. The group is captured after spawn
+    // and rejected if it is not the isolated child group.
+    unsafe {
+        let _ = kill(-process_group.pgid, signal);
+    }
 }
 
 #[cfg(not(unix))]
-fn terminate_guard_process_group(_child_id: u32) {}
+fn terminate_guard_process_group(_process_group: Option<GuardProcessGroup>) {}
+
+#[cfg(unix)]
+const SIGTERM: i32 = 15;
+
+#[cfg(unix)]
+const SIGKILL: i32 = 9;
+
+#[cfg(unix)]
+fn unix_getpgid(pid: i32) -> Option<i32> {
+    let pgid = unsafe { getpgid(pid) };
+    (pgid > 0).then_some(pgid)
+}
+
+#[cfg(unix)]
+fn unix_getpgrp() -> Option<i32> {
+    let pgid = unsafe { getpgrp() };
+    (pgid > 0).then_some(pgid)
+}
+
+#[cfg(unix)]
+unsafe extern "C" {
+    fn getpgid(pid: i32) -> i32;
+    fn getpgrp() -> i32;
+    fn kill(pid: i32, sig: i32) -> i32;
+}
 
 pub fn unknown_guard_diagnostic(guard_id: &str, location: &str) -> Diagnostic {
     Diagnostic::new(
@@ -431,3 +488,29 @@ fn dedup_guard_ids(ids: impl IntoIterator<Item = String>) -> Vec<String> {
 
     deduped
 }
+
+#[cfg(all(test, unix))]
+mod unix_process_group_tests {
+    use super::*;
+
+    #[test]
+    fn current_process_group_is_not_treated_as_guard_group() {
+        assert!(guard_process_group(std::process::id()).is_none());
+    }
+
+    #[test]
+    fn isolated_child_process_group_is_captured() -> Result<(), Box<dyn std::error::Error>> {
+        let mut command = Command::new("/bin/sleep");
+        command.arg("5");
+        configure_guard_process_group(&mut command);
+
+        let mut child = command.spawn()?;
+        let process_group = guard_process_group(child.id());
+
+        assert!(process_group.is_some());
+        terminate_guard_process(&mut child, process_group);
+        let _ = child.wait();
+
+        Ok(())
+    }
+}