# CI workflow: formatting, lint, tests, dependency policy, semver and coverage.
name: Code Quality

# Run for pushes to main and for pull requests that target main.
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Workflow-wide default for GITHUB_TOKEN: read-only access to repository
# contents. Jobs below do not widen it.
permissions:
  contents: read

# One active run per workflow and ref; a newer run cancels the one in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always
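# NOTE(review): every `uses:` below references a mutable tag or branch
# (checkout@v6, rust-toolchain@stable, cache@v5, codecov-action@v5). Pinning
# each one to a full commit SHA, with the tag kept in a trailing comment, stops
# a moved tag from changing what runs in this workflow. For
# dtolnay/rust-toolchain the ref also selects the toolchain, so a SHA pin
# needs an explicit `toolchain:` input.
#
# All checkouts set `persist-credentials: false`: no step pushes or fetches
# with the workflow token, so it is not left in .git/config where build
# scripts and tests from the checked-out code could read it.
jobs:
  check:
    name: Check, Lint & Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy

      # Cache key follows Cargo.lock; restore-keys falls back to the newest
      # cache for this OS when the lockfile hash has no exact match.
      - name: Cache cargo registry and build artifacts
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: cargo-${{ runner.os }}-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
            cargo-${{ runner.os }}-

      - name: Check formatting
        run: cargo fmt --check

      # -D warnings turns every clippy warning into a failure.
      - name: Run clippy
        run: cargo clippy -- -D warnings

      - name: Run tests
        run: cargo test

      - name: Build release
        run: cargo build --release

  security:
    name: Security & Compliance
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Cache cargo registry and build artifacts
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: cargo-security-${{ runner.os }}-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
            cargo-security-${{ runner.os }}-

      # --locked builds the tool with the Cargo.lock shipped in its package.
      # NOTE(review): no --version is given, so each run installs whatever
      # release is current; pin a reviewed version if reproducible tooling
      # matters for this gate.
      - name: Install cargo-deny
        run: cargo install cargo-deny --locked

      - name: Run cargo-deny
        run: cargo deny check

      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      - name: Run cargo-audit
        run: cargo audit

  semver:
    name: Semver Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Cache cargo registry and build artifacts
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: cargo-semver-${{ runner.os }}-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
            cargo-semver-${{ runner.os }}-

      - name: Install cargo-semver-checks
        run: cargo install cargo-semver-checks --locked

      # NOTE(review): the `|| { ...; true }` fallback makes this step pass on
      # ANY failure, so a real semver break is reported only as a warning
      # annotation, never as a failed check. Kept as the author's best-effort
      # behavior; treat this job as advisory, not as a gate.
      - name: Check semver compliance
        run: |
          # Use the latest published version as baseline.
          # If no compatible baseline exists yet, skip gracefully.
          cargo semver-checks check-release || {
            echo "::warning::semver-checks failed — may need a published baseline with lib target"
            true
          }

  coverage:
    name: Code Coverage
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Cache cargo registry and build artifacts
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: cargo-coverage-${{ runner.os }}-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
            cargo-coverage-${{ runner.os }}-

      # --locked added for consistency with the other tool installs in this
      # workflow, so the tool is built against its packaged lockfile instead
      # of freshly resolved dependency versions.
      - name: Install cargo-tarpaulin
        run: cargo install cargo-tarpaulin --locked

      - name: Run coverage
        run: cargo tarpaulin --out xml --output-dir coverage/

      # The token is handed only to this step. Repository secrets are not
      # provided to pull_request runs from forks, so those uploads run without
      # it; fail_ci_if_error: false keeps an upload failure from failing CI.
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v5
        with:
          files: coverage/cobertura.xml
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: false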