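name: CI
on:
  # NOTE(review): no branch names are visible after either `branches:`
  # key in this listing; a bare `branches:` is a null value, so confirm
  # the intended filter against the real file.
  push:
    branches:
  pull_request:
    branches:
# Least privilege for GITHUB_TOKEN: the jobs in this workflow check out
# the repo and run cargo, and the token is also handed to a third-party
# action (`repo-token` on arduino/setup-protoc), so cap it at read-only
# instead of inheriting the repository default.
permissions:
  contents: read
env:
  CARGO_TERM_COLOR: always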
# Toolchain is read from rust-toolchain.toml (pinned to stable). Don't
# override here — keeping a single source of truth means CI validates
# the same toolchain we ship.
#
# Every job runs the SAME commands the local per-commit gate runs
# (`CLAUDE.md` "Per-commit gate"): `--features test-components
# --locked`. `--locked` enforces Cargo.lock as the build manifest so a
# silent dep bump can't slip into CI. `--features test-components` is
# the feature flag every workspace member's test fixtures depend on.
#
# Ubuntu-only on this private repo. macOS Actions minutes count 10×
# against the free-tier monthly budget. Developers run the per-commit
# gate locally on macOS before push, and the public mirror's CI re-runs
# the same gate on every release (where Actions are unlimited for
# public repos), so the macOS-specific surface is covered without
# burning private-repo minutes here.
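jobs:
  # NOTE(review): every `uses:` below references a mutable ref (`@v4`,
  # `@v3`, `@v2`, `@master`). `--locked` pins the crate graph, but the
  # actions themselves can change underneath the workflow. Pinning each
  # one to a full commit SHA (`owner/action@<FULL_COMMIT_SHA>  # v4`)
  # closes that gap; `dtolnay/rust-toolchain@master` is the widest of
  # them because it tracks a branch head.
  #
  # NOTE(review): the header comment in this file says the toolchain is
  # read from rust-toolchain.toml and should not be overridden here, yet
  # each job passes `toolchain: stable` to the installer action. Confirm
  # the two cannot drift apart.
  check:
    name: Check (test-components)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable
      - uses: arduino/setup-protoc@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - run: cargo check --workspace --features test-components --all-targets --locked
  check-no-default-features:
    # Catches feature-gating bugs that --features test-components
    # hides. If a path is accidentally outside its #[cfg(feature =
    # "...")] gate, this is the job that finds it.
    name: Check (no default features)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable
      - uses: arduino/setup-protoc@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - run: cargo check --workspace --no-default-features --locked
  test:
    name: Test (workspace)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable
      - uses: arduino/setup-protoc@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - run: cargo test --workspace --features test-components --locked
  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable
          components: clippy
      - uses: arduino/setup-protoc@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      # `-D warnings` turns every clippy lint warning into a job failure.
      - run: cargo clippy --workspace --all-targets --features test-components --locked -- -D warnings
  docs:
    name: Docs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable
      - uses: arduino/setup-protoc@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - run: cargo doc --workspace --no-deps --features test-components --locked
        env:
          # Step-scoped: rustdoc warnings fail the docs build.
          RUSTDOCFLAGS: -D warnings
  fmt:
    name: Rustfmt
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable
          components: rustfmt
      - run: cargo fmt --all --check
  deny:
    # cargo-deny enforces the dependency license allow-list (see
    # `deny.toml`) and the RustSec advisory database. Catches any new
    # transitive dep that arrives under a GPL/LGPL/proprietary license
    # incompatible with our AGPL + commercial dual-license model.
    name: Cargo Deny
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          # Besides licenses and advisories, this also runs the
          # `sources` and `bans` checks.
          command: check licenses advisories sources bans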