1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
name: ci
on:
push:
branches:
paths-ignore:
- "**/*.md"
- wiki/**
- docs/**
pull_request:
paths-ignore:
- "**/*.md"
- wiki/**
- docs/**
# Least-privilege default: read-only token. A job that needs more (e.g. a docker
# publish job) opts back up with its own `permissions:` block.
permissions:
contents: read
# Cancel superseded runs on the same ref so rapid pushes don't stack.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# Force HTTP/1.1 for registry downloads: curl's HTTP/2 multiplexing against the
# crates.io CDN intermittently dies with "[16] Error in the HTTP2 framing layer"
# on the hosted runners. Extra retries cover the remaining transient blips.
env:
CARGO_TERM_COLOR: always
CARGO_NET_RETRY: "10"
CARGO_HTTP_MULTIPLEXING: "false"
CARGO_INCREMENTAL: "0" # incremental caching is dead weight in CI
# CI checks compile at release opt-level but WITHOUT the shipped binary's LTO:
# LTO + codegen-units=1 change nothing for clippy/test and roughly double the
# compile. release.yml is a separate workflow, so the shipped binary keeps full
# LTO; this override only touches CI's throwaway build.
CARGO_PROFILE_RELEASE_LTO: "false"
CARGO_PROFILE_RELEASE_CODEGEN_UNITS: "16"
jobs:
fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt
- name: fmt --check
run: cargo fmt --all -- --check
# clippy → test → release build as sequential steps in ONE job per OS so the
# dep compile happens once: clippy builds deps + lints, test (nextest) reuses
# target/, the release binary falls out of it, then uploads as a 1-day
# artifact. Matrixed across all 3 OSes: clauth ships native Windows + macOS
# binaries (release.yml) and has real cfg(windows) code (src/platform.rs,
# src/runtime.rs), so ubuntu-only clippy would never see it. mold self-gates
# on linux. Trade: a clippy failure aborts before test/build on that OS.
check:
name: check / ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
steps:
- uses: actions/checkout@v7
- uses: dtolnay/rust-toolchain@stable
with:
components: clippy
# mold is the fast linker on linux; self-gates so the mac/windows legs
# fall back to the platform default. Runs before rust-cache so RUSTFLAGS
# is part of the cache key.
- name: fast linker (mold on linux)
if: runner.os == 'Linux'
run: |
sudo apt-get update && sudo apt-get install -y mold
echo "RUSTFLAGS=${RUSTFLAGS} -C link-arg=-fuse-ld=mold" >> "$GITHUB_ENV"
- uses: Swatinem/rust-cache@v2
- uses: taiki-e/install-action@nextest
- name: clippy (-D warnings)
run: cargo clippy --all-targets --all-features --release -- -D warnings
- name: test
run: cargo nextest run --release --all-targets --all-features
# nextest can't run doctests, so cover them with cargo test. Self-gates on
# a doctest target so a bin-only crate skips instead of erroring with "no
# library targets found". shell: bash so all 3 OS legs get grep (windows
# runners ship Git Bash).
- name: doctests
shell: bash
run: |
if cargo metadata --no-deps --format-version 1 | grep -q '"doctest":true'; then
cargo test --release --doc --all-features
else
echo "no doctest targets; skipping"
fi
- name: build release binary
run: cargo build --release
- name: upload binary
uses: actions/upload-artifact@v7
with:
name: clauth-${{ matrix.os }}
if-no-files-found: error
retention-days: 1
path: |
target/release/clauth
target/release/clauth.exe
deny:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check advisories licenses bans sources
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- uses: taiki-e/install-action@cargo-audit
- name: cargo audit
run: cargo audit