1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
name: CI
on:
push:
branches:
pull_request:
env:
CARGO_TERM_COLOR: always
jobs:
fmt:
name: Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt
- run: cargo fmt -- --check
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: clippy
- run: sudo apt-get update && sudo apt-get install -y libdbus-1-dev pkg-config
- uses: Swatinem/rust-cache@v2
# --tests + --examples covers the shipping code without tripping
# the nightly-only did_benchmarks_nightly bench (uses #![feature(test)]).
- run: cargo clippy --all-features --tests --examples -- -D warnings
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- run: sudo apt-get update && sudo apt-get install -y libdbus-1-dev pkg-config
- uses: Swatinem/rust-cache@v2
- run: cargo test --all-features
msrv:
name: MSRV (1.95.0)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@master
with:
toolchain: "1.95.0"
- uses: Swatinem/rust-cache@v2
- run: cargo check --all-features
audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- run: sudo apt-get update && sudo apt-get install -y libdbus-1-dev pkg-config
- run: cargo install cargo-audit
# Ignored advisories are ALL transitive via the optional `ssi`
# feature; the default build has zero advisories. Reviewed and
# confirmed still warranted on every CI run.
#
# Vulnerabilities (advisories with severity):
# - RUSTSEC-2023-0071: rsa 0.6.1 Marvin Attack timing side-channel (via ssi-jwk)
# - RUSTSEC-2026-0098: rustls-webpki 0.101.7 URI name constraints (via reqwest 0.11)
# - RUSTSEC-2026-0099: rustls-webpki 0.101.7 wildcard name constraints (via reqwest 0.11)
# - RUSTSEC-2026-0104: rustls-webpki 0.101.7 CRL parse panic (via reqwest 0.11)
#
# Unmaintained warnings (no CVE, advisory category = "unmaintained"):
# - RUSTSEC-2021-0127: serde_cbor unmaintained (via ssi-vc-jose-cose)
# - RUSTSEC-2024-0370: proc-macro-error unmaintained (via did-tz)
# - RUSTSEC-2024-0388: derivative unmaintained (via ssi-jwk)
# - RUSTSEC-2025-0134: rustls-pemfile unmaintained (via reqwest 0.11)
#
# Re-audit when upstream `ssi` drops the affected dep chains
# (most are rooted in ssi-jwk / ssi-vc-jose-cose / reqwest 0.11).
- run: >-
cargo audit
--ignore RUSTSEC-2023-0071
--ignore RUSTSEC-2024-0388
--ignore RUSTSEC-2024-0370
--ignore RUSTSEC-2025-0134
--ignore RUSTSEC-2021-0127
--ignore RUSTSEC-2026-0098
--ignore RUSTSEC-2026-0099
--ignore RUSTSEC-2026-0104