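name: CI

# Least-privilege GITHUB_TOKEN for every job. Nothing below writes to the
# repository through GITHUB_TOKEN; the publish job authenticates to crates.io
# with CARGO_REGISTRY_TOKEN instead.
permissions:
  contents: read

on:
  pull_request:
  push:
  release:
    types: [published]

jobs:
  #-----------------------------------------------------------------------------
  build-and-test:
    strategy:
      matrix:
        # TODO(review): the three matrix lists were lost in the rendering this
        # file was recovered from. The placeholder values below are taken from
        # the `if:` conditions of the auditable steps further down; restore the
        # original lists before relying on this workflow.
        os: [ubuntu-latest] #, windows-latest]
        rust: [stable]
        # Python versions are quoted so that e.g. 3.10 is not parsed as 3.1.
        python: ["3.14"]
    name: Build & Test / ${{ matrix.os }} / Rust ${{ matrix.rust }} / Python ${{ matrix.python }}
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v6
      - name: Git commit info
        run: git log -n 1
      - name: Install Python ${{ matrix.python }}
        # Pinned to a release tag rather than the mutable `master` branch so a
        # force-push to the action repository cannot change what runs here.
        # Pinning to a full commit SHA is stronger still.
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python }}
      - name: Install Rust ${{ matrix.rust }}
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ matrix.rust }}
      - name: Build
        run: cargo build --verbose
      - name: Run tests
        run: cargo test --verbose
      - name: Build auditable
        if: matrix.rust == 'stable' && matrix.os == 'ubuntu-latest' && matrix.python == '3.14'
        # https://github.com/rust-secure-code/cargo-auditable#usage
        # `--locked` installs the tools with their shipped Cargo.lock instead of
        # resolving fresh dependency versions on every run.
        run: |
          cargo install --locked cargo-auditable cargo-audit
          cargo auditable build
      - name: Fail auditable build on high/critical vulnerabilities
        if: matrix.rust == 'stable' && matrix.os == 'ubuntu-latest' && matrix.python == '3.14'
        # Pinned to a release tag instead of `master` (see the setup-python note
        # above). Same tag is used by the `security` job below.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: rootfs  # https://trivy.dev/latest/docs/coverage/language/rust/#binaries
          format: table
          scan-ref: target/debug/fetter
          severity: HIGH,CRITICAL
          scanners: vuln
          # Findings without an upstream fix are reported but do not fail the job.
          ignore-unfixed: true
          exit-code: 1
          trivy-config: trivy.yaml
  #-----------------------------------------------------------------------------
  quality:
    name: Quality
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          components: "rustfmt, clippy"
      - name: Check formatting
        run: |
          cargo fmt -- --check
      - name: Lint with Clippy
        run: |
          cargo clippy -- -D warnings
  #-----------------------------------------------------------------------------
  security:
    name: Security Checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      # https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#skipping-setup-when-calling-trivy-action-multiple-times
      # The first call to the action will invoke setup-trivy and install trivy
      - name: Generate Trivy vulnerability report
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          output: trivy-report.json
          format: json
          scan-ref: .
          # Report-only pass: never fails the job, the gate is the next step.
          exit-code: 0
          trivy-config: trivy.yaml
      - name: Upload vulnerability report
        uses: actions/upload-artifact@v6
        with:
          name: trivy-report
          path: trivy-report.json
          retention-days: 30
      - name: Fail build on high/critical vulnerabilities
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          format: table
          scan-ref: .
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: 1
          # On a subsequent call trivy is already installed so we can skip setup
          skip-setup-trivy: true
          trivy-config: trivy.yaml
  #-----------------------------------------------------------------------------
  # coverage:
  #   name: Coverage
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v6
  #     - name: Install Rust
  #       run: |
  #         rustup install --no-self-update nightly && rustup default nightly
  #         rustup component add llvm-tools-preview
  #     - name: Configure cache
  #       uses: actions/cache@v3
  #       with:
  #         path: |
  #           ~/.cargo/bin/
  #           ~/.cargo/registry
  #           target/
  #         key: coverage-${{ hashFiles('**/Cargo.lock') }}
  #     - name: Conditionally install grcov
  #       run: |
  #         if ! command -v grcov &> /dev/null
  #         then
  #           cargo install grcov
  #         fi
  #     - name: Build
  #       env:
  #         RUSTFLAGS: -Cinstrument-coverage
  #       run: cargo build
  #     - name: Test
  #       env:
  #         LLVM_PROFILE_FILE: grcov-%p-%m.profraw
  #         RUSTFLAGS: -Cinstrument-coverage
  #       run: cargo test
  #     - name: Generate coverage
  #       run: |
  #         grcov . -s . --binary-path ./target/debug/ -t lcov --branch --ignore-not-existing --excl-line cov-excl-line -o coverage.lcov
  #     - name: Upload coverage reports to Codecov
  #       uses: codecov/codecov-action@v4.0.1
  #       with:
  #         # NOTE(review): a literal Codecov upload token used to be committed
  #         # here, even though the job is disabled. Treat that value as exposed
  #         # and rotate it; read the replacement from a repository secret.
  #         token: ${{ secrets.CODECOV_TOKEN }}
  #         files: coverage.lcov
  #         slug: flexatone/xensieve-rs
  #-----------------------------------------------------------------------------
  publish:
    name: Publish
    if: github.event_name == 'release'
    # NOTE(review): the original `needs` list was lost in the rendering this
    # file was recovered from. Gating the publish on all three CI jobs is the
    # conservative choice; trim it if the original depended on fewer.
    needs: [build-and-test, quality, security]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
      - name: Publish
        # Hand the token to cargo through the environment instead of on the
        # command line: cargo reads CARGO_REGISTRY_TOKEN natively, and the
        # value is then absent from the process arguments and the step's
        # rendered command.
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
        run: cargo publish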