name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
CARGO_TERM_COLOR: always
CARGO_INCREMENTAL: "0"
RUSTFLAGS: -Dwarnings
jobs:
fmt:
name: Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 with:
components: rustfmt
- run: cargo fmt --all --check
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 with:
components: clippy
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 - run: cargo clippy --all-targets -- -D warnings
test:
name: Test (${{ matrix.os }})
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 - run: cargo test --workspace
coverage:
name: Coverage (100% production lines)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 with:
components: llvm-tools-preview
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 - run: cargo install cargo-llvm-cov --locked
- name: Fail on any uncovered production line (DA:n,0), honoring cov:unreachable
run: |
cargo llvm-cov --workspace --lcov --output-path cov.lcov
python3 - <<'PY'
import sys
def marked(path, n):
try:
return "cov:unreachable" in open(path).read().splitlines()[n - 1]
except Exception:
return False
cur, bad = None, []
for line in open("cov.lcov").read().splitlines():
if line.startswith("SF:"):
cur = line[3:]
elif line.startswith("DA:") and cur:
if "/tests/" in cur or "/fuzz/" in cur:
continue
n, hits = line[3:].split(",")
if hits == "0" and not marked(cur, int(n)):
bad.append(f"{cur}:{n}")
if bad:
print("Uncovered production lines — add a test or // cov:unreachable:")
print("\n".join(f" {b}" for b in bad))
sys.exit(1)
print("100% production line coverage — no uncovered DA:n,0")
PY
deny:
name: Cargo Deny
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979
msrv:
name: MSRV (1.75)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: dtolnay/rust-toolchain@1.75
- uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 - run: cargo test
fuzz-check:
name: Fuzz (build check)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 with:
toolchain: nightly
components: rust-src
- run: cargo install cargo-fuzz --locked
- run: cargo +nightly fuzz build
secrets:
name: Secret Scan (gitleaks)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with:
fetch-depth: 0
- name: Install gitleaks
run: |
VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r '.tag_name[1:]')
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
| tar xz -C /tmp gitleaks
- name: Run gitleaks
run: /tmp/gitleaks detect --source .
geiger:
name: Unsafe Audit (cargo-geiger)
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 - run: cargo install cargo-geiger --locked
- run: cargo geiger 2>&1 || true