name: Main Branch CI/CD
on:
push:
branches:
- main
workflow_dispatch:
permissions:
contents: read
security-events: write
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
jobs:
license-check:
name: Verify SPDX License Headers
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Check license headers
uses: firestoned/github-actions/security/license-check@v1.3.4
with:
copyright-holder: "Erick Bourgeois, firestoned"
license-id: "MIT"
verify-commits:
name: Verify Signed Commits
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Verify commits are signed
uses: firestoned/github-actions/security/verify-signed-commits@v1.3.4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
verify-mode: push
build:
name: Build - ${{ matrix.platform.name }}
runs-on: ${{ matrix.platform.os }}
needs: [license-check, verify-commits]
strategy:
fail-fast: false
matrix:
platform:
- name: Linux x86_64
os: ubuntu-latest
target: x86_64-unknown-linux-gnu
artifact_name: hornet-linux-amd64
binary_name: hornet
- name: Linux ARM64
os: ubuntu-latest
target: aarch64-unknown-linux-gnu
artifact_name: hornet-linux-arm64
binary_name: hornet
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Rust build environment
uses: firestoned/github-actions/rust/setup-rust-build@v1.3.4
with:
target: ${{ matrix.platform.target }}
- name: Build binary
uses: firestoned/github-actions/rust/build-binary@v1.3.4
with:
target: ${{ matrix.platform.target }}
- name: Generate SBOM
uses: firestoned/github-actions/rust/generate-sbom@v1.3.4
with:
target: ${{ matrix.platform.target }}
- name: Upload binary and SBOM artifacts
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.platform.artifact_name }}
path: |
target/${{ matrix.platform.target }}/release/${{ matrix.platform.binary_name }}
*.cdx.*
retention-days: 7
test:
name: Test
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Cache cargo dependencies
uses: firestoned/github-actions/rust/cache-cargo@v1.3.4
- name: Run tests
run: make test
lint:
name: Lint
runs-on: ubuntu-latest
needs: [license-check, verify-commits]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt, clippy
- name: Cache cargo dependencies
uses: firestoned/github-actions/rust/cache-cargo@v1.3.4
- name: Check formatting
run: make fmt-check
- name: Run clippy
run: make clippy
security:
name: Security Vulnerability Scan
runs-on: ubuntu-latest
needs: [license-check, verify-commits]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run security scan
uses: firestoned/github-actions/rust/security-scan@v1.3.4
with:
cargo-audit-version: "0.22.0"
coverage:
name: Code Coverage
runs-on: ubuntu-latest
needs: test
permissions:
contents: write
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Setup Rust cache
uses: Swatinem/rust-cache@v2
- name: Install cargo-llvm-cov
uses: taiki-e/install-action@v2
with:
tool: cargo-llvm-cov
- name: Generate coverage report
run: make coverage-lcov
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5
with:
files: lcov.info
fail_ci_if_error: false
token: ${{ secrets.CODECOV_TOKEN }}
verbose: true
- name: Generate HTML coverage report
run: make coverage-html
- name: Upload HTML coverage as artifact
uses: actions/upload-artifact@v4
with:
name: coverage-report
path: target/llvm-cov/html/
retention-days: 30