name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
jobs:
test:
name: Test (${{ matrix.rust }})
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
rust: [stable, nightly]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
with:
rust: ${{ matrix.rust }}
- name: Cache Cargo
uses: Swatinem/rust-cache@v2
with:
shared-key: "molock-ci"
cache-targets: false
- name: Check formatting
run: cargo fmt -- --check
- name: Run Clippy
run: cargo clippy 2>&1 | grep -E "^error:" || true
- name: Run unit tests
run: cargo test --features otel -- --test-threads=1
coverage:
name: Code Coverage
runs-on: ubuntu-latest
needs: test
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
- name: Cache Tarpaulin
uses: actions/cache@v3
with:
path: ~/.cargo/bin/cargo-tarpaulin
key: ${{ runner.os }}-cargo-tarpaulin
- name: Install Tarpaulin
run: |
if ! command -v cargo-tarpaulin &> /dev/null; then
cargo install cargo-tarpaulin
fi
- name: Run coverage
run: cargo tarpaulin --all-features --ignore-tests --fail-under 80 --out xml
integration:
name: Integration Tests
runs-on: ubuntu-latest
needs: test
services:
docker:
image: docker:24.0.5
options: --privileged
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
- name: Build release binary
run: cargo build --release
- name: Build Docker image
run: |
docker build -t molock:test -f deployment/Dockerfile .
- name: Start Docker services
run: |
cd deployment
docker compose up -d otel-collector jaeger prometheus
env:
COMPOSE_DOCKER_CLI_BUILD: 1
DOCKER_BUILDKIT: 1
- name: Wait for services
run: sleep 15
- name: Build binary with OTel features
run: cargo build --features otel
- name: Run all integration tests
run: cargo test --features otel --test integration_test --test corner_cases_integration_test
- name: Validate Observability
run: |
chmod +x tests/validate_observability.sh
./tests/validate_observability.sh
- name: Stop Docker services
if: always()
run: |
cd deployment
docker compose down
security:
name: Security Audit
runs-on: ubuntu-latest
needs: test
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Rust
uses: dtolnay/rust-toolchain@stable
- name: Install cargo-audit
run: cargo install cargo-audit
- name: Run security audit
run: cargo audit
secrets-scan:
name: Secrets Detection
runs-on: ubuntu-latest
needs: test
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Trufflehog
uses: trufflesecurity/trufflehog@main
with:
base64-detector: true
exclude-paths: .trufflehog-exclude.txt
slsa-verify:
name: SLSA Verification
runs-on: ubuntu-latest
needs: secrets-scan
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
permissions:
contents: read
id-token: write
env:
GH_TOKEN: ${{ github.token }}
steps:
- uses: actions/checkout@v4
- name: Get latest release
id: latest_release
run: |
release=$(gh release list --limit 1 --repo ${{ github.repository }} --json tagName --jq '.[0].tagName')
if [ -n "$release" ]; then
echo "tag=$release" >> $GITHUB_OUTPUT
echo "has_release=true" >> $GITHUB_OUTPUT
else
echo "tag=" >> $GITHUB_OUTPUT
echo "has_release=false" >> $GITHUB_OUTPUT
fi
env:
GH_TOKEN: ${{ github.token }}
- name: Download release artifacts
if: steps.latest_release.outputs.has_release == 'true'
run: |
gh release download ${{ steps.latest_release.outputs.tag }} --repo ${{ github.repository }} --pattern "*.tar.gz" --dir ./artifacts
gh release download ${{ steps.latest_release.outputs.tag }} --repo ${{ github.repository }} --pattern "*.intoto.jsonl" --dir ./artifacts
- name: Install SLSA verifier
uses: slsa-framework/slsa-verifier/actions/installer@v2.7.1
- name: Verify SLSA provenance
if: steps.latest_release.outputs.has_release == 'true'
run: |
ls -la ./artifacts
FILENAME=$(ls ./artifacts/*.tar.gz | head -1)
PROVENANCE=$(ls ./artifacts/*.intoto.jsonl | head -1)
slsa-verifier verify-artifact "$FILENAME" \
--provenance-path "$PROVENANCE" \
--source-uri github.com/${{ github.repository }} \
--tag-name ${{ steps.latest_release.outputs.tag }}