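name: CI/CD Pipeline

# Workflow-level default for GITHUB_TOKEN: every job that does not declare its
# own `permissions` gets write access to repository contents, and every scope
# not listed here is set to none.
# NOTE(review): the audit, lint, test and build jobs also run on pull_request
# and only read the checkout. Consider `contents: read` as the default, with
# `contents: write` declared only on the job that publishes the release.
permissions:
  contents: write

env:
  # Always emit coloured cargo output in the job logs.
  CARGO_TERM_COLOR: always
  # Toolchain selected with `rustup default` in each job; quoted so it can
  # never be re-typed as a number.
  RUST_VERSION: "1.96.0"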
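# Triggers: every pull request, pushes to the listed branches and tags, and a
# weekly scheduled run.
on:
  pull_request:
  push:
    # A branch push starts a run only when one of these paths changed.
    paths:
      - "src/**"
      - ".github/workflows/ci-cd.yml"
      - "Cargo.toml"
      - "Cargo.lock"
      - "deny.toml"
      - ".goreleaser.yaml"
    branches:
      - main
      # NOTE(review): `*` does not match `/` in branch filters, and Dependabot
      # branch names normally carry further segments after `dependabot/`, so
      # this entry probably never matches. Use `dependabot/**`, or drop it,
      # since `pull_request` already covers Dependabot PRs.
      - "dependabot/*"
    # Release tags; the goreleaser and publish-crate jobs run only on tag refs.
    tags:
      - "*.*.*"
  schedule:
    # Mondays at 07:00 UTC.
    - cron: "0 7 * * 1"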
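# NOTE(review): every `uses:` below references an action by a movable tag.
# Pin each one to a full commit SHA, especially in the goreleaser job, so a
# retagged action release cannot run with the signing and publishing secrets.
jobs:
  # Dependency audit (RustSec advisories, licenses, sources, bans).
  # NOTE(review): no other job lists this one in `needs`, so a failed audit
  # does not hold back the release jobs; add it to the goreleaser `needs` if
  # releases should be gated on it.
  security:
    name: Security audit
    runs-on: ubuntu-latest
    # Overrides the workflow default: auditing only reads the checkout.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
      - name: cargo-audit (RustSec advisories)
        # NOTE(review): the job token carries only `contents: read`; if this
        # action is expected to publish check runs or open issues for
        # advisories it presumably needs `checks: write` / `issues: write`
        # here. Confirm against the action's README.
        uses: rustsec/audit-check@v2.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: cargo-deny (advisories + licenses + sources + bans)
        uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check
          arguments: --all-features

  # Formatting, type-check and clippy with warnings treated as errors.
  linting:
    name: Linting
    runs-on: ubuntu-latest
    # Runs pull-request code (build scripts, proc macros): read-only token.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Rustup
        run: |
          rustup default ${{ env.RUST_VERSION }}
          rustup component add clippy rustfmt
      - name: Cache cargo registry and target
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: linting
      - name: Rustfmt
        run: cargo fmt --all -- --check
      - name: Check
        run: cargo check --all -q
      - name: Clippy
        run: cargo clippy --all-targets --all-features -- -D warnings

  # Test suite; starts only after linting succeeds.
  test:
    name: Test
    runs-on: ubuntu-latest
    needs: linting
    # Runs pull-request code: read-only token.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Rustup
        run: |
          rustup default ${{ env.RUST_VERSION }}
      - name: Cache cargo registry and target
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: test
      - name: Test
        run: cargo test --all -q

  # Release-profile build for each supported target, on a matching runner.
  build:
    name: Build - ${{ matrix.platform.release_for }}
    needs: test
    # Runs pull-request code: read-only token.
    permissions:
      contents: read
    strategy:
      matrix:
        platform:
          - release_for: linux-arm64
            os: ubuntu-24.04-arm
            target: aarch64-unknown-linux-gnu
          - release_for: linux-amd64
            os: ubuntu-24.04
            target: x86_64-unknown-linux-gnu
          - release_for: darwin-amd64
            os: macOS-latest
            target: x86_64-apple-darwin
          - release_for: darwin-arm64
            os: macOS-latest
            target: aarch64-apple-darwin
    runs-on: ${{ matrix.platform.os }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Setup dependencies
        # NOTE(review): no matrix entry has os 'ubuntu-latest' (the values are
        # ubuntu-24.04-arm, ubuntu-24.04 and macOS-latest), so this step never
        # runs. Remove it, or if the headers are required match the Linux
        # runners with startsWith(matrix.platform.os, 'ubuntu').
        if: matrix.platform.os == 'ubuntu-latest'
        run: |
          sudo apt-get -y install linux-headers-$(uname -r)
      - name: Rustup
        run: |
          rustup update
          rustup default ${{ env.RUST_VERSION }}
          rustup target add ${{ matrix.platform.target }}
          rustc --version
      - name: Cache cargo registry and target
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: build-${{ matrix.platform.target }}
          key: ${{ matrix.platform.target }}
      - name: Build
        run: cargo build --release --target ${{ matrix.platform.target }}

  # Tag-only release job. It receives the GPG signing key and the Homebrew and
  # AUR publishing credentials, so everything executed here is part of the
  # release trust boundary.
  goreleaser:
    name: Publish release with goreleaser
    if: startsWith(github.ref, 'refs/tags/')
    needs: build
    runs-on: ubuntu-latest
    # The only job that creates a GitHub release, so the only one given write.
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Full history instead of a shallow clone.
          fetch-depth: 0
      - name: Setup Zig
        uses: mlugg/setup-zig@v2
        with:
          version: "0.13.0"
      - name: Install Rust and dependencies
        # --locked builds the tool with the dependency versions from its
        # published Cargo.lock instead of resolving the newest ones at release
        # time. NOTE(review): also pin the tool itself with `--version`.
        run: |
          rustup default ${{ env.RUST_VERSION }}
          cargo install --locked cargo-zigbuild
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSWORD }}
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean
        # Secrets are scoped to this step only, not to the whole job.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
          AUR_USER: containerscrew

  # Tag-only crates.io publication; runs after the GitHub release succeeds.
  publish-crate:
    name: Publish crate to crates.io
    if: startsWith(github.ref, 'refs/tags/')
    needs: goreleaser
    runs-on: ubuntu-latest
    # Publishing uses the crates.io token, not the repository token.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Install Rust
        run: |
          rustup update
          rustup default ${{ env.RUST_VERSION }}
      - name: Cache cargo registry and target
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: publish
      - name: Publish to crates.io
        # cargo reads the token from CARGO_REGISTRY_TOKEN, so it is neither
        # spliced into the script text and command line nor written to a
        # credentials file by `cargo login`.
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
        run: cargo publish --locked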