rsecure 0.8.0

A simple file encryption and decryption tool using AES-GCM.
name: CI/CD Pipeline

# Workflow-wide default for GITHUB_TOKEN. Every job without its own
# `permissions:` block inherits it; scopes not listed here are `none`.
# NOTE(review): this hands a write-capable token to the audit, lint, test and
# build jobs, which only appear to read the repository. Only the goreleaser
# job looks like it needs write access (it creates the release). Consider
# `contents: read` here with `contents: write` granted on that job alone.
permissions:
  contents: write

env:
  CARGO_TERM_COLOR: always
  # Quoted so the toolchain version is always read as a string.
  RUST_VERSION: "1.96.0"

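on:
  # Pull requests run the pipeline regardless of which files changed.
  pull_request:
  push:
    # Path filters only apply to branch pushes; GitHub does not evaluate them
    # for tag pushes, so a release tag always triggers the workflow.
    paths:
      - "src/**"
      - ".github/workflows/ci-cd.yml"
      - "Cargo.toml"
      - "Cargo.lock"
      - "deny.toml"
      - ".goreleaser.yaml"
    branches:
      - main
      # `*` does not match `/`, and Dependabot's default branch names are
      # nested (dependabot/<ecosystem>/<dependency>), so `dependabot/*` never
      # matched them. `**` matches across path separators.
      - "dependabot/**"
    # Any tag with two dots starts a run; the release jobs are gated on the
    # ref being a tag.
    tags:
      - "*.*.*"
  schedule:
    # Weekly run so new RustSec advisories surface even without a code change
    - cron: "0 7 * * 1"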

jobs:
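  # Dependency audit: RustSec advisories via cargo-audit, plus cargo-deny's
  # advisory, licence, source and ban checks.
  security:
    name: Security audit
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the repository, so it overrides the
    # workflow-level write grant.
    # NOTE(review): audit-check is handed GITHUB_TOKEN below. If it is expected
    # to create check runs or issues, it presumably needs `checks: write` /
    # `issues: write` here; confirm against the action's documentation.
    permissions:
      contents: read
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags.
      # Pinning each to a full commit SHA (uses: owner/action@<full-commit-sha>)
      # keeps a moved tag from changing what runs.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # No later step needs git credentials; do not leave them configured.
          persist-credentials: false

      - name: cargo-audit (RustSec advisories)
        uses: rustsec/audit-check@v2.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: cargo-deny (advisories + licenses + sources + bans)
        uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check
          arguments: --all-features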

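  # Static checks: formatting, `cargo check`, and clippy with warnings denied.
  linting:
    name: Linting
    runs-on: ubuntu-latest
    # Least privilege: linting only reads the source tree. This job also runs
    # for pull requests, so it should not hold a write-capable token.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # cargo runs build scripts and proc macros from dependencies; keep
          # the checkout's git credentials out of their reach.
          persist-credentials: false

      - name: Rustup
        run: |
          rustup default ${{ env.RUST_VERSION }}
          rustup component add clippy rustfmt

      - name: Cache cargo registry and target
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: linting

      - name: Rustfmt
        run: cargo fmt --all -- --check

      - name: Check
        run: cargo check --all -q

      # -D warnings turns every clippy warning into a failure.
      - name: Clippy
        run: cargo clippy --all-targets --all-features -- -D warnings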

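  # Runs the test suite once linting has passed.
  test:
    name: Test
    runs-on: ubuntu-latest
    needs: linting
    # Least privilege: tests execute project and dependency code, including on
    # pull requests, and need nothing beyond read access to the repository.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Test code has no use for the checkout's git credentials.
          persist-credentials: false
      - name: Rustup
        run: |
          rustup default ${{ env.RUST_VERSION }}

      - name: Cache cargo registry and target
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: test

      - name: Test
        run: cargo test --all -q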

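  # Release-mode build for each target in the matrix, on a matching runner.
  build:
    name: Build - ${{ matrix.platform.release_for }}
    needs: test
    # Least privilege: compiling only needs to read the repository.
    permissions:
      contents: read
    strategy:
      matrix:
        platform:
          - release_for: linux-arm64
            os: ubuntu-24.04-arm
            target: aarch64-unknown-linux-gnu

          - release_for: linux-amd64
            os: ubuntu-24.04
            target: x86_64-unknown-linux-gnu

          - release_for: darwin-amd64
            os: macOS-latest
            target: x86_64-apple-darwin

          - release_for: darwin-arm64
            os: macOS-latest
            target: aarch64-apple-darwin

    runs-on: ${{ matrix.platform.os }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Build scripts run during compilation; do not leave git credentials
          # configured for them.
          persist-credentials: false

      # NOTE(review): no matrix entry has os == 'ubuntu-latest' (the Linux
      # entries are ubuntu-24.04 and ubuntu-24.04-arm), so this step is always
      # skipped. Remove it if the headers are not needed, or match with
      # startsWith(matrix.platform.os, 'ubuntu-') if they are.
      - name: Setup dependencies
        if: matrix.platform.os == 'ubuntu-latest'
        run: |
          sudo apt-get -y install linux-headers-$(uname -r)

      - name: Rustup
        run: |
          rustup update
          rustup default ${{ env.RUST_VERSION }}
          rustup target add ${{ matrix.platform.target }}
          rustc --version

      # The cache is keyed per target so matrix entries do not share artifacts.
      - name: Cache cargo registry and target
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: build-${{ matrix.platform.target }}
          key: ${{ matrix.platform.target }}

      - name: Build
        run: cargo build --release --target ${{ matrix.platform.target }}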

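  # Tag-only release job: imports the signing key and runs GoReleaser with the
  # GitHub, Homebrew tap and AUR credentials.
  goreleaser:
    name: Publish release with goreleaser
    if: startsWith(github.ref, 'refs/tags/')
    needs: build
    runs-on: ubuntu-latest
    # Stated explicitly so the grant is visible on the job that uses it.
    # GoReleaser is given GITHUB_TOKEN below to publish the release.
    permissions:
      contents: write
    steps:
      # NOTE(review): every action in this job is referenced by a mutable tag,
      # and two of them receive the GPG private key and the publishing tokens.
      # Pinning each to a full commit SHA
      # (uses: owner/action@<full-commit-sha>) keeps a moved or compromised tag
      # from running with those secrets.
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # GoReleaser needs full git history + tags to build the changelog
          # (the range between the previous tag and this one). Without this it
          # only sees the tagged bump commit.
          fetch-depth: 0

      - name: Setup Zig
        # https://codeberg.org/mlugg/setup-zig/
        uses: mlugg/setup-zig@v2
        with:
          version: "0.13.0"

      - name: Install Rust and dependencies
        # --locked installs with the dependency versions recorded in the
        # crate's own Cargo.lock instead of re-resolving them at release time.
        # NOTE(review): the tool version itself still floats; consider adding
        # `--version <pinned-version>` so release builds are reproducible.
        run: |
          rustup default ${{ env.RUST_VERSION }}
          cargo install --locked cargo-zigbuild

      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSWORD }}

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          # Version constraint, not an exact pin.
          version: "~> v2"
          #args: release --snapshot --clean # testing
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Fingerprint of the key imported by the import_gpg step.
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
          AUR_USER: containerscrew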

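  # Tag-only job: publishes the crate to crates.io after the GoReleaser job.
  publish-crate:
    name: Publish crate to crates.io
    if: startsWith(github.ref, 'refs/tags/')
    needs: goreleaser
    runs-on: ubuntu-latest
    # Publishing authenticates with the crates.io token, not GITHUB_TOKEN, so
    # read access to the repository is enough.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Nothing here pushes to the repository; drop the git credentials.
          persist-credentials: false

      - name: Install Rust
        run: |
          rustup update
          rustup default ${{ env.RUST_VERSION }}

      - name: Cache cargo registry and target
        uses: Swatinem/rust-cache@v2
        with:
          shared-key: publish

      - name: Publish to crates.io
        # The token is passed in the environment variable cargo reads for
        # crates.io, not interpolated into the script as a `cargo login`
        # argument. It therefore never appears on a command line and is not
        # written to cargo's credentials file on the runner.
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
        run: cargo publish --locked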