rust-rapport 0.1.2

Formats cargo clippy JSON output for GitHub Actions (step summary, PR annotations, human-readable).

rust-rapport

Formats cargo clippy --message-format json output into three views tailored for CI:

  • github-summary — a Markdown table suitable for $GITHUB_STEP_SUMMARY.
  • github-pr-annotation — GitHub workflow commands that render inline annotations on PR diffs.
  • human — the plain rendered diagnostics, for local terminal use.

Malformed JSON lines are logged to stderr with the offending line number and skipped; valid lines still render. The exit code is 0 on success, 1 on I/O failure.
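The transformation behind the github-pr-annotation view, sketched in Python as an added example (not rust-rapport's own code): cargo's JSON lines become GitHub workflow commands, malformed lines are reported with their line number and skipped, and diagnostic text is escaped so that a newline or "%" inside a message or path cannot end the command early. The function names and the sample input are constructed for illustration; the escape rules are the ones GitHub documents for workflow commands.

```python
import json
import sys

def esc_data(s):
    # Message body escaping for workflow commands: '%' first, then CR and LF.
    return s.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")

def esc_prop(s):
    # Property values additionally escape ':' and ',' (the property separators).
    return esc_data(s).replace(":", "%3A").replace(",", "%2C")

def annotations(lines, log=sys.stderr):
    out = []
    for lineno, raw in enumerate(lines, start=1):
        if not raw.strip():
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError as err:
            print(f"line {lineno}: skipping malformed JSON ({err.msg})", file=log)
            continue
        if not isinstance(record, dict) or record.get("reason") != "compiler-message":
            continue  # build-script and artifact records carry no diagnostics
        msg = record.get("message") or {}
        level = msg.get("level")
        if level not in ("warning", "error"):
            continue
        span = next((s for s in msg.get("spans", []) if s.get("is_primary")), None)
        if span is None:
            continue  # summary lines such as "1 warning emitted" have no span
        code = (msg.get("code") or {}).get("code") or level
        props = (f"file={esc_prop(span['file_name'])},line={span['line_start']},"
                 f"col={span['column_start']},title={esc_prop(code)}")
        out.append(f"::{level} {props}::{esc_data(msg.get('message', ''))}")
    return out

# Constructed sample input: one valid diagnostic, one truncated line, and one
# diagnostic whose text contains '%', a newline and '::', in a path with ','.
SAMPLE = [
    '{"reason":"compiler-message","message":{"level":"warning","message":"unneeded `return` statement","code":{"code":"clippy::needless_return"},"spans":[{"file_name":"src/main.rs","line_start":3,"column_start":5,"is_primary":true}]}}',
    '{"reason":"compiler-message","message":{"lev',
    '{"reason":"compiler-message","message":{"level":"warning","message":"100% done\\n::error::forged","code":null,"spans":[{"file_name":"src/a,b.rs","line_start":1,"column_start":1,"is_primary":true}]}}',
]

if __name__ == "__main__":
    print("\n".join(annotations(SAMPLE)))
```

Each returned string is a single line, so the runner sees exactly one annotation per diagnostic regardless of what the diagnostic text contains.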

Install

From crates.io (once released):

cargo install rust-rapport --locked

In GitHub Actions — zero-compile, downloads a prebuilt binary:

- uses: taiki-e/install-action@v2
  with:
    tool: rust-rapport

From GitHub Releases — download a pre-built archive from the Releases page and extract it onto your PATH.

Usage

cargo clippy --message-format json | rust-rapport github-summary >> "$GITHUB_STEP_SUMMARY"
cargo clippy --message-format json | rust-rapport github-pr-annotation
cargo clippy --message-format json | rust-rapport human

GitHub Actions

- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
  with: { components: clippy }
- uses: taiki-e/install-action@v2
  with:
    tool: rust-rapport
- name: Clippy
  run: |
    set +e
    cargo clippy --message-format json \
      | tee >(rust-rapport github-summary >> "$GITHUB_STEP_SUMMARY") \
            >(rust-rapport github-pr-annotation) \
      > /dev/null
    exit "${PIPESTATUS[0]}"

Requirements

  • Rust 1.85+ (edition 2024, MSRV enforced in CI).

Supply chain

Two orthogonal checks run in CI:

  • cargo-audit (RUSTSEC) — fails if a published advisory matches any locked dependency. Also runs daily against main via .github/workflows/audit.yml.
  • cargo-vet — requires every dependency version to be either human-audited or exempted. Audits are imported from Mozilla, Google, Bytecode Alliance, and Divvi Up; the project's own audits live in supply-chain/audits.toml.

Releasing

Releases are fully automated by release-plz. You never tag or bump Cargo.toml by hand — you just commit with Conventional Commits messages:

  • feat: … — minor bump
  • fix: … — patch bump
  • feat!: … or BREAKING CHANGE: in the body — major bump
  • chore: …, ci: …, docs: …, refactor: …, test: … — no bump (but still visible in the PR)

Flow:

  1. Land conventional commits on main (either directly or via merged PRs).
  2. The release-plz workflow opens (or updates) a release PR titled chore: release vX.Y.Z that bumps the version in Cargo.toml and rewrites the [Unreleased] section of CHANGELOG.md into a dated version entry.
  3. Review the PR. Edit the changelog prose freely — release-plz won't clobber your edits on subsequent runs as long as the version stays the same.
  4. Merge the PR. release-plz then pushes the tag vX.Y.Z, creates the GitHub Release, and publishes to crates.io.
  5. The Upload release binaries workflow reacts to the GitHub Release being published and attaches the four cross-platform archives as release assets.

License

MIT. See LICENSE and CHANGELOG.md.