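# CI for pushes and pull requests that target develop/master, plus manual runs.
name: "๐ Github CI - Development"

# `pull_request` (not `pull_request_target`) is used, so runs triggered from
# forks get a read-only token and no repository secrets.
on:
  push:
    branches:
      - develop
      - master
  pull_request:
    branches:
      - develop
      - master
  workflow_dispatch:

# Default-deny for GITHUB_TOKEN at workflow level. Every job below lists the
# scopes it needs in its own `permissions:` block; a job added later without
# one gets no scopes instead of the repository default.
permissions: {}

# One live run per pull request (or per ref for pushes and manual runs);
# a newer run cancels the one still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs: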
# Job: OpenSSF Scorecard scan of the repository (push events only).
  scorecard-analysis:
    name: ๐ Scorecard analysis
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    # The only job in this workflow that holds write scopes.
    # security-events: write is what the SARIF upload step needs;
    # id-token: write goes with publish_results below
    # (presumably for signing the published result; confirm in the action docs).
    permissions:
      actions: read
      contents: read
      id-token: write
      issues: read
      pull-requests: read
      security-events: write
    steps:
      # Audit mode records outbound connections; it does not block them.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit
          disable-telemetry: true

      # persist-credentials: false keeps the token out of the checked-out
      # repository's git config, so later steps cannot read it from disk.
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      - name: ๐ Scan with Scorecard
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          results_format: sarif
          results_file: results.sarif
          publish_results: true

      # Short-lived copy of the raw SARIF for manual inspection.
      - name: ๐ฆ Upload Scorecard scan results artifact
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
        with:
          name: sarif-results
          path: results.sarif
          retention-days: 5

      # Sends the same SARIF file to GitHub code scanning.
      - name: ๐ฆ Upload Scorecard scan results to GitHub dashboard
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13
        with:
          sarif_file: results.sarif
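# Job: FOSSA license scan (push events only).
  fossa:
    name: ๐ FOSSA license scan
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Audit mode records outbound connections; it does not block them.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit
          disable-telemetry: true

      # No later step runs git against the remote, so the token is not left in
      # the checkout's git config (same setting as the Scorecard and SonarCloud
      # jobs in this workflow).
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      # FOSSA_API_KEY is handed to a third-party action. The job is limited to
      # push events, so pull-request runs never reach this step.
      - name: ๐ Run FOSSA scan
        uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3
        with:
          api-key: ${{ secrets.FOSSA_API_KEY }}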
# Job: SonarCloud static analysis (push events only).
  sonarcloud-analysis:
    name: ๐ SonarCloud analysis
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    permissions:
      pull-requests: read
      contents: read
    steps:
      # Audit mode records outbound connections; it does not block them.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          disable-telemetry: true
          egress-policy: audit

      # fetch-depth: 0 clones the full history instead of a single commit.
      # persist-credentials: false keeps the token out of the git config.
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false
          fetch-depth: 0

      # Both tokens are set on this step only, not on the job, so no other
      # step in the job has them in its environment.
      - name: ๐ Scan with SonarCloud
        uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
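# Job: dependency review of the changes in a pull request.
  dependency-review:
    name: ๐ฆ Dependency review
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Audit mode records outbound connections; it does not block them.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit
          disable-telemetry: true

      # The job checks out pull-request content; the token is not written to
      # the checkout's git config because no later step needs git credentials.
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      # Runs with the action's defaults; no inputs are set here.
      - name: ๐ฆ Review dependencies
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48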
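# Job: spell check. It has no `if:`, so it runs for every trigger, and the
# build-and-test and doc-tests jobs list it in `needs`.
  check-spell:
    name: ๐ Check spelling
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Audit mode records outbound connections; it does not block them.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit
          disable-telemetry: true

      # The spell checker only reads the working tree, so the token is not
      # left in the checkout's git config.
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      - name: ๐ Check spelling
        uses: crate-ci/typos@02ea592e44b3a53c302f697cddca7641cd051c3d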
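# Job: rustfmt check on pull requests.
  check-format:
    name: ๐ Check formatting
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Audit mode records outbound connections; it does not block them.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit
          disable-telemetry: true

      # The job runs cargo against pull-request content; keeping the token out
      # of the git config means that code cannot read it from the checkout.
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      # `nightly` is a moving channel: the action is pinned, the compiler
      # version it installs is not.
      - name: ๐ ๏ธ Set up nightly Rust (for rustfmt)
        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7
        with:
          toolchain: nightly
          components: rustfmt

      # --check reports formatting differences without rewriting files.
      - name: ๐ Check formatting
        run: cargo +nightly fmt --all -- --check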
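# Job: Clippy, unit tests and integration tests against a Redis service.
  build-and-test:
    name: ๐ฆ Build & Test
    runs-on: ubuntu-latest
    needs: [check-spell]
    env:
      # Quoted so the value stays a string whatever YAML loader reads the file.
      CLICOLOR: "1"
      SCCACHE_GHA_ENABLED: "true"
      RUSTC_WRAPPER: "sccache"
      REDIS_URL: "redis://localhost:6379"
    permissions:
      contents: read
    services:
      redis:
        # NOTE(review): every action in this workflow is pinned to a commit
        # SHA, but this image is referenced by a mutable tag. Pinning it by
        # digest (redis:7-alpine@sha256:<IMAGE_DIGEST>) would give the service
        # container the same guarantee.
        image: redis:7-alpine
        ports:
          # Quoted: digits-and-colon scalars are a known YAML typing trap.
          - "6379:6379"
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      # Audit mode records outbound connections; it does not block them.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit
          disable-telemetry: true

      # The job compiles and runs repository code (build scripts, tests), also
      # on pull requests. No later step needs git credentials, so the token is
      # not written to the checkout's git config.
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      - name: ๐ฆ Set up sccache
        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad
        with:
          disable_annotations: true

      - name: ๐ฆ Cache Rust registry
        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4
        with:
          shared-key: "full"
          cache-targets: false

      # Restore only. NOTE(review): no step in this workflow saves a cache
      # under the target-full-* key, so it is presumably populated by another
      # workflow; confirm which one, since its contents are reused as build
      # output here.
      - name: ๐ฆ Restore compiled dependencies
        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7
        with:
          path: target/
          key: target-full-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: target-full-${{ runner.os }}-

      # No `toolchain:` input is given; presumably the pinned commit fixes the
      # default channel. TODO confirm.
      - name: ๐ ๏ธ Set up Rust toolchain
        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7
        with:
          components: clippy

      # -D warnings turns every lint warning into a build failure.
      - name: ๐ฆ Check with Clippy
        run: cargo clippy --workspace --all-features -- -D warnings

      - name: ๐งช Run unit tests
        run: cargo test --test unit --all-features

      - name: ๐ Run integration tests
        run: cargo test --test integration --all-features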
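# Job: documentation tests for the whole workspace.
  doc-tests:
    name: ๐ Test docs
    needs: [check-spell]
    runs-on: ubuntu-latest
    env:
      # Quoted so the value stays a string whatever YAML loader reads the file.
      CLICOLOR: "1"
      SCCACHE_GHA_ENABLED: "true"
      RUSTC_WRAPPER: "sccache"
    permissions:
      contents: read
    steps:
      # Audit mode records outbound connections; it does not block them.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit
          disable-telemetry: true

      # Doc tests execute code from the repository, also on pull requests; the
      # token is kept out of the checkout's git config because no later step
      # needs git credentials.
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      - name: ๐ฆ Set up sccache
        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad
        with:
          disable_annotations: true

      - name: ๐ฆ Cache Rust registry
        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4
        with:
          shared-key: "full"
          cache-targets: false

      # Restore only; this job has no matching save step.
      - name: ๐ฆ Restore compiled dependencies
        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7
        with:
          path: target/
          key: target-full-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: target-full-${{ runner.os }}-

      - name: ๐ ๏ธ Set up Rust toolchain
        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7

      - name: ๐ Run doc tests
        run: cargo test --doc --workspace --all-features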
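# Job: end-to-end tests; needs an ffmpeg binary on PATH.
  e2e-tests:
    name: ๐ E2E tests
    needs: [build-and-test, doc-tests]
    runs-on: ubuntu-latest
    env:
      # Quoted so the value stays a string whatever YAML loader reads the file.
      CLICOLOR: "1"
      SCCACHE_GHA_ENABLED: "true"
      RUSTC_WRAPPER: "sccache"
    permissions:
      contents: read
    steps:
      # Audit mode records outbound connections; it does not block them, so
      # the download below is logged, not restricted.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit
          disable-telemetry: true

      # The job runs repository code and a downloaded binary; the token is not
      # written to the checkout's git config because no later step needs it.
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      - name: ๐ฆ Set up sccache
        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad
        with:
          disable_annotations: true

      - name: ๐ฆ Cache Rust registry
        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4
        with:
          shared-key: "full"
          cache-targets: false

      # Restore only; this job has no matching save step.
      - name: ๐ฆ Restore compiled dependencies
        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7
        with:
          path: target/
          key: target-full-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: target-full-${{ runner.os }}-

      - name: ๐ ๏ธ Set up Rust toolchain
        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7

      # NOTE(review): every action in this job is pinned to a commit SHA, but
      # this archive comes from the moving `releases/latest` URL and the
      # extracted binary is put on PATH with no integrity check. Pin the URL to
      # a release tag and compare the download with a recorded digest before
      # unzip, for example:
      #   echo "<EXPECTED_SHA256>  /tmp/ffmpeg.zip" | sha256sum -c -
      - name: ๐ ๏ธ Install ffmpeg from boul2gom/ffmpeg-builds
        run: |
          curl -fsSL "https://github.com/boul2gom/ffmpeg-builds/releases/latest/download/ffmpeg-linux-x64.zip" -o /tmp/ffmpeg.zip
          mkdir -p /opt/ffmpeg
          unzip -j /tmp/ffmpeg.zip ffmpeg -d /opt/ffmpeg
          chmod +x /opt/ffmpeg/ffmpeg
          rm /tmp/ffmpeg.zip
          echo "/opt/ffmpeg" >> "$GITHUB_PATH"

      # --test-threads=1 runs the end-to-end tests one at a time.
      - name: ๐ Run E2E tests
        run: cargo test --test e2e --all-features -- --test-threads=1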
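# Job: dependency policy audit (cargo-deny) and unused-dependency check
# (cargo-machete).
  analysis:
    name: ๐ Static analysis
    needs: [build-and-test]
    runs-on: ubuntu-latest
    env:
      # Quoted so the value stays a string whatever YAML loader reads the file.
      CLICOLOR: "1"
    permissions:
      contents: read
    steps:
      # Audit mode records outbound connections; it does not block them.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit
          disable-telemetry: true

      # Neither tool needs git credentials, so the token is not left in the
      # checkout's git config.
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      # NOTE(review): the two install-action steps use different commit SHAs
      # and neither passes a `tool:` input, so the pinned commit alone decides
      # what gets installed. Presumably each SHA is the commit behind the
      # matching tool-specific ref; confirm when updating the pins.
      - name: ๐ ๏ธ Install cargo-deny
        uses: taiki-e/install-action@7fa572463ed6f88f64fd37a4f8ca146df751432d

      - name: ๐ Security, License and Dependency Audit
        run: cargo deny check

      - name: ๐ ๏ธ Install cargo-machete
        uses: taiki-e/install-action@6929d36b9cc9bd3c8a031f179ec7f72cffbfc6fa

      - name: ๐งน Unused dependencies
        run: cargo machete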
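# Job: coverage over unit, integration and e2e tests, uploaded to Codecov.
  coverage:
    name: ๐ Code coverage
    needs: [e2e-tests]
    runs-on: ubuntu-latest
    env:
      # Quoted so the value stays a string whatever YAML loader reads the file.
      CLICOLOR: "1"
      SCCACHE_GHA_ENABLED: "true"
      RUSTC_WRAPPER: "sccache"
    permissions:
      contents: read
    steps:
      # Audit mode records outbound connections; it does not block them, so
      # the download below is logged, not restricted.
      - name: ๐ก๏ธ Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d
        with:
          egress-policy: audit
          disable-telemetry: true

      # The job runs repository code and a downloaded binary; the token is not
      # written to the checkout's git config because no later step needs it.
      - name: ๐ Check out the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false

      - name: ๐ฆ Set up sccache
        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad
        with:
          disable_annotations: true

      # Uses its own shared key ("coverage"), separate from the "full" key of
      # the build and test jobs.
      - name: ๐ฆ Cache Rust artifacts
        uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4
        with:
          shared-key: "coverage"
          cache-targets: false

      - name: ๐ ๏ธ Set up Rust toolchain
        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7
        with:
          components: llvm-tools-preview

      # No `tool:` input is passed; the pinned commit decides what is installed.
      - name: ๐ฆ Install cargo-llvm-cov
        uses: taiki-e/install-action@c1305996457413b456b636a549d9f98354fd89cf

      # NOTE(review): every action in this job is pinned to a commit SHA, but
      # this archive comes from the moving `releases/latest` URL and the
      # extracted binary is put on PATH with no integrity check. Pin the URL to
      # a release tag and compare the download with a recorded digest before
      # unzip, for example:
      #   echo "<EXPECTED_SHA256>  /tmp/ffmpeg.zip" | sha256sum -c -
      - name: ๐ ๏ธ Install ffmpeg from boul2gom/ffmpeg-builds
        run: |
          curl -fsSL "https://github.com/boul2gom/ffmpeg-builds/releases/latest/download/ffmpeg-linux-x64.zip" -o /tmp/ffmpeg.zip
          mkdir -p /opt/ffmpeg
          unzip -j /tmp/ffmpeg.zip ffmpeg -d /opt/ffmpeg
          chmod +x /opt/ffmpeg/ffmpeg
          rm /tmp/ffmpeg.zip
          echo "/opt/ffmpeg" >> "$GITHUB_PATH"

      # Each test target is run with --no-report; one lcov file is written at
      # the end from the combined data.
      - name: ๐ Generate coverage (unit + integration + e2e)
        run: |
          cargo llvm-cov clean --workspace
          cargo llvm-cov --no-report --test unit --all-features
          cargo llvm-cov --no-report --test integration --all-features
          cargo llvm-cov --no-report --test e2e --all-features -- --test-threads=1
          cargo llvm-cov report --lcov --output-path lcov.info

      # The token is an input of this step only, so the test steps above never
      # have it in their environment. fail_ci_if_error: false means a failed
      # upload does not fail the job.
      - name: ๐ฆ Upload coverage to Codecov
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: lcov.info
          fail_ci_if_error: false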