Foundation-grade: contribution surface, scheduled security workflow, … #72
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| tags: ["v*"] | |
| pull_request: | |
| branches: [main] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: "1" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| # ── 1. Formatting ─────────────────────────────────────────────────── | |
| fmt: | |
| name: Format (rustfmt) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt | |
| - run: cargo fmt --all --check | |
| # ── 2. Lint ───────────────────────────────────────────────────────── | |
| clippy: | |
| name: Lint (clippy, -D warnings) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: clippy | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo clippy --all-features --all-targets -- -D warnings | |
| # ── 3. Spelling ───────────────────────────────────────────────────── | |
| typos: | |
| name: Spelling (typos) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: crate-ci/typos@master | |
| # ── 4. Tests, stable ──────────────────────────────────────────────── | |
| test: | |
| name: Test (stable) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: All features | |
| run: cargo test --all-features --verbose | |
| - name: No default features (no_std surface) | |
| run: cargo test --no-default-features --verbose | |
| # ── 5. Tests, beta (early warning for upcoming toolchains) ────────── | |
| test-beta: | |
| name: Test (beta) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@beta | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo +beta test --all-features --verbose | |
| # ── 6. Minimum supported Rust version ─────────────────────────────── | |
| msrv: | |
| name: MSRV (1.75.0) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@master | |
| with: | |
| toolchain: 1.75.0 | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo +1.75.0 test --all-features --verbose | |
| # ── 7. Doctests ───────────────────────────────────────────────────── | |
| doctests: | |
| name: Doctests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo test --doc --all-features --verbose | |
| # ── 8. Documentation builds clean ─────────────────────────────────── | |
| docs: | |
| name: Documentation (rustdoc, -D warnings) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: cargo doc | |
| env: | |
| RUSTDOCFLAGS: -D warnings | |
| run: cargo doc --no-deps --all-features | |
| # ── 9. Bare-metal build, Cortex-M4F (ARMv7E-M) ────────────────────── | |
| build-cortex-m4f: | |
| name: Bare-metal build (Cortex-M4F) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: thumbv7em-none-eabihf | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo build --target thumbv7em-none-eabihf --no-default-features --release | |
| # ── 10. Bare-metal build, Cortex-M33 (ARMv8-M, the AxonOS target) ─── | |
| build-cortex-m33: | |
| name: Bare-metal build (Cortex-M33) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: thumbv8m.main-none-eabihf | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo build --target thumbv8m.main-none-eabihf --no-default-features --release | |
| # ── 11. Undefined-behaviour check (Miri) ──────────────────────────── | |
| miri: | |
| name: Miri (UB detection) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@nightly | |
| with: | |
| components: miri | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: cargo miri test | |
| run: cargo +nightly miri test --all-features | |
| env: | |
| MIRIFLAGS: -Zmiri-strict-provenance | |
| # ── 12. Fuzz targets build and smoke-run ──────────────────────────── | |
| fuzz: | |
| name: Fuzz (build + smoke) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@nightly | |
| - uses: Swatinem/rust-cache@v2 | |
| - uses: taiki-e/install-action@v2 | |
| with: | |
| tool: cargo-fuzz | |
| - name: Build targets | |
| run: | | |
| cargo +nightly fuzz build wire_decode --target x86_64-unknown-linux-gnu | |
| cargo +nightly fuzz build roundtrip --target x86_64-unknown-linux-gnu | |
| cargo +nightly fuzz build fsm_sequence --target x86_64-unknown-linux-gnu | |
| - name: Smoke-run targets | |
| run: | | |
| cargo +nightly fuzz run wire_decode --target x86_64-unknown-linux-gnu -- -runs=512 | |
| cargo +nightly fuzz run roundtrip --target x86_64-unknown-linux-gnu -- -runs=512 | |
| cargo +nightly fuzz run fsm_sequence --target x86_64-unknown-linux-gnu -- -runs=512 | |
| # ── 13. Supply-chain and licence policy (cargo-deny) ──────────────── | |
| deny: | |
| name: Supply chain (cargo-deny) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: EmbarkStudios/cargo-deny-action@v2 | |
| with: | |
| command: check all | |
| # ── 14. Coverage report (cargo-llvm-cov) ──────────────────────────── | |
| coverage: | |
| name: Coverage (llvm-cov) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: llvm-tools-preview | |
| - uses: Swatinem/rust-cache@v2 | |
| - uses: taiki-e/install-action@cargo-llvm-cov | |
| - name: Generate coverage summary | |
| run: cargo llvm-cov --all-features --summary-only | |
| # ── 15. Packaging sanity (publishable to crates.io) ───────────────── | |
| package: | |
| name: Package (publish dry-run) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo publish --dry-run | |
| # ── 16. Repository integrity (licences, SPDX, vectors) ────────────── | |
| integrity: | |
| name: Repository integrity | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Licence files present | |
| run: | | |
| test -f LICENSE | |
| test -f LICENSE-APACHE | |
| test -f LICENSE-MIT | |
| test -f LICENSE-CC-BY-SA | |
| test -f vectors/LICENSE | |
| echo "all licence files present" | |
| - name: SPDX identifiers present | |
| run: | | |
| grep -q 'SPDX-License-Identifier: Apache-2.0 OR MIT' LICENSE | |
| grep -q 'SPDX-License-Identifier: CC-BY-SA-4.0' LICENSE-CC-BY-SA | |
| grep -q 'SPDX-License-Identifier: CC0-1.0' vectors/LICENSE | |
| echo "SPDX identifiers present" | |
| - name: Conformance vectors present | |
| run: | | |
| test -d vectors | |
| test -f vectors/README.md | |
| echo "conformance vectors present" | |
| # ── 17. Aggregate gate (branch-protection target) ────────────────── | |
| ci: | |
| name: CI | |
| runs-on: ubuntu-latest | |
| if: always() | |
| needs: | |
| - fmt | |
| - clippy | |
| - typos | |
| - test | |
| - test-beta | |
| - msrv | |
| - doctests | |
| - docs | |
| - build-cortex-m4f | |
| - build-cortex-m33 | |
| - miri | |
| - fuzz | |
| - deny | |
| - coverage | |
| - package | |
| - integrity | |
| steps: | |
| - name: Verify all jobs succeeded | |
| run: | | |
| if [ "${{ contains(needs.*.result, 'failure') }}" = "true" ] || \ | |
| [ "${{ contains(needs.*.result, 'cancelled') }}" = "true" ]; then | |
| echo "one or more required jobs failed" | |
| exit 1 | |
| fi | |
| echo "all required CI jobs passed" |