fix(notary): address holder binding review followups #335
| name: RegistryStack CI | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| changes: | |
| name: Changed paths | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| rust: ${{ steps.filter.outputs.rust }} | |
| release_tool: ${{ steps.filter.outputs.release_tool }} | |
| lab: ${{ steps.filter.outputs.lab }} | |
| docs: ${{ steps.filter.outputs.docs }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 | |
| with: | |
| fetch-depth: 0 | |
| submodules: false | |
| - name: Classify changed paths | |
| id: filter | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| rust=false | |
| release_tool=false | |
| lab=false | |
| docs=false | |
| all=false | |
| if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then | |
| base="${{ github.event.pull_request.base.sha }}" | |
| head="${{ github.event.pull_request.head.sha }}" | |
| else | |
| base="${{ github.event.before }}" | |
| head="${GITHUB_SHA}" | |
| if [[ "${base}" =~ ^0+$ ]]; then | |
| base="$(git rev-parse "${head}^" 2>/dev/null || true)" | |
| fi | |
| fi | |
| mark_all() { | |
| rust=true | |
| release_tool=true | |
| lab=true | |
| docs=true | |
| } | |
| changed_files="${RUNNER_TEMP}/registry-stack-changed-files" | |
| if [[ -z "${base}" ]] || | |
| ! git cat-file -e "${base}^{commit}" 2>/dev/null || | |
| ! git cat-file -e "${head}^{commit}" 2>/dev/null; then | |
| all=true | |
| else | |
| git diff --name-only -z "${base}" "${head}" > "${changed_files}" | |
| fi | |
| if [[ "${all}" == "true" ]]; then | |
| mark_all | |
| else | |
| while IFS= read -r -d '' path; do | |
| case "${path}" in | |
| .github/workflows/*) | |
| mark_all | |
| ;; | |
| esac | |
| case "${path}" in | |
| Cargo.toml|Cargo.lock|deny.toml|rust-toolchain*|crates/*|products/*) | |
| rust=true | |
| ;; | |
| esac | |
| case "${path}" in | |
| release/*) | |
| release_tool=true | |
| ;; | |
| esac | |
| case "${path}" in | |
| release/manifests/*|lab/*|vendor/*|.gitmodules) | |
| lab=true | |
| ;; | |
| esac | |
| case "${path}" in | |
| docs/site/*|crates/registry-relay/docs/*|crates/registry-relay/openapi/*|products/notary/docs/*|products/notary/openapi/*|products/manifest/docs/*) | |
| docs=true | |
| ;; | |
| esac | |
| done < "${changed_files}" | |
| fi | |
| { | |
| echo "rust=${rust}" | |
| echo "release_tool=${release_tool}" | |
| echo "lab=${lab}" | |
| echo "docs=${docs}" | |
| } >> "${GITHUB_OUTPUT}" | |
| rust: | |
| name: Rust workspace | |
| needs: changes | |
| if: needs.changes.outputs.rust == 'true' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 | |
| with: | |
| fetch-depth: 0 | |
| submodules: false | |
| - name: Cache Cargo registry and build artifacts | |
| uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 | |
| - name: Install cargo-deny and just | |
| uses: taiki-e/install-action@25435dc8dd3baed7417e0c96d3fe89013a5b2e09 # v2.81.3 | |
| with: | |
| tool: cargo-deny@0.19.8,just@1.51.0 | |
| - name: Cargo metadata | |
| run: cargo metadata --locked --format-version 1 >/tmp/registry-stack-cargo-metadata.json | |
| - name: Format | |
| run: cargo fmt --check | |
| - name: Workspace check | |
| run: cargo check --locked --workspace --all-targets | |
| - name: Clippy | |
| run: cargo clippy --workspace --all-targets -- -D warnings | |
| - name: Workspace tests | |
| run: cargo test --locked --workspace | |
| - name: Cargo deny | |
| run: cargo deny check | |
| - name: Notary OpenAPI baseline | |
| working-directory: products/notary | |
| run: just openapi-check | |
| - name: Relay OpenAPI contract | |
| working-directory: crates/registry-relay | |
| run: just openapi-contract | |
| release-tool: | |
| name: Release tooling | |
| needs: changes | |
| if: needs.changes.outputs.release_tool == 'true' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 | |
| with: | |
| fetch-depth: 0 | |
| submodules: false | |
| - name: Test release helper | |
| run: python3 -m unittest release/scripts/test_registry_release.py | |
| - name: Validate release manifest | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| for manifest in release/manifests/registry-stack-*.yaml; do | |
| release/scripts/registry-release validate "${manifest}" | |
| done | |
| - name: Audit import map | |
| run: release/scripts/registry-release audit release/manifests/import-map-2026-06-24.yaml | |
| lab: | |
| name: Lab source proof | |
| needs: changes | |
| if: needs.changes.outputs.lab == 'true' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 | |
| with: | |
| fetch-depth: 0 | |
| submodules: false | |
| - name: Check monorepo source model | |
| run: REGISTRY_LAB_RELEASE_SOURCE_MODE=monorepo lab/scripts/check-release-source-model.sh | |
| - name: Test source model checker | |
| run: python3 -m unittest lab/scripts/test_check_release_source_model.py | |
| docs: | |
| name: Docs | |
| needs: changes | |
| if: needs.changes.outputs.docs == 'true' | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 | |
| with: | |
| fetch-depth: 0 | |
| submodules: false | |
| - name: Setup Node | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e | |
| with: | |
| node-version: 22.12.0 | |
| cache: npm | |
| cache-dependency-path: docs/site/package-lock.json | |
| - name: Install docs dependencies | |
| working-directory: docs/site | |
| run: npm ci | |
| - name: Test docs scripts | |
| working-directory: docs/site | |
| run: npm test | |
| - name: Check docs build | |
| working-directory: docs/site | |
| run: npm run check |
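Review bot: In the `Classify changed paths` step, `${{ github.event.pull_request.base.sha }}`, `${{ github.event.pull_request.head.sha }}` and `${{ github.event.before }}` are expanded into the bash script text before the shell starts, so event data becomes part of the script source. These fields are commit SHAs, so the practical exposure looks small, but mapping them through the step's `env:` keeps the script text constant and stops the pattern being copied later for a free-text field such as a branch name or title. The fence below shows the mapping; the variable names are my own, and the rest of the step is unchanged. Separately, every `actions/checkout` step leaves `persist-credentials` at its default, so the job token stays in the local git config while `cargo test` and `npm ci` run pull-request code. Since no job shown here pushes, `persist-credentials: false` under each `with:` would fit alongside `contents: read`.

```yaml
- name: Classify changed paths
  # … unchanged: id, shell …
  env:
    PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
    PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
    PUSH_BEFORE_SHA: ${{ github.event.before }}
  run: |
    # … unchanged: set -euo pipefail and flag defaults …
    if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
      base="${PR_BASE_SHA}"
      head="${PR_HEAD_SHA}"
    else
      base="${PUSH_BEFORE_SHA}"
      # … unchanged: head assignment, all-zero base fallback, diff and path classification …
```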