
fix(notary): address holder binding review followups #335

Workflow file for this run

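# RegistryStack CI: classifies the paths changed by a pull request or a push
# to main, then runs only the jobs whose inputs changed.
#
# Security notes:
# - GITHUB_TOKEN is limited to `contents: read` for every job.
# - Third-party actions are pinned to full commit SHAs, so a moved tag cannot
#   change the code that runs here. NOTE(review): the checkout and setup-node
#   pins carry no version comment; record the matching release tag next to
#   each SHA so pin updates can be reviewed.
# - Every checkout sets `persist-credentials: false` so the token is not left
#   in .git/config while build scripts, tests and npm packages run. No visible
#   step pushes or fetches; if a script called below needs authenticated git
#   access, re-enable it for that job only.
name: RegistryStack CI

on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main

permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  # Decides which of the jobs below run. This is a gate: a path that matches
  # none of the patterns triggers no checks at all, so the pattern lists must
  # be kept in sync with whatever the builds actually consume.
  changes:
    name: Changed paths
    runs-on: ubuntu-24.04
    outputs:
      rust: ${{ steps.filter.outputs.rust }}
      release_tool: ${{ steps.filter.outputs.release_tool }}
      lab: ${{ steps.filter.outputs.lab }}
      docs: ${{ steps.filter.outputs.docs }}
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
        with:
          # Full history so both ends of the diff are available locally.
          fetch-depth: 0
          submodules: false
          persist-credentials: false
      - name: Classify changed paths
        id: filter
        shell: bash
        # Event fields are handed to the script as environment variables
        # rather than expanded into the script text by `${{ }}`, so the shell
        # only ever treats them as data.
        env:
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
        run: |
          set -euo pipefail
          rust=false
          release_tool=false
          lab=false
          docs=false
          all=false
          if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
            base="${PR_BASE_SHA:-}"
            head="${PR_HEAD_SHA:-}"
          else
            base="${PUSH_BEFORE_SHA:-}"
            head="${GITHUB_SHA}"
            # An all-zero "before" SHA means there is no previous commit to
            # diff against; fall back to the parent of the pushed commit.
            if [[ "${base}" =~ ^0+$ ]]; then
              base="$(git rev-parse "${head}^" 2>/dev/null || true)"
            fi
          fi
          mark_all() {
            rust=true
            release_tool=true
            lab=true
            docs=true
          }
          changed_files="${RUNNER_TEMP}/registry-stack-changed-files"
          # Fail closed: if either end of the diff cannot be resolved to a
          # commit, run every job instead of guessing.
          if [[ -z "${base}" ]] ||
            ! git cat-file -e "${base}^{commit}" 2>/dev/null ||
            ! git cat-file -e "${head}^{commit}" 2>/dev/null; then
            all=true
          else
            # NUL-delimited so unusual file names cannot split or merge entries.
            git diff --name-only -z "${base}" "${head}" > "${changed_files}"
          fi
          if [[ "${all}" == "true" ]]; then
            mark_all
          else
            while IFS= read -r -d '' path; do
              # A workflow change can alter any job, so it triggers all of them.
              case "${path}" in
                .github/workflows/*)
                  mark_all
                  ;;
              esac
              case "${path}" in
                Cargo.toml|Cargo.lock|deny.toml|rust-toolchain*|crates/*|products/*)
                  rust=true
                  ;;
              esac
              case "${path}" in
                release/*)
                  release_tool=true
                  ;;
              esac
              case "${path}" in
                release/manifests/*|lab/*|vendor/*|.gitmodules)
                  lab=true
                  ;;
              esac
              case "${path}" in
                docs/site/*|crates/registry-relay/docs/*|crates/registry-relay/openapi/*|products/notary/docs/*|products/notary/openapi/*|products/manifest/docs/*)
                  docs=true
                  ;;
              esac
            done < "${changed_files}"
          fi
          {
            echo "rust=${rust}"
            echo "release_tool=${release_tool}"
            echo "lab=${lab}"
            echo "docs=${docs}"
          } >> "${GITHUB_OUTPUT}"

  # Formatting, build, lint, tests, dependency policy and OpenAPI checks for
  # the Cargo workspace.
  rust:
    name: Rust workspace
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
        with:
          fetch-depth: 0
          submodules: false
          persist-credentials: false
      - name: Cache Cargo registry and build artifacts
        uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
      - name: Install cargo-deny and just
        uses: taiki-e/install-action@25435dc8dd3baed7417e0c96d3fe89013a5b2e09 # v2.81.3
        with:
          tool: cargo-deny@0.19.8,just@1.51.0
      - name: Cargo metadata
        run: cargo metadata --locked --format-version 1 >/tmp/registry-stack-cargo-metadata.json
      - name: Format
        run: cargo fmt --check
      - name: Workspace check
        run: cargo check --locked --workspace --all-targets
      - name: Clippy
        # --locked matches the other cargo steps: the lint run must use the
        # committed Cargo.lock and never re-resolve dependencies.
        run: cargo clippy --locked --workspace --all-targets -- -D warnings
      - name: Workspace tests
        run: cargo test --locked --workspace
      - name: Cargo deny
        # Runs only when Rust inputs change, so an advisory published later
        # is not seen until the next such change.
        # NOTE(review): confirm a scheduled run covers that gap.
        run: cargo deny check
      - name: Notary OpenAPI baseline
        working-directory: products/notary
        run: just openapi-check
      - name: Relay OpenAPI contract
        working-directory: crates/registry-relay
        run: just openapi-contract

  # Unit tests for the release helper plus validation of release manifests.
  release-tool:
    name: Release tooling
    needs: changes
    if: needs.changes.outputs.release_tool == 'true'
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
        with:
          fetch-depth: 0
          submodules: false
          persist-credentials: false
      - name: Test release helper
        run: python3 -m unittest release/scripts/test_registry_release.py
      - name: Validate release manifest
        shell: bash
        # nullglob is not set, so an unmatched glob is passed to `validate`
        # as a literal path. NOTE(review): confirm `validate` fails on a
        # missing file, so that "no manifests" cannot pass silently.
        run: |
          set -euo pipefail
          for manifest in release/manifests/registry-stack-*.yaml; do
            release/scripts/registry-release validate "${manifest}"
          done
      - name: Audit import map
        run: release/scripts/registry-release audit release/manifests/import-map-2026-06-24.yaml

  # Checks the lab release source model in monorepo mode and tests the checker.
  lab:
    name: Lab source proof
    needs: changes
    if: needs.changes.outputs.lab == 'true'
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
        with:
          fetch-depth: 0
          submodules: false
          persist-credentials: false
      - name: Check monorepo source model
        run: REGISTRY_LAB_RELEASE_SOURCE_MODE=monorepo lab/scripts/check-release-source-model.sh
      - name: Test source model checker
        run: python3 -m unittest lab/scripts/test_check_release_source_model.py

  # Installs the docs site dependencies from the lockfile, then tests and
  # checks the build.
  docs:
    name: Docs
    needs: changes
    if: needs.changes.outputs.docs == 'true'
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
        with:
          fetch-depth: 0
          submodules: false
          persist-credentials: false
      - name: Setup Node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
        with:
          # Quoted so the version is always read as a string.
          node-version: '22.12.0'
          cache: npm
          cache-dependency-path: docs/site/package-lock.json
      - name: Install docs dependencies
        working-directory: docs/site
        # `npm ci` installs exactly what package-lock.json records.
        run: npm ci
      - name: Test docs scripts
        working-directory: docs/site
        run: npm test
      - name: Check docs build
        working-directory: docs/site
        run: npm run check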