Promote S30: WS-H2 un-gate NOT-VIABLE — feasibility finding (WS-H2 st… #59
```yaml
name: CI
on:
  push:
    branches: [main, rust]
  pull_request:
  workflow_dispatch:

env:
  CARGO_TERM_COLOR: always
  RUSTFLAGS: -D warnings

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  check:
    name: Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: cargo check
        run: cargo check --workspace --all-targets

  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - uses: Swatinem/rust-cache@v2
      - name: cargo clippy
        run: cargo clippy --workspace --all-targets -- -D warnings

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: cargo test
        run: cargo test --workspace
        timeout-minutes: 30

  fmt:
    name: Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt
      - name: cargo fmt
        run: cargo fmt --all -- --check

  doc-lint:
    # REL-2-01 + ROUND8-OPS-09 + ROUND8-L4-10: guard the
    # operator-facing docs against drift AND verify every
    # `Status: Verified-Fixed(<sha>)` audit claim resolves to a
    # SHA whose diff actually closes the recommendation.
    name: Doc Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Tier 2 (audit-of-audit) walks `git cat-file` / `git show`
          # / `git ls-tree` against historical SHAs cited in
          # Verified-Fixed claims. Need full history.
          fetch-depth: 0
      - name: Run doc-lint (tier-1 stale patterns + tier-2 audit-of-audit)
        run: bash scripts/ci/doc-lint.sh

  panic-freedom:
    name: Panic Freedom Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Verify panic-freedom deny lints are present
        run: |
          MISSING=""
          for lib in crates/*/src/lib.rs; do
            # Match the deny attribute even when it spans multiple lines
            # (e.g. `#![deny(\n clippy::unwrap_used, ...\n)]`).
            if ! grep -Pzoq '#!\[deny\([^)]*clippy::unwrap_used' "$lib" 2>/dev/null; then
              MISSING="$MISSING\n  $lib"
            fi
          done
          if [ -n "$MISSING" ]; then
            # printf '%b' expands the \n separators collected above;
            # a plain echo would print them as literal backslash-n.
            printf '::error::Crates missing panic-freedom deny lints:%b\n' "$MISSING"
            exit 1
          fi
          echo "All library crates have panic-freedom deny lints."

  audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Newer cargo-audit needs a recent rustc to compile; the repo's
      # rust-toolchain.toml pins 1.85 so we override with `+stable`.
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-audit
        run: cargo +stable install cargo-audit --locked
      # SEC-2-07: fail on ANY RUSTSEC advisory. Explicit ignores must
      # be added to .cargo/audit.toml with a justification + link.
      - name: cargo audit -D warnings
        run: cargo audit -D warnings

  deny:
    name: Dependency Check (cargo-deny)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-deny
        run: cargo +stable install cargo-deny --locked
      # SEC-2-07: check licenses + advisories + bans + sources. The
      # explicit subcommand list keeps a future cargo-deny "check"
      # default from silently shrinking our gate.
      - name: cargo deny check
        run: cargo deny check licenses advisories bans sources

  geiger:
    # SEC-2-07: cargo-geiger counts unsafe blocks. Informational —
    # every unsafe site is justified in audit/unsafe-justifications.md
    # per Round-7 spec, so we capture the JSON inventory and archive
    # it as an artifact rather than failing the build on unsafe.
    name: Unsafe Inventory (cargo-geiger)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Install cargo-geiger
        run: cargo +stable install cargo-geiger --locked
      - name: cargo geiger
        # `--output-format Json` lets a downstream gate parse the
        # totals; `--all-features` covers the optional surfaces; we
        # tee the human-readable form to the job log too.
        run: |
          cargo geiger --all-features --output-format Json > geiger.json
          cargo geiger --all-features || true
      - name: Upload geiger inventory
        uses: actions/upload-artifact@v4
        with:
          name: cargo-geiger-inventory
          path: geiger.json
          retention-days: 30

  machete:
    # SEC-2-07: cargo-machete flags unused dependencies. Soft check —
    # known feature-gated re-exports occasionally false-positive, so
    # this job is informational unless an operator wires it into the
    # required set in branch protection.
    name: Unused Deps (cargo-machete)
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-machete
        run: cargo +stable install cargo-machete --locked
      - name: cargo machete
        run: cargo machete

  msrv:
    name: MSRV (1.85)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install MSRV Rust toolchain
        uses: dtolnay/rust-toolchain@1.85
      - uses: Swatinem/rust-cache@v2
      - name: cargo check (MSRV)
        run: cargo check --workspace --all-targets

  fuzz-smoke:
    name: Fuzz Smoke Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust nightly (for cargo-fuzz)
        uses: dtolnay/rust-toolchain@nightly
      - uses: Swatinem/rust-cache@v2
      - name: Install cargo-fuzz
        run: cargo install cargo-fuzz --locked
      - name: Smoke test all fuzz targets (10 seconds each)
        run: |
          cd fuzz
          targets=$(cargo +nightly fuzz list)
          if [ -z "$targets" ]; then
            echo "::error::No fuzz targets discovered in fuzz/Cargo.toml"
            exit 1
          fi
          for target in $targets; do
            echo "::group::Fuzzing $target"
            cargo +nightly fuzz run "$target" -- -max_total_time=10 2>&1
            echo "::endgroup::"
          done

  release-build:
    name: Release Build
    runs-on: ubuntu-latest
    needs: [check, clippy, test, fmt, panic-freedom, doc-lint]
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: cargo build --release
        run: cargo build --workspace --release
        timeout-minutes: 30

  docker:
    name: Docker Build
    runs-on: ubuntu-latest
    needs: [release-build]
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build Docker image (amd64)
        uses: docker/build-push-action@v5
        with:
          context: .
          file: docker/Dockerfile
          platforms: linux/amd64
          push: false
          tags: expressgateway:ci
          cache-from: type=gha
          cache-to: type=gha,mode=max
```
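The doc-lint job above delegates its tier-2 audit-of-audit to scripts/ci/doc-lint.sh, which the page does not show. The shell functions below are an added illustration, not the project's script: they collect every `Status: Verified-Fixed(<sha>)` claim from the given docs and flag any SHA that `git cat-file -e` cannot resolve, emitting GitHub annotations that point at the offending doc line. The `sha_exists` resolver and the doc file names are assumptions, and the stronger "the cited diff actually closes the recommendation" check is left out.

```shell
#!/usr/bin/env bash
# Added illustration of the doc-lint tier-2 "audit-of-audit" idea; this is
# NOT the project's scripts/ci/doc-lint.sh. Verifies that every
# `Status: Verified-Fixed(<sha>)` claim cites a SHA present in history.
# Assumes the job checked out with fetch-depth: 0, as the workflow does.
set -u

# Resolver: true when <sha> (full or abbreviated) names a commit. Kept as
# a separate function so a test can replace it without a git repository.
sha_exists() {
  git cat-file -e "$1^{commit}" 2>/dev/null
}

# Emit "file:line:sha" for every Verified-Fixed claim in the given files.
list_claims() {
  grep -HnoE 'Status: Verified-Fixed\([0-9a-fA-F]{7,40}\)' "$@" 2>/dev/null \
    | sed -E 's/Status: Verified-Fixed\(([0-9a-fA-F]+)\)/\1/'
}

# Return 0 when every claim resolves, 1 otherwise. Failures are printed as
# GitHub workflow annotations so they land on the exact doc line in the PR.
check_verified_fixed_claims() {
  bad=0
  claims=$(list_claims "$@")
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    file=${entry%%:*}; rest=${entry#*:}
    line=${rest%%:*}; sha=${rest#*:}
    if ! sha_exists "$sha"; then
      echo "::error file=${file},line=${line}::Verified-Fixed(${sha}) does not resolve to a commit"
      bad=1
    fi
  done <<EOF
$claims
EOF
  return "$bad"
}
```

In the workflow this would run after the fetch-depth: 0 checkout, e.g. `check_verified_fixed_claims docs/*.md`; a shallow clone makes every older SHA look unresolvable.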