-
Notifications
You must be signed in to change notification settings - Fork 4
285 lines (229 loc) · 7.82 KB
/
Copy pathci.yml
File metadata and controls
285 lines (229 loc) · 7.82 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
name: CI
on:
push:
branches: [main, rust]
pull_request:
workflow_dispatch:
env:
CARGO_TERM_COLOR: always
RUSTFLAGS: -D warnings
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
check:
name: Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: cargo check
run: cargo check --workspace --all-targets
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
components: clippy
- uses: Swatinem/rust-cache@v2
- name: cargo clippy
run: cargo clippy --workspace --all-targets -- -D warnings
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: cargo test
run: cargo test --workspace
timeout-minutes: 30
fmt:
name: Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt
- name: cargo fmt
run: cargo fmt --all -- --check
doc-lint:
# REL-2-01 + ROUND8-OPS-09 + ROUND8-L4-10: guard the
# operator-facing docs against drift AND verify every
# `Status: Verified-Fixed(<sha>)` audit claim resolves to a
# SHA whose diff actually closes the recommendation.
name: Doc Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# Tier 2 (audit-of-audit) walks `git cat-file` / `git show`
# / `git ls-tree` against historical SHAs cited in
# Verified-Fixed claims. Need full history.
fetch-depth: 0
- name: Run doc-lint (tier-1 stale patterns + tier-2 audit-of-audit)
run: bash scripts/ci/doc-lint.sh
panic-freedom:
name: Panic Freedom Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Verify panic-freedom deny lints are present
run: |
MISSING=""
for lib in crates/*/src/lib.rs; do
# Match the deny attribute even when it spans multiple lines
# (e.g. `#![deny(\n clippy::unwrap_used, ...\n)]`).
if ! grep -Pzoq '#!\[deny\([^)]*clippy::unwrap_used' "$lib" 2>/dev/null; then
MISSING="$MISSING\n $lib"
fi
done
if [ -n "$MISSING" ]; then
echo "::error::Crates missing panic-freedom deny lints:$MISSING"
exit 1
fi
echo "All library crates have panic-freedom deny lints."
audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# Newer cargo-audit needs a recent rustc to compile; the repo's
# rust-toolchain.toml pins 1.85 so we override with `+stable`.
- name: Install Rust stable
uses: dtolnay/rust-toolchain@stable
- name: Install cargo-audit
run: cargo +stable install cargo-audit --locked
# SEC-2-07: fail on ANY RUSTSEC advisory. Explicit ignores must
# be added to .cargo/audit.toml with a justification + link.
- name: cargo audit -D warnings
run: cargo audit -D warnings
deny:
name: Dependency Check (cargo-deny)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust stable
uses: dtolnay/rust-toolchain@stable
- name: Install cargo-deny
run: cargo +stable install cargo-deny --locked
# SEC-2-07: check licenses + advisories + bans + sources. The
# explicit subcommand list keeps a future cargo-deny "check"
# default from silently shrinking our gate.
- name: cargo deny check
run: cargo deny check licenses advisories bans sources
geiger:
# SEC-2-07: cargo-geiger counts unsafe blocks. Informational —
# every unsafe site is justified in audit/unsafe-justifications.md
# per Round-7 spec, so we capture the JSON inventory and archive
# it as an artifact rather than failing the build on unsafe.
name: Unsafe Inventory (cargo-geiger)
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install Rust stable
uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: Install cargo-geiger
run: cargo +stable install cargo-geiger --locked
- name: cargo geiger
# `--output-format Json` lets a downstream gate parse the
# totals; `--all-features` covers the optional surfaces; we
# tee the human-readable form to the job log too.
run: |
cargo geiger --all-features --output-format Json > geiger.json
cargo geiger --all-features || true
- name: Upload geiger inventory
uses: actions/upload-artifact@v4
with:
name: cargo-geiger-inventory
path: geiger.json
retention-days: 30
machete:
# SEC-2-07: cargo-machete flags unused dependencies. Soft check —
# known feature-gated re-exports occasionally false-positive, so
# this job is informational unless an operator wires it into the
# required set in branch protection.
name: Unused Deps (cargo-machete)
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install Rust stable
uses: dtolnay/rust-toolchain@stable
- name: Install cargo-machete
run: cargo +stable install cargo-machete --locked
- name: cargo machete
run: cargo machete
msrv:
name: MSRV (1.85)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install MSRV Rust toolchain
uses: dtolnay/rust-toolchain@1.85
- uses: Swatinem/rust-cache@v2
- name: cargo check (MSRV)
run: cargo check --workspace --all-targets
fuzz-smoke:
name: Fuzz Smoke Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust nightly (for cargo-fuzz)
uses: dtolnay/rust-toolchain@nightly
- uses: Swatinem/rust-cache@v2
- name: Install cargo-fuzz
run: cargo install cargo-fuzz --locked
- name: Smoke test all fuzz targets (10 seconds each)
run: |
cd fuzz
targets=$(cargo +nightly fuzz list)
if [ -z "$targets" ]; then
echo "::error::No fuzz targets discovered in fuzz/Cargo.toml"
exit 1
fi
for target in $targets; do
echo "::group::Fuzzing $target"
cargo +nightly fuzz run "$target" -- -max_total_time=10 2>&1
echo "::endgroup::"
done
release-build:
name: Release Build
runs-on: ubuntu-latest
needs: [check, clippy, test, fmt, panic-freedom, doc-lint]
steps:
- uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: cargo build --release
run: cargo build --workspace --release
timeout-minutes: 30
docker:
name: Docker Build
runs-on: ubuntu-latest
needs: [release-build]
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image (amd64)
uses: docker/build-push-action@v5
with:
context: .
file: docker/Dockerfile
platforms: linux/amd64
push: false
tags: expressgateway:ci
cache-from: type=gha
cache-to: type=gha,mode=max