workflow, action, script and deny.toml

iunanua · iunanua · commit 62ce9f2deb61 · 2025-12-23T10:58:50.000+01:00
diff --git a/.github/actions/action.yml b/.github/actions/action.yml
@@ -0,0 +1,83 @@
+# Copyright 2021-Present Datadog, Inc. https://www.datadoghq.com/
+# SPDX-License-Identifier: Apache-2.0
+
+name: 'Get Changed Crates'
+description: 'Detects which Rust crates have changed files in a PR or push'
+
+inputs:
+  include-non-publishable:
+    description: 'Include crates with publish = false'
+    required: false
+    default: 'false'
+  base-ref:
+    description: 'Base ref for comparison (defaults to PR base or HEAD~1 for push)'
+    required: false
+    default: ''
+
+outputs:
+  crates:
+    description: 'JSON array of changed crate directory paths'
+    value: ${{ steps.detect.outputs.crates }}
+  crates_count:
+    description: 'Number of changed crates'
+    value: ${{ steps.detect.outputs.crates_count }}
+  base_ref:
+    description: 'The base ref used for comparison'
+    value: ${{ steps.detect.outputs.base_ref }}
+
+runs:
+  using: 'composite'
+  steps:
+    - id: detect
+      shell: bash
+      env:
+        INCLUDE_NON_PUBLISHABLE: ${{ inputs.include-non-publishable }}
+        INPUT_BASE_REF: ${{ inputs.base-ref }}
+        EVENT_NAME: ${{ github.event_name }}
+        PR_BASE_REF: ${{ github.base_ref }}
+      run: |
+        # Determine base ref for comparison
+        if [[ -n "$INPUT_BASE_REF" ]]; then
+          BASE_REF="$INPUT_BASE_REF"
+        elif [[ "$EVENT_NAME" == "pull_request" ]]; then
+          BASE_REF="origin/$PR_BASE_REF"
+        else
+          # For push events, compare with previous commit
+          BASE_REF="HEAD~1"
+        fi
+        
+        echo "Using base ref: $BASE_REF"
+        echo "base_ref=$BASE_REF" >> "$GITHUB_OUTPUT"
+        
+        # Get list of changed files
+        CHANGED_FILES=$(git diff --name-only "$BASE_REF" HEAD 2>/dev/null || git diff --name-only HEAD~1 HEAD)
+        
+        # Extract unique crate directories from changed files
+        CRATES=()
+        for file in $CHANGED_FILES; do
+          # Check if file is in a crate directory (has Cargo.toml)
+          dir=$(dirname "$file")
+          while [[ "$dir" != "." && "$dir" != "/" ]]; do
+            if [[ -f "$dir/Cargo.toml" ]]; then
+              # Check if this crate should be included
+              if [[ "$INCLUDE_NON_PUBLISHABLE" == "true" ]]; then
+                CRATES+=("$dir")
+              elif ! grep -qE '^\s*publish\s*=\s*false' "$dir/Cargo.toml"; then
+                CRATES+=("$dir")
+              fi
+              break
+            fi
+            dir=$(dirname "$dir")
+          done
+        done
+        
+        # Remove duplicates and sort
+        UNIQUE_CRATES=$(printf '%s\n' "${CRATES[@]}" | sort -u | tr '\n' ' ')
+        
+        # Convert to JSON array for output
+        JSON_ARRAY=$(printf '%s\n' "${CRATES[@]}" | sort -u | jq -R -s -c 'split("\n") | map(select(length > 0))')
+        
+        echo "Changed crates: $UNIQUE_CRATES"
+        echo "crates=$JSON_ARRAY" >> "$GITHUB_OUTPUT"
+        echo "crates_count=$(echo "$JSON_ARRAY" | jq 'length')" >> "$GITHUB_OUTPUT"
+
diff --git a/.github/workflows/pr-metadata-docs-and-deps.yml b/.github/workflows/pr-metadata-docs-and-deps.yml
@@ -0,0 +1,247 @@
+name: Metadata, docs and deps
+permissions:
+  contents: read
+  pull-requests: read
+on:
+  pull_request:
+    branches-ignore:
+      - "v[0-9]+.[0-9]+.[0-9]+.[0-9]+"
+      - release
+
+env:
+  FAIL_IF_CARGO_DENY: false  # Set to true to make cargo-deny errors fail the job
+  FAIL_IF_MISSING_DOCS: false # Set to true to make missing docs errors fail the job
+
+jobs:
+  # Get crates changed in the PR that are not flagged as publish = false
+  changed-crates:
+    runs-on: ubuntu-latest
+    outputs:
+      crates: ${{ steps.changed-crates.outputs.crates }}
+      crates_count: ${{ steps.changed-crates.outputs.crates_count }}
+      base_ref: ${{ steps.changed-crates.outputs.base_ref }}
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      with:
+        fetch-depth: 0  # Need full history for git diff
+    - id: changed-crates
+      uses: ./.github/actions/changed-crates
+
+  # Check cargo metadata for crates that are not flagged as publish = false
+  cargo-metadata:
+    needs: changed-crates
+    if: needs.changed-crates.outputs.crates_count > 0
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      with:
+        fetch-depth: 0  # Need full history for git diff
+    - name: Check Cargo.toml version is not changed in the PR
+      run: |
+        # Get the base ref for comparison
+        BASE_REF='${{ needs.changed-crates.outputs.base_ref }}'
+        
+        # Get the list of changed crates
+        CRATES='${{ needs.changed-crates.outputs.crates }}'
+        
+        FAILED=0
+        for crate in $(echo "$CRATES" | jq -r '.[]'); do
+          if [[ -f "$crate/Cargo.toml" ]]; then
+            echo "Checking $crate version is not changed in the PR..."
+            
+            # Get current version from Cargo.toml
+            CURRENT_VERSION=$(grep -E '^\s*version\s*=' "$crate/Cargo.toml" | head -1 | sed -E 's/.*=\s*"([^"]+)".*/\1/')
+            
+            # Get base version from Cargo.toml at base ref
+            BASE_VERSION=$(git show "$BASE_REF:$crate/Cargo.toml" 2>/dev/null | grep -E '^\s*version\s*=' | head -1 | sed -E 's/.*=\s*"([^"]+)".*/\1/' || echo "")
+            
+            if [[ -z "$BASE_VERSION" ]]; then
+              echo "  ✓ $crate is a new crate (no base version found)"
+            elif [[ "$CURRENT_VERSION" != "$BASE_VERSION" ]]; then
+              echo "  ✗ ERROR: $crate version changed from $BASE_VERSION to $CURRENT_VERSION"
+              echo "    Version changes should only happen through the release process."
+              FAILED=1
+            else
+              echo "  ✓ $crate version unchanged ($CURRENT_VERSION)"
+            fi
+          fi
+        done
+        
+        if [[ $FAILED -eq 1 ]]; then
+          echo ""
+          echo "ERROR: One or more crates have version changes in this PR."
+          echo "Version bumps should be done through the release process, not in feature PRs."
+          exit 1
+        fi
+
+    - name: Check cargo metadata for changed crates
+      run: |
+        # Get the list of changed crates
+        CRATES='${{ needs.changed-crates.outputs.crates }}'
+        
+        # Convert JSON array to space-separated arguments
+        CRATE_ARGS=$(echo "$CRATES" | jq -r '.[]' | tr '\n' ' ')
+        
+        if [[ -n "$CRATE_ARGS" ]]; then
+          echo "Checking crates: $CRATE_ARGS"
+          ./scripts/check_cargo_metadata.sh $CRATE_ARGS
+        else
+          echo "No crates to check"
+        fi
+
+  # Check for missing documentation and post results as PR comment
+  missing-docs:
+    needs: changed-crates
+    if: needs.changed-crates.outputs.crates_count > 0
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+    - uses: dtolnay/rust-toolchain@stable
+    - name: Check missing docs
+      id: missing-docs
+      run: |
+        # Get the list of changed crates
+        CRATES='${{ needs.changed-crates.outputs.crates }}'
+        
+        # Capture doc warnings for each crate
+        OUTPUT=""
+        TOTAL_WARNINGS=0
+        
+        for crate in $(echo "$CRATES" | jq -r '.[]'); do
+          echo "Checking docs for $crate..."
+          
+          # Run cargo check with missing_docs warning and capture output
+          WARNINGS=$(RUSTFLAGS="-W missing_docs" cargo check -p "$crate" --message-format=json | jq -r 'select(.reason == "compiler-message") | select(.message.code.code == "missing_docs") | .message.rendered' 2>&1 || true)
+
+          echo "WARNINGS: $WARNINGS"
+
+          WARNING_COUNT=$(echo "$WARNINGS" | grep -c "missing documentation" 2>/dev/null || true)
+          WARNING_COUNT=${WARNING_COUNT:-0}
+          
+          if [[ "$WARNING_COUNT" -gt 0 ]]; then
+            OUTPUT="${OUTPUT}\n### 📦 \`${crate}\` - ${WARNING_COUNT} warning(s)\n\n<details>\n<summary>Show warnings</summary>\n\n\`\`\`\n${WARNINGS}\n\`\`\`\n\n</details>\n"
+            TOTAL_WARNINGS=$((TOTAL_WARNINGS + WARNING_COUNT))
+          else
+            OUTPUT="${OUTPUT}\n### 📦 \`${crate}\` - ✅ No warnings\n"
+          fi
+        done
+        
+        # Create the comment body
+        if [[ $TOTAL_WARNINGS -gt 0 ]]; then
+          HEADER="## 📚 Documentation Check Results\n\n⚠️ **${TOTAL_WARNINGS} documentation warning(s) found**\n"
+        else
+          HEADER="## 📚 Documentation Check Results\n\n✅ **No documentation warnings found!**\n"
+        fi
+        
+        COMMENT_BODY="${HEADER}${OUTPUT}\n\n---\n*Updated: $(date -u '+%Y-%m-%d %H:%M:%S UTC') | Commit: ${{ github.sha }}*"
+        
+        # Write to file for the comment action (handle multi-line)
+        echo -e "$COMMENT_BODY" > doc-check-results.md
+        
+        echo "total_warnings=$TOTAL_WARNINGS" >> "$GITHUB_OUTPUT"
+    
+    - name: Fail if warnings found and FAIL_IF_MISSING_DOCS is true
+      if: env.FAIL_IF_MISSING_DOCS == 'true' && steps.missing-docs.outputs.total_warnings > 0
+      run: |
+        echo "missing-docs found ${{ steps.missing-docs.outputs.total_warnings }} warning(s) and FAIL_IF_MISSING_DOCS is enabled"
+        exit 1
+
+    - name: Find existing comment
+      uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
+      id: find-comment
+      with:
+        issue-number: ${{ github.event.pull_request.number }}
+        comment-author: 'github-actions[bot]'
+        body-includes: '## 📚 Documentation Check Results'
+        
+    - name: Create or update PR comment
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      with:
+        comment-id: ${{ steps.find-comment.outputs.comment-id }}
+        issue-number: ${{ github.event.pull_request.number }}
+        body-path: doc-check-results.md
+        edit-mode: replace
+
+  dependency-check:
+    needs: changed-crates
+    if: needs.changed-crates.outputs.crates_count > 0
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+    - uses: dtolnay/rust-toolchain@stable
+    - uses: taiki-e/cache-cargo-install-action@7447f04c51f2ba27ca35e7f1e28fab848c5b3ba7 # 2.3.1
+      with:
+        tool: cargo-deny
+    - name: Run cargo-deny on changed crates
+      id: cargo-deny
+      run: |
+        # Get the list of changed crates
+        CRATES='${{ needs.changed-crates.outputs.crates }}'
+        
+        OUTPUT=""
+        TOTAL_ISSUES=0
+        TOTAL_ERRORS=0
+        
+        for crate in $(echo "$CRATES" | jq -r '.[]'); do
+          echo "Running cargo-deny for $crate..."
+          
+          # Run cargo-deny and capture output (always continue, results go to PR comment)
+          DENY_OUTPUT=$(cargo deny --manifest-path "$crate/Cargo.toml" --color never check advisories bans sources 2>&1 || true)
+          
+          echo "DENY_OUTPUT: $DENY_OUTPUT"
+
+          # Count errors and warnings
+          ERROR_COUNT=$(echo "$DENY_OUTPUT" | grep -cE "^error" 2>/dev/null || true)
+          ERROR_COUNT=${ERROR_COUNT:-0}
+          WARNING_COUNT=$(echo "$DENY_OUTPUT" | grep -cE "^warning" 2>/dev/null || true)
+          WARNING_COUNT=${WARNING_COUNT:-0}
+          ISSUE_COUNT=$((ERROR_COUNT + WARNING_COUNT))
+          
+          if [[ "$ISSUE_COUNT" -gt 0 ]]; then
+            OUTPUT="${OUTPUT}\n### 📦 \`${crate}\` - ${ERROR_COUNT} error(s), ${WARNING_COUNT} warning(s)\n\n<details>\n<summary>Show output</summary>\n\n\`\`\`\n${DENY_OUTPUT}\n\`\`\`\n\n</details>\n"
+            TOTAL_ISSUES=$((TOTAL_ISSUES + ISSUE_COUNT))
+          else
+            OUTPUT="${OUTPUT}\n### 📦 \`${crate}\` - ✅ No issues\n"
+          fi
+        done
+        
+        # Create the comment body
+        if [[ $TOTAL_ISSUES -gt 0 ]]; then
+          HEADER="## 🔒 Cargo Deny Results\n\n⚠️ **${TOTAL_ISSUES} issue(s) found** (advisories, bans, sources)\n"
+        else
+          HEADER="## 🔒 Cargo Deny Results\n\n✅ **No issues found!**\n"
+        fi
+        
+        COMMENT_BODY="${HEADER}${OUTPUT}\n\n---\n*Updated: $(date -u '+%Y-%m-%d %H:%M:%S UTC') | Commit: ${{ github.sha }}*"
+        
+        # Write to file for the comment action
+        echo -e "$COMMENT_BODY" > cargo-deny-results.md
+        
+        echo "total_issues=$TOTAL_ISSUES" >> "$GITHUB_OUTPUT"
+        echo "total_errors=$TOTAL_ERRORS" >> "$GITHUB_OUTPUT"
+        
+    - name: Find existing comment
+      uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
+      id: find-comment
+      with:
+        issue-number: ${{ github.event.pull_request.number }}
+        comment-author: 'github-actions[bot]'
+        body-includes: '## 🔒 Cargo Deny Results'
+        
+    - name: Create or update PR comment
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      with:
+        comment-id: ${{ steps.find-comment.outputs.comment-id }}
+        issue-number: ${{ github.event.pull_request.number }}
+        body-path: cargo-deny-results.md
+        edit-mode: replace
+        
+    - name: Fail if errors found and FAIL_IF_CARGO_DENY is true
+      if: env.FAIL_IF_CARGO_DENY == 'true' && steps.cargo-deny.outputs.total_errors > 0
+      run: |
+        echo "cargo-deny found ${{ steps.cargo-deny.outputs.total_errors }} error(s) and FAIL_IF_CARGO_DENY is enabled"
+        exit 1
diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,5 @@
+[advisories]
+unmaintained = "workspace"
+
+[bans]
+multiple-versions = "warn"
diff --git a/scripts/check_cargo_metadata.sh b/scripts/check_cargo_metadata.sh
