[StepSecurity] ci: Harden GitHub Actions (#80) #227
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: tests | |
| on: | |
| pull_request: | |
| merge_group: | |
| push: | |
| branches: [main] | |
| env: | |
| CARGO_TERM_COLOR: always | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| cargo-next-test: | |
| name: Cargo test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 | |
| with: | |
| egress-policy: audit | |
| - name: Fetch Repository | |
| uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 | |
| - name: Install stable toolchain | |
| uses: actions-rust-lang/setup-rust-toolchain@02be93da58aa71fb456aa9c43b301149248829d8 # v1.15.1 | |
| - name: Install Foundry | |
| uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 | |
| - name: Cache cargo-nextest binary | |
| id: cache-cargo-nextest | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: ~/.cargo/bin/cargo-nextest | |
| key: ${{ runner.os }}-cargo-nextest-${{ hashFiles('**/Cargo.lock') }} | |
| - name: Install cargo-nextest | |
| if: steps.cache-cargo-nextest.outputs.cache-hit != 'true' | |
| uses: taiki-e/install-action@71d339ebf191fcbc3d49cd04b9484a4261f29975 # v2.62.9 | |
| with: | |
| tool: cargo-nextest | |
| - name: Cargo test | |
| run: cargo nextest run --locked --all-targets --all-features --no-tests=pass --no-fail-fast | |
| # https://github.com/rust-lang/cargo/issues/6669 | |
| - name: Run doc tests | |
| run: cargo test --locked --doc |