Merge pull request #15 from bitwarden/anders/add-ci-workflow

PM-32832: Add CI workflow for build, test, clippy, and formatting checks

Author: abergs

.claude/CLAUDE.md

@@ -107,6 +107,17 @@ Storage directory: `~/.bw-remote/`
 - Session cache: `session_cache_{name}.json` — array of sessions keyed by `IdentityFingerprint`, with optional `PersistentTransportState` (CBOR) for session resumption without re-handshake
 - Transport auto-rekeys every 24 hours; replay nonces are not persisted (reset on load, 24h max message age)
 
+## Before Committing
+
+Always run these checks before committing:
+
+```bash
+cargo fmt --all -- --check         # Verify formatting
+cargo clippy --workspace           # Lint check
+cargo build --workspace            # Verify it compiles
+cargo test --workspace             # Run all tests
+```
+
 ## Rust Conventions
 
 - Edition 2024, minimum Rust version 1.85, toolchain channel 1.93

.github/workflows/ci.yml

@@ -0,0 +1,109 @@
+name: CI
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ["main"]
+  pull_request:
+
+permissions: {}
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  fmt:
+    name: Formatting
+    runs-on: ubuntu-24.04
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install rust
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
+        with:
+          toolchain: stable
+          components: rustfmt
+
+      - name: Cargo fmt
+        run: cargo fmt --all -- --check
+
+  clippy:
+    name: Clippy
+    runs-on: ubuntu-24.04
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install rust
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
+        with:
+          toolchain: stable
+          components: clippy
+
+      - name: Cache cargo registry
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+
+      - name: Cargo clippy
+        run: cargo clippy --workspace -- -D warnings
+
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install rust
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
+        with:
+          toolchain: stable
+
+      - name: Cache cargo registry
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+
+      - name: Build
+        run: cargo build --workspace
+
+  test:
+    name: Tests
+    runs-on: ubuntu-24.04
+    needs: build
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install rust
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
+        with:
+          toolchain: stable
+
+      - name: Cache cargo registry
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+
+      - name: Run tests
+        run: cargo test --workspace

crates/bw-noise-protocol/src/handshake.rs

@@ -120,6 +120,12 @@ impl InitiatorHandshake {
     }
 }
 
+impl Default for InitiatorHandshake {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
 /// The handshake from the responder side. The handshake consists of 2 messages:
 /// 1. HandshakeInit (I → R)
 /// 2. HandshakeResponse (R → I)
@@ -215,6 +221,12 @@ impl ResponderHandshake {
     }
 }
 
+impl Default for ResponderHandshake {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
 #[instrument(skip(psk))]
 fn new_handshake(ciphersuite: Ciphersuite, psk: Psk, initiator: bool) -> HandshakeState {
     debug!("Creating handshake with PSK");

crates/bw-noise-protocol/src/transport.rs

@@ -117,7 +117,7 @@ impl MultiDeviceTransport {
             recv_key,
             recv_rekey_counter: 1,
             seen_nonces: BTreeMap::new(),
-            timeprovider: timeprovider,
+            timeprovider,
         }
     }
 

crates/bw-proxy/src/auth.rs

@@ -13,6 +13,8 @@ use rand::RngCore;
 use serde::{Deserialize, Serialize};
 use sha2::Digest;
 
+use crate::error::ProxyError;
+
 /// Signature algorithm selection for key generation.
 #[derive(Clone, Copy, Debug, PartialEq, Eq)]
 pub enum SignatureAlgorithm {
@@ -23,6 +25,7 @@ pub enum SignatureAlgorithm {
     MlDsa65,
 }
 
+#[allow(clippy::derivable_impls)]
 impl Default for SignatureAlgorithm {
     fn default() -> Self {
         #[cfg(not(feature = "experimental-post-quantum-crypto"))]
@@ -38,6 +41,7 @@ impl Default for SignatureAlgorithm {
 
 /// A cryptographic identity key-pair for signing challenges.
 #[derive(Clone)]
+#[allow(clippy::large_enum_variant)]
 pub enum IdentityKeyPair {
     Ed25519 {
         private_key_encoded: [u8; 32],
@@ -147,10 +151,13 @@ impl IdentityKeyPair {
     }
 
     /// Deserialize a key pair from COSE key format.
-    pub fn from_cose(cose_bytes: &[u8]) -> Result<Self, ()> {
-        let cose_key = CoseKey::from_slice(cose_bytes).map_err(|_| ())?;
+    pub fn from_cose(cose_bytes: &[u8]) -> Result<Self, ProxyError> {
+        let cose_key = CoseKey::from_slice(cose_bytes)
+            .map_err(|_| ProxyError::InvalidMessage("Invalid COSE key encoding".to_string()))?;
 
-        let alg = cose_key.alg.as_ref().ok_or(())?;
+        let alg = cose_key.alg.as_ref().ok_or_else(|| {
+            ProxyError::InvalidMessage("Missing algorithm in COSE key".to_string())
+        })?;
 
         match alg {
             coset::Algorithm::Assigned(iana::Algorithm::EdDSA) => {
@@ -168,7 +175,11 @@ impl IdentityKeyPair {
                     }
                 }
 
-                let seed = seed.ok_or(())?;
+                let seed = seed.ok_or_else(|| {
+                    ProxyError::InvalidMessage(
+                        "Missing Ed25519 private key seed in COSE key".to_string(),
+                    )
+                })?;
                 let private_key = SigningKey::from_bytes(&seed);
                 let public_key = VerifyingKey::from(&private_key);
 
@@ -196,7 +207,11 @@ impl IdentityKeyPair {
                     }
                 }
 
-                let seed = seed.ok_or(())?;
+                let seed = seed.ok_or_else(|| {
+                    ProxyError::InvalidMessage(
+                        "Missing ML-DSA-65 private key seed in COSE key".to_string(),
+                    )
+                })?;
                 let keypair = MlDsa65::key_gen_internal(&seed.into());
                 let private_key = keypair.signing_key();
                 let public_key = keypair.verifying_key();
@@ -207,7 +222,9 @@ impl IdentityKeyPair {
                     public_key: public_key.clone(),
                 })
             }
-            _ => Err(()),
+            _ => Err(ProxyError::InvalidMessage(
+                "Unsupported algorithm in COSE key".to_string(),
+            )),
         }
     }
 
@@ -514,8 +531,10 @@ impl Challenge {
                     .sign_deterministic(&self.0, &[])
                     .expect("ML-DSA signing should succeed");
 
-                let mut header = coset::Header::default();
-                header.alg = Some(coset::Algorithm::Assigned(iana::Algorithm::ML_DSA_65));
+                let header = coset::Header {
+                    alg: Some(coset::Algorithm::Assigned(iana::Algorithm::ML_DSA_65)),
+                    ..Default::default()
+                };
 
                 let cose_sign1 = CoseSign1 {
                     protected: coset::ProtectedHeader {