# Licensed under the Apache-2.0 license
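name: CI

# Run on pushes to the long-lived branches and on pull requests targeting main.
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege for the workflow's GITHUB_TOKEN: the steps visible in this
# file check out, build, lint and scan the code; none of them pushes commits,
# comments on pull requests or publishes releases, so read access to the
# repository contents is enough. A job that later needs more should request it
# with its own job-level `permissions:` block instead of widening this one.
permissions:
  contents: read

env:
  # Force coloured cargo output in the job logs.
  CARGO_TERM_COLOR: always
  # Print a backtrace when a Rust process panics.
  RUST_BACKTRACE: 1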
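jobs:
  # Format check, lint, test and build on each Rust release channel.
  test:
    name: Test
    runs-on: ubuntu-latest
    strategy:
      matrix:
        rust:
          - stable
          - beta
          - nightly
    steps:
      - uses: actions/checkout@v5
        with:
          # No later step needs to talk to the remote, so do not leave the
          # token in the checked-out repository's git config.
          persist-credentials: false

      # NOTE(review): `@master` is a mutable ref; whatever that branch points
      # at runs inside this job. Pinning third-party actions to a full commit
      # SHA makes the executed code reviewable and stable.
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ matrix.rust }}
          components: clippy, rustfmt

      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          # The toolchain is part of the key: `target` holds compiler output,
          # and without it the stable, beta and nightly legs (and the
          # security-audit job) would all compete for one cache entry.
          key: ${{ runner.os }}-${{ matrix.rust }}-cargo-${{ hashFiles('**/Cargo.lock') }}

      - name: Check formatting
        run: cargo xtask fmt --check

      - name: Run clippy
        run: cargo xtask clippy

      - name: Run tests
        run: cargo xtask test

      - name: Build
        run: cargo xtask build

  # Build with the pinned nightly toolchain for each listed target triple.
  build-targets:
    name: Build Targets
    runs-on: ubuntu-latest
    strategy:
      matrix:
        target:
          - x86_64-unknown-linux-gnu
    steps:
      - uses: actions/checkout@v5
        with:
          persist-credentials: false

      # NOTE(review): `@master` is a mutable ref; consider pinning the action
      # to a full commit SHA. The toolchain itself is pinned by date below.
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: nightly-2025-02-15
          targets: ${{ matrix.target }}
          components: clippy, rust-src, llvm-tools, rustfmt, rustc-dev

      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-${{ matrix.target }}-cargo-${{ hashFiles('**/Cargo.lock') }}

      # `matrix.target` is expanded into the script text before the shell
      # runs. Its values are fixed in this file, not taken from event data;
      # keep it that way, or pass the value through `env:` instead.
      - name: Build for target
        run: cargo build --target ${{ matrix.target }}

  # Dependency advisories, licence/source policy, strict clippy lints and a
  # semgrep scan.
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          persist-credentials: false

      # NOTE(review): `@stable` is a branch ref and can move; consider pinning
      # the action to a full commit SHA.
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy

      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          # Job-specific key so this job does not share a `target` cache entry
          # with the test matrix.
          key: ${{ runner.os }}-audit-cargo-${{ hashFiles('**/Cargo.lock') }}

      # NOTE(review): cargo-audit is installed at whatever version is current
      # when the job runs, while cargo-deny below is pinned with `--version`.
      # Pinning both keeps the audit tooling reproducible.
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      - name: Install cargo-deny
        run: cargo install cargo-deny --version 0.18.3 --locked

      - name: Run security audit
        run: cargo audit

      - name: Run cargo deny checks
        run: cargo xtask deny

      # NOTE(review): `-D warnings` is combined with `-W` for the individual
      # lints; confirm on a real run whether findings from the `-W` lints
      # fail the job or are only reported.
      - name: Run security-focused clippy lints
        run: |
          cargo clippy --all-targets --all-features -- \
          -D warnings \
          -W clippy::arithmetic_side_effects \
          -W clippy::float_arithmetic \
          -W clippy::indexing_slicing \
          -W clippy::unwrap_used \
          -W clippy::expect_used \
          -W clippy::panic \
          -W clippy::mem_forget \
          -W clippy::multiple_unsafe_ops_per_block \
          -W clippy::undocumented_unsafe_blocks

      # NOTE(review): `@v1` is a mutable tag, and this action is believed to
      # be deprecated upstream in favour of invoking semgrep directly; confirm
      # and migrate, or at least pin it to a full commit SHA.
      - name: Run semgrep security scan
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/rust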