Re-write CI to use cargo-rbmt

Re-write CI to use the `cargo-rbmt` tool [0]

This is quite an overhaul, some notes:

- Adds action to install `cargo-rbmt` directly from the repo
- Upgrades to checkout v5 (and uses explicit commit hash)
- Uses ubuntu-24.04 instead of latest (I can't remember why we did this)
- Defaults jobs to no permissions and uses read in each job
- Gets the MSRV from manifest instead of explicitly
- Removes the `Beta` toolchain test

[0] https://github.com/rust-bitcoin/rust-bitcoin-maintainer-tools/tree/master/cargo-rbmt

According to this AI agent (duckduckgo):

> permissions: {} in a GitHub Actions workflow disables all
> permissions for the GITHUB_TOKEN by default, meaning no access to
> any repository resources unless explicitly granted.

Copied from `rust-bitcoin`.

Default to no permissions then give each job read perms.

Author: tcharding

.github/actions/prepare/action.yml

@@ -0,0 +1,36 @@
+name: 'Prepare Rust Environment'
+description: 'Setup Rust toolchain and install RBMT'
+inputs:
+  toolchain:
+    description: 'Rust toolchain to use (nightly reads from nightly-version file)'
+    required: false
+    default: 'stable'
+  components:
+    description: 'Rust components to install (e.g., clippy, rustfmt)'
+    required: false
+    default: ''
+runs:
+  using: "composite"
+  steps:
+    - name: "Determine toolchain"
+      id: toolchain
+      shell: bash
+      run: |
+        if [ "${INPUTS_TOOLCHAIN}" = "nightly" ]; then
+          TOOLCHAIN="$(cat nightly-version)"
+        else
+          TOOLCHAIN="${INPUTS_TOOLCHAIN}"
+        fi
+        echo "version=$TOOLCHAIN" >> $GITHUB_OUTPUT
+      env:
+        INPUTS_TOOLCHAIN: ${{ inputs.toolchain }}
+
+    - name: "Setup requested toolchain"
+      uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
+      with:
+        toolchain: ${{ steps.toolchain.outputs.version }}
+        components: ${{ inputs.components }}
+
+    - name: "Install RBMT"
+      shell: bash
+      run: cargo install --git https://github.com/rust-bitcoin/rust-bitcoin-maintainer-tools.git --rev "$(cat rbmt-version)" cargo-rbmt --locked

.github/workflows/rust.yml

@@ -2,90 +2,167 @@ on: [push, pull_request]
 
 name: Continuous Integration
 
+permissions: {}
+
 jobs:
   Prepare:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       nightly_version: ${{ steps.read_toolchain.outputs.nightly_version }}
+      maintainer_tools_version: ${{ steps.read_toolchain.outputs.maintainer_tools_version }}
     steps:
       - name: "Checkout repo"
-        uses: actions/checkout@v4
-      - name: "Read nightly version"
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - name: "Read workspace versions"
         id: read_toolchain
-        run: echo "nightly_version=$(cat nightly-version)" >> $GITHUB_OUTPUT
+        run: |
+          echo "nightly_version=$(cat nightly-version)" >> $GITHUB_OUTPUT
+          echo "maintainer_tools_version=$(cat maintainer-tools-version)" >> $GITHUB_OUTPUT
 
-  Stable:
+  Stable:                       # 2 jobs, one per manifest.
     name: Test - stable toolchain
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
+      matrix:
+        dep: [minimal, recent]
     steps:
-      - name: Checkout Crate
-        uses: actions/checkout@v4
-      - name: Checkout Toolchain
-        # https://github.com/dtolnay/rust-toolchain
-        uses: dtolnay/rust-toolchain@stable
-      - name: Running test script
-        env:
-          DO_LINT: true
-          DO_DOCS: true
-          DO_FEATURE_MATRIX: true
-        run: ./contrib/test.sh
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/prepare
+        with:
+          toolchain: stable
+      - name: "Run tests"
+        run: cargo rbmt test stable --lock-file ${{ matrix.dep }}
 
-  Beta:
-    name: Test - beta toolchain
-    runs-on: ubuntu-latest
+  Nightly:                      # 2 jobs, one per manifest.
+    name: Test - nightly toolchain
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
+      matrix:
+        dep: [minimal, recent]
     steps:
-      - name: Checkout Crate
-        uses: actions/checkout@v4
-      - name: Checkout Toolchain
-        uses: dtolnay/rust-toolchain@beta
-      - name: Running test script
-        env:
-          DO_FEATURE_MATRIX: true
-        run: ./contrib/test.sh
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/prepare
+        with:
+          toolchain: nightly
+      - name: "Run tests"
+        run: cargo rbmt test nightly --lock-file ${{ matrix.dep }}
 
-  Nightly:
-    name: Test - nightly toolchain
-    needs: Prepare
-    runs-on: ubuntu-latest
+  MSRV:                         # 2 jobs, one per manifest.
+    name: Test - MSRV toolchain
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
+      matrix:
+        dep: [minimal, recent]
     steps:
-      - name: Checkout Crate
-        uses: actions/checkout@v4
-      - name: Checkout Toolchain
-        uses: dtolnay/rust-toolchain@v1
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          toolchain: ${{ needs.Prepare.outputs.nightly_version }}
-      - name: Running test script
-        env:
-          DO_DOCSRS: true
-          DO_FMT: true
-          DO_BENCH: true
-        run: ./contrib/test.sh
+          persist-credentials: false
+      - uses: ./.github/actions/prepare
+        with:
+          toolchain: "1.56.1"
+      - name: "Run tests"
+        run: cargo rbmt test msrv --lock-file ${{ matrix.dep }}
 
-  MSRV:
-    name: Test - 1.56.1 toolchain
-    runs-on: ubuntu-latest
+  Lint:
+    name: Lint - nightly toolchain
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
+      matrix:
+        dep: [recent]
     steps:
-      - name: Checkout Crate
-        uses: actions/checkout@v4
-      - name: Checkout Toolchain
-        uses: dtolnay/rust-toolchain@1.56.1
-      - name: Running test script
-        env:
-          DO_FEATURE_MATRIX: true
-        run: ./contrib/test.sh
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/prepare
+        with:
+          toolchain: nightly
+          components: clippy
+      - name: "Run lint"
+        run: cargo rbmt lint
+
+  Docs:
+    name: Docs - stable toolchain
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        dep: [recent]
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/prepare
+        with:
+          toolchain: stable
+      - name: "Build docs"
+        run: cargo rbmt docs
+
+  Docsrs:
+    name: Docs - nightly toolchain
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        dep: [recent]
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/prepare
+        with:
+          toolchain: nightly
+      - name: "Build docs.rs docs"
+        run: cargo rbmt docsrs
+
+  Bench:
+    name: Bench - nightly toolchain
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        dep: [recent]
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: ./.github/actions/prepare
+        with:
+          toolchain: nightly
+      - name: "Run benches"
+        run: cargo rbmt test nightly --lock-file ${{ matrix.dep }}
 
   EmbeddedWithAlloc:
     name: no_std with alloc
     needs: Prepare
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
     steps:
@@ -108,6 +185,8 @@ jobs:
     name: no_std no alloc
     needs: Prepare
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
     steps:
@@ -129,6 +208,8 @@ jobs:
   Arch32bit:
     name: Test 32-bit version
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout Crate
         uses: actions/checkout@v4
@@ -147,6 +228,8 @@ jobs:
     name: Cross test
     if: ${{ !github.event.act }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout Crate
         uses: actions/checkout@v4

contrib/test.sh

@@ -0,0 +1,2 @@
+c37a8536c65560ae34e8c719750e26563ba65bd2
+

rbmt-version

@@ -0,0 +1,19 @@
+# Configuration for rbmt (Rust Bitcoin Maintainer Tools)
+
+[test]
+# Examples to run with specific features enabled.
+# Format: "example_name:feature1 feature2"
+examples = []
+
+# Features to test with the conventional `std` feature enabled.
+# Tests each feature alone with std, all pairs, and all together.
+features_with_std = ["serde", "arbitrary"]
+
+# Features to test without the `std` feature.
+# Tests each feature alone, all pairs, and all together.
+features_without_std = ["alloc", "serde", "arbitrary"]
+
+[lint]
+allowed_duplicates = [
+    "hex-conservative",
+]