fix(ci): bump to 0.3.2, add environment for secrets, fix yamllint

zircote · zircote · commit 0d88e6562a54 · 2026-02-08T00:45:07.000-05:00
- Bump Cargo.toml version to 0.3.2 (was still 0.3.1)
- Add environment: copilot to jobs using CARGO_REGISTRY_TOKEN,
  HOMEBREW_TAP_TOKEN, and CODECOV_TOKEN secrets
- Fix all yamllint warnings in ci.yml and coverage.yml:
  add document start, quote truthy on, yamllint disable-line
  for SHA-pinned uses, remove trailing spaces, wrap long lines
- Move expression interpolations to env vars in coverage.yml
  to prevent command injection
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,6 +1,7 @@
+---
 name: CI
 
-on:
+"on":
   push:
     branches: [main, master]
   pull_request:
@@ -25,9 +26,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Install Rust toolchain
+        # yamllint disable-line rule:line-length
         uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561  # master
         with:
           toolchain: stable
@@ -41,16 +44,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Install Rust toolchain
+        # yamllint disable-line rule:line-length
         uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561  # master
         with:
           toolchain: stable
           components: clippy
 
       - name: Cache cargo registry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        # yamllint disable-line rule:line-length
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: |
             ~/.cargo/registry
@@ -61,7 +67,9 @@ jobs:
             ${{ runner.os }}-cargo-clippy-
 
       - name: Run clippy
-        run: cargo clippy --all-targets --all-features -- -D warnings
+        run: >-
+          cargo clippy --all-targets --all-features
+          -- -D warnings
 
   test:
     name: Test (${{ matrix.os }})
@@ -72,15 +80,18 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Install Rust toolchain
+        # yamllint disable-line rule:line-length
         uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561  # master
         with:
           toolchain: stable
 
       - name: Cache cargo registry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        # yamllint disable-line rule:line-length
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: |
             ~/.cargo/registry
@@ -100,15 +111,18 @@ jobs:
       RUSTDOCFLAGS: "-D warnings"
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Install Rust toolchain
+        # yamllint disable-line rule:line-length
         uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561  # master
         with:
           toolchain: stable
 
       - name: Cache cargo registry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        # yamllint disable-line rule:line-length
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: |
             ~/.cargo/registry
@@ -126,10 +140,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Install cargo-deny
-        uses: taiki-e/install-action@f176c07a0a40cbfdd08ee9aa8bf1655701d11e69 # v2.67.25
+        # yamllint disable-line rule:line-length
+        uses: taiki-e/install-action@f176c07a0a40cbfdd08ee9aa8bf1655701d11e69  # v2.67.25
         with:
           tool: cargo-deny
 
@@ -141,15 +157,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Install Rust toolchain
+        # yamllint disable-line rule:line-length
         uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561  # master
         with:
           toolchain: "1.92"
 
       - name: Cache cargo registry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        # yamllint disable-line rule:line-length
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: |
             ~/.cargo/registry
@@ -165,23 +184,28 @@ jobs:
   coverage:
     name: Coverage
     runs-on: ubuntu-latest
+    environment: copilot
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Install Rust toolchain
+        # yamllint disable-line rule:line-length
         uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561  # master
         with:
           toolchain: stable
           components: llvm-tools-preview
 
       - name: Install cargo-llvm-cov
-        uses: taiki-e/install-action@f176c07a0a40cbfdd08ee9aa8bf1655701d11e69 # v2.67.25
+        # yamllint disable-line rule:line-length
+        uses: taiki-e/install-action@f176c07a0a40cbfdd08ee9aa8bf1655701d11e69  # v2.67.25
         with:
           tool: cargo-llvm-cov
 
       - name: Cache cargo registry
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        # yamllint disable-line rule:line-length
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: |
             ~/.cargo/registry
@@ -192,13 +216,18 @@ jobs:
             ${{ runner.os }}-cargo-cov-
 
       - name: Generate coverage report
-        run: cargo llvm-cov --all-features --lcov --output-path lcov.info
+        run: >-
+          cargo llvm-cov --all-features
+          --lcov --output-path lcov.info
 
       - name: Enforce 90% line coverage
-        run: cargo llvm-cov --all-features --fail-under-lines 90
+        run: >-
+          cargo llvm-cov --all-features
+          --fail-under-lines 90
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        # yamllint disable-line rule:line-length
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
         with:
           files: lcov.info
           fail_ci_if_error: false
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -1,6 +1,7 @@
+---
 name: Code Coverage
 
-on:
+"on":
   pull_request:
   # schedule:
   #   - cron: '0 0 * * 1'  # Weekly on Monday
@@ -14,68 +15,87 @@ jobs:
   coverage:
     name: Generate Coverage Report
     runs-on: ubuntu-latest
+    environment: copilot
     timeout-minutes: 30
-    
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
       - name: Setup Rust
-        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master
+        # yamllint disable-line rule:line-length
+        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a  # master
         with:
           toolchain: stable
           components: llvm-tools-preview
 
       - name: Cache dependencies
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        # yamllint disable-line rule:line-length
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
             target
+          # yamllint disable-line rule:line-length
           key: ${{ runner.os }}-cargo-coverage-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Install cargo-llvm-cov
-        uses: taiki-e/install-action@f176c07a0a40cbfdd08ee9aa8bf1655701d11e69 # v2.67.25
+        # yamllint disable-line rule:line-length
+        uses: taiki-e/install-action@f176c07a0a40cbfdd08ee9aa8bf1655701d11e69  # v2.67.25
         with:
           tool: cargo-llvm-cov@0.6.14
 
       - name: Generate coverage
         run: |
-          cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info
-          cargo llvm-cov --all-features --workspace --html --output-dir coverage-html
-          cargo llvm-cov --all-features --workspace --json --output-path coverage.json
+          cargo llvm-cov --all-features --workspace \
+            --lcov --output-path lcov.info
+          cargo llvm-cov --all-features --workspace \
+            --html --output-dir coverage-html
+          cargo llvm-cov --all-features --workspace \
+            --json --output-path coverage.json
 
       - name: Parse coverage percentage
         id: coverage
         run: |
-          COVERAGE=$(cargo llvm-cov --all-features --workspace --summary-only | grep -oP 'TOTAL\s+\d+\.\d+%' | grep -oP '\d+\.\d+' || echo "0")
-          echo "percentage=$COVERAGE" >> $GITHUB_OUTPUT
+          COVERAGE=$(cargo llvm-cov \
+            --all-features --workspace --summary-only \
+            | grep -oP 'TOTAL\s+\d+\.\d+%' \
+            | grep -oP '\d+\.\d+' || echo "0")
+          echo "percentage=$COVERAGE" >> "$GITHUB_OUTPUT"
           echo "Coverage: ${COVERAGE}%"
 
       - name: Generate coverage report
+        env:
+          PERCENTAGE: ${{ steps.coverage.outputs.percentage }}
         run: |
           echo "# Code Coverage Report" > coverage-report.md
           echo "" >> coverage-report.md
-          echo "**Overall Coverage:** ${{ steps.coverage.outputs.percentage }}%" >> coverage-report.md
+          echo "**Overall Coverage:** ${PERCENTAGE}%" \
+            >> coverage-report.md
           echo "" >> coverage-report.md
           echo "## Summary" >> coverage-report.md
           echo "" >> coverage-report.md
           echo "\`\`\`" >> coverage-report.md
-          cargo llvm-cov --all-features --workspace --summary-only >> coverage-report.md
+          cargo llvm-cov --all-features --workspace \
+            --summary-only >> coverage-report.md
           echo "\`\`\`" >> coverage-report.md
           echo "" >> coverage-report.md
-          echo "Full HTML report available in CI artifacts." >> coverage-report.md
+          echo "Full HTML report available in CI artifacts." \
+            >> coverage-report.md
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.1.2
+        # yamllint disable-line rule:line-length
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.1.2
         with:
           files: lcov.info
           fail_ci_if_error: false
           token: ${{ secrets.CODECOV_TOKEN }}
 
       - name: Upload coverage artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        # yamllint disable-line rule:line-length
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882  # v4.4.3
         with:
           name: coverage-report
           path: |
@@ -87,12 +107,14 @@ jobs:
 
       - name: Comment PR with coverage
         if: github.event_name == 'pull_request'
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        # yamllint disable-line rule:line-length
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             const fs = require('fs');
-            const report = fs.readFileSync('coverage-report.md', 'utf8');
-            
+            const report = fs.readFileSync(
+              'coverage-report.md', 'utf8'
+            );
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -101,13 +123,14 @@ jobs:
             });
 
       - name: Check coverage threshold
+        env:
+          COVERAGE: ${{ steps.coverage.outputs.percentage }}
         run: |
-          COVERAGE=${{ steps.coverage.outputs.percentage }}
           THRESHOLD=80
-          
-          if (( $(echo "$COVERAGE < $THRESHOLD" | bc -l) )); then
-            echo "⚠️ Coverage ${COVERAGE}% is below threshold ${THRESHOLD}%"
-            echo "Consider adding more tests to improve coverage."
+          if (( $(echo "$COVERAGE < $THRESHOLD" \
+                  | bc -l) )); then
+            echo "Coverage ${COVERAGE}% is below ${THRESHOLD}%"
+            echo "Consider adding more tests."
           else
-            echo "✅ Coverage ${COVERAGE}% meets threshold ${THRESHOLD}%"
+            echo "Coverage ${COVERAGE}% meets ${THRESHOLD}%"
           fi
diff --git a/.github/workflows/package-homebrew.yml b/.github/workflows/package-homebrew.yml
@@ -21,6 +21,7 @@ jobs:
   homebrew:
     name: Update Homebrew Formula
     runs-on: macos-latest
+    environment: copilot
 
     steps:
       - name: Checkout homebrew tap
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -17,6 +17,7 @@ jobs:
   publish:
     name: Publish to crates.io
     runs-on: ubuntu-latest
+    environment: copilot
     steps:
       - name: Checkout repository
         # yamllint disable-line rule:line-length
