Skip to content
Rust (Library & CLI)

ci: add zizmor as a prek hook (for github actions security), and address warnings #161

Sign in to view logs

ci: add zizmor as a prek hook (for github actions security), and address warnings

ci: add zizmor as a prek hook (for github actions security), and address warnings #161

Workflow file for this run

.github/workflows/rust.yml at 827a1a3
name: Rust (Library & CLI)
on:
push:
branches: [main]
tags: ["*"]
pull_request:
branches: [main]
workflow_dispatch:
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
defaults:
run:
shell: bash
env:
RUST_BACKTRACE: 1
CARGO_TERM_COLOR: always
CARGO_NET_RETRY: 10
RUSTUP_MAX_RETRIES: 10
UV_HTTP_RETRIES: 5
UV_HTTP_TIMEOUT: 60
jobs:
plan:
runs-on: ubuntu-slim
outputs:
test: ${{ steps.decisions.outputs.test }}
gate: ${{ steps.decisions.outputs.gate }}
lint_and_format: ${{ steps.decisions.outputs.lint_and_format }}
steps:
- uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
if: github.event_name == 'pull_request'
id: filter
with:
filters: |
src:
- 'core/**'
- 'macros/**'
- 'sysand/**'
- 'Cargo.*'
- '.github/workflows/rust.yml'
rs_src:
- '**/Cargo.*'
- '**/*.rs'
- id: decisions
run: |
test=${{ steps.filter.outputs.src == 'true' || github.event_name == 'workflow_dispatch' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
gate=${{ github.event_name == 'pull_request' }}
echo "test=$test" >> "$GITHUB_OUTPUT"
echo "gate=$gate" >> "$GITHUB_OUTPUT"
lint_and_format=${{ steps.filter.outputs.rs_src == 'true' || github.event_name == 'workflow_dispatch' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
echo "lint_and_format=$lint_and_format" >> "$GITHUB_OUTPUT"
lint-and-format:
needs: [plan]
if: needs.plan.outputs.lint_and_format == 'true'
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- uses: taiki-e/install-action@6eec77b572d917fad00b2d3429df5ca9b6a0512c # cargo-hack
# cargo clippy is run with variants of features enabled, where
# --all-features is done by prek so we don't do it here
- name: cargo clippy ... (no features)
run: cargo clippy --workspace --locked --all-targets -- --deny warnings
- name: cargo clippy --features std,filesystem,alltests ... (specific feature set 1)
run: cargo clippy --workspace --locked --all-targets --no-default-features --features std,filesystem,alltests -- --deny warnings
- name: cargo clippy --features std,networking,alltests ... (specific feature set 2)
run: cargo clippy --workspace --locked --all-targets --no-default-features --features std,networking,alltests -- --deny warnings
# since we use --no-dev-deps below (as recommended), we don't do
# --all-targets to include tests with required development dependencies
- name: cargo hack clippy --each-feature ... (individual features)
run: cargo hack clippy --each-feature --no-dev-deps --features std --ignore-unknown-features -- --deny warnings
test:
needs: [plan]
if: needs.plan.outputs.test == 'true'
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- ubuntu-24.04
- ubuntu-24.04-arm
- windows-latest
- windows-11-arm
- macos-15-intel # x86
- macos-latest # arm64
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: cargo test ... (Rust library & CLI)
run: >-
cargo test --locked
--package sysand-core
--package sysand
--features sysand-core/filesystem,sysand-core/networking,sysand-core/js,sysand-core/python,alltests,kpar-bzip2,kpar-zstd,kpar-xz,kpar-ppmd
build:
needs: [test]
runs-on: ${{ matrix.os }}
strategy:
matrix:
os:
- ubuntu-24.04
- ubuntu-24.04-arm
- windows-latest
- windows-11-arm
- macos-15-intel # x86
- macos-latest # arm64
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
- name: cargo build ...
run: cargo build --locked --bin sysand --release
- name: Relocate binaries
run: |
mkdir -p dist
ext=${{ (matrix.os == 'windows-latest' || matrix.os == 'windows-11-arm') && '.exe' || '' }}
cp target/release/sysand${ext} dist/sysand-${{ matrix.os }}${ext}
- name: Upload binaries
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
with:
name: sysand-cli-${{ matrix.os }}
path: dist
if-no-files-found: error
ci-gate:
name: Rust CI Gate
needs: [plan, lint-and-format, test, build]
if: needs.plan.outputs.gate == 'true' && !cancelled()
runs-on: ubuntu-slim
steps:
- run: |
if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]]; then
exit 1
fi
nightly-release:
name: Nightly Release
needs: [test, build]
if: github.ref == 'refs/heads/main' && !startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-24.04
permissions:
id-token: write # for actions/attest
attestations: write # for actions/attest
artifact-metadata: write # for actions/attest
contents: write # for "gh release create"
steps:
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
path: artifacts
merge-multiple: true
- name: Generate artifact attestation
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
with:
subject-path: "artifacts/*"
- name: Rename artifacts
run: |
mv artifacts/sysand-ubuntu-24.04 artifacts/sysand-linux-x86_64
mv artifacts/sysand-ubuntu-24.04-arm artifacts/sysand-linux-arm64
mv artifacts/sysand-windows-latest.exe artifacts/sysand-windows-x86_64.exe
mv artifacts/sysand-windows-11-arm.exe artifacts/sysand-windows-arm64.exe
mv artifacts/sysand-macos-15-intel artifacts/sysand-macos-x86_64
mv artifacts/sysand-macos-latest artifacts/sysand-macos-arm64
- name: Create release tag
run: echo "TAG_NAME=$(date +v-%Y-%m-%d-%H%M)" >> $GITHUB_ENV
- name: Create a nightly release
run: >-
gh release create "$TAG_NAME"
--prerelease
--title "Nightly Release $TAG_NAME"
--repo "$GITHUB_REPOSITORY"
artifacts/*
env:
GH_TOKEN: ${{ github.token }}
release:
name: Release
needs: [test, build]
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-24.04
permissions:
id-token: write # for actions/attest
attestations: write # for actions/attest
artifact-metadata: write # for actions/attest
contents: write # for "gh release create"
steps:
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
path: artifacts
merge-multiple: true
- name: Generate artifact attestation
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
with:
subject-path: "artifacts/*"
- name: Rename artifacts
run: |
mv artifacts/sysand-ubuntu-24.04 artifacts/sysand-linux-x86_64
mv artifacts/sysand-ubuntu-24.04-arm artifacts/sysand-linux-arm64
mv artifacts/sysand-windows-latest.exe artifacts/sysand-windows-x86_64.exe
mv artifacts/sysand-windows-11-arm.exe artifacts/sysand-windows-arm64.exe
mv artifacts/sysand-macos-15-intel artifacts/sysand-macos-x86_64
mv artifacts/sysand-macos-latest artifacts/sysand-macos-arm64
- name: Create a release
run: >-
gh release create "$REF_NAME"
--verify-tag
--latest
--title "Release $REF_NAME"
--repo "$GITHUB_REPOSITORY"
artifacts/*
env:
GH_TOKEN: ${{ github.token }}
REF_NAME: ${{ github.ref_name }}