4 changes: 4 additions & 0 deletions .github/dependabot.yml
@@ -5,6 +5,8 @@ updates:
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
open-pull-requests-limit: 10
labels:
- "dependencies"
@@ -15,6 +17,8 @@ updates:
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
open-pull-requests-limit: 10
labels:
- "dependencies"
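Review bot: The two `cooldown:` blocks are added without a comment saying what the delay is for or what it does not cover. As far as Dependabot's documentation goes, cooldown holds back version-update pull requests only, and security updates are still raised immediately; saying so next to the setting keeps a later reader from assuming that fixes for known vulnerabilities also wait a week. I would add `# Wait 7 days after a release before proposing version bumps; security updates are not delayed.` above each `cooldown:` key. Both update entries start and end outside the visible hunks, so the ecosystems they apply to cannot be confirmed from here.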
8 changes: 7 additions & 1 deletion .github/workflows/audit.yml
@@ -20,8 +20,12 @@ permissions:
jobs:
audit:
runs-on: ubuntu-latest
env:
CARGO_AUDIT_VERSION: "0.22.1"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Install Rust toolchain
uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
@@ -36,7 +40,9 @@ jobs:
restore-keys: advisory-db-

- name: Install cargo-audit
run: cargo install --locked cargo-audit
uses: taiki-e/cache-cargo-install-action@417450f3c33ee20393705369577571770643d4c7 # v3.0.7
with:
tool: cargo-audit@${{ env.CARGO_AUDIT_VERSION }}

- name: Run cargo audit
run: |
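Review bot: The removed step installed with `cargo install --locked cargo-audit`, and the replacement `taiki-e/cache-cargo-install-action` call does not show whether the crate's shipped `Cargo.lock` is still honoured. Without it, the auditor would be built against whatever dependency versions resolve on the day of a cache miss, which is the kind of drift the version pin is meant to remove. Please confirm the action's default in its documentation and record it above the step, for example `# Builds with the crate's Cargo.lock and caches the binary per pinned version.` if that is what it does. The same question applies to the `cache-cargo-install-action` steps added in ci.yml. The `run:` block of the audit step continues outside the hunk.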
2 changes: 2 additions & 0 deletions .github/workflows/benchmarks.yml
@@ -48,6 +48,8 @@ jobs:

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Install Rust toolchain
uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
235 changes: 65 additions & 170 deletions .github/workflows/ci.yml
@@ -1,6 +1,8 @@
name: CI

permissions:
contents: read

concurrency:
group: >
ci-${{ github.workflow }}-${{
@@ -17,21 +19,25 @@ on:
pull_request:
branches:
- main
workflow_dispatch:

env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
ACTIONLINT_VERSION: "1.7.10"
MARKDOWNLINT_VERSION: "0.47.0"
SHFMT_VERSION: "3.12.0"
TYPOS_VERSION: "1.43.4"
UV_VERSION: "0.9.28"
CARGO_NEXTEST_VERSION: "0.9.137"
DPRINT_VERSION: "0.54.0"
JUST_VERSION: "1.51.0"
RUMDL_VERSION: "0.2.4"
TAPLO_VERSION: "0.10.0"
TYPOS_VERSION: "1.47.0"
UV_VERSION: "0.11.16"
ZIZMOR_VERSION: "1.25.2"

jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false # Continue other jobs if one fails
fail-fast: false
matrix:
os:
- ubuntu-latest
@@ -46,190 +52,79 @@ jobs:
target: x86_64-pc-windows-msvc

steps:
- name: Disable Git autocrlf on Windows
if: matrix.os == 'windows-latest'
shell: pwsh
run: |
git config --global core.autocrlf false
git config --global core.eol lf

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Install Rust toolchain
uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
with:
target: ${{ matrix.target }}
cache: true # Built-in caching
cache: true
# toolchain, components, etc. are specified in rust-toolchain.toml

- name: Install just
if: matrix.os != 'windows-latest'
uses: taiki-e/install-action@50b4a718b59c718df4ef27a3b445f86cd57b9f00 # v2.80.0
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
tool: just
python-version: "3.12"

- name: Install uv (for Python scripts and pytest)
if: matrix.os != 'windows-latest'
- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: ${{ env.UV_VERSION }}
enable-cache: true

- name: Sync Python tooling
run: uv sync --locked --group dev

- name: Install just
uses: taiki-e/cache-cargo-install-action@417450f3c33ee20393705369577571770643d4c7 # v3.0.7
with:
tool: just@${{ env.JUST_VERSION }}

- name: Install Node.js (for markdownlint)
if: matrix.os != 'windows-latest'
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
- name: Install dprint
uses: taiki-e/cache-cargo-install-action@417450f3c33ee20393705369577571770643d4c7 # v3.0.7
with:
node-version: "20"
tool: dprint@${{ env.DPRINT_VERSION }}

- name: Install Node.js packages
if: matrix.os != 'windows-latest'
run: |
npm install -g markdownlint-cli@${{ env.MARKDOWNLINT_VERSION }}
- name: Install rumdl
uses: taiki-e/cache-cargo-install-action@417450f3c33ee20393705369577571770643d4c7 # v3.0.7
with:
tool: rumdl@${{ env.RUMDL_VERSION }}

- name: Install taplo
id: install-taplo
continue-on-error: ${{ matrix.os == 'windows-latest' }}
uses: taiki-e/cache-cargo-install-action@417450f3c33ee20393705369577571770643d4c7 # v3.0.7
with:
tool: taplo-cli@${{ env.TAPLO_VERSION }}

- name: Install typos-cli
if: matrix.os != 'windows-latest'
uses: taiki-e/install-action@50b4a718b59c718df4ef27a3b445f86cd57b9f00 # v2.80.0
- name: Install taplo on Windows after cached install failure
if: matrix.os == 'windows-latest' && steps.install-taplo.outcome == 'failure'
shell: pwsh
run: cargo install --locked taplo-cli --version $env:TAPLO_VERSION

- name: Install typos
uses: taiki-e/cache-cargo-install-action@417450f3c33ee20393705369577571770643d4c7 # v3.0.7
with:
tool: typos-cli@${{ env.TYPOS_VERSION }}

- name: Install taplo (for TOML formatting and linting)
if: matrix.os != 'windows-latest'
uses: taiki-e/install-action@50b4a718b59c718df4ef27a3b445f86cd57b9f00 # v2.80.0
- name: Install zizmor
uses: taiki-e/cache-cargo-install-action@417450f3c33ee20393705369577571770643d4c7 # v3.0.7
with:
tool: taplo-cli
tool: zizmor@${{ env.ZIZMOR_VERSION }}

- name: Install actionlint (Linux/macOS)
if: matrix.os != 'windows-latest'
run: |
set -euo pipefail

# actionlint is published as prebuilt binaries (Go), not a Rust crate.
# Install directly from rhysd/actionlint releases to avoid cargo-binstall fallback failures.
# Verify SHA256 checksums from the upstream release for supply-chain hardening.
OS="$(uname -s)"
ARCH="$(uname -m)"

case "$OS" in
Linux) ACTIONLINT_OS="linux" ;;
Darwin) ACTIONLINT_OS="darwin" ;;
*)
echo "Unsupported OS for actionlint: $OS" >&2
exit 1
;;
esac

case "$ARCH" in
x86_64|amd64) ACTIONLINT_ARCH="amd64" ;;
arm64|aarch64) ACTIONLINT_ARCH="arm64" ;;
*)
echo "Unsupported architecture for actionlint: $ARCH" >&2
exit 1
;;
esac

verify_sha256() {
local checksum_file="$1"
if command -v sha256sum >/dev/null 2>&1; then
sha256sum -c "$checksum_file"
else
shasum -a 256 -c "$checksum_file"
fi
}

VERSION="${ACTIONLINT_VERSION}"
TARBALL="actionlint_${VERSION}_${ACTIONLINT_OS}_${ACTIONLINT_ARCH}.tar.gz"
CHECKSUMS_FILE="actionlint_${VERSION}_checksums.txt"
BASE_URL="https://github.com/rhysd/actionlint/releases/download/v${VERSION}"

tmpdir="$(mktemp -d)"
trap 'rm -rf "$tmpdir"' EXIT

curl -fsSL "${BASE_URL}/${TARBALL}" -o "$tmpdir/$TARBALL"
curl -fsSL "${BASE_URL}/${CHECKSUMS_FILE}" -o "$tmpdir/$CHECKSUMS_FILE"

orig_dir="$PWD"
cd "$tmpdir"
awk -v f="$TARBALL" '$NF==f {print; found=1} END {exit found?0:1}' "$CHECKSUMS_FILE" > checksum.txt
verify_sha256 checksum.txt
cd "$orig_dir"

tar -xzf "$tmpdir/$TARBALL" -C "$tmpdir"

actionlint_path="$(find "$tmpdir" -type f -name actionlint | head -n 1)"
if [[ -z "$actionlint_path" ]]; then
echo "actionlint binary not found in $TARBALL" >&2
exit 1
fi

sudo install -m 0755 "$actionlint_path" /usr/local/bin/actionlint

- name: actionlint -version
if: matrix.os != 'windows-latest'
run: actionlint -version

- name: Install additional tools (Linux)
if: matrix.os == 'ubuntu-latest'
run: |
# Install shellcheck, jq, and yamllint
sudo apt-get update
sudo apt-get install -y shellcheck jq yamllint

# Install shfmt (pinned for CI consistency)
SHFMT_ASSET="shfmt_v${SHFMT_VERSION}_linux_amd64"
SHFMT_BASE_URL="https://github.com/mvdan/sh/releases/download/v${SHFMT_VERSION}"

tmpdir="$(mktemp -d)"
trap 'rm -rf "$tmpdir"' EXIT

curl -fsSL \
"${SHFMT_BASE_URL}/${SHFMT_ASSET}" \
-o "$tmpdir/${SHFMT_ASSET}"
curl -fsSL \
"${SHFMT_BASE_URL}/sha256sums.txt" \
-o "$tmpdir/sha256sums.txt"

(
cd "$tmpdir"
awk -v f="${SHFMT_ASSET}" '$NF==f {print; found=1} END {exit found?0:1}' sha256sums.txt > checksum.txt
sha256sum -c checksum.txt
)

sudo install -m 0755 "$tmpdir/${SHFMT_ASSET}" /usr/local/bin/shfmt

- name: Install additional tools (macOS)
if: matrix.os == 'macos-latest'
run: |
# Install shellcheck, jq, and yamllint via Homebrew
brew install shellcheck jq yamllint

# Install shfmt (pinned for CI consistency with Linux)
SHFMT_ARCH="amd64"
if [[ "$(uname -m)" == "arm64" ]]; then
SHFMT_ARCH="arm64"
fi

SHFMT_ASSET="shfmt_v${SHFMT_VERSION}_darwin_${SHFMT_ARCH}"
SHFMT_BASE_URL="https://github.com/mvdan/sh/releases/download/v${SHFMT_VERSION}"

tmpdir="$(mktemp -d)"
trap 'rm -rf "$tmpdir"' EXIT

curl -fsSL \
"${SHFMT_BASE_URL}/${SHFMT_ASSET}" \
-o "$tmpdir/${SHFMT_ASSET}"
curl -fsSL \
"${SHFMT_BASE_URL}/sha256sums.txt" \
-o "$tmpdir/sha256sums.txt"

(
cd "$tmpdir"
awk -v f="${SHFMT_ASSET}" '$NF==f {print; found=1} END {exit found?0:1}' sha256sums.txt > checksum.txt
shasum -a 256 -c checksum.txt
)

sudo install -m 0755 "$tmpdir/${SHFMT_ASSET}" /usr/local/bin/shfmt

- name: Run CI checks (Linux/macOS)
if: matrix.os != 'windows-latest'
run: just ci
- name: Install cargo-nextest
uses: taiki-e/cache-cargo-install-action@417450f3c33ee20393705369577571770643d4c7 # v3.0.7
with:
tool: cargo-nextest@${{ env.CARGO_NEXTEST_VERSION }}

- name: Build and test (Windows)
if: matrix.os == 'windows-latest'
run: |
cargo build --verbose --all-targets
cargo test --lib --verbose
cargo test --doc --verbose
cargo test --tests --verbose
cargo test --features exact --verbose
- name: Run CI checks
run: just ci
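Review bot: The tool versions pinned in the top-level `env:` block (`JUST_VERSION`, `ZIZMOR_VERSION`, `CARGO_NEXTEST_VERSION` and the rest) are plain strings that nothing on this page keeps current. Dependabot's GitHub Actions updater rewrites `uses:` references, not values under `env:`, so these pins, and `CARGO_AUDIT_VERSION` in audit.yml, move only when someone edits them by hand. That matters most for the security tooling (zizmor, cargo-audit), where a stale release can miss newer checks. I would add a comment above the block such as `# Tool pins below are not tracked by Dependabot; review and bump them manually.`, or name whatever process does update them.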
6 changes: 4 additions & 2 deletions .github/workflows/codacy.yml
@@ -50,6 +50,8 @@ jobs:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Set Codacy paths
run: |
@@ -81,7 +83,7 @@ jobs:
- name: Run Codacy Analysis CLI
if: ${{ env.CODACY_PROJECT_TOKEN != '' }}
id: codacy_analysis
uses: codacy/codacy-analysis-cli-action@562ee3e92b8e92df8b67e0a5ff8aa8e261919c08
uses: codacy/codacy-analysis-cli-action@562ee3e92b8e92df8b67e0a5ff8aa8e261919c08 # pinned
with:
# Check https://github.com/codacy/codacy-analysis-cli#project-token
# to get your project token from your Codacy repository.
@@ -162,7 +164,7 @@ jobs:
# Upload the identified SARIF file
- name: Upload identified SARIF file
if: always() && env.SARIF_FILE != ''
uses: github/codeql-action/upload-sarif@b36bf259c813715f76eafece573914b94412cd13 # v3
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
with:
sarif_file: ${{ env.SARIF_FILE }}
continue-on-error: true
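Review bot: The new trailing comment `# pinned` on the `codacy/codacy-analysis-cli-action` line tells a reader nothing the full commit SHA does not already show, whereas every other pin on this page names its release (`# v6.0.2`, `# v4.36.0`). Without the tag, a reviewer cannot tell which release is being run or whether it is stale, and update tooling that rewrites version comments has nothing to rewrite. Replace it with the tag this commit corresponds to, written as `# v<TAG>` (placeholder: look up the release tag for the pinned commit before merging).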