chore: refactor pre-commit config and build workflow (#563)

xeniape · web-flow · commit 26d779fc3125 · 2025-11-24T14:34:33.000Z
diff --git a/template/.github/workflows/build.yml.j2 b/template/.github/workflows/build.yml.j2
@@ -97,223 +97,12 @@ jobs:
             echo "skip_helm=true" >> "$GITHUB_OUTPUT"
           fi
 
-  run_cargodeny:
-    name: Run Cargo Deny
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        checks:
-          - advisories
-          - bans licenses sources
-
-    # Prevent sudden announcement of a new advisory from failing ci:
-    continue-on-error: ${{ matrix.checks == 'advisories' }}
-
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-          submodules: recursive
-      - uses: EmbarkStudios/cargo-deny-action@f2ba7abc2abebaf185c833c3961145a3c275caad # v2.0.13
-        with:
-          command: check ${{ matrix.checks }}
-
-  run_rustfmt:
-    name: Run Rustfmt
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-          submodules: recursive
-      - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921
-        with:
-          toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN_VERSION }}
-          components: rustfmt
-      - env:
-          RUST_TOOLCHAIN_VERSION: ${{ env.RUST_NIGHTLY_TOOLCHAIN_VERSION }}
-        run: cargo "+$RUST_TOOLCHAIN_VERSION" fmt --all -- --check
-
-  run_clippy:
-    name: Run Clippy
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install host dependencies
-        uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
-        with:
-          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
-          version: ubuntu-latest
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-          submodules: recursive
-      - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921
-        with:
-          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-          components: clippy
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
-        with:
-          key: clippy
-          cache-all-crates: "true"
-      # TODO (@Techassi): Remove this step (unmaintained action, kinda useless step anyway)
-      - name: Run clippy action to produce annotations
-        uses: giraffate/clippy-action@13b9d32482f25d29ead141b79e7e04e7900281e0 # v1.0.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        if: env.GITHUB_TOKEN != null
-        with:
-          clippy_flags: --all-targets -- -D warnings
-          reporter: 'github-pr-review'
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-      # TODO (@Techassi): Remove, done by pre-commit
-      - name: Run clippy manually without annotations
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        if: env.GITHUB_TOKEN == null
-        run: cargo clippy --color never -q --all-targets -- -D warnings
-
-  # TODO (@Techassi): Can be done by pre-commit
-  run_rustdoc:
-    name: Run RustDoc
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install host dependencies
-        uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
-        with:
-          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
-          version: ubuntu-latest
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          submodules: recursive
-      - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921
-        with:
-          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-          components: rustfmt
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
-        with:
-          key: doc
-          cache-all-crates: "true"
-      - run: cargo doc --document-private-items
-
-  # TODO (@Techassi): Remove, done by pre-commit
-  run_tests:
-    name: Run Cargo Tests
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install host dependencies
-        uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
-        with:
-          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
-          version: ubuntu-latest
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-          submodules: recursive
-      - uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921
-        with:
-          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
-        with:
-          key: test
-          cache-all-crates: "true"
-      - run: cargo test
-
-
-  # Similar to check_charts, this tries to render the README, and see if there are unintended changes.
-  # This will save us from merging changes to the wrong file (instead of the templated source), and from
-  # forgetting to render out modifications to the README.
-  check_readme:
-    name: Check if committed README is the one we would render from the available parts
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-          submodules: recursive
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-      - name: Install jinja2-cli
-        run: pip install jinja2-cli==0.8.2
-      - name: Regenerate charts
-        run: make render-readme
-      - name: Check if committed README were up to date
-        run: git diff --exit-code
-      - name: Git Diff showed uncommitted changes
-        if: ${{ failure() }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          script: |
-            core.setFailed('Committed README are not up to date, please make sure to apply them to the templated partials, and re-commit!')
-
-  # This job cleans up the CRDs and Helm charts, followed by rebuilding them
-  # It then runs a `git diff` and fails the entire workflow, if any difference is encountered.
-  #
-  # Since CRD files are generated during the 'cargo build' process we need to run this once after
-  # removing the CRD files to ensure that the checked in versions match what the code expects.
-  #
-  # The reason for this step is, that developers are expected to check in up-to-date versions of charts
-  # as we'd otherwise have to build these in CI and commit them back to the PR, which
-  # creates all kinds of problems.
-  # This failsafe simply aborts anything that has not had charts rebuilt before pushing.
-  check_charts:
-    name: Check if committed Helm charts are up to date
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install host dependencies
-        uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
-        with:
-          packages: protobuf-compiler krb5-user libkrb5-dev libclang-dev liblzma-dev libssl-dev pkg-config apt-transport-https
-          version: ubuntu-latest
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-          submodules: recursive
-      - name: Set up Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
-        with:
-          version: v3.16.1
-      - name: Set up cargo
-        uses: dtolnay/rust-toolchain@6d653acede28d24f02e3cd41383119e8b1b35921
-        with:
-          toolchain: ${{ env.RUST_TOOLCHAIN_VERSION }}
-      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
-        with:
-          key: charts
-          cache-all-crates: "true"
-      - name: Regenerate charts
-        run: make regenerate-charts
-      - name: Check if committed charts were up to date
-        run: git diff --exit-code
-      - name: Git Diff showed uncommitted changes
-        if: ${{ failure() }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          script: |
-            core.setFailed('Committed charts were not up to date, please regenerate and re-commit!')
-
-  tests_passed:
-    name: All tests passed
-    needs:
-      - run_udeps
-      - run_cargodeny
-      - run_clippy
-      - run_rustfmt
-      - run_rustdoc
-      - run_tests
-      - check_charts
-      - check_readme
-    runs-on: ubuntu-latest
-    steps:
-      - name: log
-        run: echo All tests have passed!
-
   # TODO (@Techassi): Most of these publishing and signing tasks can be done by our own actions.
   # Make use of them just like we do in docker-images.
   package_and_publish:
     name: Package Charts, Build Docker Image and publish them - ${{ matrix.runner }}
     needs:
-      - tests_passed
+      - run_udeps
       - check_helm_publish
     strategy:
       matrix:
diff --git a/template/.pre-commit-config.yaml.j2 b/template/.pre-commit-config.yaml.j2
@@ -14,6 +14,13 @@ repos:
         args: ["--allow-missing-credentials"]
       - id: detect-private-key
 
+  - repo: https://github.com/EmbarkStudios/cargo-deny
+    # Failing to compile cargo-deny with version >0.18.3, needs rust 1.88.0
+    rev: baa02b0a0c54e0578aae6bb7c7181ad00dc290af # 0.18.3
+    hooks:
+      - id: cargo-deny
+        args: ["--all-features", "check", "advisories", "bans", "licenses", "sources"]
+
   - repo: https://github.com/adrienverge/yamllint
     rev: 79a6b2b1392eaf49cdd32ac4f14be1a809bbd8f7 # 1.37.1
     hooks:
@@ -72,6 +79,22 @@ repos:
         pass_filenames: false
         files: Cargo\.lock
 
+      - id: check-readme
+        name: check-readme
+        language: system
+        entry: make render-readme
+        stages: [pre-commit, pre-merge-commit]
+        pass_filenames: false
+        files: .readme
+
+      - id: cargo-doc
+        name: cargo-doc
+        language: system
+        entry: cargo doc --document-private-items
+        stages: [pre-commit, pre-merge-commit]
+        pass_filenames: false
+        files: \.rs$|Cargo\.(toml|lock)
+
       - id: cargo-test
         name: cargo-test
         language: system
