Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions .env.example
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,13 @@ ADMIN_PASSWORD=replace-me-with-at-least-16-random-bytes

# Optional: set to "https" to terminate TLS with the certs under ./cert.
# DYNA_MODE=https

# Optional tuning (defaults shown):
# Replicas per key, clamped to the cluster size.
# REPLICATION_FACTOR=3
# Max /auth attempts per client IP per minute.
# AUTH_RATE_LIMIT=30
# Hourly snapshots to retain.
# SNAP_LIMIT=100
# Log verbosity: error | warn | info | debug | trace
# RUST_LOG=info
146 changes: 78 additions & 68 deletions .github/workflows/rust.yml
Original file line number Diff line number Diff line change
@@ -1,101 +1,111 @@
name: Create Release on Every Commit
name: CI

on:
push:
# This will trigger on every commit push on any branch.
branches:
- 'main'
- '**'
tags:
- 'v*'
pull_request:

# Cancel superseded runs on the same ref.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

env:
CARGO_TERM_COLOR: always

jobs:
release:
test:
name: Build, lint & test
runs-on: ubuntu-latest
permissions:
contents: write

steps:
# 1. Checkout the repository code.
- name: Checkout Code
uses: actions/checkout@v4

# 2. Cache Cargo Registry.
- name: Cache Cargo Registry
uses: actions/cache@v3
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
path: ~/.cargo/registry
key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-registry-
components: clippy, rustfmt

# 3. Cache Cargo Git Repositories.
- name: Cache Cargo Git Repositories
uses: actions/cache@v3
- name: Cache cargo
uses: actions/cache@v4
with:
path: ~/.cargo/git
key: ${{ runner.os }}-cargo-git-${{ hashFiles('**/Cargo.lock') }}
path: |
~/.cargo/registry
~/.cargo/git
target
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-git-
${{ runner.os }}-cargo-

# The AES-256 key is embedded at compile time via include_bytes!, so it
# must exist before any cargo invocation. It is intentionally gitignored;
# generate an ephemeral one for CI.
- name: Generate build-time encryption key
run: bash encryption.sh

# 4. Cache Build Artifacts (the target directory).
- name: Cache Build Output
uses: actions/cache@v3
- name: Format check
run: cargo fmt --all --check
continue-on-error: true

- name: Clippy
run: cargo clippy --all-targets -- -D warnings

- name: Test
run: cargo test --locked

- name: Build (release)
run: cargo build --release --locked

release:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Comment on lines +21 to +62
name: Release binary
needs: test
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout Code
uses: actions/checkout@v4

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable

- name: Cache cargo
uses: actions/cache@v4
with:
path: target
key: ${{ runner.os }}-cargo-target-${{ hashFiles('**/Cargo.lock') }}
path: |
~/.cargo/registry
~/.cargo/git
target
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-target-
# 5. Build your project with Cargo in release mode.
- name: Build with Cargo
run: cargo build --release
${{ runner.os }}-cargo-

# 6. Locate the compiled binary.
- name: Locate Binary File
id: locate_binary
run: |
# Adjust the binary name as needed. Here we assume the built binary is named "DynaRust"
binary_path=$(find target/release -maxdepth 1 -type f -executable -name 'DynaRust*')
if [ -z "$binary_path" ]; then
echo "Binary file not found!"
exit 1
else
echo "Binary file found: ${binary_path}"
echo "BINARY_PATH=${binary_path}" >> $GITHUB_ENV
fi
- name: Generate build-time encryption key
run: bash encryption.sh

- name: Build with Cargo
run: cargo build --release --locked

# 7. Determine the tag name.
# If the push already is a tag push, respect that tag.
# Otherwise, use the first 7 characters of the commit SHA prefixed with 'v'.
- id: determine_tag
name: Determine Tag Name
- name: Determine tag name
id: determine_tag
shell: bash
run: |
if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
TAG="${GITHUB_REF##*/}"
echo "Running on tag push. Using tag: ${TAG}"
else
TAG="v${GITHUB_SHA:0:7}"
echo "Not a tag push. Using commit SHA as tag: ${TAG}"
fi
echo "tag=${TAG}" >> "$GITHUB_OUTPUT"

# 8. Create a GitHub Release using the determined tag.
- name: Create GitHub Release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Publish release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ steps.determine_tag.outputs.tag }}
release_name: "Release ${{ steps.determine_tag.outputs.tag }}"
draft: false
prerelease: false

# 9. Upload the built binary as a release asset.
- name: Upload Release Asset
uses: actions/upload-release-asset@v1
name: "Release ${{ steps.determine_tag.outputs.tag }}"
files: target/release/DynaRust
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ${{ env.BINARY_PATH }}
asset_name: DynaRust
asset_content_type: application/octet-stream
Loading
Loading