diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
deleted file mode 100644
index ced6425..0000000
--- a/.github/workflows/check.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-name: Check
-
-on:
- push:
- branches: ['main']
- pull_request:
-
-jobs:
- rustfmt:
- name: Run rustfmt
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Install Rust
- uses: dtolnay/rust-toolchain@stable
- with:
- toolchain: stable
- components: rustfmt
-
- - name: Setup Rust cache
- uses: Swatinem/rust-cache@v2
-
- - name: Run rustfmt
- run: cargo fmt --all -- --check
-
- clippy:
- name: Run Clippy scan
- runs-on: ubuntu-latest
-
- permissions:
- security-events: write
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Install Rust
- uses: dtolnay/rust-toolchain@stable
- with:
- toolchain: stable
- components: clippy
-
- - name: Setup Rust cache
- uses: Swatinem/rust-cache@v2
-
- - name: Install SARIF tools
- run: cargo install clippy-sarif sarif-fmt
-
- - name: Fetch Cargo deps
- run: cargo fetch --locked
-
- - name: Run Clippy
- continue-on-error: true
- run: |
- cargo clippy \
- --all-features \
- --all-targets \
- --message-format=json \
- | clippy-sarif | tee /tmp/clippy.sarif | sarif-fmt
-
- - name: Upload results
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: /tmp/clippy.sarif
- wait-for-processing: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..f54bdf2
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,79 @@
+name: CI
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Build (${{ matrix.os }})
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - os: ubuntu-latest
+ use-nix: true
+ - os: windows-latest
+ use-nix: false
+
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Rust
+ if: ${{ !matrix.use-nix }}
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+
+ - name: Install Nix
+ if: ${{ matrix.use-nix }}
+ uses: DeterminateSystems/nix-installer-action@v15
+
+ - name: Setup Nix cache
+ if: ${{ matrix.use-nix }}
+ uses: DeterminateSystems/magic-nix-cache-action@v8
+
+ - name: Build
+ if: ${{ !matrix.use-nix }}
+ run: cargo build --locked
+
+ - name: Build
+ if: ${{ matrix.use-nix }}
+ run: nix build --print-build-logs .#refraction-debug
+
+ flake:
+ name: Flake checks
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v15
+
+ - name: Setup Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v8
+
+ - name: Run checks
+ run: |
+ nix flake check --print-build-logs --show-trace
+
+ # Make sure all above jobs finished successfully
+ release-gate:
+ name: CI Release gate
+ needs: [build, flake]
+
+ if: ${{ always() }}
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Exit with error
+ if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
+ run: exit 1
diff --git a/.github/workflows/clippy.yml b/.github/workflows/clippy.yml
new file mode 100644
index 0000000..8834daa
--- /dev/null
+++ b/.github/workflows/clippy.yml
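Review bot: The new ci.yml declares no `permissions:` block, so `build`, `flake` and `release-gate` all run with the repository's default GITHUB_TOKEN grant instead of the minimum they need; the jobs only check out and build, so a workflow-level `permissions:` / `  contents: read` covers them. Every third-party action is referenced by a mutable tag (`actions/checkout@v4`, `actions-rust-lang/setup-rust-toolchain@v1`, `DeterminateSystems/nix-installer-action@v15`, `DeterminateSystems/magic-nix-cache-action@v8`); pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment is the stricter supply-chain choice, and the same applies to the `uses:` lines in clippy.yml and update-flake.yml in this commit. The two steps both named `Build` differ only in their `if:`; naming them `Build (cargo)` and `Build (nix)` makes the job log and any failure notice self-explanatory.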
@@ -0,0 +1,47 @@ +name: Clippy + +on: + push: + branches: [main] + paths: + - 'Cargo.toml' + - 'Cargo.lock' + - '**.rs' + pull_request: + paths: + - 'Cargo.toml' + - 'Cargo.lock' + - '**.rs' + workflow_dispatch: + +jobs: + clippy: + name: Run scan + + runs-on: ubuntu-latest + + permissions: + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@v13 + + - name: Setup Nix cache + uses: DeterminateSystems/magic-nix-cache-action@v7 + + - name: Generate sarif report + id: clippy-run + run: | + nix build --print-build-logs .#clippy-report + [ -L result ] || exit 1 + echo "sarif-file=$(readlink -f result)" >> "$GITHUB_OUTPUT" + + - name: Upload results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.clippy-run.outputs.sarif-file }} + wait-for-processing: true diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index a3ce720..413b306 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -2,7 +2,7 @@ name: Docker on: push: - branches: [ main ] + branches: [main] pull_request: workflow_dispatch: @@ -13,7 +13,7 @@ jobs: strategy: fail-fast: false matrix: - arch: [ amd64, arm64 ] + arch: [amd64, arm64] runs-on: ubuntu-latest @@ -44,11 +44,25 @@ jobs: if-no-files-found: error retention-days: 3 + # Make sure all above jobs finished successfully + release-gate: + name: Docker Release gate + needs: [build] + + if: ${{ always() }} + + runs-on: ubuntu-latest + + steps: + - name: Exit with error + if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }} + run: exit 1 + push: name: Push image needs: build - if: github.event_name == 'push' + if: ${{ github.event_name == 'push' }} runs-on: ubuntu-latest diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml deleted file mode 100644 index ec472fa..0000000 --- a/.github/workflows/nix.yml +++ /dev/null 
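Review bot: The action versions in clippy.yml lag the ones the same commit writes into ci.yml — `DeterminateSystems/nix-installer-action@v13` and `DeterminateSystems/magic-nix-cache-action@v7` here against `@v15` and `@v8` there — so the two workflows install different installer and cache releases; align them to `@v15` / `@v8`. The `paths:` filters list only `'Cargo.toml'`, `'Cargo.lock'` and `'**.rs'`, but the report comes from `nix build .#clippy-report`, whose inputs also include `flake.nix`, `flake.lock` and `nix/clippy.nix`; adding `'flake.nix'`, `'flake.lock'` and `'nix/**'` to both lists keeps a toolchain or derivation change from silently skipping the scan. The job-level `permissions:` grants only `security-events: write`, which sets every unlisted scope to none; that is enough on a public repository, but on a private one checkout and upload-sarif would also need `contents: read` and `actions: read`.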
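Review bot: The new `Docker Release gate` job passes when `build` ends as `skipped`, because its only step tests for `failure` and `cancelled`; a job meant to serve as a required status check should treat a skipped dependency as a failure too, e.g. `if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') }}`. The `CI Release gate` added in ci.yml uses the same condition and has the same gap. The comment `# Make sure all above jobs finished successfully` could also state the intent, e.g. `# Single job to wire into branch protection; fails if any needed job did not succeed`. The `push` job whose `if:` is rewritten here continues past the end of the hunk.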
@@ -1,52 +0,0 @@ -name: Nix - -on: - push: - branches: ['main'] - pull_request: - workflow_dispatch: - -jobs: - build: - name: Build - strategy: - matrix: - os: [ubuntu-latest, macos-latest] - - runs-on: ${{ matrix.os }} - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Install Nix - uses: DeterminateSystems/nix-installer-action@v15 - - - name: Setup Nix cache - uses: DeterminateSystems/magic-nix-cache-action@v8 - - - name: Build refraction - run: nix build --fallback --print-build-logs - - check: - name: Check flake - - strategy: - matrix: - os: [ubuntu-latest, macos-latest] - - runs-on: ${{ matrix.os }} - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Install Nix - uses: DeterminateSystems/nix-installer-action@v15 - - - name: Setup Nix cache - uses: DeterminateSystems/magic-nix-cache-action@v8 - - - name: Run checks - run: | - nix flake check --print-build-logs --show-trace diff --git a/.github/workflows/update-flake.yml b/.github/workflows/update-flake.yml index 6e04cad..6d17418 100644 --- a/.github/workflows/update-flake.yml +++ b/.github/workflows/update-flake.yml @@ -24,9 +24,9 @@ jobs: - name: Update flake.lock id: update - uses: DeterminateSystems/update-flake-lock@main + uses: DeterminateSystems/update-flake-lock@v23 with: - pr-title: "nix: update flake.lock" + pr-title: 'nix: update flake.lock' - name: Enable Pull Request Automerge uses: peter-evans/enable-pull-request-automerge@v3 diff --git a/flake.nix b/flake.nix index c605a60..f42f4eb 100644 --- a/flake.nix +++ b/flake.nix 
@@ -58,6 +58,24 @@ nixosModules.default = import ./nix/module.nix self; + # For CI + legacyPackages = forAllSystems ( + system: + let + pkgs = nixpkgsFor.${system}; + in + { + clippy-report = pkgs.callPackage ./nix/clippy.nix { inherit (self.packages.${system}) refraction; }; + + refraction-debug = (self.packages.${system}.refraction.override { lto = false; }).overrideAttrs ( + finalAttrs: _: { + cargoBuildType = "debug"; + cargoCheckType = finalAttrs.cargoBuildType; + } + ); + } + ); + packages = forAllSystems ( system: let diff --git a/nix/clippy.nix b/nix/clippy.nix new file mode 100644 index 0000000..9c360a9 --- /dev/null +++ b/nix/clippy.nix @@ -0,0 +1,39 @@ +{ + cargo, + clippy, + clippy-sarif, + refraction, + rustPlatform, + sarif-fmt, + stdenv, +}: + +stdenv.mkDerivation { + pname = "${refraction.pname}-sarif-report"; + inherit (refraction) + version + src + cargoDeps + buildInputs + ; + + nativeBuildInputs = [ + cargo + clippy + clippy-sarif + rustPlatform.cargoSetupHook + sarif-fmt + ]; + + buildPhase = '' + cargo clippy \ + --all-features \ + --all-targets \ + --tests \ + --message-format=json \ + | clippy-sarif | tee $out | sarif-fmt + ''; + + dontInstall = true; + dontFixup = true; +}
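Review bot: The `# For CI` comment on the new `legacyPackages` output does not say why these two derivations are placed there rather than under `packages`, so a later cleanup could move them and change what `nix flake check` builds; suggest `# CI-only derivations; kept under legacyPackages so that nix flake check does not evaluate or build them`. The `.override { lto = false; }` call assumes the `refraction` package exposes an `lto` argument, which is not visible in this diff and is worth confirming against the package expression. The `packages = forAllSystems (` block that follows continues past the end of the hunk.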
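Review bot: In `buildPhase` the `--tests` flag is redundant with `--all-targets`, which already selects lib, bins, tests, benches and examples, and `$out` is unquoted in `tee $out`; drop the `--tests \` line and write `| clippy-sarif | tee "$out" | sarif-fmt`. The derivation inherits `buildInputs` from `refraction` but not its `nativeBuildInputs`, so if the package relies on build-time tools such as `pkg-config` the clippy run would lack them — the refraction derivation is not in this diff, so this needs confirming there. A header comment such as `# Runs cargo clippy over the refraction source and writes the SARIF report to $out; no install or fixup phase is needed` would explain `dontInstall` and `dontFixup` to the next reader.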