Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
107 changes: 107 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
# Continuous integration for the Frameshift workspace.
#
# Gates every pull request (and pushes to the default branch) on formatting,
# lints, the unit/integration test suite, the Docker-gated Postgres tests, and
# a supply-chain advisory scan. Jobs run on the stable toolchain to match the
# local development environment; the workspace declares rust-version 1.75 but is
# built on current stable, so a dedicated 1.75 MSRV-verification job is deferred
# to the later tier rather than risking a spurious MSRV failure.
name: CI

on:
push:
branches: ["main", "master"]
pull_request:

env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1

# Only keep the latest run per ref alive; cancel superseded runs to save minutes.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
# Formatting check. Does not compile anything, so it needs no system libs and
# fails fast on style drift.
fmt:
name: Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt
- run: cargo fmt --all -- --check

# Lints. clippy compiles the whole workspace (all targets), so it needs
# libpq-dev for the diesel/pq-sys-backed catalog crate. -D warnings makes any
# lint a hard failure.
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: clippy
- name: Install libpq
run: sudo apt-get update -q && sudo apt-get install -y libpq-dev
- uses: Swatinem/rust-cache@v2
- run: cargo clippy --workspace --all-targets -- -D warnings

# Unit and integration tests. The Postgres integration tests are gated behind
# #[ignore = "requires Docker"], so plain `cargo test --workspace` skips them
# and runs fast without a database.
test:
name: Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- name: Install libpq
run: sudo apt-get update -q && sudo apt-get install -y libpq-dev
- uses: Swatinem/rust-cache@v2
- run: cargo test --workspace

# The Docker-gated Postgres integration tests. testcontainers starts its own
# postgres container against the runner's Docker daemon (no service block or
# DATABASE_URL needed); migrations run inside PostgresCatalog::new(). Scoped to
# the one crate that owns these tests so --include-ignored stays narrow.
test-postgres:
name: Test (Postgres integration)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- name: Install libpq
run: sudo apt-get update -q && sudo apt-get install -y libpq-dev
- uses: Swatinem/rust-cache@v2
- run: cargo test -p frameshift-catalog-postgres -- --include-ignored

# Supply-chain advisory scan against the RustSec database. Now blocking: the
# advisory backlog has been triaged and the vulnerable dependencies bumped, so
# a new advisory should fail the pipeline rather than slip in silently.
#
# The single ignore is RUSTSEC-2024-0370 (proc-macro-error unmaintained). It is
# a build-time-only proc-macro pulled transitively by age -> i18n-embed-fl; it
# never ships in any runtime artifact, and the only way to drop it is to bump
# age from 0.10 to the 0.11 BETA, which is unacceptable for the crate that
# backs local vault encryption. Re-evaluate when age ships a stable 0.11.
audit:
name: Security audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: rustsec/audit-check@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
ignore: RUSTSEC-2024-0370

# Later tier (intentionally not yet wired, tracked in the roadmap):
# - cargo-deny (needs a deny.toml: license allowlist, ban list, advisory policy)
# - cargo doc --no-deps --workspace to catch broken intra-doc links
# - an MSRV verification job pinned to 1.75 (or reconcile the declared rust-version)
# - coverage (cargo-llvm-cov) once the currently-untested crates gain tests
# - .github/dependabot.yml for weekly Cargo updates
12 changes: 10 additions & 2 deletions .github/workflows/mirror.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,5 +18,13 @@ jobs:
env:
MIRROR_TOKEN: ${{ secrets.MIRROR_TOKEN }}
run: |
git remote add mirror https://x-access-token:${MIRROR_TOKEN}@github.com/Syntheos-Systems/FrameShift.git
git push mirror --mirror
git remote add mirror "https://x-access-token:${MIRROR_TOKEN}@github.com/Syntheos-Systems/FrameShift.git"
# actions/checkout only fetches the triggering ref, so pull every source
# branch into remote-tracking refs before mirroring.
git fetch --prune origin '+refs/heads/*:refs/remotes/origin/*'
# Mirror all branches and tags. We deliberately avoid `git push --mirror`:
# it deletes refs absent from the local checkout, which fails because the
# remote refuses to delete its default branch `main`. Force-push so the
# mirror still follows rebases and force-updates on the source.
git push --force mirror 'refs/remotes/origin/*:refs/heads/*'
git push --force mirror 'refs/tags/*:refs/tags/*'
4 changes: 4 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -30,3 +30,7 @@ data/

# Secrets
bin/leak-patterns.txt

# Local audit working directories (raw findings, local paths, tool identifiers)
.audit-fleet/
.audit-fleet-web/
Loading
Loading