infra: add basic CI and security audit workflows #9
This introduces two workflows: one for basic CI (format and check) and one for security audits. The security audit workflow probably isn't going to catch anything, but it only runs when the cargo manifest changes, so hopefully it doesn't slow things down too much. The CI workflow is designed to run `cargo fmt` against the code and to run `cargo check` with every combination of options. Right now, the `unproven` feature must be enabled, which ends up requiring a nightly compiler. As a result, the build matrix only runs two variants (one for each of the two supported devices). Once builds can be done without the `unproven` feature, `~` can be added to the `proven` dimension of the matrix, which will then allow builds to run against both nightly and stable.
Regarding the actual implementation, there are a few quirks in this config.

The verbose `on` object is the result of pushes to pull requests triggering the workflow twice - the workflow is triggered by both the `push` and `pull_request` events. By restricting these to the `master` branch, it ensures that only pushes to the master branch or pull requests to the master branch (but not pushes to pull request branches) trigger.
The bizarre construction of the `run` step in the `check` job is needed because GitHub isn't parsing the declaration correctly. The preferred syntax would be to make use of the folded chomping block operator and to drop the shell line wraps. Something closer to this:
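The author's own corrected snippet is not reproduced on this page. As a separate, added illustration (not the PR's workflow files), the two files below sketch the trigger restriction and the manifest-only audit described in the description; the two files are shown in one block separated by `---`, the device names are placeholders, and selecting a device via a cargo feature is an assumption. Only `unproven` is a feature actually named in the PR.

```yaml
# .github/workflows/ci.yml (illustrative, not the PR's file)
name: ci
on:
  # Listing both events with the same branch filter means a push to a
  # pull request branch fires the workflow once (via pull_request), not
  # once per event; a push to master fires only via push.
  push:
    branches: [master]
  pull_request:
    branches: [master]
jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: rustup component add rustfmt
      - run: cargo fmt -- --check          # fail the job on unformatted code
  check:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        device: [device-a, device-b]       # placeholder device features
        # `unproven` currently forces nightly; a stable entry can be added
        # here once the feature is no longer required.
        toolchain: [nightly]
    steps:
      - uses: actions/checkout@v4
      - run: rustup toolchain install ${{ matrix.toolchain }}
      - run: cargo +${{ matrix.toolchain }} check --features "unproven,${{ matrix.device }}"
---
# .github/workflows/audit.yml (illustrative, not the PR's file)
name: audit
on:
  # Only dependency changes can introduce a new advisory, so the audit
  # runs solely when the manifest or lockfile changes.
  push:
    branches: [master]
    paths: ['Cargo.toml', 'Cargo.lock']
  pull_request:
    branches: [master]
    paths: ['Cargo.toml', 'Cargo.lock']
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo install cargo-audit
      - run: cargo audit                   # checks Cargo.lock against the RustSec advisory DB
```

The `paths` filter is what keeps the audit cheap: a pull request that touches only source files never schedules the job.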