Add security best practices (#107) #164
name: CI | |
on: | |
push: | |
branches: [ master ] | |
pull_request: | |
branches: [ master ] | |
env: | |
CARGO_TERM_COLOR: always | |
permissions: | |
contents: read | |
jobs: | |
c_build: | |
name: Check upstream C library | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
steps: | |
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 | |
with: | |
submodules: recursive | |
- name: Build C library | |
# TODO: Ubuntu is phasing out support for 32-bit packages (e.g., `apt install gcc-multilib` | |
# fails on GitHub's runner); only build the 64-bit version for now. | |
run: python buildall.py --force_bits 64 | |
rust_format: | |
name: Check Rust formatting | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
working-directory: rust | |
steps: | |
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 | |
- run: rustup component add rustfmt clippy | |
- run: cargo fmt --all -- --check | |
- run: cargo clippy | |
rust_dependencies: | |
name: Check Rust dependencies | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 | |
- uses: EmbarkStudios/cargo-deny-action@1e59595bed8fc55c969333d08d7817b36888f0c5 # v1.5.5 | |
with: | |
arguments: --manifest-path rust/Cargo.toml | |
rust_build: | |
name: Check Rust crate | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: ubuntu-latest | |
- os: macos-latest | |
- os: windows-latest | |
- os: windows-latest | |
target: x86_64-pc-windows-gnu | |
defaults: | |
run: | |
working-directory: rust | |
shell: bash | |
steps: | |
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 | |
with: | |
submodules: recursive | |
- run: rustup target add ${{ matrix.target }} | |
if: matrix.target != '' | |
- run: echo CARGO_BUILD_TARGET=${{ matrix.target }} >> $GITHUB_ENV | |
if: matrix.target != '' | |
- name: Build Rust crate | |
run: cargo build | |
- name: Test Rust crate | |
run: cargo test | |
- name: Check crates are publishable | |
# The Windows CI transforms the `c-library` symlink into a real directory, modifying the Git | |
# state, so we ignore these changes with `--allow-dirty` here. | |
run: scripts/verify-publish.sh --allow-dirty |
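Review bot: The `run: echo CARGO_BUILD_TARGET=${{ matrix.target }} >> $GITHUB_ENV` step interpolates an expression directly into shell text; `matrix.target` is workflow-controlled here, so the risk is nil today, but the pattern is the one that becomes an injection the moment a similar line picks up an event-controlled value, and the job would be cleaner with the value passed through the environment: `env: { TARGET: "${{ matrix.target }}" }` on the step and `run: echo "CARGO_BUILD_TARGET=$TARGET" >> "$GITHUB_ENV"`. The SHA pins with `# vX.Y.Z` comments and the workflow-level `permissions: contents: read` are the right shape; pins only stay useful if something refreshes them, and nothing in this file shows an update mechanism (presumably a Dependabot/Renovate config for the `github-actions` ecosystem lives elsewhere — worth confirming). It would also help readers to state in a comment above `permissions:` that the token is deliberately read-only and that any job needing more must request it at job level, so a future edit does not widen it globally.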