Initial commit

4 files changed, 389 insertions, 0 deletions

diff --git a/.github/workflows/cargo-vet-pr-comment.yml b/.github/workflows/cargo-vet-pr-comment.yml
new file mode 100644
index 000000000..dd8ef37a6
--- /dev/null
+++ b/.github/workflows/cargo-vet-pr-comment.yml
@@ -0,0 +1,137 @@
+# This workflow triggers after cargo-vet workflow has run.
+# It adds a comment to the PR with the results of the cargo vet run.
+# It first adds a comment if the cargo vet run fails,
+# and updates the comment if the cargo vet run succeeds after having failed at least once.
+
+name: Cargo vet PR comment
+
+on:
+  workflow_run:
+    workflows: [cargo-vet]
+    types:
+      - completed
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+
+  find-pr-comment:
+    # This job runs when the cargo-vet job fails or succeeds
+    # It will download the artifact from the failed job and post a comment on the PR
+    runs-on: ubuntu-latest
+    outputs:
+      comment-id: ${{ steps.get-comment-id.outputs.comment-id }}
+      pr-number: ${{ steps.get-pr-number.outputs.pr_number }}
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: 'Download artifact'
+        uses: actions/download-artifact@v4
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          name: pr
+          path: pr/
+          run-id: ${{ github.event.workflow_run.id }}
+      
+      - name: 'Get PR number'
+        id: get-pr-number
+        run: echo "pr_number=$(cat ./pr/NR)" >> $GITHUB_OUTPUT
+      
+      - name: 'Find existing comment'
+        id: find-comment
+        uses: peter-evans/find-comment@v3
+        with:
+          issue-number: ${{ steps.get-pr-number.outputs.pr_number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: 'comment-tag: [cargo-vet]'
+
+      - name: 'Get comment ID'
+        id: get-comment-id
+        if: ${{ steps.find-comment.outputs.comment-id != '' }}
+        run: echo "comment-id=${{ steps.find-comment.outputs.comment-id }}" >> $GITHUB_OUTPUT
+
+  post-comment-failure:
+    # This job runs when the cargo-vet job fails
+    # It will download the artifact from the failed job and post a comment on the PR
+    runs-on: ubuntu-latest
+    needs: find-pr-comment
+    if: github.event.workflow_run.conclusion == 'failure'
+    steps:
+      - name: 'Comment on PR - Failure'
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          comment-id: ${{ needs.find-pr-comment.outputs.comment-id }}
+          issue-number: ${{ needs.find-pr-comment.outputs.pr-number }}
+          body: |
+            # Cargo Vet Audit Failed
+
+            `cargo vet` has failed in this PR. Please run `cargo vet --locked` locally to check for new or updated unvetted dependencies.
+            Details about the vetting process can be found in [supply-chain/README.md](../blob/main/supply-chain/README.md)
+                      
+            ## If the unvetted dependencies are not needed
+            Please modify Cargo.toml file to avoid including the dependencies.
+                      
+            ## If the unvetted dependencies are needed
+            Post a new comment with the questionnaire below to the PR to help the auditors vet the dependencies.
+            After the auditors have vetted the dependencies, the PR will need to be rebased to pick up the new audits and pass this check.
+                      
+            ### Copy and paste the questionnaire as a new comment and provide your answers:
+                
+            **1. What crates (with version) need to be audited?**
+                
+            **2. How many of the crates are version updates vs new dependencies?**
+                
+            **3. To confirm none of the already included crates serve your needs, please provide a brief description of the purpose of the new crates.**
+                
+            **4. Any extra notes to the auditors to help with their audits.**
+            
+            <!--
+            This comment is auto-generated by the cargo-vet workflow.
+            Please do not edit it directly.
+            
+            comment-tag: [cargo-vet]
+            -->
+          edit-mode: replace
+
+      - name: 'Label PR'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.addLabels({
+              issue_number: ${{ needs.find-pr-comment.outputs.pr-number }},
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: ['cargo vet']
+            })
+  
+  post-comment-success:
+    # This job runs when the cargo-vet job succeeds
+    # It will update the comment on the PR with a success message
+    runs-on: ubuntu-latest
+    needs: find-pr-comment
+    if: github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: 'Comment on PR - Success'
+        # Only update the comment if it exists
+        # This is to avoid creating a new comment if the cargo-vet job has never failed before
+        if: ${{ needs.find-pr-comment.outputs.comment-id }}
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          comment-id: ${{ needs.find-pr-comment.outputs.comment-id }}
+          issue-number: ${{ needs.find-pr-comment.outputs.pr-number }}
+          body: |
+            # Cargo Vet Audit Passed
+            `cargo vet` has passed in this PR. No new unvetted dependencies were found.
+
+            <!--
+            This comment is auto-generated by the cargo-vet workflow.
+            Please do not edit it directly.
+            
+            comment-tag: [cargo-vet]
+            -->
+          edit-mode: replace
\ No newline at end of file
diff --git a/.github/workflows/cargo-vet.yml b/.github/workflows/cargo-vet.yml
new file mode 100644
index 000000000..864c138e9
--- /dev/null
+++ b/.github/workflows/cargo-vet.yml
@@ -0,0 +1,53 @@
+# This workflow runs whenever a PR is opened or updated. It runs cargo vet to check for unvetted dependencies in the Cargo.lock file.
+permissions:
+  contents: read
+on:
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+name: cargo-vet
+jobs:
+  vet:
+    # cargo-vet checks for unvetted dependencies in the Cargo.lock file
+    # This is to ensure that new dependencies are vetted before they are added to the project
+    name: vet-dependencies
+    runs-on: ubuntu-latest
+    env:
+      CARGO_VET_VERSION: 0.10.1
+    
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        submodules: true
+  
+    - uses: actions/cache@v4
+      with:
+        path: ${{ runner.tool_cache }}/cargo-vet
+        key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }}
+  
+    - name: Add the tool cache directory to the search path
+      run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
+  
+    - name: Ensure that the tool cache is populated with the cargo-vet binary
+      run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet
+  
+    - name: Invoke cargo-vet
+      run: cargo vet --locked
+    
+    - name: Save PR number
+    # PR number is saved as an artifact so it can be used to determine the PR to comment on by the vet-pr-comment workflow
+    # vet-pr-comment workflow is triggered by the workflow_run event so it runs in the context of the base branch and not the PR branch
+      if: ${{ failure() }} || ${{ success() }}
+      run: |
+        mkdir -p ./pr
+        echo ${{ github.event.number }} > ./pr/NR
+    - uses: actions/upload-artifact@v4
+    # Need to upload the artifact in both success and failure cases so comment can be updated in either case
+      if: ${{ failure() }} || ${{ success() }}
+      with:
+        name: pr
+        path: pr/
+        overwrite: true
\ No newline at end of file
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
new file mode 100644
index 000000000..9bf402d61
--- /dev/null
+++ b/.github/workflows/check.yml
@@ -0,0 +1,169 @@
+# This workflow runs whenever a PR is opened or updated, or a commit is pushed to main. It runs
+# several checks:
+# - commit_list: produces a list of commits to be checked
+# - fmt: checks that the code is formatted according to rustfmt
+# - clippy: checks that the code does not contain any clippy warnings
+# - doc: checks that the code can be documented without errors
+# - hack: check combinations of feature flags
+# - msrv: check that the msrv specified in the crate is correct
+permissions:
+  contents: read
+# This configuration allows maintainers of this repo to create a branch and pull request based on
+# the new branch. Restricting the push trigger to the main branch ensures that the PR only gets
+# built once.
+on:
+  push:
+    branches: [main]
+  pull_request:
+# If new code is pushed to a PR branch, then cancel in progress workflows for that PR. Ensures that
+# we don't waste CI time, and returns results quicker https://github.com/jonhoo/rust-ci-conf/pull/5
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+name: check
+jobs:
+  fmt:
+    runs-on: ubuntu-latest
+    name: stable / fmt
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Install stable
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt
+      - name: cargo fmt --check
+        run: cargo fmt --check
+
+  clippy:
+    runs-on: ubuntu-latest
+    name: ${{ matrix.toolchain }} / clippy
+    permissions:
+      contents: read
+      checks: write
+    strategy:
+      fail-fast: false
+      matrix:
+        # Get early warning of new lints which are regularly introduced in beta channels.
+        toolchain: [stable, beta]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Install ${{ matrix.toolchain }}
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.toolchain }}
+          components: clippy
+      - name: cargo clippy
+        uses: giraffate/clippy-action@v1
+        with:
+          reporter: 'github-pr-check'
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  # Enable once we have a released crate
+  # semver:
+  #   runs-on: ubuntu-latest
+  #   name: semver
+  #   strategy:
+  #     fail-fast: false
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #       with:
+  #         submodules: true
+  #     - name: Install stable
+  #       uses: dtolnay/rust-toolchain@stable
+  #       with:
+  #         components: rustfmt
+  #     - name: cargo-semver-checks
+  #       uses: obi1kenobi/cargo-semver-checks-action@v2
+
+  doc:
+    # run docs generation on nightly rather than stable. This enables features like
+    # https://doc.rust-lang.org/beta/unstable-book/language-features/doc-cfg.html which allows an
+    # API be documented as only available in some specific platforms.
+    runs-on: ubuntu-latest
+    name: nightly / doc
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Install nightly
+        uses: dtolnay/rust-toolchain@nightly
+      - name: cargo doc
+        run: cargo doc --no-deps --all-features
+        env:
+          RUSTDOCFLAGS: --cfg docsrs
+
+  hack:
+    # cargo-hack checks combinations of feature flags to ensure that features are all additive
+    # which is required for feature unification
+    runs-on: ubuntu-latest
+    name: ubuntu / stable / features
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Install stable
+        uses: dtolnay/rust-toolchain@stable
+      - name: cargo install cargo-hack
+        uses: taiki-e/install-action@cargo-hack
+      # intentionally no target specifier; see https://github.com/jonhoo/rust-ci-conf/pull/4
+      # --feature-powerset runs for every combination of features
+      - name: cargo hack
+        run: cargo hack --feature-powerset check
+
+  deny:
+    # cargo-deny checks licenses, advisories, sources, and bans for
+    # our dependencies.
+    runs-on: ubuntu-latest
+    name: ubuntu / stable / deny
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Install stable
+        uses: dtolnay/rust-toolchain@stable
+      - name: cargo install cargo-deny
+        uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          log-level: warn
+          manifest-path: ./Cargo.toml
+          command: check
+          arguments: --all-features
+
+  test:
+    runs-on: ubuntu-latest
+    name: ubuntu / stable / test
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Install stable
+        uses: dtolnay/rust-toolchain@stable
+      - name: cargo install cargo-hack
+        uses: taiki-e/install-action@cargo-hack
+      - name: cargo test
+        run: cargo hack --feature-powerset test
+
+  msrv:
+    # check that we can build using the minimal rust version that is specified by this crate
+    runs-on: ubuntu-latest
+    # we use a matrix here just because env can't be used in job names
+    # https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
+    strategy:
+      fail-fast: false
+      matrix:
+        msrv: ["1.85"]
+    name: ubuntu / ${{ matrix.msrv }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Install ${{ matrix.msrv }}
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: ${{ matrix.msrv }}
+      - name: cargo +${{ matrix.msrv }} check
+        run: cargo check
diff --git a/.github/workflows/nostd.yml b/.github/workflows/nostd.yml
new file mode 100644
index 000000000..532235851
--- /dev/null
+++ b/.github/workflows/nostd.yml
@@ -0,0 +1,30 @@
+# This workflow checks whether the library is able to run without the std library (e.g., embedded).
+# This entire file should be removed if this crate does not support no-std. See check.yml for
+# information about how the concurrency cancellation and workflow triggering works
+permissions:
+  contents: read
+on:
+  push:
+    branches: [main]
+  pull_request:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+name: no-std
+jobs:
+  nostd:
+    runs-on: ubuntu-latest
+    name: ${{ matrix.target }}
+    strategy:
+      matrix:
+        target: [thumbv8m.main-none-eabihf]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+      - name: Install stable
+        uses: dtolnay/rust-toolchain@stable
+      - name: rustup target add ${{ matrix.target }}
+        run: rustup target add ${{ matrix.target }}
+      - name: cargo check
+        run: cargo check --target ${{ matrix.target }}