From 47e383545f4aac3bfaec0563429cc721540e665a Mon Sep 17 00:00:00 2001 From: Jeff Glaum Date: Mon, 8 Sep 2025 15:15:38 -0700 Subject: Initial commit --- .github/workflows/cargo-vet-pr-comment.yml | 137 +++++++++++++++++++++++ .github/workflows/cargo-vet.yml | 53 +++++++++ .github/workflows/check.yml | 169 +++++++++++++++++++++++++++++ .github/workflows/nostd.yml | 30 +++++ 4 files changed, 389 insertions(+) create mode 100644 .github/workflows/cargo-vet-pr-comment.yml create mode 100644 .github/workflows/cargo-vet.yml create mode 100644 .github/workflows/check.yml create mode 100644 .github/workflows/nostd.yml (limited to '.github/workflows') diff --git a/.github/workflows/cargo-vet-pr-comment.yml b/.github/workflows/cargo-vet-pr-comment.yml new file mode 100644 index 000000000..dd8ef37a6 --- /dev/null +++ b/.github/workflows/cargo-vet-pr-comment.yml 
@@ -0,0 +1,137 @@ +# This workflow triggers after cargo-vet workflow has run. +# It adds a comment to the PR with the results of the cargo vet run. +# It first adds a comment if the cargo vet run fails, +# and updates the comment if the cargo vet run succeeds after having failed at least once. + +name: Cargo vet PR comment + +on: + workflow_run: + workflows: [cargo-vet] + types: + - completed + +permissions: + contents: read + pull-requests: write + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + + find-pr-comment: + # This job runs when the cargo-vet job fails or succeeds + # It will download the artifact from the failed job and post a comment on the PR + runs-on: ubuntu-latest + outputs: + comment-id: ${{ steps.get-comment-id.outputs.comment-id }} + pr-number: ${{ steps.get-pr-number.outputs.pr_number }} + if: github.event.workflow_run.event == 'pull_request' + steps: + - name: 'Download artifact' + uses: actions/download-artifact@v4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + name: pr + path: pr/ + run-id: ${{ github.event.workflow_run.id }} + + - name: 'Get PR number' + id: get-pr-number + run: echo "pr_number=$(cat ./pr/NR)" >> $GITHUB_OUTPUT + + - name: 'Find existing comment' + id: find-comment + uses: peter-evans/find-comment@v3 + with: + issue-number: ${{ steps.get-pr-number.outputs.pr_number }} + comment-author: 'github-actions[bot]' + body-includes: 'comment-tag: [cargo-vet]' + + - name: 'Get comment ID' + id: get-comment-id + if: ${{ steps.find-comment.outputs.comment-id != '' }} + run: echo "comment-id=${{ steps.find-comment.outputs.comment-id }}" >> $GITHUB_OUTPUT + + post-comment-failure: + # This job runs when the cargo-vet job fails + # It will download the artifact from the failed job and post a comment on the PR + runs-on: ubuntu-latest + needs: find-pr-comment + if: github.event.workflow_run.conclusion == 'failure' + steps: + - name: 'Comment on PR - Failure' + 
uses: peter-evans/create-or-update-comment@v4 + with: + comment-id: ${{ needs.find-pr-comment.outputs.comment-id }} + issue-number: ${{ needs.find-pr-comment.outputs.pr-number }} + body: | + # Cargo Vet Audit Failed + + `cargo vet` has failed in this PR. Please run `cargo vet --locked` locally to check for new or updated unvetted dependencies. + Details about the vetting process can be found in [supply-chain/README.md](../blob/main/supply-chain/README.md) + + ## If the unvetted dependencies are not needed + Please modify Cargo.toml file to avoid including the dependencies. + + ## If the unvetted dependencies are needed + Post a new comment with the questionnaire below to the PR to help the auditors vet the dependencies. + After the auditors have vetted the dependencies, the PR will need to be rebased to pick up the new audits and pass this check. + + ### Copy and paste the questionnaire as a new comment and provide your answers: + + **1. What crates (with version) need to be audited?** + + **2. How many of the crates are version updates vs new dependencies?** + + **3. To confirm none of the already included crates serve your needs, please provide a brief description of the purpose of the new crates.** + + **4. 
Any extra notes to the auditors to help with their audits.** + + + edit-mode: replace + + - name: 'Label PR' + uses: actions/github-script@v7 + with: + script: | + github.rest.issues.addLabels({ + issue_number: ${{ needs.find-pr-comment.outputs.pr-number }}, + owner: context.repo.owner, + repo: context.repo.repo, + labels: ['cargo vet'] + }) + + post-comment-success: + # This job runs when the cargo-vet job succeeds + # It will update the comment on the PR with a success message + runs-on: ubuntu-latest + needs: find-pr-comment + if: github.event.workflow_run.conclusion == 'success' + steps: + - name: 'Comment on PR - Success' + # Only update the comment if it exists + # This is to avoid creating a new comment if the cargo-vet job has never failed before + if: ${{ needs.find-pr-comment.outputs.comment-id }} + uses: peter-evans/create-or-update-comment@v4 + with: + comment-id: ${{ needs.find-pr-comment.outputs.comment-id }} + issue-number: ${{ needs.find-pr-comment.outputs.pr-number }} + body: | + # Cargo Vet Audit Passed + `cargo vet` has passed in this PR. No new unvetted dependencies were found. + + + edit-mode: replace \ No newline at end of file diff --git a/.github/workflows/cargo-vet.yml b/.github/workflows/cargo-vet.yml new file mode 100644 index 000000000..864c138e9 --- /dev/null +++ b/.github/workflows/cargo-vet.yml 
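Review bot: `echo "pr_number=$(cat ./pr/NR)" >> $GITHUB_OUTPUT` in find-pr-comment writes the contents of an artifact produced by the unprivileged `pull_request` run straight into `$GITHUB_OUTPUT`, while this `workflow_run` workflow holds `pull-requests: write`; the same unvalidated value is then expanded directly into the `actions/github-script` source in post-comment-failure (`issue_number: ${{ needs.find-pr-comment.outputs.pr-number }}`), so a malformed artifact can set extra outputs or alter the script that runs with the write token. Validate the file before using it, e.g. `nr=$(cat ./pr/NR); [[ "$nr" =~ ^[0-9]+$ ]] || exit 1; echo "pr_number=$nr" >> "$GITHUB_OUTPUT"`, and hand the number to github-script through an `env:` entry read as `process.env.PR_NUMBER` instead of inline `${{ }}` expansion. I would also add a comment on the download step saying that `pr/NR` is untrusted input from the PR run, since the reason for the validation is not obvious from the YAML alone.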
@@ -0,0 +1,53 @@
+# This workflow runs whenever a PR is opened or updated. It runs cargo vet to check for unvetted dependencies in the Cargo.lock file.
+permissions:
+ contents: read
+on:
+ pull_request:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+name: cargo-vet
+jobs:
+ vet:
+ # cargo-vet checks for unvetted dependencies in the Cargo.lock file
+ # This is to ensure that new dependencies are vetted before they are added to the project
+ name: vet-dependencies
+ runs-on: ubuntu-latest
+ env:
+ CARGO_VET_VERSION: 0.10.1
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: true
+
+ - uses: actions/cache@v4
+ with:
+ path: ${{ runner.tool_cache }}/cargo-vet
+ key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }}
+
+ - name: Add the tool cache directory to the search path
+ run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
+
+ - name: Ensure that the tool cache is populated with the cargo-vet binary
+ run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet
+
+ - name: Invoke cargo-vet
+ run: cargo vet --locked
+
+ - name: Save PR number
+ # PR number is saved as an artifact so it can be used to determine the PR to comment on by the vet-pr-comment workflow
+ # vet-pr-comment workflow is triggered by the workflow_run event so it runs in the context of the base branch and not the PR branch
+ if: ${{ failure() }} || ${{ success() }}
+ run: |
+ mkdir -p ./pr
+ echo ${{ github.event.number }} > ./pr/NR
+ - uses: actions/upload-artifact@v4
+ # Need to upload the artifact in both success and failure cases so comment can be updated in either case
+ if: ${{ failure() }} || ${{ success() }}
+ with:
+ name: pr
+ path: pr/
+ overwrite: true
\ No newline at end of file
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
new file mode 100644
index 000000000..9bf402d61
--- /dev/null
+++ b/.github/workflows/check.yml
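Review bot: `if: ${{ failure() }} || ${{ success() }}` on the "Save PR number" step and again on the upload-artifact step is two separate expansions glued together with a literal `||`, not one expression; it presumably only behaves as intended because the expanded string is non-empty and therefore truthy. Write it as a single expression, `if: ${{ success() || failure() }}`, in both places. Because `pr/NR` is read by a privileged `workflow_run` workflow, I would also extend the existing comment on that step with `# NOTE: this file is produced in the untrusted PR context; the consuming workflow must validate it before use`, so the trust boundary is visible where the artifact is created.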
@@ -0,0 +1,169 @@ +# This workflow runs whenever a PR is opened or updated, or a commit is pushed to main. It runs +# several checks: +# - commit_list: produces a list of commits to be checked +# - fmt: checks that the code is formatted according to rustfmt +# - clippy: checks that the code does not contain any clippy warnings +# - doc: checks that the code can be documented without errors +# - hack: check combinations of feature flags +# - msrv: check that the msrv specified in the crate is correct +permissions: + contents: read +# This configuration allows maintainers of this repo to create a branch and pull request based on +# the new branch. Restricting the push trigger to the main branch ensures that the PR only gets +# built once. +on: + push: + branches: [main] + pull_request: +# If new code is pushed to a PR branch, then cancel in progress workflows for that PR. Ensures that +# we don't waste CI time, and returns results quicker https://github.com/jonhoo/rust-ci-conf/pull/5 +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true +name: check +jobs: + fmt: + runs-on: ubuntu-latest + name: stable / fmt + steps: + - uses: actions/checkout@v4 + with: + submodules: true + - name: Install stable + uses: dtolnay/rust-toolchain@stable + with: + components: rustfmt + - name: cargo fmt --check + run: cargo fmt --check + + clippy: + runs-on: ubuntu-latest + name: ${{ matrix.toolchain }} / clippy + permissions: + contents: read + checks: write + strategy: + fail-fast: false + matrix: + # Get early warning of new lints which are regularly introduced in beta channels. 
+ toolchain: [stable, beta] + steps: + - uses: actions/checkout@v4 + with: + submodules: true + - name: Install ${{ matrix.toolchain }} + uses: dtolnay/rust-toolchain@master + with: + toolchain: ${{ matrix.toolchain }} + components: clippy + - name: cargo clippy + uses: giraffate/clippy-action@v1 + with: + reporter: 'github-pr-check' + github_token: ${{ secrets.GITHUB_TOKEN }} + + # Enable once we have a released crate + # semver: + # runs-on: ubuntu-latest + # name: semver + # strategy: + # fail-fast: false + # steps: + # - uses: actions/checkout@v4 + # with: + # submodules: true + # - name: Install stable + # uses: dtolnay/rust-toolchain@stable + # with: + # components: rustfmt + # - name: cargo-semver-checks + # uses: obi1kenobi/cargo-semver-checks-action@v2 + + doc: + # run docs generation on nightly rather than stable. This enables features like + # https://doc.rust-lang.org/beta/unstable-book/language-features/doc-cfg.html which allows an + # API be documented as only available in some specific platforms. 
+ runs-on: ubuntu-latest + name: nightly / doc + steps: + - uses: actions/checkout@v4 + with: + submodules: true + - name: Install nightly + uses: dtolnay/rust-toolchain@nightly + - name: cargo doc + run: cargo doc --no-deps --all-features + env: + RUSTDOCFLAGS: --cfg docsrs + + hack: + # cargo-hack checks combinations of feature flags to ensure that features are all additive + # which is required for feature unification + runs-on: ubuntu-latest + name: ubuntu / stable / features + steps: + - uses: actions/checkout@v4 + with: + submodules: true + - name: Install stable + uses: dtolnay/rust-toolchain@stable + - name: cargo install cargo-hack + uses: taiki-e/install-action@cargo-hack + # intentionally no target specifier; see https://github.com/jonhoo/rust-ci-conf/pull/4 + # --feature-powerset runs for every combination of features + - name: cargo hack + run: cargo hack --feature-powerset check + + deny: + # cargo-deny checks licenses, advisories, sources, and bans for + # our dependencies. 
+ runs-on: ubuntu-latest + name: ubuntu / stable / deny + steps: + - uses: actions/checkout@v4 + with: + submodules: true + - name: Install stable + uses: dtolnay/rust-toolchain@stable + - name: cargo install cargo-deny + uses: EmbarkStudios/cargo-deny-action@v2 + with: + log-level: warn + manifest-path: ./Cargo.toml + command: check + arguments: --all-features + + test: + runs-on: ubuntu-latest + name: ubuntu / stable / test + steps: + - uses: actions/checkout@v4 + with: + submodules: true + - name: Install stable + uses: dtolnay/rust-toolchain@stable + - name: cargo install cargo-hack + uses: taiki-e/install-action@cargo-hack + - name: cargo test + run: cargo hack --feature-powerset test + + msrv: + # check that we can build using the minimal rust version that is specified by this crate + runs-on: ubuntu-latest + # we use a matrix here just because env can't be used in job names + # https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + strategy: + fail-fast: false + matrix: + msrv: ["1.85"] + name: ubuntu / ${{ matrix.msrv }} + steps: + - uses: actions/checkout@v4 + with: + submodules: true + - name: Install ${{ matrix.msrv }} + uses: dtolnay/rust-toolchain@master + with: + toolchain: ${{ matrix.msrv }} + - name: cargo +${{ matrix.msrv }} check + run: cargo check diff --git a/.github/workflows/nostd.yml b/.github/workflows/nostd.yml new file mode 100644 index 000000000..532235851 --- /dev/null +++ b/.github/workflows/nostd.yml 
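Review bot: `uses: dtolnay/rust-toolchain@master` in the clippy and msrv jobs references a moving branch, so the action code run against the checkout changes whenever upstream master does; pin it to a full commit SHA with the version in a trailing comment (the action's README uses `@master` together with an explicit `toolchain:` input, so a SHA pin rather than a tag is the fix). The same supply-chain consideration applies, to a lesser degree, to every tag-pinned `uses:` in this file and in cargo-vet.yml, cargo-vet-pr-comment.yml and nostd.yml, and Dependabot's `github-actions` ecosystem can keep such pins current. Separately, the header comment does not match the jobs below it: it lists a `commit_list` job that does not exist and omits `deny` and `test`; update the list to `fmt, clippy, doc, hack, deny, test, msrv`.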
@@ -0,0 +1,30 @@
+# This workflow checks whether the library is able to run without the std library (e.g., embedded).
+# This entire file should be removed if this crate does not support no-std. See check.yml for
+# information about how the concurrency cancellation and workflow triggering works
+permissions:
+ contents: read
+on:
+ push:
+ branches: [main]
+ pull_request:
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+name: no-std
+jobs:
+ nostd:
+ runs-on: ubuntu-latest
+ name: ${{ matrix.target }}
+ strategy:
+ matrix:
+ target: [thumbv8m.main-none-eabihf]
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: true
+ - name: Install stable
+ uses: dtolnay/rust-toolchain@stable
+ - name: rustup target add ${{ matrix.target }}
+ run: rustup target add ${{ matrix.target }}
+ - name: cargo check
+ run: cargo check --target ${{ matrix.target }} -- cgit