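name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: no step in this workflow pushes, comments or
# publishes, so the token is read-only by default. A job that needs more (see
# security-audit) declares it at job level rather than widening it here.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

# NOTE(review): third-party actions are pinned to mutable refs (`@stable`, `@v2`,
# `@v4`). A force-pushed or compromised tag would run unreviewed code with the
# repository token; pinning each `uses:` to a full commit SHA (with the tag in a
# trailing comment) closes that. The SHAs are not reproduced here — look them up.

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # persist-credentials: false keeps GITHUB_TOKEN out of .git/config. Nothing
      # in this job pushes back, so a stored credential would only be exposure.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy, rustfmt
      - name: Cache cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ci-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ci-cargo-
      - name: Check compilation
        run: cargo check --all-targets
      # clippy and rustfmt are advisory: a failure is reported but never blocks.
      - name: Run clippy
        run: cargo clippy --all-targets -- -D warnings
        continue-on-error: true
      - name: Check formatting
        run: cargo fmt --all -- --check
        continue-on-error: true

  test:
    runs-on: ubuntu-latest
    needs: check
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
      # Same key as the check job, so a warm cache is shared between them.
      - name: Cache cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ci-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: ci-cargo-
      - name: Run tests
        run: cargo test --lib

  lint-scripts:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Check for UTF-8 BOM in JS/TS scripts
        shell: bash
        run: |
          # BOM bytes: EF BB BF — fatal in Node.js scripts (breaks shebang parsing)
          # grep is line-oriented, so '^' matches a BOM at the start of ANY line,
          # not only at byte 0 of the file. .git and build output are excluded so
          # vendored or generated files do not produce noise.
          BOM_FILES=$(grep -rlP '^\xEF\xBB\xBF' \
            --exclude-dir=.git --exclude-dir=target \
            --include='*.js' --include='*.ts' --include='*.mjs' --include='*.cjs' \
            . 2>/dev/null || true)
          if [ -n "$BOM_FILES" ]; then
            echo "ERROR: UTF-8 BOM detected in the following files:"
            echo "$BOM_FILES"
            echo ""
            echo "BOM causes Node.js SyntaxError when the file is used as a script."
            echo "Fix: save the file as UTF-8 without BOM."
            exit 1
          fi
          echo "No BOM detected in JS/TS files."
      - name: Check for UTF-8 BOM in shell scripts
        shell: bash
        run: |
          # A BOM before '#!' makes the kernel fail to recognise the shebang.
          BOM_FILES=$(grep -rlP '^\xEF\xBB\xBF' \
            --exclude-dir=.git --exclude-dir=target \
            --include='*.sh' . 2>/dev/null || true)
          if [ -n "$BOM_FILES" ]; then
            echo "ERROR: UTF-8 BOM detected in shell scripts:"
            echo "$BOM_FILES"
            exit 1
          fi
          echo "No BOM detected in shell scripts."

  security-audit:
    runs-on: ubuntu-latest
    # audit-check reports findings as a check run (pull_request) or by opening
    # issues (push), which the read-only workflow default does not allow.
    # NOTE(review): scopes taken from the action's documented behaviour — confirm
    # against the pinned version's README and drop any that are unused.
    permissions:
      contents: read
      checks: write
      issues: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      # Advisory only: a known-vulnerable dependency is reported but does not fail
      # the run. Remove continue-on-error once the advisory backlog is clean.
      - name: Check for known vulnerabilities
        uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
        continue-on-error: true

  pr-checks:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      # Full history is needed so origin/main exists for the diff below.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Check PR title format
        shell: bash
        # The PR title is attacker-controlled: anyone can open a PR from a fork.
        # It is handed to the script through the environment rather than being
        # interpolated into the script text with ${{ }}, where a title such as
        # `"; <command>; echo "` would have been executed by the runner's shell.
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          if [[ ${#TITLE} -lt 10 ]]; then
            echo "PR title too short (minimum 10 characters)"
            exit 1
          fi
          if [[ ${#TITLE} -gt 72 ]]; then
            echo "PR title too long (maximum 72 characters)"
            exit 1
          fi
      - name: Check for large files
        shell: bash
        run: |
          LARGE_FILES=$(find . -type f -size +5M -not -path './.git/*' -not -path './target/*')
          if [ -n "$LARGE_FILES" ]; then
            echo "Large files detected (>5MB):"
            echo "$LARGE_FILES"
            exit 1
          fi
      - name: Check no secrets in diff
        shell: bash
        run: |
          # Only lines ADDED by the PR are scanned ('+' prefix): removing a leaked
          # secret must not trip the check. Lockfiles are skipped as before.
          # Patterns: PEM-style "PRIVATE KEY" headers (space, '_' or '-' between
          # the words), OpenAI-style "sk-..." tokens and GitHub PATs ("ghp_...").
          # The word boundary stops "task-..." style identifiers from matching.
          ADDED=$(git diff origin/main...HEAD -- . ':!*.lock' ':!Cargo.lock' | grep -E '^\+' || true)
          if echo "$ADDED" | grep -qiE '(PRIVATE[ _-]KEY|\bsk-[a-zA-Z0-9]{20,}|\bghp_[a-zA-Z0-9]{36})' 2>/dev/null; then
            echo "Potential secrets detected in PR diff."
            exit 1
          fi
          echo "No secret patterns detected in added lines."
        # This step is deliberately blocking: with continue-on-error a hit was
        # only a log line, which defeats the purpose of a secret gate. The
        # patterns are narrow enough that a false positive is cheap to triage.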