diff --git a/.github/renovate.json5 b/.github/renovate.json5 index cc1fefc..c02c2a6 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -1,4 +1,5 @@ { + extends: ["helpers:pinGitHubActionDigests"], schedule: [ 'before 5am on the first day of the month', ], @@ -64,12 +65,23 @@ matchDepNames: [ 'prek', ], - extractVersion: '^(?\\d+\\.\\d+\\.\\d+)', + extractVersion: '^v(?\\d+\\.\\d+\\.\\d+)', schedule: [ '* * * * *', ], automerge: true, }, + { + matchManagers: [ + 'github-actions', + ], + matchUpdateTypes: [ + 'minor', + 'patch', + ], + automerge: true, + groupName: 'compatible (actions)', + }, // Goals: // - Keep version reqs low, ignoring compatible normal/build dependencies // - Take advantage of latest dev-dependencies diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 7446e08..8158c03 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -1,13 +1,10 @@ -name: Security audit +name: Audit permissions: contents: read on: pull_request: - paths: - - '**/Cargo.toml' - - '**/Cargo.lock' push: branches: - main 
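Review bot: In `.github/renovate.json5`, the new `github-actions` package rule sets `automerge: true` for `minor` and `patch` updates, so a freshly published upstream release is re-pinned to its new digest without review, which gives up much of what `helpers:pinGitHubActionDigests` buys. The monthly `schedule` at the top of the file delays most updates only incidentally; a release tagged shortly before the window opens would still merge. Consider adding a cool-down to the rule, for example `minimumReleaseAge: '7 days'` (value constructed for illustration). A comment above the rule saying that action updates merge unreviewed once CI passes would also help.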
@@ -22,19 +19,38 @@ concurrency: cancel-in-progress: true jobs: - security_audit: + audit: + permissions: + contents: none + name: Audit + needs: [advisories, cargo_deny, actions] + runs-on: ubuntu-latest + if: "always()" + steps: + - name: Failed + run: exit 1 + if: "contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')" + advisories: permissions: issues: write # to create issues (actions-rs/audit-check) checks: write # to create check (actions-rs/audit-check) runs-on: ubuntu-latest # Prevent sudden announcement of a new advisory from failing ci: continue-on-error: true + strategy: + matrix: + checks: + - advisories steps: - name: Checkout repository - uses: actions/checkout@v6 - - uses: actions-rs/audit-check@v1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Lint advisories + uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15 with: - token: ${{ secrets.GITHUB_TOKEN }} + command: check ${{ matrix.checks }} + rust-version: stable cargo_deny: permissions: 
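Review bot: The `advisories` job in `.github/workflows/audit.yml` still grants `issues: write` and `checks: write`, and both trailing comments name `actions-rs/audit-check`, which this hunk replaces with `EmbarkStudios/cargo-deny-action`. As far as the visible steps show, the job now only checks out the repository and runs `check ${{ matrix.checks }}`, so neither write scope looks needed. Confirm this and reduce the block to `permissions:` with `contents: read`. If the scopes must stay for a reason not visible here, update the two comments to name the step that uses them.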
@@ -46,8 +62,26 @@ jobs: checks: - bans licenses sources steps: - - uses: actions/checkout@v6 - - uses: EmbarkStudios/cargo-deny-action@v2 + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Lint bans + uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15 with: command: check ${{ matrix.checks }} rust-version: stable + + actions: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read # only needed for private or internal repos + actions: read # only needed for private or internal repos + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e0b7606..2f8fbb3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,13 +43,19 @@ jobs: CARGO_PROFILE_DEV_DEBUG: line-tables-only steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: ${{ matrix.rust }} - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@cargo-hack + - name: Initialize cache + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 + - name: Install cargo-hack + uses: taiki-e/install-action@97a5807a604e12de3a13b52d868ebecaeeea757c # v2.75.4 + with: + tool: cargo-hack - name: Build run: cargo test --workspace --no-run - name: Test 
@@ -62,13 +68,19 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: stable - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@cargo-hack + - name: Initialize cache + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 + - name: Install cargo-hack + uses: taiki-e/install-action@97a5807a604e12de3a13b52d868ebecaeeea757c # v2.75.4 + with: + tool: cargo-hack - name: Default features run: cargo hack check --each-feature --locked --rust-version --ignore-private --workspace --all-targets --keep-going minimal-versions: @@ -79,13 +91,15 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install stable Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: stable - name: Install nightly Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: nightly - name: Downgrade dependencies to minimal versions 
@@ -96,12 +110,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: stable - - uses: Swatinem/rust-cache@v2 + - name: Initialize cache + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 - name: "Is lockfile updated?" run: cargo update --workspace --locked docs: @@ -109,12 +126,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: "1.95" # STABLE - - uses: Swatinem/rust-cache@v2 + - name: Initialize cache + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 - name: Check documentation env: RUSTDOCFLAGS: -D warnings @@ -124,13 +144,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: "1.95" # STABLE components: rustfmt - - uses: Swatinem/rust-cache@v2 + - name: Initialize cache + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 - name: Check formatting run: cargo fmt --check clippy: 
@@ -140,13 +163,16 @@ jobs: security-events: write # to upload sarif results steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: "1.95" # STABLE components: clippy - - uses: Swatinem/rust-cache@v2 + - name: Initialize cache + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 - name: Install SARIF tools run: cargo install clippy-sarif --locked - name: Install SARIF tools @@ -159,7 +185,7 @@ jobs: | sarif-fmt continue-on-error: true - name: Upload - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 with: sarif_file: clippy-results.sarif wait-for-processing: true @@ -170,17 +196,20 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: stable - - uses: Swatinem/rust-cache@v2 + - name: Initialize cache + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 - name: Install cargo-tarpaulin run: cargo install cargo-tarpaulin - name: Gather coverage run: cargo tarpaulin --output-dir coverage --out lcov - name: Publish to Coveralls - uses: coverallsapp/github-action@master + uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/committed.yml b/.github/workflows/committed.yml index 9138a8e..3f18252 100644 --- a/.github/workflows/committed.yml 
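Review bot: In the coverage job (hunk `-170,17`), the `coverallsapp/github-action` pin is annotated `# master`, so it is a commit of a moving branch and later digest updates will follow whatever lands on that branch rather than a published release. This step receives `secrets.GITHUB_TOKEN`, so if the action publishes release tags, prefer the commit behind one and annotate it with that tag, e.g. `# vX.Y.Z` (placeholder). The unchanged `run: cargo install cargo-tarpaulin` line in the same job is also unpinned; `cargo install cargo-tarpaulin --locked` would at least match the `clippy-sarif` install in the clippy job.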
+++ b/.github/workflows/committed.yml @@ -20,9 +20,10 @@ jobs: name: Lint Commits runs-on: ubuntu-latest steps: - - name: Checkout Actions Repository - uses: actions/checkout@v6 + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: false - name: Lint Commits - uses: crate-ci/committed@master + uses: crate-ci/committed@faeed42f2e10c244533a01525f13c4d8b6ce383f # v1.11.1 diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 1a96a38..b3d501c 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -22,7 +22,11 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: j178/prek-action@v2 + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - prek-version: '0.2.27' + persist-credentials: false + - name: prek + uses: j178/prek-action@53276d8b0d10f8b6672aa85b4588c6921d0370cc # v2.0.1 + with: + prek-version: '0.3.11' diff --git a/.github/workflows/rust-next.yml b/.github/workflows/rust-next.yml index 8e4a1e9..d749e86 100644 --- a/.github/workflows/rust-next.yml +++ b/.github/workflows/rust-next.yml 
@@ -33,13 +33,19 @@ jobs: CARGO_PROFILE_DEV_DEBUG: line-tables-only steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: ${{ matrix.rust }} - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@cargo-hack + - name: Initialize cache + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 + - name: Install cargo-hack + uses: taiki-e/install-action@97a5807a604e12de3a13b52d868ebecaeeea757c # v2.75.4 + with: + tool: cargo-hack - name: Build run: cargo test --workspace --no-run - name: Test @@ -54,13 +60,19 @@ jobs: CARGO_RESOLVER_INCOMPATIBLE_RUST_VERSIONS: allow steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: toolchain: stable - - uses: Swatinem/rust-cache@v2 - - uses: taiki-e/install-action@cargo-hack + - name: Initialize cache + uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 + - name: Install cargo-hack + uses: taiki-e/install-action@97a5807a604e12de3a13b52d868ebecaeeea757c # v2.75.4 + with: + tool: cargo-hack - name: Update dependencies run: cargo update - name: Build diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml index cf4c1bf..37a8847 100644 --- a/.github/workflows/spelling.yml +++ b/.github/workflows/spelling.yml 
@@ -20,6 +20,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Actions Repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Spell Check Repo - uses: crate-ci/typos@master + uses: crate-ci/typos@bbaefadf97b0ec5fdc942684b647f1a6ab250274 # v1.46.0 diff --git a/.github/workflows/template.yml b/.github/workflows/template.yml index 1d4fd85..0ca8d2d 100644 --- a/.github/workflows/template.yml +++ b/.github/workflows/template.yml @@ -28,12 +28,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + persist-credentials: true # to push the branch and create PR - name: Configure git run: | - git config --global user.name '${{ github.actor }}' + git config --global user.name '${GITHUB_ACTOR}' git config --global user.email '<>' - name: Fetch template run: "git remote add template ${{ env.TEMPLATE_URL }} && git fetch template ${{ env.TEMPLATE_BRANCH }}" diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000..45aa9c9 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,4 @@ +rules: + superfluous-actions: + # https://github.com/zizmorcore/zizmor/issues/1817 + disable: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bbd1af3..193a302 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -17,3 +17,7 @@ repos: rev: v1.1.11 hooks: - id: committed + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.22.0 + hooks: + - id: zizmor diff --git a/Cargo.toml b/Cargo.toml index 7955ba8..3c66400 100644 --- a/Cargo.toml +++ b/Cargo.toml 
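Review bot: In `.github/workflows/template.yml`, the replacement line `git config --global user.name '${GITHUB_ACTOR}'` keeps the single quotes, and the shell does not expand variables inside single quotes, so the committer name becomes the literal text `${GITHUB_ACTOR}`. Moving from `${{ github.actor }}` to the environment variable is the right way to keep the value out of the script text; it only needs double quotes: `git config --global user.name "${GITHUB_ACTOR}"`. The next step still interpolates `${{ env.TEMPLATE_URL }}` and `${{ env.TEMPLATE_BRANCH }}` into a `run:` string. If those are fixed workflow-level values the risk is low, but `"$TEMPLATE_URL"` and `"$TEMPLATE_BRANCH"` would be consistent with this change. The job continues outside the hunk.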
@@ -7,17 +7,20 @@ license = "MIT OR Apache-2.0" edition = "2024" rust-version = "1.85" # MSRV include = [ - "build.rs", - "src/**/*", - "Cargo.toml", - "Cargo.lock", - "LICENSE*", - "README.md", - "examples/**/*" + "/build.rs", + "/src/**/*", + "/Cargo.toml", + "/Cargo.lock", + "/LICENSE*", + "/README.md", + "/examples/**/*" ] [workspace.lints.rust] rust_2018_idioms = { level = "warn", priority = -1 } + +non_ascii_idents = "warn" +trivial_numeric_casts = "warn" unnameable_types = "warn" unreachable_pub = "warn" unsafe_op_in_unsafe_fn = "warn" @@ -26,10 +29,16 @@ unused_macro_rules = "warn" unused_qualifications = "warn" [workspace.lints.clippy] +allow_attributes_without_reason = "warn" bool_assert_comparison = "allow" branches_sharing_code = "allow" +cast_possible_truncation = "warn" +cast_possible_wrap = "warn" +cast_sign_loss = "warn" checked_conversions = "warn" collapsible_else_if = "allow" +collapsible_match = "allow" +collection_is_never_read = "warn" create_dir = "warn" dbg_macro = "warn" debug_assert_with_mut_call = "warn" @@ -42,8 +51,10 @@ explicit_into_iter_loop = "warn" fallible_impl_from = "warn" filter_map_next = "warn" flat_map_option = "warn" +float_cmp = "warn" float_cmp_const = "warn" fn_params_excessive_bools = "warn" +fn_to_numeric_cast_any = "warn" from_iter_instead_of_collect = "warn" if_same_then_else = "allow" implicit_clone = "warn" @@ -60,10 +71,12 @@ linkedlist = "warn" lossy_float_literal = "warn" macro_use_imports = "warn" mem_forget = "warn" +mismatching_type_param_order = "warn" mutex_integer = "warn" needless_continue = "allow" needless_for_each = "warn" negative_feature_names = "warn" +partial_pub_fields = "warn" path_buf_push_overwrite = "warn" ptr_as_ptr = "warn" rc_mutex = "warn" 
@@ -74,13 +87,19 @@ result_large_err = "allow" same_functions_in_if_condition = "warn" self_named_module_files = "warn" semicolon_if_nothing_returned = "warn" +should_panic_without_expect = "warn" str_to_string = "warn" string_add = "warn" string_add_assign = "warn" string_lit_as_bytes = "warn" todo = "warn" trait_duplication_in_bounds = "warn" +undocumented_unsafe_blocks = "warn" uninlined_format_args = "warn" +unnecessary_safety_comment = "warn" +unnecessary_safety_doc = "warn" +unseparated_literal_suffix = "warn" +use_self = "warn" verbose_file_reads = "warn" wildcard_imports = "warn" zero_sized_map_values = "warn" @@ -117,7 +136,7 @@ pre-release-replacements = [ {file="CHANGELOG.md", search="\\.\\.\\.HEAD", replace="...{{tag_name}}", exactly=1}, {file="CHANGELOG.md", search="ReleaseDate", replace="{{date}}", min=1}, {file="CHANGELOG.md", search="", replace="\n## [Unreleased] - ReleaseDate\n", exactly=1}, - {file="CHANGELOG.md", search="", replace="\n[Unreleased]: https://github.com/rust-cli/argfile/compare/{{tag_name}}...HEAD", exactly=1}, + {file="CHANGELOG.md", search="", replace="\n[Unreleased]: {{repository}}/compare/{{tag_name}}...HEAD", exactly=1}, ] [features] diff --git a/deny.toml b/deny.toml index 27bf59a..c617b41 100644 --- a/deny.toml +++ b/deny.toml @@ -97,6 +97,7 @@ allow = [ "OpenSSL", "Zlib", "NCSA", + "CDLA-Permissive-2.0", ] # The confidence threshold for detecting a license from license text. # The higher the value, the more closely the license text must be to the diff --git a/src/argument.rs b/src/argument.rs index 5e7a97c..5cd63c6 100644 --- a/src/argument.rs +++ b/src/argument.rs @@ -2,7 +2,7 @@ use std::ffi::{OsStr, OsString}; use std::path::PathBuf; /// An individual argument -#[allow(clippy::exhaustive_enums)] +#[allow(clippy::exhaustive_enums, reason = "no plans for expansion")] #[derive(Clone, Debug, PartialEq, Eq)] pub enum Argument { /// Literal argument to use