chore: onboard stepsecurity and apply security best practice #40
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test | |
| on: | |
| merge_group: | |
| pull_request: | |
| push: | |
| branches: main | |
| permissions: | |
| contents: read | |
| # If new code is pushed to a PR branch, then cancel in progress workflows for that PR. | |
| # Ensures that we don't waste CI time, and returns results quicker. | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| env: | |
| CARGO_INCREMENTAL: 0 | |
| CARGO_TERM_COLOR: always | |
| CARGO_PROFILE_DEV_DEBUG: 1 | |
| CARGO_PROFILE_RELEASE_DEBUG: 1 | |
| RUST_BACKTRACE: short | |
| CARGO_NET_RETRY: 10 | |
| RUSTUP_MAX_RETRIES: 10 | |
| jobs: | |
| unit: | |
| name: Unit Tests | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Harden the runner | |
| uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 | |
| with: | |
| egress-policy: block | |
| policy: global-allowed-endpoints-policy | |
| - name: Checkout | |
| uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 | |
| - name: Install Protoc | |
| uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup Rust toolchain | |
| uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2 | |
| - name: Install cargo-nextest | |
| uses: taiki-e/install-action@93a3ae3bfd962e4d6dde57e468f29a5f2b7cb201 # cargo-nextest | |
| - name: Run tests | |
| run: | | |
| cargo nextest run \ | |
| --workspace \ | |
| --all-features \ | |
| --no-fail-fast \ | |
| --failure-output final |