feat(uninstall): first-class icm uninstall with backups, dry-run, audit, check
#366
| name: CI | |
| on: | |
| pull_request: | |
| branches: [develop, main] | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| # ─── Fast gates (fail early, save CI minutes) ─── | |
| fmt: | |
| name: fmt | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: rustfmt | |
| - run: cargo fmt --all -- --check | |
| clippy: | |
| name: clippy | |
| needs: fmt | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: clippy | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo clippy --workspace --all-targets -- -D warnings | |
| # ─── Parallel gates (require code to compile) ─── | |
| test: | |
| name: test (${{ matrix.os }}) | |
| needs: clippy | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, windows-latest, macos-latest] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - run: cargo test --workspace | |
| security: | |
| name: security scan | |
| needs: clippy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Install cargo-audit | |
| run: cargo install cargo-audit | |
| - name: Cargo Audit (CVE check) | |
| run: | | |
| echo "## Security Scan Results" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "### Dependency Vulnerabilities" >> $GITHUB_STEP_SUMMARY | |
| if cargo audit 2>&1 | tee audit.log; then | |
| echo "No known vulnerabilities detected" >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "Vulnerabilities found:" >> $GITHUB_STEP_SUMMARY | |
| echo '```' >> $GITHUB_STEP_SUMMARY | |
| cat audit.log >> $GITHUB_STEP_SUMMARY | |
| echo '```' >> $GITHUB_STEP_SUMMARY | |
| echo "::warning::Dependency vulnerabilities detected — review required" | |
| fi | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| - name: New dependencies check | |
| run: | | |
| echo "### New Dependencies" >> $GITHUB_STEP_SUMMARY | |
| if git diff origin/${{ github.base_ref }}...HEAD -- '**/Cargo.toml' \ | |
| | grep -E "^\+.*=" | grep -v "^\+\+\+" > new_deps.txt; then | |
| echo "**New dependencies added:**" >> $GITHUB_STEP_SUMMARY | |
| echo '```toml' >> $GITHUB_STEP_SUMMARY | |
| cat new_deps.txt >> $GITHUB_STEP_SUMMARY | |
| echo '```' >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "**Required Actions:**" >> $GITHUB_STEP_SUMMARY | |
| echo "- [ ] Audit each new dependency on crates.io" >> $GITHUB_STEP_SUMMARY | |
| echo "- [ ] Verify maintainer reputation and download counts" >> $GITHUB_STEP_SUMMARY | |
| echo "- [ ] Check for typosquatting" >> $GITHUB_STEP_SUMMARY | |
| echo "::warning::New dependencies require supply-chain audit" | |
| else | |
| echo "No new dependencies added" >> $GITHUB_STEP_SUMMARY | |
| fi |
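Review bot: In the "Cargo Audit (CVE check)" step, `if cargo audit 2>&1 | tee audit.log; then` tests the exit status of `tee` rather than of `cargo audit`, because the step declares no `shell:` and GitHub's default in that case is `bash -e {0}` without pipefail; the summary would then say "No known vulnerabilities detected" even when the audit reports findings. Adding `set -o pipefail` as the first line of that `run:` block (or `shell: bash` on the step) makes the else branch reachable. In the "New dependencies check" step, `${{ github.base_ref }}` is expanded into the script text before the shell sees it; the `branches: [develop, main]` filter limits the value here, but passing it through `env: BASE_REF: ${{ github.base_ref }}` and using `"origin/${BASE_REF}"` keeps it out of the script source if the trigger is ever widened. The security job also runs unpinned code: `cargo install cargo-audit` has no `--locked` or version, and the actions are referenced by tag (`@v4`, `@stable`, `@v2`) rather than by commit SHA.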