v0.0.9 — Enterprise readiness: 4-crate workspace, multi-algo verify+rehash, KMS pepper, FIPS contract, CLI #46
| name: CI | |
| on: | |
| push: | |
| branches: [main, feat/**] | |
| pull_request: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
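Review bot: No top-level `permissions:` key is set, so every job here, including the three reusable workflows called at `@main`, runs with the repository's default `GITHUB_TOKEN` scope. Add `permissions:` with `contents: read` at workflow level and widen it only on the job that needs more.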
| jobs: | |
| ci: | |
| uses: sebastienrousseau/pipelines/.github/workflows/rust-ci.yml@main | |
| with: | |
| rust-version: 'stable' | |
| run-coverage: true | |
| secrets: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
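Review bot: The `ci` job passes `CODECOV_TOKEN` to `sebastienrousseau/pipelines/.github/workflows/rust-ci.yml@main`, a mutable branch ref, so any commit that lands on that repository's `main` runs with the secret on the next push or pull request here. Pin the reusable workflow to a full commit SHA and update it deliberately; the same applies to the `security.yml@main` and `docs.yml@main` calls in the next two jobs.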
| security: | |
| uses: sebastienrousseau/pipelines/.github/workflows/security.yml@main | |
| with: | |
| language: rust | |
| docs: | |
| if: github.ref == 'refs/heads/main' | |
| uses: sebastienrousseau/pipelines/.github/workflows/docs.yml@main | |
| with: | |
| type: rust | |
| redirect-crate: hsh | |
| feature-checks: | |
| name: Feature permutations (cargo-hack) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Install cargo-hack | |
| uses: taiki-e/install-action@v2 | |
| with: | |
| tool: cargo-hack | |
| - name: Check feature powerset (excl. hsh-digest) | |
| # `--no-dev-deps` skips features that only exist for dev to keep | |
| # the matrix size sane; `--exclude-features` skips the FIPS marker | |
| # since enabling it without a real backend changes no behaviour. | |
| run: cargo hack check --workspace --exclude hsh-digest --feature-powerset --no-dev-deps --exclude-features fips | |
| - name: Check feature powerset (hsh-digest, at-least-one algorithm) | |
| # hsh-digest requires at least one of sha2/sha3/blake3 — the | |
| # empty feature set is rejected by a `compile_error!`. | |
| run: cargo hack check -p hsh-digest --feature-powerset --no-dev-deps --at-least-one-of sha2,sha3,blake3 | |
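Review bot: With `--exclude-features fips` on the first powerset step, nothing in this job compiles the workspace with `fips` enabled, so a build break behind that feature gate would pass this check even though the marker changes no runtime behaviour. Consider one extra check step with `fips` turned on, outside the powerset, so the matrix stays small. Separately, `actions/checkout@v4`, `Swatinem/rust-cache@v2` and `taiki-e/install-action@v2` are referenced by movable tags; pinning them to commit SHAs would make the tool-install step reproducible.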
| public-api: | |
| name: Public API diff vs main | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: dtolnay/rust-toolchain@nightly | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Install cargo-public-api | |
| uses: taiki-e/install-action@v2 | |
| with: | |
| tool: cargo-public-api | |
| - name: Diff public API | |
| # Advisory only — flags additions/removals for reviewer attention. | |
| # A breaking removal must be paired with a semver-major intent | |
| # per doc/API-STABILITY.md. | |
| run: | | |
| cargo public-api --diff-git-checkouts origin/main HEAD --simplified -p hsh || true | |
| cargo public-api --diff-git-checkouts origin/main HEAD --simplified -p hsh-kms || true | |
| cargo public-api --diff-git-checkouts origin/main HEAD --simplified -p hsh-digest || true |
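Review bot: The `|| true` on each `cargo public-api` line hides every failure of the command, not only an API difference: if the tool fails to build the rustdoc JSON on the unpinned `dtolnay/rust-toolchain@nightly`, or `origin/main` cannot be checked out, the step is still green and the reviewer sees neither a diff nor an error. To keep the job advisory, put `continue-on-error: true` on the step instead, so a failed run stays visible in the checks list without blocking the merge.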