ci: pin actions to commit SHAs + add explicit permissions #51
| name: CI | ||
| on: | ||
| push: | ||
| branches: [main, feat/**] | ||
| pull_request: | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
| permissions: {} | ||
| jobs: | ||
| ci: | ||
| uses: sebastienrousseau/pipelines/.github/workflows/rust-ci.yml@main | ||
| with: | ||
| rust-version: 'stable' | ||
| run-coverage: true | ||
| secrets: | ||
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | ||
| security: | ||
| uses: sebastienrousseau/pipelines/.github/workflows/security.yml@main | ||
| with: | ||
| language: rust | ||
| docs: | ||
| if: github.ref == 'refs/heads/main' | ||
| uses: sebastienrousseau/pipelines/.github/workflows/docs.yml@main | ||
| with: | ||
| type: rust | ||
| redirect-crate: hsh | ||
| feature-checks: | ||
| name: Feature permutations (cargo-hack) | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
| with: | ||
| persist-credentials: false | ||
| - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master | ||
| with: | ||
| toolchain: stable | ||
| - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 | ||
| - name: Install cargo-hack | ||
| uses: taiki-e/install-action@213ccc1a076163c093f914550b94feb90fab916d # v2.79.2 | ||
| with: | ||
| tool: cargo-hack | ||
| - name: Check feature powerset (excl. hsh-digest) | ||
| # `--no-dev-deps` skips features that only exist for dev to keep | ||
| # the matrix size sane; `--exclude-features` skips the FIPS marker | ||
| # since enabling it without a real backend changes no behaviour. | ||
| run: cargo hack check --workspace --exclude hsh-digest --feature-powerset --no-dev-deps --exclude-features fips | ||
| - name: Check feature powerset (hsh-digest, at-least-one algorithm) | ||
| # hsh-digest requires at least one of sha2/sha3/blake3 — the | ||
| # empty feature set is rejected by a `compile_error!`. | ||
| run: cargo hack check -p hsh-digest --feature-powerset --no-dev-deps --at-least-one-of sha2,sha3,blake3 | ||
| public-api: | ||
| name: Public API diff vs main | ||
| if: github.event_name == 'pull_request' | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
| with: | ||
| fetch-depth: 0 | ||
| persist-credentials: false | ||
| - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master | ||
| with: | ||
| toolchain: nightly | ||
| - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 | ||
| - name: Install cargo-public-api | ||
| uses: taiki-e/install-action@213ccc1a076163c093f914550b94feb90fab916d # v2.79.2 | ||
| with: | ||
| tool: cargo-public-api | ||
| - name: Diff public API | ||
| # Advisory only — flags additions/removals for reviewer attention. | ||
| # A breaking removal must be paired with a semver-major intent | ||
| # per doc/API-STABILITY.md. | ||
| run: | | ||
| cargo public-api --diff-git-checkouts origin/main HEAD --simplified -p hsh || true | ||
| cargo public-api --diff-git-checkouts origin/main HEAD --simplified -p hsh-kms || true | ||
| cargo public-api --diff-git-checkouts origin/main HEAD --simplified -p hsh-digest || true | ||
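Review bot: The three reusable-workflow references in the `ci`, `security` and `docs` jobs still use the mutable `@main` ref (`sebastienrousseau/pipelines/.github/workflows/rust-ci.yml@main`, `security.yml@main`, `docs.yml@main`), while every step-level action in `feature-checks` and `public-api` is pinned to a full commit SHA with a version comment, so the commit's stated goal of pinning is only half met: a push to that branch of the pipelines repo changes what runs here and what the `CODECOV_TOKEN` secret is handed to. Pin them the same way, e.g. `uses: sebastienrousseau/pipelines/.github/workflows/rust-ci.yml@<commit-sha> # main`, and let the same SHA-update automation that tracks the step actions bump them. Separately, with workflow-level `permissions: {}` and no job-level `permissions` on `ci`, `security` and `docs`, the called workflows receive an empty token scope and cannot grant themselves more than the caller allows; whether that breaks them depends on the callees, which are not on this page, so confirm each one's needs and declare only those at job level (e.g. `permissions:` / `contents: read` under the `ci` job). The "Check failure on line 14" annotation points at the `ci:` job line, which may be this same issue.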