Merge pull request #35 from solisoft/task/ensure-dev-bar-appear-once #562
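name: CI

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:
    branches: [main]

# Least privilege for the default GITHUB_TOKEN: every job starts read-only.
# Only the jobs that publish (release, build-binaries, publish-release) ask
# for `contents: write` themselves, so `cargo test`, build scripts and
# proc-macros compiled from PR code in test/clippy/audit never run next to a
# write-capable token.
permissions:
  contents: read

# NOTE(review): the third-party actions below are pinned to mutable tags
# (@v4, @stable, @v3, @v6). Pinning each to a full commit SHA, with the tag
# kept as a trailing comment, removes the "retagged or compromised action"
# supply-chain risk; SHAs are not filled in here because they must be looked
# up at pin time.
env:
  CARGO_TERM_COLOR: always

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libssl-dev pkg-config
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Restore cargo cache
        uses: actions/cache/restore@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/
            ~/.cargo/git/
            target/
          key: ${{ runner.os }}-cargo-${{ github.sha }}
          # There is no cache/save step in this workflow, so an exact-SHA key
          # on its own can only hit if something else saved under it. Fall
          # back to the newest cache under the shared prefix, as the audit
          # job already does.
          restore-keys: |
            ${{ runner.os }}-cargo-
      # `--locked` fails the run instead of silently rewriting Cargo.lock, so
      # the dependency set exercised here is the committed one that the audit
      # job scans (assumes Cargo.lock is checked in, which audit relies on).
      - name: Run tests
        run: cargo test --locked
      - name: Run Soli tests
        run: cargo run --locked -- test

  clippy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install system dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libssl-dev pkg-config
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - name: Restore cargo cache
        uses: actions/cache/restore@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/
            ~/.cargo/git/
            target/
          key: ${{ runner.os }}-cargo-${{ github.sha }}
          # Same prefix fallback as the test job; see the comment there.
          restore-keys: |
            ${{ runner.os }}-cargo-
      - name: Clippy
        run: cargo clippy --locked -- -D warnings

  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt
      - name: Check formatting
        run: cargo fmt --check

  # SEC-094: scan Cargo.lock against the RustSec advisory database on every
  # push and PR. cargo-audit's default policy exits non-zero on a confirmed
  # vulnerability (failing CI); unmaintained / unsound / yanked notices are
  # printed as warnings and do not block.
  #
  # Waiving a finding: prefer bumping the affected crate. If waiting is
  # justified (no fixed version yet, transitive-only, etc.), commit a
  # `.cargo/audit.toml` with `[advisories] ignore = ["RUSTSEC-..."]` plus a
  # comment saying why and when to revisit.
  #
  # Deliberately not in `release`'s `needs`: a new advisory can land at any
  # moment and should not block an in-flight tag; it shows up on the next
  # push/PR for prompt remediation.
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Restore cargo cache
        uses: actions/cache/restore@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/
            ~/.cargo/git/
          key: ${{ runner.os }}-cargo-audit-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-cargo-audit-
            ${{ runner.os }}-cargo-
      - name: Install cargo-audit
        # `--locked` builds cargo-audit from its own published lockfile.
        run: cargo install --locked cargo-audit
      - name: Run cargo audit
        run: cargo audit

  release:
    needs: [test, clippy, fmt]
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      contents: write  # gh release create
    steps:
      - uses: actions/checkout@v4
      - name: Verify tag matches Cargo.toml version
        # Explicit `bash` gives `-o pipefail`; the default shell only sets
        # `-e`, under which a failing grep/sed would pass an empty version
        # through. `grep -m1` replaces `| head -1` so grep is never killed
        # by SIGPIPE under pipefail.
        shell: bash
        run: |
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          CARGO_VERSION=$(grep -m1 '^version' Cargo.toml | sed 's/.*"\(.*\)".*/\1/')
          if [ "$TAG_VERSION" != "$CARGO_VERSION" ]; then
            echo "::error::Tag version ($TAG_VERSION) does not match Cargo.toml version ($CARGO_VERSION)"
            exit 1
          fi
          echo "Version check passed: $TAG_VERSION"
      - name: Create GitHub Release
        env:
          GH_TOKEN: ${{ github.token }}
        # The tag reaches the shell through the runner-provided
        # GITHUB_REF_NAME variable, quoted, instead of being spliced into the
        # script text with `${{ }}` (ref names may contain shell metacharacters).
        run: gh release create "$GITHUB_REF_NAME" --draft --generate-notes

  build-binaries:
    needs: release
    strategy:
      matrix:
        include:
          - target: x86_64-unknown-linux-gnu
            os: ubuntu-latest
            artifact: soli-linux-amd64
          - target: aarch64-unknown-linux-gnu
            os: ubuntu-latest
            artifact: soli-linux-arm64
          - target: aarch64-apple-darwin
            os: macos-latest
            artifact: soli-darwin-arm64
    runs-on: ${{ matrix.os }}
    permissions:
      contents: write  # gh release upload
    # Matrix values are exposed to `run:` steps as quoted env vars rather
    # than interpolated into script text.
    env:
      TARGET: ${{ matrix.target }}
      ARTIFACT: ${{ matrix.artifact }}
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}
      - name: Install system dependencies (Linux x86_64)
        if: matrix.target == 'x86_64-unknown-linux-gnu'
        run: |
          sudo apt-get update
          sudo apt-get install -y libssl-dev pkg-config
      - name: Install cross-compilation tools (Linux ARM64)
        if: matrix.target == 'aarch64-unknown-linux-gnu'
        run: |
          sudo apt-get update
          sudo apt-get install -y gcc-aarch64-linux-gnu libssl-dev pkg-config
          sudo dpkg --add-architecture arm64
          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
          # Pin existing sources to amd64 (handles both .list and .sources formats)
          if ls /etc/apt/sources.list.d/*.list 1>/dev/null 2>&1; then
            sudo sed -i 's/^deb /deb [arch=amd64] /' /etc/apt/sources.list.d/*.list
          fi
          if ls /etc/apt/sources.list.d/*.sources 1>/dev/null 2>&1; then
            sudo sed -i '/^Types: /a Architectures: amd64' /etc/apt/sources.list.d/*.sources
          fi
          echo "deb [arch=arm64] http://ports.ubuntu.com/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/arm64.list
          echo "deb [arch=arm64] http://ports.ubuntu.com/ $(lsb_release -cs)-updates main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list.d/arm64.list
          sudo apt-get update
          sudo apt-get install -y libssl-dev:arm64
      - name: Build
        # `--locked`: ship exactly the dependency versions in the committed
        # Cargo.lock (the set the audit job scanned), never a fresh resolution.
        run: cargo build --release --locked --target "$TARGET"
        env:
          CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
          CC_aarch64_unknown_linux_gnu: aarch64-linux-gnu-gcc
          PKG_CONFIG_PATH_aarch64_unknown_linux_gnu: /usr/lib/aarch64-linux-gnu/pkgconfig
          PKG_CONFIG_ALLOW_CROSS: 1
      - name: Package binary
        # `bash` => pipefail: without it a failing `shasum` would still let
        # awk write an empty `.sha256`, and that empty file would be uploaded.
        shell: bash
        run: |
          ls -la "target/$TARGET/release/soli"
          tar -czf "$ARTIFACT.tar.gz" -C "target/$TARGET/release" soli
          # SEC-041: publish a `.sha256` sibling so `soli update` can verify
          # the downloaded tarball before extracting / chmod-ing.
          # `shasum -a 256` is portable across the matrix (macos-latest ships
          # shasum but not coreutils' `sha256sum`).
          # Caveat: a checksum served from the same release as the tarball
          # catches corruption and truncation only; whoever can replace the
          # tarball can replace the sidecar too. If `soli update` needs to
          # authenticate the publisher, a signature (cosign / GitHub artifact
          # attestations) is the next step.
          shasum -a 256 "$ARTIFACT.tar.gz" | awk '{print $1}' > "$ARTIFACT.tar.gz.sha256"
      - name: Upload to release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release upload --clobber "$GITHUB_REF_NAME" "$ARTIFACT.tar.gz"
          gh release upload --clobber "$GITHUB_REF_NAME" "$ARTIFACT.tar.gz.sha256"

  publish-release:
    needs: [build-binaries]
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      contents: write  # gh release edit
    steps:
      - uses: actions/checkout@v4
      - name: Publish release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release edit "$GITHUB_REF_NAME" --draft=false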
| docker: | |
| needs: publish-release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GHCR | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: true | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| tags: | | |
| ghcr.io/${{ github.repository }}:${{ github.ref_name }} | |
| ghcr.io/${{ github.repository }}:latest |