mirror of
https://github.com/telemt/telemt.git
synced 2026-06-19 02:00:08 +07:00
2bd9036908
- Add deny.toml with license/advisory policy for cargo-deny - Add security.yml GitHub Actions workflow for automated audit - Update rust.yml with hardened clippy lint enforcement - Update Cargo.toml/Cargo.lock with audit-related dependency additions - Fix clippy lint placement in config.toml (Clippy lints must not live in rustflags) Part of PR-SEC-1: no Rust source changes, establishes CI gates for all subsequent PRs.
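# CI workflow: builds the workspace in release mode, runs the tests, checks
# that the benches compile, and runs clippy's correctness lints.
name: Rust

on:
  # NOTE(review): in GitHub's filter syntax "*" does not match "/", so refs
  # such as "feature/x" are not covered by these filters; "**" would match
  # every branch. Confirm which is intended.
  push:
    branches: ["*"]
  pull_request:
    branches: ["*"]

env:
  CARGO_TERM_COLOR: always

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest

    # Least privilege: every step below only reads the repository. The cache
    # action authenticates with the runner's own cache token rather than
    # GITHUB_TOKEN scopes, and no step publishes check runs, so the job token
    # is granted read access to contents and nothing else.
    permissions:
      contents: read

    steps:
      # NOTE(review): the actions below are referenced by mutable tag/branch;
      # pinning each `uses:` to a full commit SHA prevents an upstream retag
      # from changing what runs in this job.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config: later steps execute
          # build scripts and tests from third-party crates, and no step
          # pushes back to the repository.
          persist-credentials: false

      - name: Install latest stable Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy

      # Keyed on the lockfile hash; the restore-keys prefix lets a run fall
      # back to the most recent cache for this OS when Cargo.lock changed.
      - name: Cache cargo registry & build artifacts
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-

      # NOTE(review): none of the cargo invocations below pass --locked, so
      # cargo may resolve versions other than those recorded in Cargo.lock if
      # the manifest drifts from the lockfile.
      - name: Build Release
        run: cargo build --release --verbose

      - name: Run tests
        run: cargo test --verbose

      - name: Check benches compile
        run: cargo check --benches

      # Strict policy is deferred to PR-SEC-8 — intermediate branches use
      # #[allow(clippy::panic)], #[allow(clippy::expect_used)] etc. which are
      # incompatible with -F (forbid) flags active before all source fixes land.
      - name: Run clippy
        run: cargo clippy --workspace -- -D clippy::correctness

      # Advisory only: `continue-on-error` keeps the job green while still
      # marking this step as failed when the command errors, instead of
      # masking the exit status with `|| true`.
      # NOTE(review): no step in this workflow installs cargo-udeps, and
      # upstream documents it as needing a nightly toolchain, so this step
      # cannot currently produce a result — install both or drop the step.
      - name: Check for unused dependencies
        continue-on-error: true
        run: cargo udeps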