From bb31c481fc0a9d5fdb6e1321cb0ec5423e35c203 Mon Sep 17 00:00:00 2001 
From: Alex Crawford Date: Wed, 8 Apr 2020 19:05:23 -0700 Subject: [PATCH] infra: add basic CI and security audit workflows This introduces two workflows: one for basic CI (format and check) and one for security audits. The security audit workflow probably isn't going to catch anything, but it only runs when the cargo manifest changes, so hopefully it doesn't slow things down too much. The CI workflow is designed to run `cargo fmt` against the code and to run `cargo check` with every combination of options. Right now, the `unproven` feature must be enabled, which ends up requiring a nightly compiler. As a result, the build matrix only runs two variants (one for each of the two supported devices). Once builds can be done without the `unproven` feature, `~` can be added to the `proven` dimension of the matrix, which will then allow builds to run against both nightly and stable. Regarding the actual implementation, there are a few quirks in this config. The verbose `on` object is the result of pushes to pull requests triggering the workflow twice - the workflow is triggered by both the `push` and `pull_request` events. By restricting these to the master branch, it ensures that only pushes to the master branch or pull requests to the master branch (but not pushes to pull request branches) trigger. The bizarre construction of the `run` step in the `check` job is needed because GitHub isn't parsing the declaration correctly [1]. The preferred syntax would be to make use of the folded chomping block operator and to drop the shell linewraps. Something closer to this: ```yaml steps: - run: >- cargo check --verbose --no-default-features ``` [1]: https://github.com/actions/runner/issues/418 --- .github/workflows/ci.yaml | 52 +++++++++++++++++++++++++++++++++ .github/workflows/security.yaml | 17 +++++++++++ README.md | 2 ++ 3 files changed, 71 insertions(+) create mode 100644 .github/workflows/ci.yaml create mode 100644 .github/workflows/security.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..5157afc
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,52 @@
+name: CI
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ format:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions-rs/toolchain@v1
+ with:
+ toolchain: stable
+ components: rustfmt
+ override: true
+ - uses: mbrobbel/rustfmt-check@master
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions-rs/toolchain@v1
+ with:
+ toolchain: nightly
+ target: thumbv7m-none-eabi
+ override: true
+ - run: |
+ cargo check \
+ --verbose \
+ --no-default-features \
+ --features="${{matrix.chip}} ${{matrix.proven}}" \
+ --target="${{matrix.target}}"
+ strategy:
+ fail-fast: false
+ matrix:
+ chip:
+ - chip-efm32gg
+ - chip-efr32xg1
+ proven:
+ - unproven
+ toolchain:
+ - stable
+ - nightly
+ target:
+ - thumbv7m-none-eabi
+ exclude:
+ - toolchain: stable
+ proven: unproven
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..02e3c20
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,17 @@
+name: Security Audit
+on:
+ push:
+ branches: [ master ]
+ paths: [ Cargo.toml ]
+ pull_request:
+ branches: [ master ]
+ paths: [ Cargo.toml ]
+
+jobs:
+ audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions-rs/audit-check@v1
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
index 6de100e..a23c489 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+![CI Status](https://github.com/crawford/action-test/workflows/CI/badge.svg)
+
 `efm32gg-hal`
 -------------
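Review bot: In `.github/workflows/ci.yaml`, the `format` job runs `mbrobbel/rustfmt-check@master` and hands it `secrets.GITHUB_TOKEN`, so whatever is on that third-party branch at run time executes with the repository token. Pin the action to a reviewed commit, e.g. `- uses: mbrobbel/rustfmt-check@<full-commit-sha>` (placeholder; the SHA is not on this page), and treat the `@v1`/`@v2` tags on the other actions the same way, since tags can also be moved. A workflow-level `permissions:` block that limits the token to what the job needs would bound the impact of a compromised action. Separately, the `check` job hard-codes `toolchain: nightly` and `target: thumbv7m-none-eabi` in the toolchain step, so `matrix.toolchain` is never read by any step.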
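Review bot: In `.github/workflows/security.yaml`, the audit is triggered only by pushes and pull requests that touch `Cargo.toml`, so an advisory published against an already-declared dependency is not reported until someone next edits the manifest. Adding a timed trigger under `on:`, `schedule:` followed by `- cron: '0 0 * * *'`, makes the audit run against the current advisory database regardless of repository activity. If a `Cargo.lock` is committed (not visible here), it belongs in both `paths` lists as well, since lockfile-only updates change the resolved versions being audited.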