From a3da0af8321ee1dc8f7ed2fba98dcc254e024343 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Mon, 4 Dec 2023 23:28:51 -0500 Subject: [PATCH] WIP: Add Rust CI And remove the Python CI. We still need to set up cargo-audit and cargo-vet jobs. --- .circleci/config.yml | 102 +-------------------------------------- .github/workflows/ci.yml | 24 +++++++++ Makefile | 50 ++++++------------- rust-toolchain.toml | 2 + src/main.rs | 2 + 5 files changed, 45 insertions(+), 135 deletions(-) create mode 100644 .github/workflows/ci.yml create mode 100644 rust-toolchain.toml diff --git a/.circleci/config.yml b/.circleci/config.yml index a39a4c5..e499195 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,30 +1,5 @@ --- common-steps: - - &install_poetry - run: - name: Install Poetry - command: | - set -e - source /etc/os-release - if [[ "$VERSION_CODENAME" == "bullseye" ]]; then - # Install Poetry via PyPI - apt-get update && apt-get install --yes --no-install-recommends python3-pip - pip install poetry==1.6.1 - elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then - # Install Poetry via system package - apt-get update && apt-get install --yes --no-install-recommends python3-poetry - else - echo "Unsupported Debian version: $VERSION_CODENAME" - exit 1 - fi - - - &install_testing_dependencies - run: - name: Install testing dependencies - command: | - apt-get install --yes --no-install-recommends git gnupg make - poetry install --no-ansi - - &install_build_dependencies run: name: Install build dependencies 
@@ -32,35 +7,6 @@ common-steps: set -e apt-get update && apt-get install --yes git make sudo - - &run_unit_tests - run: - name: Install requirements and run unit tests - command: | - export PYTHONPATH=$PYTHONPATH:. # so alembic can get to Base metadata - make test - - - &run_lint - run: - name: Run lint, type checking, code formatting - command: | - make lint - - - &check_security - run: - name: Run static analysis on source code to find security issues - command: | - set -e - poetry update bandit - make bandit - - - &check_python_dependencies_for_vulnerabilities - run: - name: Check Python dependencies for known vulnerabilities - command: | - set -e - poetry update safety - make safety - - &install_packaging_dependencies run: name: Install Debian packaging dependencies and download Python wheels @@ -111,62 +57,16 @@ jobs: - *verify_requirements - *build_debian_package - unit-test: - parameters: *parameters - docker: *docker - steps: - - checkout - - *install_poetry - - *install_testing_dependencies - - *run_unit_tests - - store_test_results: - path: test-results - - lint: - parameters: *parameters - docker: *docker - steps: - - checkout - - *install_poetry - - *install_testing_dependencies - - *run_lint - - check-security: - parameters: *parameters - docker: *docker - steps: - - checkout - - *install_poetry - - *install_testing_dependencies - - *check_security - - check-python-security: - parameters: *parameters - docker: *docker - steps: - - checkout - - *install_poetry - - *install_testing_dependencies - - *check_python_dependencies_for_vulnerabilities - workflows: securedrop_proxy_ci: jobs: &jobs - - unit-test: + - build: matrix: &matrix parameters: image: - bullseye - bookworm - - lint: - matrix: *matrix - - check-security: - matrix: *matrix - - check-python-security: - matrix: *matrix - - build: - matrix: *matrix nightly: triggers: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..c9f9645 --- /dev/null 
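Review bot: Deleting the `check-python-security` job removes the only vulnerability scan of the Python wheels that the remaining `install_packaging_dependencies` step still downloads for the `build` job, and the cargo-audit/cargo-vet jobs the commit message promises would cover Rust crates, not those wheels. If Python packages stay in the Debian package, a `safety check` (or equivalent) step should survive in the `build` job until they are gone; if they are being dropped, saying so in the description would settle the question. The `nightly` workflow below this hunk references `*jobs`, so it presumably now runs only `build` too — worth confirming that is intended.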
+++ b/.github/workflows/ci.yml @@ -0,0 +1,24 @@ +name: CI +on: [push, pull_request] + +defaults: + run: + shell: bash + +jobs: + test: + runs-on: ubuntu-latest + # Keep version in sync with rust-toolchain.toml + container: rust:1.74.0 + steps: + - uses: actions/checkout@v3 + - name: Install dependencies + run: | + rustup component add rustfmt + rustup component add clippy + apt-get update && apt-get install python3-poetry --yes + poetry install --no-ansi + - name: Lint and test code + run: | + make rust-lint + make rust-test diff --git a/Makefile b/Makefile index b1590ef..011d8ef 100644 --- a/Makefile +++ b/Makefile @@ -3,23 +3,8 @@ .PHONY: all all: help -.PHONY: bandit -bandit: ## Run bandit with medium level excluding test-related folders - @echo "Running bandit security checks…" - @poetry run bandit -ll --recursive securedrop_proxy - -.PHONY: safety -safety: ## Runs `safety check` to check python dependencies for vulnerabilities - @echo "Running safety against build requirements…" - @poetry run safety check --full-report -r build-requirements.txt - .PHONY: lint -lint: check-isort check-black mypy ## Run isort, black and flake8 and mypy - @poetry run flake8 securedrop_proxy tests - -.PHONY: mypy -mypy: ## Run mypy static type checker - @poetry run mypy --ignore-missing-imports securedrop_proxy +lint: rust-lint check-isort check-black ## Run Rust and Python linters/formatters .PHONY: black black: ## Run black for file formatting 
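Review bot: The new workflow runs on `pull_request` with no `permissions:` block, so the `GITHUB_TOKEN` gets whatever the repository default is rather than the read-only scope this job needs; add a top-level `permissions:` with `contents: read` before `jobs:`. For the same supply-chain reason, `actions/checkout@v3` is a mutable tag and should be pinned to a full commit SHA (with the tag in a trailing comment), and `container: rust:1.74.0` could carry an image digest so the "keep in sync with rust-toolchain.toml" comment is enforced rather than hoped for. Separately, `apt-get install python3-poetry --yes` pulls in recommends that the CircleCI config deliberately skipped with `--no-install-recommends`.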
@@ -42,26 +27,23 @@ check-isort: ## Check isort for file formatting @poetry run isort --check-only --diff securedrop_proxy/*.py tests/*.py .PHONY: test -test: clean .coverage ## Runs tests with coverage - -.coverage: - @poetry run coverage run --source securedrop_proxy -m unittest - -.PHONY: browse-coverage -browse-coverage: .coverage ## Generates and opens HTML coverage report - @poetry run coverage html - @xdg-open htmlcov/index.html 2>/dev/null || open htmlcov/index.html 2>/dev/null +test: ## Runs integration tests + @cargo build + @poetry run pytest .PHONY: check -check: clean lint test mypy safety bandit ## Runs all tests and code checkers - -.PHONY: clean -clean: ## Clean the workspace of generated resources - @rm -rf .mypy_cache build dist *.egg-info .coverage .eggs docs/_build .pytest_cache lib htmlcov .cache && \ - find . \( -name '*.py[co]' -o -name dropin.cache \) -delete && \ - find . \( -name '*.bak' -o -name dropin.cache \) -delete && \ - find . \( -name '*.tgz' -o -name dropin.cache \) -delete && \ - find . -name __pycache__ -print0 | xargs -0 rm -rf +check: lint rust-test test ## Runs all tests and code checkers + +.PHONY: rust-lint +rust-lint: ## Lint Rust code + @echo "Linting Rust code..." + cargo fmt --check + cargo clippy + +.PHONY: rust-test +rust-test: ## Run Rust tests + @echo "Running Rust tests..." + cargo test # Explanation of the below shell command should it ever break. # 1. Set the field separator to ": ##" and any make targets that might appear between : and ## diff --git a/rust-toolchain.toml b/rust-toolchain.toml new file mode 100644 index 0000000..639f4f1 --- /dev/null +++ b/rust-toolchain.toml @@ -0,0 +1,2 @@ +[toolchain] +channel = "1.74.0" diff --git a/src/main.rs b/src/main.rs index f02d88c..76b1066 100644 --- a/src/main.rs +++ b/src/main.rs @@ -1,3 +1,5 @@ +#![deny(clippy::all)] + use anyhow::{bail, Result}; use reqwest::blocking::{Client, Response}; use reqwest::header::HeaderMap;
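Review bot: `rust-lint` runs a bare `cargo clippy`, which skips test and bench targets and lets plain rustc warnings through even though `src/main.rs` now carries `#![deny(clippy::all)]`; use `cargo clippy --all-targets -- -D warnings` so `make check` fails on any warning, not just clippy's. The `test` target also runs `@cargo build` as a side effect before `poetry run pytest` with no comment saying the integration tests depend on the debug binary — presumably they do, and a one-line comment such as `# pytest drives the debug binary built by cargo build` would make that explicit. Note `check` still starts with `lint`, which after this commit no longer runs flake8 or mypy over the Python that `check-isort` still formats.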
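Review bot: The toolchain file pins the channel but not the components the CI relies on, so a developer running `make rust-lint` locally can hit a missing `rustfmt`/`clippy` that the workflow only works around with two `rustup component add` lines; declaring `components = ["rustfmt", "clippy"]` under `[toolchain]` keeps local and CI toolchains identical and lets the workflow drop those installs.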