fix: clippy regressions from refactor splits (#2412) #55
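name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege: the workflow token can only read repository contents.
# No job below overrides this.
permissions:
  contents: read

# On PRs: only one run per branch, cancel stale runs.
# On main: each push gets its own group (by SHA) so parallel runs never interfere.
concurrency:
  group: ${{ github.ref == 'refs/heads/main' && format('{0}-{1}', github.workflow, github.sha) || format('{0}-{1}', github.workflow, github.ref) }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

env:
  CARGO_TERM_COLOR: always
  # Every compiler warning is a build error.
  RUSTFLAGS: "-D warnings"
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  # NOTE(review): every `uses:` below references a mutable tag or branch
  # (@v6, @v4, @v2, @stable, @nextest). Pinning third-party actions to a full
  # commit SHA keeps an upstream retag from changing what runs here.

  # ── Detect changed files to skip unnecessary jobs ──────────────────────────────────
  changes:
    name: Detect Changes
    runs-on: ubuntu-latest
    outputs:
      rust: ${{ steps.filter.outputs.rust }}
      docs: ${{ steps.filter.outputs.docs }}
      ci: ${{ steps.filter.outputs.ci }}
      install: ${{ steps.filter.outputs.install }}
      crates: ${{ steps.crates.outputs.crates }}
    steps:
      - uses: actions/checkout@v6
        with:
          # Full history so the script below can diff against the base commit.
          fetch-depth: 0
      - uses: dorny/paths-filter@v4
        id: filter
        with:
          filters: |
            rust:
              - 'crates/**'
              - 'Cargo.toml'
              - 'Cargo.lock'
              - 'xtask/**'
            docs:
              - 'docs/**'
              - '*.md'
            ci:
              - '.github/workflows/**'
            install:
              - 'web/public/install.sh'
              - 'web/public/install.ps1'
              - 'scripts/tests/install_sh_test.sh'
      - name: Detect affected crates
        id: crates
        # Skipped when no Rust path changed; the `crates` output is then empty
        # and test-ubuntu falls back to its own full crate list.
        if: steps.filter.outputs.rust == 'true'
        env:
          # Context values reach the script as environment variables instead of
          # being expanded into the script text before the shell parses it.
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          # Empty on push events, where the previous commit is the base.
          BASE_REF="${PR_BASE_SHA:-HEAD~1}"
          CHANGED=$(git diff --name-only "$BASE_REF" HEAD -- crates/ | sed 's|crates/\([^/]*\)/.*|\1|' | sort -u)
          # Directory names under crates/ are used as crate names as-is.
          ALL_CRATES="librefang-types librefang-wire librefang-telemetry librefang-memory librefang-channels librefang-skills librefang-hands librefang-extensions librefang-kernel librefang-api librefang-runtime librefang-migrate librefang-testing librefang-cli librefang-desktop"
          # If Cargo.toml, Cargo.lock or xtask/ changed, test everything
          if git diff --name-only "$BASE_REF" HEAD | grep -qE '^(Cargo\.(toml|lock)|xtask/)'; then
            echo "crates=$ALL_CRATES" >> "$GITHUB_OUTPUT"
          elif [ -z "$CHANGED" ]; then
            echo "crates=$ALL_CRATES" >> "$GITHUB_OUTPUT"
          else
            # Include changed crates + their reverse dependencies
            AFFECTED=""
            for dir in $CHANGED; do
              AFFECTED="$AFFECTED $dir"
            done
            # Always include downstream crates when upstream changes
            # Dependency order: types -> memory -> runtime -> kernel -> api -> cli
            if echo "$AFFECTED" | grep -q "librefang-types"; then
              AFFECTED="$ALL_CRATES"
            elif echo "$AFFECTED" | grep -q "librefang-memory"; then
              AFFECTED="$AFFECTED librefang-runtime librefang-kernel librefang-api librefang-cli librefang-testing"
            elif echo "$AFFECTED" | grep -q "librefang-runtime"; then
              AFFECTED="$AFFECTED librefang-kernel librefang-api librefang-cli librefang-testing"
            elif echo "$AFFECTED" | grep -q "librefang-kernel"; then
              AFFECTED="$AFFECTED librefang-api librefang-cli librefang-testing"
            fi
            # Deduplicate and filter to valid crate names
            AFFECTED=$(echo "$AFFECTED" | tr ' ' '\n' | sort -u | tr '\n' ' ')
            VALID=""
            for crate in $AFFECTED; do
              # Names are derived from paths in the diff, which a PR author
              # controls. Accept only an exact, literal match against the
              # allowlist: a quoted `case` pattern is neither a regex nor an
              # option string, and a partial name such as "librefang" no
              # longer passes.
              case " $ALL_CRATES " in
                *" $crate "*) VALID="$VALID $crate" ;;
              esac
            done
            # Nothing valid left: fall back to the full list rather than testing nothing.
            echo "crates=${VALID:-$ALL_CRATES}" >> "$GITHUB_OUTPUT"
          fi
          echo "Affected crates: $(grep crates "$GITHUB_OUTPUT")"

  # ── Reject dashboard build artifacts in PRs ─────────────────────────────────────────
  no-build-artifacts:
    name: No Build Artifacts
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Reject static/react/ in PR
        env:
          # Passed through the environment, not expanded into the script text.
          BASE_BRANCH: ${{ github.base_ref }}
        run: |
          # Only flag added or modified files (not deletions — cleanup PRs are OK)
          # NOTE(review): `|| true` means a failing `git diff` (for example an
          # unresolvable base ref) leaves ADDED empty and the check passes.
          ADDED=$(git diff --diff-filter=AM --name-only "origin/${BASE_BRANCH}...HEAD" -- 'crates/librefang-api/static/react/' || true)
          if [ -n "$ADDED" ]; then
            echo "::error::PR adds/modifies dashboard build artifacts (static/react/). These are auto-built by CI — remove them from your commits."
            echo "Fix: git rm --cached crates/librefang-api/static/react/ && git commit --amend"
            exit 1
          fi

  # ── Code quality checks (fast, run in parallel) ─────────────────────────────────────
  quality:
    name: Quality
    needs: changes
    if: needs.changes.outputs.rust == 'true' || needs.changes.outputs.ci == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy, rustfmt
      - uses: Swatinem/rust-cache@v2
      - name: Install Tauri system deps
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev \
            libgtk-3-dev \
            libayatana-appindicator3-dev \
            librsvg2-dev \
            patchelf
      - name: Check formatting
        run: cargo xtask fmt
      - name: Ensure dashboard build dir exists
        run: mkdir -p crates/librefang-api/static/react
      - name: Run clippy
        run: cargo xtask ci --no-test --no-web

  # ── Security audit (independent) ─────────────────────────────────────────────────────
  security:
    name: Security
    needs: changes
    if: needs.changes.outputs.rust == 'true' || needs.changes.outputs.ci == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Run security audit
        run: |
          # Ignore known vulnerabilities without fix:
          # - GTK/webkit: transitive from Tauri 2.x
          # - lexical-core: transitive through imap (imap 3.x is alpha, nom 8+ required)
          # - rsa: Marvin Attack timing side-channel, no fix available (transitive from librefang-channels)
          # - rustls-webpki 0.102.x: transitive from rumqttc, no compatible upgrade available
          # NOTE(review): the reasons above are not mapped to individual
          # advisory IDs; re-check each ignore when one of the named
          # dependencies is upgraded so stale entries do not hide new findings.
          cargo xtask deps --audit \
            --ignore RUSTSEC-2024-0384 \
            --ignore RUSTSEC-2024-0385 \
            --ignore RUSTSEC-2024-0412 \
            --ignore RUSTSEC-2024-0413 \
            --ignore RUSTSEC-2024-0418 \
            --ignore RUSTSEC-2024-0419 \
            --ignore RUSTSEC-2024-0386 \
            --ignore RUSTSEC-2024-0387 \
            --ignore RUSTSEC-2024-0388 \
            --ignore RUSTSEC-2024-0389 \
            --ignore RUSTSEC-2024-0390 \
            --ignore RUSTSEC-2023-0086 \
            --ignore RUSTSEC-2024-0370 \
            --ignore RUSTSEC-2023-0071 \
            --ignore RUSTSEC-2026-0049

  # ── Secrets scanning (independent) ────────────────────────────────────────────────────
  secrets:
    name: Secrets Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Install trufflehog
        run: |
          # NOTE(review): the installer is fetched from the mutable `main`
          # branch and piped straight into sh, so whatever that URL serves at
          # run time executes on the runner. Prefer a pinned release with a
          # verified checksum or signature.
          curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
      - name: Scan for secrets
        run: |
          # Scans the checked-out working tree only: .git/ is excluded, so the
          # history fetched by `fetch-depth: 0` above is not part of this scan.
          # NOTE(review): with --only-verified, findings that cannot be
          # verified presumably do not fail the job — confirm this is intended.
          trufflehog filesystem . \
            --no-update \
            --fail \
            --only-verified \
            --exclude-paths=<(echo -e "target/\n.git/\nCargo.lock")

  # ── Installer smoke test (fast, independent) ────────────────────────────────────────
  install-smoke:
    name: Install Smoke
    needs: changes
    if: needs.changes.outputs.install == 'true' || needs.changes.outputs.ci == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Syntax-check shell installer
        run: |
          # -n parses the script without executing it, under both sh and bash.
          sh -n web/public/install.sh
          bash -n web/public/install.sh
      - name: Run shell installer regression tests
        run: sh scripts/tests/install_sh_test.sh
      - name: Parse PowerShell installer
        # Parse-only check: the installer is not executed, parse errors fail the step.
        run: pwsh -NoProfile -Command '$tokens=$null; $errors=$null; [void][System.Management.Automation.Language.Parser]::ParseFile("web/public/install.ps1",[ref]$tokens,[ref]$errors); if ($errors) { $errors | ForEach-Object { Write-Error $_.Message }; exit 1 }'

  # ── Tests ─────────────────────────────────────
  test-windows:
    name: Test / Windows
    needs: changes
    if: needs.changes.outputs.rust == 'true' || needs.changes.outputs.ci == 'true'
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          key: test-windows-${{ hashFiles('**/Cargo.lock') }}
      - name: Install nextest
        uses: taiki-e/install-action@nextest
      - name: Ensure dashboard build dir exists
        run: mkdir -p crates/librefang-api/static/react
        shell: bash
      - name: Run tests
        run: cargo nextest run --workspace --no-fail-fast

  test-macos:
    name: Test / macOS
    needs: changes
    if: needs.changes.outputs.rust == 'true' || needs.changes.outputs.ci == 'true'
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          key: test-macos-${{ hashFiles('**/Cargo.lock') }}
      - name: Install nextest
        uses: taiki-e/install-action@nextest
      - name: Ensure dashboard build dir exists
        run: mkdir -p crates/librefang-api/static/react
      - name: Run tests
        run: cargo nextest run --workspace --no-fail-fast

  test-ubuntu:
    name: Test / Ubuntu
    needs: changes
    if: needs.changes.outputs.rust == 'true' || needs.changes.outputs.ci == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 45
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          key: test-ubuntu-${{ hashFiles('**/Cargo.lock') }}
      - name: Install nextest
        uses: taiki-e/install-action@nextest
      - name: Ensure dashboard build dir exists
        run: mkdir -p crates/librefang-api/static/react
      - name: Install Tauri system deps
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            libwebkit2gtk-4.1-dev \
            libgtk-3-dev \
            libayatana-appindicator3-dev \
            librsvg2-dev \
            patchelf
      - name: Build tests (throttled to reduce peak memory)
        run: cargo test --workspace --no-run -j 2
      - name: Run tests per crate
        env:
          RUST_TEST_THREADS: "1"
          # The crate list is computed in the `changes` job from paths in the
          # diff. Handing it over as an environment variable keeps its content
          # from being parsed as part of the script.
          AFFECTED_CRATES: ${{ needs.changes.outputs.crates }}
        run: |
          CRATES="$AFFECTED_CRATES"
          if [ -z "$CRATES" ]; then
            # Fallback when the changes job produced no list. Unlike ALL_CRATES
            # in that job, this list also names xtask.
            CRATES="librefang-types librefang-wire librefang-telemetry librefang-memory librefang-channels librefang-skills librefang-hands librefang-extensions librefang-kernel librefang-api librefang-runtime librefang-migrate librefang-testing librefang-cli librefang-desktop xtask"
          fi
          for crate in $CRATES; do
            echo "::group::Testing $crate"
            cargo test -p "$crate" && echo "✓ $crate" || exit 1
            echo "::endgroup::"
          done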