openprot/.github/workflows/ci.yml at main · FerralCoder/openprot · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
# Licensed under the Apache-2.0 license

name: CI

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1

jobs:
  presubmit:
    name: Presubmit Checks
    runs-on: openprot-ci-runner
    steps:
    - uses: actions/checkout@v6

    - name: Setup Bazel
      uses: bazel-contrib/setup-bazel@0.19.0
      with:
        bazelisk-cache: true
        disk-cache: true
        repository-cache: true

    - name: Presubmit Checks
      # The presubmit workflow performs formatting checks, license checks
      # C/C++ include checks and clippy lints.
      # See workflows.json for the `presubmit` definition.
      run: ./pw presubmit

  test:
    name: Test
    needs: presubmit
    runs-on: openprot-ci-runner
    steps:
    - uses: actions/checkout@v6

    - name: Setup Bazel
      uses: bazel-contrib/setup-bazel@0.19.0
      with:
        bazelisk-cache: true
        disk-cache: true
        repository-cache: true

    - name: Run tests
      # See workflows.json for the `ci` definition.
      run: ./pw ci

  build:
    name: Build Targets
    needs: test
    runs-on: openprot-ci-runner

    steps:
    - uses: actions/checkout@v6

    - name: Setup Bazel
      uses: bazel-contrib/setup-bazel@0.19.0
      with:
        bazelisk-cache: true
        disk-cache: true
        repository-cache: true

    - name: Build
      # See workflows.json for the `default` definition.
      run: ./pw default

  security-audit:
    name: Security Audit
    needs: presubmit
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v6

    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@stable
      with:
        components: clippy

    - name: Cache cargo registry
      uses: actions/cache@v5
      with:
        path: |
          ~/.cargo/registry
          ~/.cargo/git
          target
        key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}

    - name: Install cargo-audit
      run: cargo install cargo-audit --locked

    - name: Install cargo-deny
      run: cargo install cargo-deny --version 0.19.0 --locked

    - name: Run security audit
      run: cd third_party/crates_io; cargo audit

    - name: Run cargo deny checks
      run: cd third_party/crates_io; cargo deny check

    - name: Run semgrep security scan
      uses: returntocorp/semgrep-action@v1
      with:
        config: p/rust