MCP-Development-with-Rust/.github/workflows/ci.yml at main · RustSandbox/MCP-Development-with-Rust · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
# Workflow: Continuous Integration (CI)
#
# This workflow runs on every push and pull request to ensure code quality
# and compatibility across different platforms and Rust versions.
# It performs comprehensive testing, linting, formatting checks, and builds.

name: CI

# Trigger conditions: run on pushes to main branch and all pull requests
on:
  push:
    branches: [ "main", "master" ]
  pull_request:
    branches: [ "main", "master" ]

# Define environment variables used across all jobs
env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1

# Define the jobs that make up the CI pipeline
jobs:
  # Job 1: Run comprehensive tests across multiple platforms and Rust versions
  test:
    name: Test Suite
    runs-on: ${{ matrix.os }}

    # Strategy matrix: test on multiple operating systems and Rust versions
    # This ensures our code works across different environments
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
        # Using rust-toolchain.toml to enforce consistent Rust 1.86.0 across all environments
        # This ensures Cargo.lock v4 compatibility everywhere

    steps:
    # Step 1: Check out the source code from the repository
    - name: Checkout source code
      uses: actions/checkout@v4

    # Step 2: Install Rust toolchain from rust-toolchain.toml
    # This ensures consistent Rust 1.86.0 that supports Cargo.lock v4
    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@1.86.0
      with:
        components: rustfmt, clippy

    # Step 3: Configure Rust cargo caching to speed up builds
    # This caches dependencies and build artifacts between runs
    - name: Setup Rust cache
      uses: Swatinem/rust-cache@v2
      with:
        # Cache key includes OS for proper isolation
        key: ${{ matrix.os }}-rust-1.86.0

    # Step 4: Build all targets to ensure compilation succeeds
    # We build all binary examples defined in Cargo.toml
    - name: Build all examples
      run: cargo build --all-targets --verbose

    # Step 5: Run all unit and integration tests
    # The --all-targets flag ensures we test all our binary examples
    - name: Run tests
      run: cargo test --all-targets --verbose

    # Step 6: Build and run each example individually to verify they work
    # This is important since we have multiple binary targets
    - name: Test individual examples
      run: |
        # Get list of all binary examples from Cargo.toml
        for example in $(cargo read-manifest | jq -r '.targets[] | select(.kind[] == "bin") | .name'); do
          echo "Testing example: $example"
          cargo run --bin "$example" --help || true  # Run with --help to test basic functionality
        done
      shell: bash

    # Step 7: Run tests with all features enabled (if any)
    - name: Run tests with all features
      run: cargo test --all-features --verbose

  # Job 2: Code quality checks (formatting and linting)
  quality:
    name: Code Quality
    runs-on: ubuntu-latest

    steps:
    # Step 1: Check out the source code
    - name: Checkout source code
      uses: actions/checkout@v4

    # Step 2: Install Rust toolchain with Cargo.lock v4 support
    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@1.86.0
      with:
        components: rustfmt, clippy

    # Step 3: Setup caching for faster subsequent runs
    - name: Setup Rust cache
      uses: Swatinem/rust-cache@v2

    # Step 4: Check code formatting with rustfmt
    # This ensures all code follows consistent formatting standards
    - name: Check formatting
      run: cargo fmt --all -- --check

    # Step 5: Run Clippy linter for code quality and style issues
    # Clippy catches common mistakes and suggests improvements
    - name: Run Clippy linting
      run: cargo clippy --all-targets --all-features -- -D warnings

    # Step 6: Check for unused dependencies (educational note)
    # Note: For educational examples with multiple binaries, dependency usage
    # analysis is more complex since deps are used across different examples
    - name: Dependency usage information
      run: |
        echo "ℹ️  Dependency Usage Note for Educational Examples:"
        echo "   This project contains multiple binary examples, each using different subsets of dependencies"
        echo "   Dependencies like 'anyhow', 'futures', 'rmcp', 'thiserror' are intentionally included"
        echo "   For production projects, consider using: cargo +nightly udeps --all-targets"
        echo ""
        echo "📦 Current Dependencies:"
        cargo tree --depth 1

  # Job 3: Security audit to check for known vulnerabilities
  security:
    name: Security Audit
    runs-on: ubuntu-latest

    steps:
    # Step 1: Check out the source code
    - name: Checkout source code
      uses: actions/checkout@v4

    # Step 2: Install Rust toolchain with Cargo.lock v4 support
    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@1.86.0

    # Step 3: Setup Rust caching
    - name: Setup Rust cache
      uses: Swatinem/rust-cache@v2

    # Step 4: Install cargo-audit for security scanning
    - name: Install cargo-audit
      run: cargo install cargo-audit --locked

    # Step 5: Run security audit on dependencies
    # This checks for known security vulnerabilities in our dependencies
    # We ignore RUSTSEC-2023-0071 (RSA timing sidechannel) as it's a transitive
    # dependency through sqlx-mysql with no fix available, and poses minimal
    # risk for educational examples that don't handle sensitive RSA operations
    - name: Run security audit
      run: cargo audit --ignore RUSTSEC-2023-0071

    # Step 6: Check for vulnerabilities in our Cargo.lock file
    - name: Check advisories
      run: cargo audit --json | jq '.vulnerabilities'

  # Job 4: Documentation checks
  docs:
    name: Documentation
    runs-on: ubuntu-latest

    steps:
    # Step 1: Check out the source code
    - name: Checkout source code
      uses: actions/checkout@v4

    # Step 2: Install Rust toolchain with Cargo.lock v4 support
    - name: Install Rust toolchain
      uses: dtolnay/rust-toolchain@1.86.0

    # Step 3: Setup caching
    - name: Setup Rust cache
      uses: Swatinem/rust-cache@v2

    # Step 4: Build documentation to ensure it compiles without errors
    # This catches documentation issues early
    - name: Build documentation
      run: cargo doc --all --no-deps --document-private-items
      env:
        RUSTDOCFLAGS: "-D warnings"

    # Step 5: Check that documentation builds without errors
    # Note: We don't enforce missing-docs for examples since they are educational code
    - name: Check documentation builds
      run: cargo doc --all --no-deps

  # Job 5: Dependency review for supply chain security
  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'

    steps:
    # Step 1: Check out the source code
    - name: Checkout source code
      uses: actions/checkout@v4

    # Step 2: Run GitHub's dependency review action
    # This checks for security issues in dependency changes
    - name: Dependency Review
      uses: actions/dependency-review-action@v4