From de8337684af389d68d5f533395ef2c17db3cdfd8 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 26 May 2026 10:32:27 +0100 Subject: [PATCH 1/2] ci(rust): convert rust-ci.yml to thin wrapper (standards#174) Replaces the per-repo `rust-ci.yml` copy with a 5-line wrapper invoking the shared reusable workflow in `hyperpolymath/standards` (PR #174). Pinned to PR #174's HEAD SHA `4fdf4314b4ab54269adbaff10e30e483b5e86845`; to be re-pinned to standards/main once #174 merges. Estate audit found ~87 rust-ci.yml copies across the estate; this is one of them. The reusable provides identical cargo check/clippy/fmt/test behaviour with opt-in `enable_audit` + `enable_coverage` inputs. Pattern precedent: standards#168 (governance-reusable) + downstream wrappers absolute-zero#41 + tma-mark2#41. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/rust-ci.yml | 65 +++++++++-------------------------- 1 file changed, 16 insertions(+), 49 deletions(-) diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index b0d4690..7f0b7f8 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml 
@@ -1,53 +1,20 @@ -# SPDX-License-Identifier: MPL-2.0-or-later +# SPDX-License-Identifier: MPL-2.0 +# Rust CI — thin wrapper calling the shared estate reusable in +# hyperpolymath/standards. Configure once, propagate everywhere. +# See: docs/CI-REUSABLE-WORKFLOWS.adoc in standards. name: Rust CI -on: [push, pull_request] -env: - CARGO_TERM_COLOR: always - RUSTFLAGS: -Dwarnings -jobs: - test: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6.0.2 - - uses: dtolnay/rust-toolchain@stable - with: - components: rustfmt, clippy - - uses: Swatinem/rust-cache@v2 - - - name: Check formatting - run: cargo fmt --all -- --check - - - name: Clippy lints - run: cargo clippy --all-targets --all-features -- -D warnings - - - name: Run tests - run: cargo test --all-features - - - name: Build release - run: cargo build --release +on: + push: + branches: [main, master] + pull_request: - security: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6.0.2 - - uses: dtolnay/rust-toolchain@stable - - name: Install cargo-audit - run: cargo install cargo-audit - - name: Security audit - run: cargo audit - - name: Check for outdated deps - run: cargo install cargo-outdated && cargo outdated --exit-code 1 || true +permissions: + contents: read - coverage: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6.0.2 - - uses: dtolnay/rust-toolchain@stable - - name: Install tarpaulin - run: cargo install cargo-tarpaulin - - name: Generate coverage - run: cargo tarpaulin --out Xml - - uses: codecov/codecov-action@v6 - with: - files: cobertura.xml +jobs: + rust-ci: + uses: hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@4fdf4314b4ab54269adbaff10e30e483b5e86845 + with: + enable_audit: true + enable_coverage: true From 61da7b7ead3273c11fcf877eec7f820139ee503b Mon Sep 17 00:00:00 2001 
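Review bot: The new `jobs.rust-ci` call passes `with:` but no `secrets:`, while the `coverage` job it replaces uploaded through `codecov/codecov-action@v6`; if the reusable's coverage path declares a token secret, this wrapper will not supply it, so add `secrets: inherit` (or an explicit `secrets:` map) beside `with:` once you have checked the reusable's `workflow_call` inputs. The bare SHA on the `uses:` line is the right supply-chain choice, but it carries no annotation saying what it is or that it is a pre-merge PR head; I would write `uses: hyperpolymath/standards/.github/workflows/rust-ci-reusable.yml@4fdf4314b4ab54269adbaff10e30e483b5e86845 # standards#174 HEAD — re-pin after merge` so the follow-up is visible in the file rather than only in the commit message. If #174 is squash-merged that commit will never be on `main`, so the re-pin has to be tracked explicitly. Note also that the added `permissions: contents: read` caps every job of the called workflow; should its audit or coverage jobs need e.g. `id-token: write` or `security-events: write`, they will fail under this cap — confirm against the reusable, which is not visible here.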
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 26 May 2026 13:40:21 +0100 Subject: [PATCH 2/2] ci(sweep): workflow permissions - Add top-level `permissions: contents: read` to workflows flagged by governance-reusable's Workflow security linter. --- .github/workflows/language-policy.yml | 3 +++ .github/workflows/rescript-deno-ci.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/language-policy.yml b/.github/workflows/language-policy.yml index ad21af9..c747b10 100644 --- a/.github/workflows/language-policy.yml +++ b/.github/workflows/language-policy.yml @@ -1,6 +1,9 @@ # SPDX-License-Identifier: MPL-2.0-or-later name: Language Policy Enforcement on: [push, pull_request] +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/rescript-deno-ci.yml b/.github/workflows/rescript-deno-ci.yml index 24b82d0..9ebabc9 100644 --- a/.github/workflows/rescript-deno-ci.yml +++ b/.github/workflows/rescript-deno-ci.yml @@ -2,6 +2,9 @@ name: ReScript/Deno CI on: [push, pull_request] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest
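Review bot: In language-policy.yml the top-level `permissions: contents: read` now caps `GITHUB_TOKEN` for the `check` job, but that job's steps lie outside the hunk, so it cannot be seen here whether any step writes (check-run annotations, PR comments, `security-events`); confirm none does, or grant the extra scope at job level rather than widening the top-level block. A one-line reason next to the block would help the next person who hits a 403: `# Least-privilege token for all jobs; widen per-job only if a step must write.`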
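Review bot: rescript-deno-ci.yml keeps `on: [push, pull_request]` while patch 1 narrowed rust-ci.yml to `push: branches: [main, master]` plus `pull_request`; with the unrestricted trigger every branch push and its PR run the `build` job twice, and the permission cap added here does not change that. If the estate-wide convention is the narrowed trigger, I would align it here in the same sweep: `on:` / `  push:` / `    branches: [main, master]` / `  pull_request:`. As with the other file, the `build` job's steps are outside the hunk, so whether `contents: read` is sufficient for them cannot be verified from this diff.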