Skip to content

Commit

Permalink
chore: adds tests, clippy, formatting, and auditing to CI
Browse files Browse the repository at this point in the history 
changes the following to appease the new CI rules:
  * ignores unused dep warning for openssl-sys.
  * runs cargo +nightly fmt on source.
  * fixes clippy issues.
  * removes modules from V1 that weren't being used. These modules were behind v1
    feature flags that had been removed as well.
  * adds deny.toml from c2pa-rs.
  • Loading branch information
Dylan Ross committed Oct 30, 2024
1 parent 11745b9 commit 1b00eb1
Show file tree
Hide file tree
Showing 10 changed files with 322 additions and 218 deletions.
213 changes: 212 additions & 1 deletion .github/workflows/build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,185 @@ on:
default: 'false'

jobs:
tests:
name: Unit tests

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
runs-on: ${{ matrix.os }}

strategy:
fail-fast: false
matrix:
os: [ windows-latest, macos-latest, ubuntu-latest ]
rust_version: [ stable, 1.76.0 ]

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ matrix.rust_version }}
components: llvm-tools-preview

- name: Cache Rust dependencies
uses: Swatinem/rust-cache@v2

clippy_check:
name: Clippy

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
with:
components: clippy

- name: Cache Rust dependencies
uses: Swatinem/rust-cache@v2

- name: Run Clippy
run: cargo clippy --all-features --all-targets -- -Dwarnings

cargo_fmt:
name: Enforce Rust code format

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install nightly toolchain
uses: dtolnay/rust-toolchain@nightly
with:
components: rustfmt

- name: Check format
run: cargo +nightly fmt --all -- --check

docs_rs:
name: Preflight docs.rs build

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install nightly Rust toolchain
# Nightly is used here because the docs.rs build
# uses nightly and we use doc_cfg features that are
# not in stable Rust as of this writing (Rust 1.76).
uses: dtolnay/rust-toolchain@nightly

- name: Run cargo docs
# This is intended to mimic the docs.rs build
# environment. The goal is to fail PR validation
# if the subsequent release would result in a failed
# documentation build on docs.rs.
run: cargo +nightly doc --workspace --all-features --no-deps
env:
RUSTDOCFLAGS: --cfg docsrs
DOCS_RS: 1
cargo-deny:
name: License / vulnerability audit

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
checks:
- advisories
- bans licenses sources

# Prevent sudden announcement of a new advisory from failing CI:
continue-on-error: ${{ matrix.checks == 'advisories' }}

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Audit crate dependencies
uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check ${{ matrix.checks }}

unused_deps:
name: Check for unused dependencies

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Install nightly Rust toolchain
uses: dtolnay/rust-toolchain@nightly

- name: Run cargo-udeps
uses: aig787/cargo-udeps-action@v1
with:
version: latest
args: --all-targets --all-features

linux:
runs-on: ubuntu-latest

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
strategy:
matrix:
target: [x86_64, aarch64]
Expand Down Expand Up @@ -63,6 +240,14 @@ jobs:

windows:
runs-on: windows-latest

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
strategy:
matrix:
target: [x64, x86]
Expand All @@ -88,6 +273,14 @@ jobs:

macos_x86:
runs-on: macos-latest

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
Expand All @@ -109,6 +302,14 @@ jobs:

macos_aarch64:
runs-on: macos-latest-large

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
Expand All @@ -130,6 +331,14 @@ jobs:

sdist:
runs-on: ubuntu-latest

if: |
github.event_name != 'pull_request' ||
github.event.pull_request.author_association == 'COLLABORATOR' ||
github.event.pull_request.author_association == 'MEMBER' ||
github.event.pull_request.user.login == 'dependabot[bot]' ||
contains(github.event.pull_request.labels.*.name, 'safe to test')
steps:
- uses: actions/checkout@v4
- name: Build sdist
Expand All @@ -145,9 +354,11 @@ jobs:

release:
name: Release

if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true'

runs-on: ubuntu-latest
environment: Publish
if: startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true'
needs: [linux, windows, macos_x86, macos_aarch64, sdist]
steps:
- uses: actions/download-artifact@v3
Expand Down
3 changes: 2 additions & 1 deletion Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@ authors = ["Gavin Peacock <[email protected]"]
name = "c2pa"
crate-type = ["cdylib"]

[package.metadata.cargo-udeps.ignore]
normal = ["openssl-src"]

[dependencies]
c2pa = {version = "0.35.0", features = ["unstable_api", "file_io", "openssl", "pdf", "fetch_remote_manifests"]}
Expand All @@ -20,7 +22,6 @@ thiserror = "1.0.49"
uniffi = "0.24.1"
openssl-src = "=300.3.1" # Required for openssl-sys
log = "0.4.21"
env_logger = "0.11.3"

[build-dependencies]
uniffi = { version = "0.24.1", features = ["build"] }
52 changes: 52 additions & 0 deletions deny.toml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# Configuration used for dependency checking with cargo-deny.
#
# For further details on all configuration options see:
# https://embarkstudios.github.io/cargo-deny/checks/cfg.html

[graph]
targets = [
{ triple = "x86_64-unknown-linux-gnu" },
{ triple = "x86_64-apple-darwin" },
{ triple = "x86_64-pc-windows-msvc" },
{ triple = "aarch64-apple-darwin" },
{ triple = "wasm32-unknown-unknown" },
]

[advisories]
yanked = "deny"

ignore = [
"RUSTSEC-2021-0127", # serde_cbor
"RUSTSEC-2023-0071", # rsa Marvin Attack: (https://jira.corp.adobe.com/browse/CAI-5104)
]

[bans]
multiple-versions = "allow"

[licenses]
allow = [
"Apache-2.0",
"BSD-2-Clause",
"BSD-3-Clause",
"CC0-1.0",
"ISC",
"LicenseRef-ring",
"MIT",
"MPL-2.0",
"Unicode-DFS-2016",
"Zlib",
]
confidence-threshold = 0.9

[[licenses.clarify]]
name = "ring"
expression = "LicenseRef-ring"
license-files = [
{ path = "LICENSE", hash = 3171872035 }
]

[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
Loading

0 comments on commit 1b00eb1

Please sign in to comment.