Configure GitHub Actions CI

Abeeujah · Abeeujah · commit 949fefaa5475 · 2026-03-17T13:19:19.000+01:00
- Add GitHub Actions workflows for audit, code coverage, and continuous integration
- Add dependabot for automated dependency updates
- Add zizmor security configuration
- Add CI helper scripts for MSRV pinning and core node startup
- Add justfile for task automation
- Add pull request template
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+# Set update schedule for GitHub Actions
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,34 @@
+<!-- You can erase any parts of this template not applicable to your Pull Request. -->
+
+### Description
+
+<!-- Describe the purpose of this PR, what's being adding and/or fixed -->
+
+### Notes to the reviewers
+
+<!-- In this section you can include notes directed to the reviewers, like explaining why some parts
+of the PR were done in a specific way -->
+
+### Changelog notice
+
+<!-- Notice the release manager should include in the release tag message changelog -->
+<!-- See https://keepachangelog.com/en/1.0.0/ for examples -->
+
+### Checklists
+
+#### All Submissions:
+
+* [ ] I've signed all my commits
+* [ ] I followed the [contribution guidelines](https://github.com/bitcoindevkit/bdk/blob/master/CONTRIBUTING.md)
+* [ ] I ran `just p` before pushing
+
+#### New Features:
+
+* [ ] I've added tests for the new feature
+* [ ] I've added docs for the new feature
+
+#### Bugfixes:
+
+* [ ] This pull request breaks the existing API
+* [ ] I've added tests to reproduce the issue which are now passing
+* [ ] I'm linking the issue being fixed by this PR
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,35 @@
+name: Audit
+
+# Performs a security audit of Rust dependencies using cargo-audit through the actions-rust-lang/audit action.
+# Runs nightly on schedule and when Cargo.toml, Cargo.lock, or audit.toml files are modified.
+# Helps identify known security vulnerabilities in the dependency tree.
+
+on:
+  push:
+    paths:
+      # Run if workflow changes
+      - ".github/workflows/audit.yml"
+      # Run on changed dependencies
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      # Run if the configuration file changes
+      - "**/audit.toml"
+  # Rerun periodically
+  schedule:
+    - cron: "0 0 * * *" # Nightly
+  # Run manually
+  workflow_dispatch:
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: actions-rust-lang/audit@v1
+        name: Audit Rust Dependencies
diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml
@@ -0,0 +1,51 @@
+name: Code Coverage
+
+# Generates code coverage reports using cargo-llvm-cov and uploads results to Codecov.
+# Runs on every push and pull request to track test coverage metrics.
+# Uploads coverage reports to Codecov for visualization and analysis.
+
+on: [push, pull_request]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  coverage:
+    name: Code Coverage
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: nightly
+          components: llvm-tools-preview
+          cache: true
+      - name: Install cargo-llvm-cov
+        run: cargo install cargo-llvm-cov
+      - name: Generate coverage data
+        run: cargo llvm-cov --all-features --branch --quiet --ignore-filename-regex "test_utils" --lcov --output-path lcov.info
+        env:
+          RUSTFLAGS: "--cfg coverage_nightly"
+      - name: Generate HTML coverage report
+        run: cargo llvm-cov --all-features --branch --quiet --ignore-filename-regex "test_utils" --html
+        env:
+          RUSTFLAGS: "--cfg coverage_nightly"
+      - name: Codecov upload
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
+        with:
+          files: ./lcov.info
+          flags: rust
+          name: codecov-bdk-electrum-streaming-client
+          token: ${{ secrets.CODECOV_TOKEN }}
+          fail_ci_if_error: false
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-report
+          path: target/llvm-cov/html
diff --git a/.github/workflows/cont_integration.yml b/.github/workflows/cont_integration.yml
@@ -0,0 +1,147 @@
+on: [push, pull_request]
+
+# Main continuous integration workflow that runs build, test, and code quality checks.
+# Runs on every push and pull request, testing against both MSRV (1.85) and stable Rust.
+# # Includes no_std and WASM compatibility checks, formatting validation, and clippy linting.
+
+name: CI
+
+permissions: {}
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build-test-msrv:
+    name: Build & Test MSRV
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os:
+          - ubuntu-latest
+          - ubuntu-24.04-arm
+        features:
+          - --no-default-features --features tokio
+          - --all-features
+        exclude:
+          # electrsd does not provide ARM binaries, so integration tests fail on ARM
+          - os: ubuntu-24.04-arm
+            features: --all-features
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      # The 'toolchain' argument on this action overrides the Rust compiler version set in rust-toolchain.toml
+      # in order to test our MSRV.
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: 1.85 # MSRV
+          cache: true
+      - name: Pin dependencies for MSRV
+        run: ./ci/pin-msrv.sh
+      - name: Build + Test
+        run: |
+          cargo build --workspace --all-targets ${{ matrix.features }}
+          cargo test --workspace ${{ matrix.features }}
+
+  build-test-stable:
+    name: Build & Test Rust Stable
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os:
+          - ubuntu-latest
+          - ubuntu-24.04-arm
+        features:
+          - --no-default-features --features tokio
+          - --all-features
+        exclude:
+          # electrsd does not provide ARM binaries, so integration tests fail on ARM
+          - os: ubuntu-24.04-arm
+            features: --all-features
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          cache: true
+      - name: Build + Test
+        run: |
+          cargo build --workspace --all-targets ${{ matrix.features }}
+          cargo test --workspace ${{ matrix.features }}
+
+  check-no-std:
+    name: Check no_std
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          cache: true
+      - name: Check no-std
+        run: cargo check --workspace --all-targets --no-default-features --features tokio
+
+  check-wasm:
+    name: Check WASM
+    runs-on: ubuntu-latest
+    env:
+      CC: clang-14
+      CFLAGS: -I/usr/include
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - run: wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - || exit 1
+      - run: sudo apt-get update || true
+      - run: sudo apt-get install -y libclang-common-14-dev clang-14 libc6-dev-i386 || exit 1
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          cache: true
+          target: wasm32-unknown-unknown
+      - name: Check-WASM
+        run: |
+          rustup target add wasm32-unknown-unknown
+          cargo check --workspace --no-default-features --target wasm32-unknown-unknown
+
+  fmt:
+    name: Rust fmt
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          cache: true
+      - name: Check fmt
+        run: cargo fmt --all -- --check
+
+  clippy_check:
+    name: Rust Clippy
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Install Rust toolchain
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          cache: true
+      - name: Check Clippy
+        run: cargo clippy --workspace --all-targets -- -D warnings
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,40 @@
+name: Zizmor Actions Analysis
+
+# Analyzes Github Actions workflows for security vulnerabilities using zizmor.
+# Runs on pushes to master and all pull requests to detect potential security issues
+# in workflow configurations. Results are uploaded as a GitHub's security dashboard.
+# The .github/zizmor.yml configures the rules this action will check against.
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Rust Cache
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5
+
+      - name: Install zizmor
+        run: cargo install zizmor --locked --version 1.6.0
+
+      - name: Run zizmor 🌈
+        run: zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: results.sarif
+          category: zizmor
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        actions-rust-lang/setup-rust-toolchain: ref-pin
+        github/codeql-action/*: ref-pin
+        actions/*: ref-pin
diff --git a/ci/pin-msrv.sh b/ci/pin-msrv.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -x
+set -euo pipefail
+
+# Pin dependencies for MSRV
+
+# To pin deps, switch toolchain to MSRV and execute the below updates
+
+# cargo clean
+# rustup override set 1.85.0
+
+# e.g cargo update -p home --precise "0.5.11"
diff --git a/ci/start-core.sh b/ci/start-core.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env sh
+
+echo "Starting bitcoin node."
+mkdir $GITHUB_WORKSPACE/.bitcoin
+/root/bitcoind -regtest -server -daemon -datadir=$GITHUB_WORKSPACE/.bitcoin -fallbackfee=0.0002 -rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0 -blockfilterindex=1 -peerblockfilters=1
+
+echo "Waiting for bitcoin node."
+until /root/bitcoin-cli -regtest -datadir=$GITHUB_WORKSPACE/.bitcoin getblockchaininfo; do
+    sleep 1
+done
+/root/bitcoin-cli -regtest -datadir=$GITHUB_WORKSPACE/.bitcoin createwallet $BDK_RPC_WALLET
+echo "Generating 150 bitcoin blocks."
+ADDR=$(/root/bitcoin-cli -regtest -datadir=$GITHUB_WORKSPACE/.bitcoin -rpcwallet=$BDK_RPC_WALLET getnewaddress)
+/root/bitcoin-cli -regtest -datadir=$GITHUB_WORKSPACE/.bitcoin generatetoaddress 150 $ADDR
diff --git a/justfile b/justfile
@@ -0,0 +1,32 @@
+alias b := build
+alias c := check
+alias f := fmt
+alias t := test
+alias p := pre-push
+
+_default:
+   @just --list
+
+# Build the project
+build:
+   cargo build
+
+# Check code: formatting, compilation, linting, and commit signature
+check:
+   cargo +nightly fmt --all -- --check
+   cargo check --all-features --all-targets
+   cargo clippy --all-features --all-targets -- -D warnings
+   @[ "$(git log --pretty='format:%G?' -1 HEAD)" = "N" ] && \
+       echo "\n⚠️  Unsigned commit: BDK requires that commits be signed." || \
+       true
+
+# Format all code
+fmt:
+   cargo +nightly fmt
+
+# Run all tests on the workspace with all features
+test:
+   cargo test --all-features
+
+# Run pre-push suite: format, check, and test
+pre-push: fmt check test
