Skip to content

Commit 103f22f

Browse files
committed
Refactor CI/CD workflows and branch protection
Update dependabot to target dependencies branch. Remove branch protection rulesets and add dedicated audit workflow. Simplify CI matrix and split test job from checks. Add lite CI for dependencies branch and sync workflow from master.
1 parent fab4c2e commit 103f22f

9 files changed

Lines changed: 106 additions & 153 deletions

File tree

.github/dependabot.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ updates:
44
directory: /
55
schedule:
66
interval: weekly
7-
time: "06:00"
7+
target-branch: "dependencies"
88
open-pull-requests-limit: 5
99
assignees:
1010
- nerjs
@@ -21,7 +21,7 @@ updates:
2121
directory: /
2222
schedule:
2323
interval: weekly
24-
time: "06:00"
24+
target-branch: "dependencies"
2525
open-pull-requests-limit: 5
2626
assignees:
2727
- nerjs

.github/rulesets/master-merge-queue.json

Lines changed: 0 additions & 54 deletions
This file was deleted.

.github/rulesets/master.json

Lines changed: 0 additions & 42 deletions
This file was deleted.

.github/workflows/audit.yml

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
name: "audit"
2+
3+
on:
4+
schedule:
5+
- cron: "0 6 * * 1"
6+
push:
7+
paths:
8+
- "**/Cargo.toml"
9+
- "**/Cargo.lock"
10+
workflow_dispatch:
11+
12+
permissions:
13+
contents: read
14+
15+
concurrency:
16+
group: ${{ github.workflow }}-${{ github.ref }}
17+
cancel-in-progress: true
18+
19+
jobs:
20+
audit:
21+
runs-on: ubuntu-latest
22+
steps:
23+
- uses: actions/checkout@v6
24+
- uses: taiki-e/install-action@v2
25+
with:
26+
tool: cargo-audit
27+
- run: cargo audit

.github/workflows/bump-and-release.yml

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,9 +27,19 @@ jobs:
2727
checks:
2828
uses: ./.github/workflows/checks.yml
2929

30-
bump:
30+
test:
3131
needs: checks
3232
runs-on: ubuntu-latest
33+
steps:
34+
- uses: actions/checkout@v7
35+
- uses: Swatinem/rust-cache@v2
36+
- run: cargo test --all-features
37+
38+
bump:
39+
needs:
40+
- checks
41+
- test
42+
runs-on: ubuntu-latest
3343
outputs:
3444
tag: ${{ steps.tag.outputs.tag }}
3545
steps:

.github/workflows/checks.yml

Lines changed: 2 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,5 @@
11
name: Checks
22

3-
# Reusable gate: fmt, clippy and tests on the dev toolchain, auto-installed by
4-
# rustup from rust-toolchain.toml. Deleting that file silently falls back to
5-
# the runner's bundled Rust. Called by bump-and-release and the publish
6-
# workflows so nothing ships without passing checks, even if a tag points at a
7-
# commit that never went through the PR CI. Jobs run in parallel.
8-
#
9-
# This is a smoke gate on the dev toolchain only; the full version x distro
10-
# matrix runs in ci.yml on PRs.
11-
123
on:
134
workflow_call:
145

@@ -29,9 +20,9 @@ jobs:
2920
- uses: Swatinem/rust-cache@v2
3021
- run: cargo clippy --all-targets --all-features -- -D warnings
3122

32-
test:
23+
check:
3324
runs-on: ubuntu-latest
3425
steps:
3526
- uses: actions/checkout@v7
3627
- uses: Swatinem/rust-cache@v2
37-
- run: cargo test --all-features
28+
- run: cargo check --all-features
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
name: "CI (lite): dependencies"
2+
3+
on:
4+
workflow_dispatch:
5+
push:
6+
branches:
7+
- dependencies
8+
pull_request:
9+
branches:
10+
- dependencies
11+
12+
permissions:
13+
contents: read
14+
15+
concurrency:
16+
group: ${{ github.workflow }}-${{ github.ref }}
17+
cancel-in-progress: false
18+
19+
jobs:
20+
checks:
21+
uses: ./.github/workflows/checks.yml
22+
23+
test:
24+
needs: checks
25+
runs-on: ubuntu-latest
26+
steps:
27+
- uses: actions/checkout@v7
28+
- uses: Swatinem/rust-cache@v2
29+
- run: cargo test --all-features
30+

.github/workflows/ci.yml

Lines changed: 9 additions & 43 deletions
Original file line numberDiff line numberDiff line change
@@ -3,10 +3,11 @@ name: CI
33
on:
44
workflow_dispatch:
55
push:
6-
branches: [master]
6+
branches:
7+
- master
78
pull_request:
8-
branches: [master]
9-
merge_group:
9+
branches:
10+
- master
1011

1112
permissions:
1213
contents: read
@@ -16,68 +17,33 @@ concurrency:
1617
cancel-in-progress: true
1718

1819
jobs:
19-
# fmt, clippy and build run on the dev toolchain, auto-installed by rustup
20-
# from rust-toolchain.toml. Only the test matrix pins explicit versions.
21-
fmt:
22-
runs-on: ubuntu-latest
23-
steps:
24-
- uses: actions/checkout@v7
25-
- run: cargo fmt --all --check
26-
27-
clippy:
28-
runs-on: ubuntu-latest
29-
steps:
30-
- uses: actions/checkout@v7
31-
- uses: Swatinem/rust-cache@v2
32-
- run: cargo clippy --all-targets --all-features -- -D warnings
33-
20+
checks:
21+
uses: ./.github/workflows/checks.yml
22+
3423
test:
3524
needs: [fmt, clippy]
3625
strategy:
3726
fail-fast: false
3827
matrix:
39-
# Pinned floor (dev version from rust-toolchain.toml plus the three
40-
# below it) tests the toolchains you develop and ship on; "stable" and
41-
# "beta" track the moving channels. beta is allowed to fail, see
42-
# continue-on-error below. Raise the pinned list and rust-toolchain.toml
43-
# together by hand.
44-
rust: ["stable", "beta", "1.95", "1.94", "1.93", "1.92"]
28+
# More extensive checks would be desirable, but we're running up against the g limits
29+
rust: ["stable", "beta"]
4530
env:
4631
- name: ubuntu
4732
container: ""
48-
- name: debian
49-
container: "debian:12"
5033
- name: arch
5134
container: "archlinux:latest"
52-
- name: alpine
53-
container: "rust:1-alpine"
5435
name: test (${{ matrix.env.name }} / ${{ matrix.rust }})
5536
runs-on: ubuntu-latest
56-
# beta tracks the upcoming release; an upstream regression there must not
57-
# block the merge queue. ci-success counts a continued job as success.
5837
continue-on-error: ${{ matrix.rust == 'beta' }}
5938
container: ${{ matrix.env.container }}
6039
env:
6140
RUSTUP_TOOLCHAIN: ${{ matrix.rust }}
6241
steps:
63-
- name: Prep (debian)
64-
if: matrix.env.name == 'debian'
65-
run: |
66-
apt-get update
67-
apt-get install -y --no-install-recommends \
68-
git curl ca-certificates build-essential pkg-config libssl-dev
69-
7042
- name: Prep (arch)
7143
if: matrix.env.name == 'arch'
7244
run: |
7345
pacman -Syu --noconfirm git curl base-devel openssl pkgconf
7446
75-
- name: Prep (alpine)
76-
if: matrix.env.name == 'alpine'
77-
shell: sh
78-
run: |
79-
apk add --no-cache git curl ca-certificates bash nodejs musl-dev
80-
8147
- uses: actions/checkout@v7
8248

8349
# Explicit per-version install: RUSTUP_TOOLCHAIN overrides
Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
name: "SYNC: dependencies <- master"
2+
3+
on:
4+
push:
5+
branches:
6+
- master
7+
workflow_dispatch:
8+
9+
permissions:
10+
contents: write
11+
pull-requests: write
12+
13+
concurrency:
14+
group: sync-dependencies
15+
cancel-in-progress: false
16+
17+
jobs:
18+
sync:
19+
runs-on: ubuntu-latest
20+
steps:
21+
- uses: nerjs/branch-sync-action@master
22+
with:
23+
token: ${{ secrets.PUBLISH_TOKEN }}
24+
base: master
25+
head: dependencies

0 commit comments

Comments
 (0)