|
| 1 | +# rust-template |
| 2 | + |
| 3 | +GitHub template repository for new Rust projects. Provides CI, dependabot, |
| 4 | +release tagging and three publish workflows out of the box. |
| 5 | + |
| 6 | +## Use it |
| 7 | + |
| 8 | +1. Click "Use this template" -> "Create a new repository" on GitHub. |
| 9 | +2. Rename the package in `Cargo.toml` and update the binary path in `Dockerfile` |
| 10 | + (the `target/release/rust-template` line). |
| 11 | +3. Add the secrets listed in [Secrets](#secrets). |
| 12 | +4. Push to `master`. The first `sync-dependencies` run creates the |
| 13 | + `dependencies` branch. |
| 14 | + |
| 15 | +## Branches |
| 16 | + |
| 17 | +| Branch | Role | |
| 18 | +|----------------|------------------------------------------------------------------| |
| 19 | +| `master` | Main line. Protected by required PR. | |
| 20 | +| `dependencies` | Receives dependabot PRs and accumulates updates. | |
| 21 | +| `deps-sync` | Throwaway branch for resolving `master` -> `dependencies` conflicts. | |
| 22 | + |
| 23 | +Dependabot opens PRs into `dependencies`, not `master`, so dependency churn |
| 24 | +stays out of the main line until a human merges it. |
| 25 | + |
| 26 | +`sync-dependencies.yml` runs on each push to `master` and fast-forwards |
| 27 | +`dependencies` when possible. On conflict it force-pushes a fresh snapshot of |
| 28 | +`master` to `deps-sync` and opens (or reuses) a PR `deps-sync -> dependencies` |
| 29 | +for manual conflict resolution. |
| 30 | + |
| 31 | +## Workflows |
| 32 | + |
| 33 | +| File | Trigger | Purpose | |
| 34 | +|-------------------------------------|------------------------------------|---------------------------------------------------------------| |
| 35 | +| `ci.yml` | push/PR on master, manual | fmt, clippy, test matrix (rust x distro), release build | |
| 36 | +| `ci-deps.yml` | push/PR on dependencies, deps-sync | cargo check + cargo test | |
| 37 | +| `sync-dependencies.yml` | push on master, manual | sync `master` into `dependencies` | |
| 38 | +| `bump-and-release.yml` | manual | bump version, tag, optional GitHub Release | |
| 39 | +| `publish-crates.yml` | manual on a tag | publish to crates.io | |
| 40 | +| `publish-docker-hub.yml` | manual on a tag | build and push image to Docker Hub, multi-arch | |
| 41 | +| `publish-ghcr.yml` | manual on a tag | build and push image to ghcr.io, multi-arch | |
| 42 | + |
| 43 | +Commit-message or PR-title marker `[skip-CI]` skips `ci.yml` and `ci-deps.yml`. |
| 44 | + |
| 45 | +### Test matrix |
| 46 | + |
| 47 | +`ci.yml` runs `cargo test --all-features` across: |
| 48 | + |
| 49 | +- rust: `stable`, `beta` |
| 50 | +- env: `ubuntu-latest`, `debian:12`, `archlinux:latest`, `rust:1-alpine` |
| 51 | + |
| 52 | +8 jobs total, `fail-fast: false`. Distros run via `container:`. |
| 53 | + |
| 54 | +### Bump and release |
| 55 | + |
| 56 | +Manual trigger from any branch (selected via "Use workflow from"). Inputs: |
| 57 | + |
| 58 | +| Input | Type | Default | Effect | |
| 59 | +|-----------------|---------|---------|---------------------------------------------------------| |
| 60 | +| `version` | choice | patch | bump level: patch / minor / major | |
| 61 | +| `beta` | boolean | false | append `-beta.N` suffix; N is auto-incremented per base | |
| 62 | +| `force_release` | boolean | false | create GitHub Release even for a beta tag | |
| 63 | +| `commit_note` | string | "" | optional text appended to the bump commit message | |
| 64 | + |
| 65 | +The job updates `Cargo.toml`, commits, tags `vX.Y.Z[-beta.N]`, pushes to the |
| 66 | +selected branch. A second job creates a GitHub Release unless the tag is beta |
| 67 | +and `force_release` is false. Beta releases are marked `--prerelease`. |
| 68 | + |
| 69 | +### Publish |
| 70 | + |
| 71 | +Each publish workflow is triggered manually with "Use workflow from: |
| 72 | +tags/vX.Y.Z". A guard rejects runs from a branch. Docker tags are derived from |
| 73 | +the tag name; `latest` is set only for non-beta tags. |
| 74 | + |
| 75 | +## Dependabot |
| 76 | + |
| 77 | +Two ecosystems, both targeting `dependencies`: |
| 78 | + |
| 79 | +- `cargo` - weekly, max 5 open PRs, minor+patch grouped, major opens its own PR |
| 80 | +- `github-actions` - weekly, max 5 open PRs, same grouping |
| 81 | + |
| 82 | +## Secrets |
| 83 | + |
| 84 | +Add these in repository settings before using the relevant workflow: |
| 85 | + |
| 86 | +| Secret | Used by | Notes | |
| 87 | +|------------------------|--------------------------|------------------------------------------------------------------------------| |
| 88 | +| `RELEASE_TOKEN` | bump, sync, release | PAT with `contents: write`, `pull-requests: write`. Required so tag pushes trigger downstream workflows; the default `GITHUB_TOKEN` does not. | |
| 89 | +| `CARGO_REGISTRY_TOKEN` | publish-crates | crates.io API token | |
| 90 | +| `DOCKERHUB_USERNAME` | publish-docker-hub | Docker Hub login | |
| 91 | +| `DOCKERHUB_TOKEN` | publish-docker-hub | Docker Hub access token | |
| 92 | + |
| 93 | +GHCR uses the built-in `GITHUB_TOKEN` with `packages: write`. No extra secret. |
| 94 | + |
| 95 | +## Dockerfile |
| 96 | + |
| 97 | +Minimal alpine multi-stage. The binary path in the runtime stage is |
| 98 | +`target/release/rust-template`. Rename it together with the package name in |
| 99 | +`Cargo.toml`, otherwise the `COPY --from=builder` step fails. |
| 100 | + |
| 101 | +Crates with C dependencies under musl need extra apk packages in the builder |
| 102 | +stage (for example `openssl-dev pkgconfig`). |
0 commit comments