Rewrite action in Rust using octocrab

.dockerignore

@@ -0,0 +1,5 @@
+target
+node_modules
+.git
+.github
+*.md

.github/workflows/build.yml

@@ -1,19 +1,84 @@
 name: Build
 
-on: [push]
+on: [push, pull_request]
+
+permissions:
+    contents: read
 
 jobs:
-    lint-node:
+    test:
+        name: Rust test & lint
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
-            - uses: actions/setup-node@v3
-              with:
-                  node-version: 12
-            - name: Cache module
-              uses: actions/cache@v3
+            - uses: actions/checkout@v6
+            - name: Install Rust toolchain
+              uses: dtolnay/rust-toolchain@stable
               with:
-                  path: ~/.npm/
-                  key: npm-cache
-            - name: Install modules
-              run: npm ci
+                  components: clippy, rustfmt
+            - name: Cache cargo artifacts
+              uses: Swatinem/rust-cache@v2
+            - name: Check formatting
+              run: cargo fmt --all -- --check
+            - name: Clippy
+              run: cargo clippy --all-targets --locked -- -D warnings
+            - name: Run tests
+              run: cargo test --locked --all-targets
+
+    docker:
+        name: Build Docker image
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v6
+            - uses: docker/setup-qemu-action@v3
+            - uses: docker/setup-buildx-action@v4
+            - name: Build action image
+              run: make docker-build
+              env:
+                  PLATFORM: linux/amd64
+                  ACTION: load
+                  PROGRESS_MODE: plain
+                  IMAGE_TAG: action-pull-request-merge:ci
+
+            # ---- Smoke tests on the freshly-built image ------------------
+            # The image is FROM scratch (no shell), so we invoke the binary
+            # via `docker run` and only check exit code + stdout. No network
+            # calls are needed: the actor-mismatch path short-circuits
+            # before any API request.
+            #
+            # Each test captures exit code AND output, prints both to the
+            # CI log, then asserts. If anything is off the log shows
+            # exactly what the binary produced.
+            - name: Smoke test — image inspection
+              run: docker image inspect action-pull-request-merge:ci --format '{{.Os}}/{{.Architecture}} entrypoint={{.Config.Entrypoint}}'
+
+            - name: Smoke test — missing input fails with exit 1
+              run: |
+                  set +e
+                  docker run --rm action-pull-request-merge:ci >/tmp/out 2>&1
+                  code=$?
+                  set -e
+                  echo "=== exit: $code ==="
+                  echo "=== output: ==="
+                  cat /tmp/out
+                  echo "=== end ==="
+                  test "$code" -ne 0
+                  grep -q "Input required and not supplied: github-token" /tmp/out
+
+            - name: Smoke test — actor mismatch skips cleanly with exit 0
+              run: |
+                  set +e
+                  docker run --rm \
+                      -e "INPUT_GITHUB-TOKEN=dummy" \
+                      -e "INPUT_NUMBER=1" \
+                      -e "INPUT_ALLOWED-USERNAMES-REGEX=^nobody$" \
+                      -e "GITHUB_REPOSITORY=octo/widget" \
+                      -e "GITHUB_ACTOR=alice" \
+                      action-pull-request-merge:ci >/tmp/out 2>&1
+                  code=$?
+                  set -e
+                  echo "=== exit: $code ==="
+                  echo "=== output: ==="
+                  cat /tmp/out
+                  echo "=== end ==="
+                  test "$code" -eq 0
+                  grep -q "Ignored, the username does not match" /tmp/out

.github/workflows/lock.yml

@@ -3,6 +3,11 @@ on:
     pull_request:
         types:
             - closed
+
+permissions:
+    issues: write
+    pull-requests: write
+
 jobs:
     lock:
         runs-on: ubuntu-latest

.github/workflows/merge.yml

@@ -3,6 +3,11 @@ on:
     pull_request:
         types:
             - labeled
+
+permissions:
+    contents: write
+    pull-requests: write
+
 jobs:
     merge:
         runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -0,0 +1,39 @@
+name: Build and publish the docker image
+
+# `contents: read` to check out the code, `packages: write` so GITHUB_TOKEN
+# can push to ghcr.io/<owner>/<repo> without any extra secrets.
+permissions:
+  contents: read
+  packages: write
+
+on:
+  push:
+    tags:
+      - "latest"
+
+jobs:
+    build-and-publish-action:
+        name: Build and publish the docker image
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v6
+            # https://github.com/docker/setup-qemu-action
+            - name: Set up QEMU
+              uses: docker/setup-qemu-action@v3
+            # https://github.com/docker/setup-buildx-action
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+            - name: Login to GitHub Container Registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ghcr.io
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+            - name: Build action image
+              run: make docker-build
+              env:
+                PLATFORM: linux/amd64
+                ACTION: push
+                PROGRESS_MODE: plain
+                IMAGE_TAG: ghcr.io/${{ github.repository }}

.gitignore

@@ -1,16 +1,3 @@
 /.env
-/node_modules/**/*.md
-!/node_modules/**/LICENSE.*
-/node_modules/**/.github
-/node_modules/**/.idea
-/node_modules/**/.DS_Store
-/node_modules/**/*.png
-/node_modules/**/*.jpg
-/node_modules/**/.travis.yml
-/node_modules/**/.npm*
-/node_modules/**/*.map
-/node_modules/**/*.d.ts
-/node_modules/**/test
-/node_modules/@types
-/node_modules/@octokit/types
-/node_modules/pump/test-*
+/target
+/Cargo.lock.bak