Add workflow stuff

Author: bleggett

.github/dependabot.yaml

@@ -0,0 +1,30 @@
+version: 2
+updates:
+
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "daily"
+  cooldown:
+    default-days: 7
+  groups:
+    actions-updates:
+      dependency-type: "production"
+      applies-to: "version-updates"
+    actions-dev-updates:
+      dependency-type: "development"
+      applies-to: "version-updates"
+
+- package-ecosystem: "cargo"
+  directory: "/"
+  schedule:
+    interval: "daily"
+  cooldown:
+    default-days: 7
+  groups:
+    cargo-updates:
+      dependency-type: "production"
+      applies-to: "version-updates"
+    cargo-dev-updates:
+      dependency-type: "development"
+      applies-to: "version-updates"

.github/workflows/ci-actions.yaml

@@ -0,0 +1,43 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions:
+  contents: read # Default token to read
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Needed to write security events to github
+      contents: read         # Needed to read clone repo
+      actions: read          # Needed to read actions
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
+
+      - name: Run zizmor
+        run: uvx zizmor --pedantic --format sarif . > results.sarif 
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+        with:
+          sarif_file: results.sarif
+          category: zizmor

.github/workflows/ci-code.yaml

@@ -0,0 +1,81 @@
+name: Lint and Test Code
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - src/**
+      - Cargo.*
+      - rust-toolchain.toml
+      - .github/workflows/ci-code.yaml
+
+permissions:
+  contents: read # Default token to read
+
+jobs:
+  rustfmt:
+    name: rustfmt
+    runs-on: ubuntu-latest
+    steps:
+      - name: harden runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          submodules: recursive
+          persist-credentials: false
+
+      - name: 'cargo fmt'
+        run: cargo fmt --all -- --check
+
+  full-build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+        - x86_64
+    env:
+      TARGET_ARCH: "${{ matrix.arch }}"
+    name: 'Full build linux-${{ matrix.arch }}'
+    steps:
+      - name: harden runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          submodules: recursive
+          persist-credentials: false
+
+      - name: cargo build
+        run: cargo build
+
+  clippy:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch:
+        - x86_64
+    env:
+      TARGET_ARCH: "${{ matrix.arch }}"
+    name: 'Full clippy linux-${{ matrix.arch }}'
+    steps:
+      - name: harden runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          submodules: recursive
+          persist-credentials: false
+      - name: 'cargo clippy'
+        run: cargo clippy

.github/workflows/release.yaml

@@ -0,0 +1,90 @@
+name: Release libscap-bindings
+
+on:
+  # This workflow runs on every push to main to either open
+  # a PR or publish the release.
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read # Default token to read
+
+jobs:
+  release-plz-release:
+    if: ${{ github.repository_owner == 'edera-dev' }}
+    name: Release-plz release
+    runs-on: ubuntu-latest
+    environment: release  # Environment for trusted publishing
+    permissions:
+      contents: write # Needed to write release artifacts
+      id-token: write # Needed for trusted publishing
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 # zizmor: ignore[stale-action-refs] -- pinned to stable branch
+
+      - name: generate cultivator token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: generate-token
+        with:
+          app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
+          private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"
+
+      - name: Run release-plz
+        uses: release-plz/action@d529f731ae3e89610ada96eda34e5c6ba3b12214 # v0.5
+        with:
+          command: release
+        env:
+          GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
+
+  release-plz-pr:
+    if: ${{ github.repository_owner == 'edera-dev' }}
+    name: Release-plz PR
+    runs-on: ubuntu-latest
+    environment: release  # Environment for trusted publishing
+    permissions:
+      contents: write      # Needed to write release artifacts
+      id-token: write      # Needed for trusted publishing
+      pull-requests: write # Needed to create pull requests
+    concurrency:
+      group: release-plz-${{ github.ref }}
+      cancel-in-progress: false
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 # zizmor: ignore[stale-action-refs] -- pinned to stable branch
+
+      - name: generate cultivator token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: generate-token
+        with:
+          app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
+          private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"
+
+      - name: Run release-plz
+        uses: release-plz/action@d529f731ae3e89610ada96eda34e5c6ba3b12214 # v0.5
+        with:
+          command: release-pr
+        env:
+          GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"

.gitignore

@@ -0,0 +1,2 @@
+/target
+/local

.release-plz.toml

@@ -0,0 +1,14 @@
+[workspace]
+pr_branch_prefix = "release/"
+pr_labels = ["release"]
+release_always = true
+git_release_enable = false
+git_tag_enable = false
+changelog_update = false
+
+[[package]]
+name = "libscap-bindings"
+git_release_name = "v{{ version }}"
+git_tag_name = "v{{ version }}"
+git_tag_enable = true
+git_release_enable = true

rust-toolchain.toml

@@ -0,0 +1,3 @@
+[toolchain]
+channel = "1.89.0"
+components = ["rustfmt", "rust-std", "clippy"]