ci(deps): bump obi1kenobi/cargo-semver-checks-action from 2.8 to 2.9 … #6901
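name: CI

# Workflow-wide default for the GITHUB_TOKEN: read-only. A job that needs more
# declares its own permissions block (style_and_docs does, for the SARIF
# upload), so the write scope is not handed to every build, test and fuzz job.
permissions:
  contents: read

# One concurrency group per master commit, per pull-request head branch, or
# per ref otherwise. Runs already in progress are never cancelled.
concurrency:
  group: ci-${{ (github.ref == 'refs/heads/master' && github.sha) || (github.event_name == 'pull_request' && github.head_ref) || github.ref }}
  cancel-in-progress: false

on:
  pull_request:
    branches:
      - "master"
  push:
    branches:
      - "master"
  workflow_dispatch:
  merge_group:
    types: [checks_requested]

env:
  # Every rustc warning is an error in all jobs.
  RUSTFLAGS: -Dwarnings
  MACOSX_DEPLOYMENT_TARGET: "14.5"

jobs:
  # Dependency review of the change set; only meaningful (and only run) for
  # pull requests and merge-queue checks.
  dependency_review:
    name: 'Dependency Review'
    if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      # The only job in this workflow with egress-policy: block; outbound
      # traffic is limited to the endpoints listed below.
      - name: Harden Runner
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            index.crates.io:443
            static.crates.io:443
            static.rust-lang.org:443
            api.deps.dev:443
      - name: 'Checkout Repository'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the token in the checked-out repository's git config.
          persist-credentials: false
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0

  # Build and test matrix: OS x toolchain x workspace manifest x feature set.
  # Gated on the cheaper lint, semver, miri and dependency-review jobs.
  build_and_test:
    needs:
      - cargo_fmt
      - style_and_docs
      - miri
      - check_minimal_versions
      - cargo_semver
      - dependency_review
    strategy:
      matrix:
        os: [ubuntu-latest, macOS-latest, windows-latest]
        rustalias: [stable, nightly, msrv]
        workspace: ["Cargo.toml", "fuzz/Cargo.toml"]
        feature_flag:
          - "--all-features"
          - "--no-default-features"
          - "--no-default-features --features zip/deflate-flate2-zlib-rs"
          - "--no-default-features --features zip/deflate-zopfli"
          - ""
        # Map each alias to the toolchain name handed to rustup.
        include:
          - rustalias: stable
            rust: stable
          - rustalias: msrv
            rust: "1.88.0"
          - rustalias: nightly
            rust: nightly
        # The fuzz workspace is not built on the MSRV toolchain.
        exclude:
          - rustalias: msrv
            workspace: "fuzz/Cargo.toml"
    name: "Build and test ${{ matrix.feature_flag }} ${{ matrix.workspace }}: ${{ matrix.os }}, ${{ matrix.rustalias }}"
    runs-on: ${{ matrix.os }}
    steps:
      # egress-policy: audit (here and in every job below) is audit mode, as
      # the step name says; it is not the allow-list used in dependency_review.
      # NOTE(review): consider egress-policy: block with an explicit endpoint
      # list for these jobs once the audit results are known.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # The matrix values interpolated into run: lines come from this file's
      # own matrix definition, not from event data.
      - run: rustup toolchain add ${{ matrix.rust }} && rustup default ${{ matrix.rust }}
      - name: Check that the benches can be built
        run: cargo build --benches
      - run: cargo check --manifest-path ${{ github.workspace }}/${{ matrix.workspace }} --all ${{ matrix.feature_flag }} --bins --examples
      - run: cargo test --manifest-path ${{ github.workspace }}/${{ matrix.workspace }} --all ${{ matrix.feature_flag }}

  # wasm32 tests through wasm-pack, in headless Chrome, headless Firefox and
  # Node.
  wasm:
    needs: build_and_test
    strategy:
      matrix:
        browser_flags: ["--headless --chrome", "--headless --firefox", "--node"]
        rustalias: [stable, nightly]
        manifest: ["Cargo.toml"]
        feature_flag:
          - ""  # default features
          - "--no-default-features"
          - "--features chrono,jiff-02,nt-time,legacy-zip"
        include:
          - rustalias: stable
            rust: stable
          - rustalias: nightly
            rust: nightly
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Conditionally set env
        if: matrix.browser_flags != '--node'  # if browser testing
        run: echo "WASM_BINDGEN_USE_BROWSER=1" >> "$GITHUB_ENV"
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: target
          key: ${{ runner.os }}-rust-${{ hashFiles('Cargo.toml') }}
      - run: rustup toolchain add ${{ matrix.rust }} && rustup default ${{ matrix.rust }}
      - run: rustup target add wasm32-unknown-unknown
      # NOTE(review): --locked fixes the dependency set, but the wasm-pack
      # version itself is whatever is newest at run time; consider --version.
      - run: cargo install wasm-pack --locked
      - run: wasm-pack test ${{ matrix.browser_flags }} --manifest-path ${{ github.workspace }}/${{ matrix.manifest }} ${{ matrix.feature_flag }}

  # Miri run against a big-endian aarch64 target, without default features.
  endianness_miri:
    name: "Test endianness platform"
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: target
          key: ${{ runner.os }}-rust-${{ hashFiles('Cargo.toml') }}
      - run: sudo apt update
      - run: rustup toolchain add nightly-x86_64-unknown-linux-gnu
      - run: rustup component add --toolchain nightly-x86_64-unknown-linux-gnu miri
      - run: cargo +nightly miri test --target aarch64_be-unknown-linux-gnu --all --no-default-features

  # Miri run against s390x for both workspaces and each feature set.
  miri:
    strategy:
      matrix:
        workspace: ["Cargo.toml", "fuzz/Cargo.toml"]
        feature_flag:
          - "--all-features"
          - "--no-default-features"
          - ""
          - "--no-default-features --features zip/deflate-flate2-zlib-rs"
          - "--no-default-features --features zip/deflate-zopfli"
    name: "Miri ${{ matrix.feature_flag }} ${{ matrix.workspace }}"
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: target
          key: ${{ runner.os }}-rust-${{ hashFiles('Cargo.toml') }}
      - run: sudo apt update
      - run: sudo apt install crossbuild-essential-s390x
      - run: rustup toolchain add nightly-x86_64-unknown-linux-gnu
      - run: rustup toolchain add --force-non-host stable-s390x-unknown-linux-gnu
      - run: rustup target add s390x-unknown-linux-gnu --toolchain stable-s390x-unknown-linux-gnu
      - run: rustup component add --toolchain nightly-x86_64-unknown-linux-gnu miri
      - run: cargo +nightly miri test --manifest-path ${{ github.workspace }}/${{ matrix.workspace }} --target s390x-unknown-linux-gnu --all ${{ matrix.feature_flag }} --bins --examples

  # API compatibility check, once per feature group.
  cargo_semver:
    strategy:
      matrix:
        # Only do semver checks on the released library.
        workspace: ["Cargo.toml"]
        feature_group:
          ["all-features", "default-features", "only-explicit-features"]
    name: "Semver checks: ${{ matrix.feature_group }}"
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: obi1kenobi/cargo-semver-checks-action@6b69fcf40e9b5fb17adeb57e4b6ecd020649a239 # v2.9
        with:
          manifest-path: ${{ github.workspace }}/${{ matrix.workspace }}
          feature-group: ${{ matrix.feature_group }}

  # Formatting check for the main and the fuzz workspace, on nightly rustfmt.
  cargo_fmt:
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: target
          key: ${{ runner.os }}-rust-${{ hashFiles('Cargo.toml') }}
      - run: rustup toolchain add nightly && rustup default nightly && rustup component add rustfmt
      - name: fmt
        run: cargo fmt --all -- --check
      - name: fmt fuzz
        run: cargo fmt --all --manifest-path ${{ github.workspace }}/fuzz/Cargo.toml -- --check

  # Check and test against the lowest dependency versions the manifest allows.
  check_minimal_versions:
    strategy:
      matrix:
        # Only check minimal versions for the released library.
        workspace: ["Cargo.toml"]
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: rustup toolchain add nightly && rustup default nightly
      - name: resolve minimal versions
        run: cargo -Z minimal-versions update --manifest-path ${{ github.workspace }}/${{ matrix.workspace }}
      - name: check
        run: cargo check --all-features --manifest-path ${{ github.workspace }}/${{ matrix.workspace }}
      - name: test
        run: cargo test --all-features --manifest-path ${{ github.workspace }}/${{ matrix.workspace }}

  # Clippy (results uploaded as SARIF) and rustdoc for both workspaces.
  style_and_docs:
    # Job-level permissions replace the workflow default, so contents: read is
    # repeated here; security-events: write is for the SARIF upload step.
    permissions:
      contents: read
      security-events: write
    strategy:
      matrix:
        workspace: ["Cargo.toml", "fuzz/Cargo.toml"]
        feature_flag: ["--all-features", "--no-default-features", ""]
    name: "Style and docs ${{ matrix.feature_flag }} ${{ matrix.workspace }}"
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: rustup toolchain add nightly && rustup default nightly && rustup component add clippy
      # NOTE(review): neither tool is version-pinned or installed with
      # --locked, so the code that runs in this job (the one holding
      # security-events: write) can change between runs.
      - name: Install required cargo
        run: cargo install clippy-sarif sarif-fmt
      - name: Run clippy - inside bash for pipefail
        shell: bash
        # -D warnings turns clippy warnings into errors; with pipefail a
        # failing clippy fails the step even though it is first in the pipe.
        run: cargo clippy --workspace ${{ matrix.feature_flag }} --manifest-path ${{ github.workspace }}/${{ matrix.workspace }} --message-format=json -- -D warnings | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
      # Runs even when clippy failed, so the findings are still uploaded.
      - name: Upload analysis results to GitHub
        if: always()
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: rust-clippy-results.sarif
          wait-for-processing: true
      - run: cargo doc --no-deps --workspace ${{ matrix.feature_flag }} --manifest-path ${{ github.workspace }}/${{ matrix.workspace }}

  # AFL fuzzing of the read path with all features enabled.
  fuzz_read:
    runs-on: ubuntu-latest
    needs:
      - build_and_test
      - wasm
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: rustup toolchain add nightly && rustup default nightly && rustup component add clippy
      # NOTE(review): the cargo-afl version is pinned but its dependencies are
      # not; consider adding --locked.
      - run: cargo install cargo-afl --version 0.15.19
      - name: cargo afl system-config
        run: cargo afl system-config
      - name: clippy
        run: cargo afl clippy --all-features -p fuzz_read --manifest-path ${{ github.workspace }}/fuzz/Cargo.toml -- -D warnings
      - name: compile fuzz
        run: cargo afl build --all-features -p fuzz_read --manifest-path ${{ github.workspace }}/fuzz/Cargo.toml
      # -V 7200 ends the run after 7200 seconds; the 130-minute step timeout
      # is the backstop if the fuzzer does not exit by itself.
      - name: run fuzz
        timeout-minutes: 130
        run: cargo afl fuzz -i ${{ github.workspace }}/fuzz/read/in -o out -V 7200 -- ${{ github.workspace }}/fuzz/target/debug/fuzz_read
      - name: Minimize corpus
        run: cargo afl cmin -i out/default/queue -o out_cmin -- ${{ github.workspace }}/fuzz/target/debug/fuzz_read
      - name: Report coverage
        run: cargo afl showmap -C -i out -o map -- ${{ github.workspace }}/fuzz/target/debug/fuzz_read
      - run: sudo apt install rename
        if: always()
      # Replace ':' with '-' in output file names before the uploads below
      # (presumably because ':' is not accepted in artifact file names).
      - name: Rename files
        if: always()
        run: |
          find out -type f -name '*:*' -exec rename 's/:/-/g' {} \+
          find out_cmin -type f -name '*:*' -exec rename 's/:/-/g' {} \+
          find map -type f -name '*:*' -exec rename 's/:/-/g' {} \+
      - name: Upload updated corpus
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: fuzz_read_corpus
          path: out_cmin/*
      # Crashing inputs are kept even when an earlier step failed.
      - name: Upload any failure inputs
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: fuzz_read_bad_inputs
          path: out/default/crashes/*
          if-no-files-found: ignore
      - name: Upload coverage report
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: fuzz_read_coverage
          path: map

  # AFL fuzzing of the read path built without default features.
  fuzz_read_with_no_features:
    runs-on: ubuntu-latest
    needs:
      - build_and_test
      - wasm
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: rustup toolchain add nightly && rustup default nightly && rustup component add clippy
      # NOTE(review): the cargo-afl version is pinned but its dependencies are
      # not; consider adding --locked.
      - run: cargo install cargo-afl --version 0.15.19
      - name: cargo afl system-config
        run: cargo afl system-config
      - name: clippy
        run: cargo afl clippy --no-default-features -p fuzz_read --manifest-path ${{ github.workspace }}/fuzz/Cargo.toml -- -D warnings
      # Built with the same feature set the clippy step lints; without the
      # flag this job would fuzz a default-features binary.
      - name: compile fuzz
        run: cargo afl build --no-default-features -p fuzz_read --manifest-path ${{ github.workspace }}/fuzz/Cargo.toml
      - name: run fuzz
        timeout-minutes: 130
        run: cargo afl fuzz -i ${{ github.workspace }}/fuzz/read/in -o out -V 7200 -- ${{ github.workspace }}/fuzz/target/debug/fuzz_read
      - name: Report coverage
        run: cargo afl showmap -C -i out -o map -- ${{ github.workspace }}/fuzz/target/debug/fuzz_read
      - run: sudo apt install rename
        if: always()
      - name: Rename files
        if: always()
        run: |
          find out -type f -name '*:*' -exec rename 's/:/-/g' {} \+
          find map -type f -name '*:*' -exec rename 's/:/-/g' {} \+
      - name: Upload any failure inputs
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: fuzz_read_bad_inputs_no_features
          path: out/default/crashes/*
          if-no-files-found: ignore
      - name: Upload coverage report
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: fuzz_read_coverage_no_features
          path: map

  # AFL fuzzing of the write path with all features enabled, using the
  # dictionary in fuzz/write/fuzz.dict.
  fuzz_write:
    runs-on: ubuntu-latest
    needs:
      - build_and_test
      - wasm
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: rustup toolchain add nightly && rustup default nightly && rustup component add clippy
      # NOTE(review): the cargo-afl version is pinned but its dependencies are
      # not; consider adding --locked.
      - run: cargo install cargo-afl --version 0.15.19
      - name: cargo afl system-config
        run: cargo afl system-config
      - name: clippy
        run: cargo afl clippy --all-features -p fuzz_write --manifest-path ${{ github.workspace }}/fuzz/Cargo.toml -- -D warnings
      - name: compile fuzz
        run: cargo afl build --all-features -p fuzz_write --manifest-path ${{ github.workspace }}/fuzz/Cargo.toml
      - name: run fuzz
        timeout-minutes: 130
        run: cargo afl fuzz -i ${{ github.workspace }}/fuzz/write/in -o out -V 7200 -x ${{ github.workspace }}/fuzz/write/fuzz.dict -- ${{ github.workspace }}/fuzz/target/debug/fuzz_write
      - name: Minimize corpus
        run: cargo afl cmin -i out/default/queue -o out_cmin -- ${{ github.workspace }}/fuzz/target/debug/fuzz_write
      - name: Report coverage
        run: cargo afl showmap -C -i out -o map -- ${{ github.workspace }}/fuzz/target/debug/fuzz_write
      - run: sudo apt install rename
        if: always()
      - name: Rename files
        if: always()
        run: |
          find out -type f -name '*:*' -exec rename 's/:/-/g' {} \+
          find out_cmin -type f -name '*:*' -exec rename 's/:/-/g' {} \+
          find map -type f -name '*:*' -exec rename 's/:/-/g' {} \+
      - name: Upload updated corpus
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: fuzz_write_corpus
          path: out_cmin/*
      - name: Upload any failure inputs
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: fuzz_write_bad_inputs
          path: out/default/crashes/*
          if-no-files-found: ignore
      - name: Upload coverage report
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: fuzz_write_coverage
          path: map

  # AFL fuzzing of the write path built without default features.
  fuzz_write_with_no_features:
    runs-on: ubuntu-latest
    needs:
      - build_and_test
      - wasm
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - run: rustup toolchain add nightly && rustup default nightly && rustup component add clippy
      # NOTE(review): the cargo-afl version is pinned but its dependencies are
      # not; consider adding --locked.
      - run: cargo install cargo-afl --version 0.15.19
      - name: cargo afl system-config
        run: cargo afl system-config
      - name: clippy
        run: cargo afl clippy --no-default-features -p fuzz_write --manifest-path ${{ github.workspace }}/fuzz/Cargo.toml -- -D warnings
      # Was --all-features, which made this job fuzz the same build as
      # fuzz_write; it now matches the feature set the clippy step lints.
      - name: compile fuzz
        run: cargo afl build --no-default-features -p fuzz_write --manifest-path ${{ github.workspace }}/fuzz/Cargo.toml
      - name: run fuzz
        timeout-minutes: 130
        run: cargo afl fuzz -i ${{ github.workspace }}/fuzz/write/in -o out -V 7200 -x ${{ github.workspace }}/fuzz/write/fuzz.dict -- ${{ github.workspace }}/fuzz/target/debug/fuzz_write
      - name: Report coverage
        run: cargo afl showmap -C -i out -o map -- ${{ github.workspace }}/fuzz/target/debug/fuzz_write
      - run: sudo apt install rename
        if: always()
      - name: Rename files
        if: always()
        run: |
          find out -type f -name '*:*' -exec rename 's/:/-/g' {} \+
          find map -type f -name '*:*' -exec rename 's/:/-/g' {} \+
      - name: Upload any failure inputs
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: fuzz_write_bad_inputs_no_features
          path: out/default/crashes/*
          if-no-files-found: ignore
      - name: Upload coverage report
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: fuzz_write_coverage_no_features
          path: map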