ci.yml
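# CI for pull requests that target main. The `changes` job works out which
# parts of the repository a PR touches; the build, installer and security jobs
# each run only when their own path filter matched.
#
# NOTE(review): dorny/paths-filter@v3, dtolnay/rust-toolchain@master and
# rustsec/audit-check@v2 are third-party actions referenced by a mutable tag
# or branch, so an upstream retag or push changes what runs here without any
# change to this file. Pin each one to a full commit SHA, e.g.
#   uses: owner/repo@<FULL_COMMIT_SHA>  # v3
# and let a dependency bot propose the bumps.
name: CI

on:
  pull_request:
    branches: [main]

# Least-privilege default for GITHUB_TOKEN. Jobs that need more than a
# read-only checkout declare their own `permissions` block below.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: "1"
  # Override target-cpu=native from .cargo/config.toml (breaks CI runners)
  RUSTFLAGS: ""

jobs:
  # Detect what changed to decide which jobs to run
  changes:
    name: Detect Changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # paths-filter lists a pull request's changed files through the REST API.
      pull-requests: read
    outputs:
      rust: ${{ steps.filter.outputs.rust }}
      installer: ${{ steps.filter.outputs.installer }}
    steps:
      - uses: actions/checkout@v4
        with:
          # No step pushes, so do not leave the token in .git/config.
          persist-credentials: false
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            rust:
              - 'src/**'
              - 'Cargo.toml'
              - 'Cargo.lock'
              - 'tests/**/*.rs'
              - '.github/workflows/ci.yml'
            installer:
              - 'installer/**'
              - 'skills/**'

  # Rust build, test, lint — only when Rust code changes
  build:
    name: Build & Test
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        # MSRV 1.88 - AWS SDK requires Rust 1.88
        rust: ["1.88"]
    steps:
      - uses: actions/checkout@v4
        with:
          # Build scripts and tests from the PR run in this job; keep the
          # token out of the working tree they can read.
          persist-credentials: false
      - name: Install Rust toolchain
        # NOTE(review): @master is a moving branch; see the pinning note at
        # the top of this file.
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: ${{ matrix.rust }}
          components: clippy, rustfmt
      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-
      - name: Check formatting
        if: matrix.os == 'ubuntu-latest'
        run: cargo fmt --all -- --check
      # NOTE(review): without --locked, cargo may re-resolve dependencies when
      # Cargo.lock is stale, so the built set can differ from the lockfile the
      # security job audits. Consider `cargo build --locked` / `cargo test
      # --locked` once the lockfile is confirmed to be committed and current.
      - name: Build
        run: cargo build --verbose
      - name: Run tests
        run: cargo test --verbose
      - name: Clippy
        if: matrix.os == 'ubuntu-latest'
        # Focus on correctness lints, not style (too many legacy style warnings)
        # Allow structural lints that require significant refactoring
        run: |
          cargo clippy -- \
            -D clippy::correctness -D clippy::suspicious -D clippy::complexity \
            -A clippy::collapsible_if -A clippy::collapsible_else_if \
            -A clippy::needless_borrows_for_generic_args -A clippy::single_match \
            -A clippy::too_many_arguments -A clippy::type_complexity \
            -A clippy::only_used_in_recursion -A clippy::manual_is_multiple_of \
            -A clippy::derivable_impls -A clippy::wildcard_in_or_patterns \
            -A clippy::manual_strip -A clippy::manual_div_ceil \
            -A dead_code -A unused_assignments

  # Installer tests — only when installer or skills change
  installer:
    name: Installer Tests
    needs: changes
    if: needs.changes.outputs.installer == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # `npm ci` and the build run package scripts; keep the token out of
          # the working tree they can read.
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install dependencies
        working-directory: installer
        run: npm ci
      - name: Build
        working-directory: installer
        run: npm run build
      - name: Run tests
        working-directory: installer
        run: npm test

  # Security audit — only when Rust deps change
  # NOTE(review): the audit is gated on the `rust` path filter and the workflow
  # has no other trigger, so an advisory published against dependencies that
  # are already locked is not reported until the next PR that touches those
  # paths. A scheduled audit would close that gap.
  security:
    name: Security Audit
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    runs-on: ubuntu-latest
    # NOTE(review): on pull requests from forks GITHUB_TOKEN is normally
    # read-only regardless of this block — confirm the audit still fails the
    # PR there rather than only failing to publish its check.
    permissions:
      checks: write
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: rustsec/audit-check@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # Ignore advisories in transitive dependencies we cannot control:
          # - gix-date (RUSTSEC-2025-0140): via rustsec crate, awaiting upstream fix
          # - bincode (RUSTSEC-2025-0141): via syntect, marked "complete" by maintainer
          # - aws-lc-sys (RUSTSEC-2026-0044..0048): via aws-sdk, awaiting upstream bump to >=0.39.0
          # - rustls-webpki (RUSTSEC-2026-0049): via rustls, awaiting upstream bump to >=0.103.10
          # - Other transitive deps from rustsec, aws-sdk, kube, etc.
          # NOTE(review): ten of the IDs below have no individual rationale
          # here, and an ignore never expires. Record the crate, the reason and
          # a revisit date for each ID, and remove an entry as soon as the
          # fixed version is in Cargo.lock.
          ignore: RUSTSEC-2020-0163,RUSTSEC-2024-0320,RUSTSEC-2025-0057,RUSTSEC-2025-0074,RUSTSEC-2025-0075,RUSTSEC-2025-0080,RUSTSEC-2025-0081,RUSTSEC-2025-0098,RUSTSEC-2025-0104,RUSTSEC-2025-0134,RUSTSEC-2025-0140,RUSTSEC-2025-0141,RUSTSEC-2026-0044,RUSTSEC-2026-0045,RUSTSEC-2026-0046,RUSTSEC-2026-0047,RUSTSEC-2026-0048,RUSTSEC-2026-0049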