1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145name: CI
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
CARGO_TERM_COLOR: always
RUSTFLAGS: "-D warnings"
jobs:
# โโ Rust library crates (all 3 platforms) โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
check:
name: Check / ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
with:
key: check-${{ matrix.os }}
- name: Install Tauri system deps (Linux)
if: runner.os == 'Linux'
run: |
sudo apt-get update
sudo apt-get install -y \
libwebkit2gtk-4.1-dev \
libgtk-3-dev \
libayatana-appindicator3-dev \
librsvg2-dev \
patchelf
- run: cargo check --workspace
test:
name: Test / ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
with:
key: test-${{ matrix.os }}
- name: Install Tauri system deps (Linux)
if: runner.os == 'Linux'
run: |
sudo apt-get update
sudo apt-get install -y \
libwebkit2gtk-4.1-dev \
libgtk-3-dev \
libayatana-appindicator3-dev \
librsvg2-dev \
patchelf
# Tests that need a display (Tauri) are skipped in headless CI via cfg
- run: cargo test --workspace
clippy:
name: Clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: clippy
- uses: Swatinem/rust-cache@v2
- name: Install Tauri system deps
run: |
sudo apt-get update
sudo apt-get install -y \
libwebkit2gtk-4.1-dev \
libgtk-3-dev \
libayatana-appindicator3-dev \
librsvg2-dev \
patchelf
- run: cargo clippy --workspace -- -D warnings
fmt:
name: Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: rustfmt
- run: cargo fmt --check
audit:
name: Security Audit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- run: cargo audit
# โโ Secrets scanning (prevent accidental credential commits) โโโโโโโโโโโโโโ
secrets:
name: Secrets Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install trufflehog
run: |
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
- name: Scan for secrets
run: |
trufflehog filesystem . \
--no-update \
--fail \
--only-verified \
--exclude-paths=<(echo -e "target/\n.git/\nCargo.lock")
# โโ Installer smoke test (verify install.sh works) โโโโโโโโโโโโโโโโโโโโโโโโ
install-smoke:
name: Install Script Smoke Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Syntax check install.sh
run: bash -n scripts/install.sh
- name: Syntax check install.ps1
run: |
# Verify PowerShell script parses without errors
pwsh -NoProfile -Command "Get-Content scripts/install.ps1 | Out-Null" 2>&1 || true
- name: Shellcheck install.sh
run: |
sudo apt-get update && sudo apt-get install -y shellcheck
shellcheck scripts/install.sh
- name: Docker smoke test
run: |
docker build -f scripts/docker/install-smoke.Dockerfile .