anthony/dredge
1
0
Fork 0
mirror of https://github.com/anthonyoteri/dredge.git synced 2026-06-05 15:26:53 -04:00
Code Issues Packages Projects Releases Wiki Activity

ci: overhaul CI/CD pipeline and add tooling configs

Browse Source 
- Add ci.yml: test matrix (ubuntu/macos/windows), lint, conventional
  commits check (cocogitto), cargo-deny, MSRV, and semver jobs
- Add release.yml: tag-triggered publish to crates.io + GitHub release
- Remove stale rust.yml and rust-clippy.yml workflows
- Add deny.toml for cargo-deny license/advisory/ban/source checks
- Add cog.toml for cocogitto conventional commits and changelog generation
- Add Justfile with test, check, fmt, commits, release, push-tag targets
- Add CHANGELOG.md seed file
- Add PULL_REQUEST_TEMPLATE.md with conventional commits checklist
- Update dependabot.yml: weekly schedule with grouped patch/minor updates
This commit is contained in:
Anthony Oteri
2026-05-13 14:16:08 -04:00
parent c5f4cc2f9e
commit 4fdc0d43ab
10 changed files with 521 additions and 192 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/PULL_REQUEST_TEMPLATE.md
+18
View File
@@ -0,0 +1,18 @@
## Summary
<!-- Briefly describe what this PR does and why. -->
## Checklist
- [ ] Commits follow the [Conventional Commits](https://www.conventionalcommits.org/) spec
- `feat:` new feature
- `fix:` bug fix
- `docs:` documentation only
- `chore:` maintenance / tooling
- `ci:` CI/CD changes
- `refactor:` code change that neither fixes a bug nor adds a feature
- `test:` adding or correcting tests
- `perf:` performance improvement
- [ ] `cargo test` passes locally
- [ ] `cargo clippy --all-targets -- -W clippy::pedantic` passes with no warnings
- [ ] `cargo fmt --check` passes
.github/dependabot.yml
+16 -2
View File
@@ -3,9 +3,23 @@ updates:
- package-ecosystem: "cargo" - package-ecosystem: "cargo"
directory: "/" directory: "/"
schedule: schedule:
interval: "daily" interval: "weekly"
groups:
patch-updates:
update-types:
- "patch"
minor-updates:
update-types:
- "minor"
- package-ecosystem: "github-actions" - package-ecosystem: "github-actions"
directory: "/" directory: "/"
schedule: schedule:
interval: "daily" interval: "weekly"
groups:
patch-updates:
update-types:
- "patch"
minor-updates:
update-types:
- "minor"
.github/workflows/ci.yml
+121
View File
@@ -0,0 +1,121 @@
name: CI
on:
push:
branches: ["master"]
pull_request:
workflow_call:
env:
CARGO_TERM_COLOR: always
RUSTFLAGS: "-D warnings"
jobs:
test:
name: Test (${{ matrix.os }})
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@v4
- name: Install stable toolchain
uses: dtolnay/rust-toolchain@stable
- name: Cache dependencies
uses: Swatinem/rust-cache@v2
- name: Build
run: cargo build --all-targets
- name: Run tests
run: cargo test
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install stable toolchain with clippy and rustfmt
uses: dtolnay/rust-toolchain@stable
with:
components: clippy, rustfmt
- name: Cache dependencies
uses: Swatinem/rust-cache@v2
- name: Check formatting
run: cargo fmt --check --all
- name: Clippy
run: cargo clippy --all-targets -- -W clippy::pedantic
commits:
name: Conventional commits
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# Full history is required for cog check to validate all commits.
fetch-depth: 0
- name: Check conventional commits
uses: cocogitto/cocogitto-action@v3
with:
check: true
# On PRs check only the commits introduced by the PR.
# On pushes to master check only commits since the previous HEAD.
from: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
deny:
name: Cargo deny
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check licenses, advisories, and bans
uses: EmbarkStudios/cargo-deny-action@v2
msrv:
name: MSRV (1.80)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust 1.80
uses: dtolnay/rust-toolchain@1.80
- name: Cache dependencies
uses: Swatinem/rust-cache@v2
- name: Check MSRV builds
run: cargo check
semver:
name: Semver compatibility
runs-on: ubuntu-latest
# Only meaningful on PRs — compares the PR branch against the published
# crate version to catch accidental breaking API changes.
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v4
- name: Install stable toolchain
uses: dtolnay/rust-toolchain@stable
- name: Cache dependencies
uses: Swatinem/rust-cache@v2
- name: Check semver compatibility
uses: obi1kenobi/cargo-semver-checks-action@v2
with:
package: dredge-tool
.github/workflows/release.yml
+117 -83
View File
@@ -3,113 +3,147 @@ name: Release
on: on:
push: push:
tags: tags:
- "v[0-9]+.[0-9]+.[0-9]+*" - "v[0-9]*.[0-9]*.[0-9]*"
env:
CARGO_TERM_COLOR: always
RUSTFLAGS: "-D warnings"
jobs: jobs:
create_release: # ---------------------------------------------------------------------------
name: Create release # Gate: all CI checks must pass before we publish anything.
# ---------------------------------------------------------------------------
ci:
name: CI checks
uses: ./.github/workflows/ci.yml
# ---------------------------------------------------------------------------
# Publish to crates.io and create a GitHub release.
# ---------------------------------------------------------------------------
publish:
name: Publish
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: ci
permissions: permissions:
contents: write contents: write
outputs:
upload_url: ${{ steps.create_release.outputs.upload_url }}
steps:
- name: Create release
id: create_release
uses: ncipollo/release-action@v1.21.0
build-docs:
name: Build documentation
needs: create_release
runs-on: ubuntu-latest
permissions:
contents: write
steps: steps:
- name: Checkout code - uses: actions/checkout@v4
uses: actions/checkout@v4
- name: Install Rust Toolchain
uses: dtolnay/rust-toolchain@stable
with: with:
toolchain: stable fetch-depth: 0
components: rust-docs
- name: Cache build dependencies - name: Install stable toolchain
uses: dtolnay/rust-toolchain@stable
- name: Cache dependencies
uses: Swatinem/rust-cache@v2 uses: Swatinem/rust-cache@v2
- name: Run cargo doc - name: Install cocogitto
run: uses: cocogitto/cocogitto-action@v3
cargo doc
--bin=dredge
--no-deps
--all-features
--document-private-items
--release
- name: Archive the Docs
run:
tar --directory target/doc -czf
dredge-${{ github.ref_name}}-docs.tar.gz
dredge
- name: Upload documentation assets
uses: shogo82148/actions-upload-release-asset@v1.10.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with: with:
upload_url: ${{ needs.create_release.outputs.upload_url }} check: false
asset_name: dredge-${{ github.ref_name }}-docs.tar.gz
asset_path: dredge-${{ github.ref_name }}-docs.tar.gz
asset_content_type: application/gzip
release_assets: - name: Generate release notes for this tag
name: Release assets id: changelog
needs: create_release run: |
runs-on: ${{ matrix.config.os }} VERSION="${GITHUB_REF_NAME#v}"
# Write release notes outside the repo so cargo publish does not
# see an untracked file and refuse to run.
cog changelog --at "$GITHUB_REF_NAME" > /tmp/release_notes.md || \
echo "No structured changelog available for $GITHUB_REF_NAME." > /tmp/release_notes.md
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Publish dredge-tool to crates.io
run: cargo publish
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
- name: Create GitHub release
run: |
gh release create "$GITHUB_REF_NAME" \
--title "$GITHUB_REF_NAME" \
--notes-file /tmp/release_notes.md
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# ---------------------------------------------------------------------------
# Build release binaries and attach them to the GitHub release.
# Runs in parallel across platforms after the release is created.
# ---------------------------------------------------------------------------
build-binaries:
name: Build binary (${{ matrix.upload_name }})
needs: publish
runs-on: ${{ matrix.os }}
permissions: permissions:
contents: write contents: write
strategy: strategy:
fail-fast: false
matrix: matrix:
config: include:
- os: ubuntu-latest - os: ubuntu-latest
platform: linux artifact: dredge
arch: x86_64 upload_name: dredge-linux-x86_64.tar.gz
ext: '' target: x86_64-unknown-linux-musl
- os: macos-latest artifact_dir: target/x86_64-unknown-linux-musl/release
platform: macos
arch: x86_64
ext: ''
- os: windows-latest
platform: win
arch: x86_64
ext: .exe
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust Toolchain - os: macos-latest
artifact: dredge
upload_name: dredge-macos-aarch64.tar.gz
target: ""
artifact_dir: target/release
- os: macos-latest
artifact: dredge
upload_name: dredge-macos-x86_64.tar.gz
target: x86_64-apple-darwin
artifact_dir: target/x86_64-apple-darwin/release
- os: windows-latest
artifact: dredge.exe
upload_name: dredge-windows-x86_64.exe
target: ""
artifact_dir: target/release
steps:
- uses: actions/checkout@v4
- name: Install stable toolchain
uses: dtolnay/rust-toolchain@stable uses: dtolnay/rust-toolchain@stable
with: with:
toolchain: stable targets: ${{ matrix.target }}
- name: Cache build dependencies - name: Install musl tools (Linux only)
if: matrix.target == 'x86_64-unknown-linux-musl'
run: sudo apt-get install -y musl-tools
- name: Cache dependencies
uses: Swatinem/rust-cache@v2 uses: Swatinem/rust-cache@v2
- name: Run cargo build - name: Build release binary
run: cargo build --release run: >
cargo build --release
${{ matrix.target != '' && format('--target {0}', matrix.target) || '' }}
- name: Create release assets - name: Strip binary (Unix only)
run: if: runner.os != 'Windows'
tar --directory target/release -czf run: strip ${{ matrix.artifact_dir }}/${{ matrix.artifact }}
dredge-${{ github.ref_name }}-${{ matrix.config.platform }}.${{ matrix.config.arch }}.tar.gz
dredge${{ matrix.config.ext }}
- name: Upload release assets - name: Ad-hoc sign binary (macOS only)
uses: shogo82148/actions-upload-release-asset@v1.10.1 if: runner.os == 'macOS'
run: codesign --sign - --force --preserve-metadata=entitlements,requirements,flags,runtime ${{ matrix.artifact_dir }}/${{ matrix.artifact }}
- name: Package binary (Unix)
if: runner.os != 'Windows'
shell: bash
run: tar -czf "${{ matrix.upload_name }}" -C "${{ matrix.artifact_dir }}" "${{ matrix.artifact }}"
- name: Copy binary (Windows)
if: runner.os == 'Windows'
shell: bash
run: cp "${{ matrix.artifact_dir }}/${{ matrix.artifact }}" "${{ matrix.upload_name }}"
- name: Upload to GitHub release
run: gh release upload "${{ github.ref_name }}" "${{ matrix.upload_name }}" --clobber
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create_release.outputs.upload_url }}
asset_name: dredge-${{ github.ref_name }}-${{ matrix.config.platform }}.${{ matrix.config.arch }}.tar.gz
asset_path: dredge-${{ github.ref_name }}-${{ matrix.config.platform }}.${{ matrix.config.arch }}.tar.gz
asset_content_type: application/gzip
.github/workflows/rust-clippy.yml
-51
View File
@@ -1,51 +0,0 @@
name: Rust Clippy Analysis
on:
push:
branches: [ "master" ]
pull_request:
branches: [ "master" ]
schedule:
- cron: "18 21 * * 6"
env:
CARGO_TERM_COLOR: always
jobs:
rust-clippy:
name: Run rust-clippy analysis
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust Toolchain
uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
components: clippy
- name: Cache build dependencies
uses: Swatinem/rust-cache@v2
- name: Install clippy-sarif
run: cargo install clippy-sarif sarif-fmt
- name: Run rust-clippy
run:
cargo clippy
--all-features
--tests
--message-format=json
| clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt
continue-on-error: true
- name: Upload analysis results ot GitHub
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: rust-clippy-results.sarif
wait-for-processing: true
.github/workflows/rust.yml
-56
View File
@@ -1,56 +0,0 @@
name: Rust
on:
push:
branches: [ "master" ]
pull_request:
branches: [ "master" ]
env:
CARGO_TERM_COLOR: always
jobs:
rust-fmt-check:
name: Run Rust-fmt check
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust Toolchain
uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
components: rustfmt
- name: Cache build dependencies
uses: Swatinem/rust-cache@v2
- name: Run rust-fmt --check
run: cargo fmt --check --all
test:
name: Run unit and integration tests
strategy:
matrix:
platform: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.platform }}
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust Toolchain
uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
components: rustfmt
- name: Cache build dependencies
uses: Swatinem/rust-cache@v2
- name: Run cargo-test
run: cargo test
CHANGELOG.md
+5
View File
@@ -0,0 +1,5 @@
# Changelog
All notable changes to this project will be documented in this file.
This changelog is generated by [cocogitto](https://github.com/oknozor/cocogitto).
Justfile
+168
View File
@@ -0,0 +1,168 @@
# Justfile for dredge
# Install just: https://just.systems
# Default: list available recipes
default:
@just --list
# Run the full test suite
test:
cargo test
# Check formatting and lints (mirrors CI)
check:
cargo fmt --check
cargo clippy --all-targets -- -W clippy::pedantic
# Auto-format the source
fmt:
cargo fmt
# Validate conventional commit history
commits:
cog check
# ---------------------------------------------------------------------------
# Release
# ---------------------------------------------------------------------------
#
# Two-step process to work with branch protection on master:
#
# Step 1 — just release
# Runs pre-flight checks, calls `cog bump --auto` on a local release
# branch, opens a PR. Review and merge the PR normally.
#
# Step 2 — just push-tag
# After the PR is merged, pulls master, tags the merge commit with the
# version from Cargo.toml, and pushes the tag.
# The tag push triggers release.yml which publishes to crates.io.
#
# Prerequisites:
# - `cocogitto` installed: cargo install cocogitto
# - `gh` CLI installed and authenticated: https://cli.github.com
# ---------------------------------------------------------------------------
# Step 1: open a release PR.
#
# Runs pre-flight checks, bumps the version on a release branch,
# generates CHANGELOG.md, and opens a pull request against master.
# After the PR is merged, run `just push-tag` to trigger the publish.
release:
#!/usr/bin/env bash
set -euo pipefail
# Guard: must be on master.
branch=$(git rev-parse --abbrev-ref HEAD)
if [[ "$branch" != "master" ]]; then
echo "error: releases must be cut from master (currently on '$branch')" >&2
exit 1
fi
# Guard: working tree must be clean.
if ! git diff --quiet || ! git diff --cached --quiet; then
echo "error: working tree has uncommitted changes; commit or stash them first" >&2
exit 1
fi
# Guard: local master must not be behind origin.
git fetch --quiet origin master
if [[ $(git rev-list --count HEAD..origin/master) -gt 0 ]]; then
echo "error: local master is behind origin/master; run 'git pull' first" >&2
exit 1
fi
# Run the full test suite before touching anything.
echo "==> Running tests..."
cargo test
# Check formatting and lints.
echo "==> Checking formatting and lints..."
cargo fmt --check
cargo clippy --all-targets -- -W clippy::pedantic
# Determine the next version without making any changes yet.
# cog bump --auto --dry-run prints e.g. "v0.1.0" to stdout.
echo "==> Determining next version..."
next_version=$(cog bump --auto --dry-run)
echo " Next version: ${next_version}"
# Create and switch to a release branch.
release_branch="release/${next_version}"
git checkout -b "${release_branch}"
# Bump version, generate CHANGELOG.md, commit, and create the local tag.
# cog bump --auto:
# - Updates the version field in Cargo.toml
# - Writes CHANGELOG.md
# - Creates a commit "chore(version): bump to vX.Y.Z"
# - Creates an annotated tag vX.Y.Z (local only until push-tag)
echo "==> Bumping version with cog..."
cog bump --auto
# Push the release branch (not the tag — that comes after PR merge).
echo "==> Pushing release branch..."
git push -u origin "${release_branch}"
# Open the pull request.
echo "==> Opening pull request..."
gh pr create \
--title "chore(release): ${next_version}" \
--body "$(cat CHANGELOG.md)" \
--base master \
--head "${release_branch}"
echo ""
echo "==> Release PR opened."
echo " Review and merge the PR, then run:"
echo ""
echo " just push-tag"
echo ""
echo " to push the tag and trigger the crates.io publish."
# Step 2: tag master HEAD and push the tag.
#
# Run this after the release PR has been merged into master.
# Pulls the latest master, reads the version from Cargo.toml, creates an
# annotated tag on the current HEAD, and pushes it to trigger release.yml.
push-tag:
#!/usr/bin/env bash
set -euo pipefail
# Must be on master.
branch=$(git rev-parse --abbrev-ref HEAD)
if [[ "$branch" != "master" ]]; then
echo "error: push-tag must be run from master (currently on '$branch')" >&2
exit 1
fi
# Pull so we are at the merge commit.
echo "==> Pulling latest master..."
git pull --ff-only origin master
# Derive the version from Cargo.toml (set by `cog bump --auto`).
version=$(grep '^version' Cargo.toml | head -1 \
| sed 's/version = "\(.*\)"/\1/')
if [[ -z "$version" ]]; then
echo "error: could not read version from Cargo.toml" >&2
exit 1
fi
tag="v${version}"
echo "==> Tagging HEAD as ${tag}..."
# Guard: tag must not already exist on origin.
if git ls-remote --tags origin "${tag}" | grep -q "refs/tags/${tag}$"; then
echo "error: tag ${tag} already exists on origin" >&2
exit 1
fi
# Delete stale local tag if present (leftover from the release branch).
git tag -d "${tag}" 2>/dev/null || true
# Create a fresh annotated tag on the current (merged) HEAD.
git tag -a "${tag}" -m "chore(release): ${tag}"
echo "==> Pushing tag ${tag}..."
git push origin "${tag}"
echo "==> Done. Monitor the release workflow at:"
echo " https://github.com/anthonyoteri/dredge/actions"
cog.toml
+32
View File
@@ -0,0 +1,32 @@
# Cocogitto configuration
# https://docs.cocogitto.io/config/
ignore_merge_commits = true
tag_prefix = "v"
# Update Cargo.toml version before committing the bump.
# The .bak suffix is needed for macOS compatibility with sed -i.
pre_bump_hooks = [
"sed -i.bak 's/^version = \"[^\"]*\"/version = \"{{version}}\"/' Cargo.toml && rm -f Cargo.toml.bak",
]
[changelog]
path = "CHANGELOG.md"
template = "remote"
remote = "github.com"
repository = "dredge"
owner = "anthonyoteri"
authors = [
{ username = "anthonyoteri", signature = "Anthony Oteri" },
]
[commit_types]
feat = { changelog_title = "Features" }
fix = { changelog_title = "Bug Fixes" }
perf = { changelog_title = "Performance" }
refactor = { changelog_title = "Refactoring" }
docs = { changelog_title = "Documentation" }
test = { changelog_title = "Tests" }
chore = { changelog_title = "Miscellaneous" }
ci = { changelog_title = "CI", omit_from_changelog = true }
style = { changelog_title = "Style", omit_from_changelog = true }
deny.toml
+44
View File
@@ -0,0 +1,44 @@
# cargo-deny configuration
# https://embarkstudios.github.io/cargo-deny/
[graph]
# Check all targets, not just the host.
all-features = true
# ---------------------------------------------------------------------------
# Licenses
# ---------------------------------------------------------------------------
[licenses]
# Minimum confidence threshold for license detection (0.0 1.0).
confidence-threshold = 0.8
# Licenses we explicitly permit across the entire dependency tree.
allow = [
"MIT",
"Apache-2.0",
"Unicode-3.0",
]
# ---------------------------------------------------------------------------
# Security advisories
# ---------------------------------------------------------------------------
[advisories]
# Deny crates with known security vulnerabilities.
version = 2
# ---------------------------------------------------------------------------
# Crate bans
# ---------------------------------------------------------------------------
[bans]
# Deny multiple versions of the same crate (can cause bloat and confusion).
multiple-versions = "warn"
# Deny wildcard dependencies.
wildcards = "deny"
# ---------------------------------------------------------------------------
# Crate sources
# ---------------------------------------------------------------------------
[sources]
# Only allow crates from crates.io.
unknown-registry = "deny"
unknown-git = "deny"