diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index e3d34f96..397f7c93 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -1,5 +1,9 @@ name: Audit +# Performs a security audit of Rust dependencies using cargo-audit through the actions-rust-lang/audit action. +# Runs nightly on schedule and when Cargo.toml, Cargo.lock, or audit.toml files are modified. +# Helps identify known security vulnerabilities in the dependency tree. + on: push: paths:
@@ -23,7 +27,8 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v5 with: persist-credentials: false - uses: actions-rust-lang/audit@v1
diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml
index a1858120..8191d498 100644
--- a/.github/workflows/code_coverage.yml
+++ b/.github/workflows/code_coverage.yml
@@ -1,7 +1,11 @@ -on: [push, pull_request] - name: Code Coverage +# Generates code coverage reports using grcov and uploads results to Coveralls. +# Runs on every push and pull request to track test coverage metrics. +# Uploads coverage data to Coveralls for tracking and produces an HTML report artifact for download. + +on: [push, pull_request] + permissions: {} jobs:
@@ -15,18 +19,17 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: persist-credentials: false - name: Install lcov tools run: sudo apt-get install lcov -y + # This action automatically reads and applies rust-toolchain.toml - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@v1 + uses: actions-rust-lang/setup-rust-toolchain@v1 with: - toolchain: stable - components: llvm-tools-preview - - name: Rust Cache - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 + components: llvm-tools-preview + cache: true - name: Install grcov run: if [[ ! -e ~/.cargo/bin/grcov ]]; then cargo install grcov; fi - name: Test 
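Review bot: The `Install Rust toolchain` step drops the commit-SHA pin on Swatinem/rust-cache and takes caching from `actions-rust-lang/setup-rust-toolchain@v1` via `cache: true`, so, as far as I know, rust-cache is now pulled in transitively under a mutable `v1` tag; the same swap is made in every job of the cont_integration.yml hunk. If that is the intended trade-off, say so above the `uses:` line, e.g. `# Tag-pinned on purpose (allowed in .github/zizmor.yml); caching comes from the rust-cache bundled by this action`, otherwise pin the action to a commit SHA with the version in a trailing comment. The `Install grcov` step only skips the build when `~/.cargo/bin/grcov` already exists, and nothing in the hunk shows that directory being restored by the new cache, so confirm the step is not compiling grcov on every run. The steps list continues past the hunk.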
@@ -34,13 +37,16 @@ jobs: - name: Make coverage directory run: mkdir coverage - name: Run grcov - run: grcov . --binary-path ./target/debug/ -s . -t lcov --branch --ignore-not-existing --keep-only '**/wallet/**' --ignore '**/tests/**' --ignore '**/examples/**' -o ./coverage/lcov.info + run: grcov . --binary-path ./target/debug/ -s . -t lcov --branch --ignore-not-existing --keep-only 'src/**' --ignore 'tests/**' --ignore 'examples/**' -o ./coverage/lcov.info - name: Generate HTML coverage report run: genhtml -o coverage-report.html --ignore-errors unmapped ./coverage/lcov.info - name: Coveralls upload - uses: coverallsapp/github-action@master + # Action pinned at tag 2.3.6 + uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b with: github-token: ${{ secrets.GITHUB_TOKEN }} + file: ./coverage/lcov.info + format: lcov - name: Upload artifact uses: actions/upload-artifact@v4 with:
diff --git a/.github/workflows/cont_integration.yml b/.github/workflows/cont_integration.yml
index d09a2a82..bc467cd4 100644
--- a/.github/workflows/cont_integration.yml
+++ b/.github/workflows/cont_integration.yml
@@ -1,5 +1,9 @@ on: [push, pull_request] +# Main continuous integration workflow that runs build, test, and code quality checks. +# Runs on every push and pull request, testing against both MSRV (1.85) and stable Rust. +# Includes no_std and WASM compatibility checks, formatting validation, and clippy linting. + name: CI permissions: {} 
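Review bot: The pin comment `# Action pinned at tag 2.3.6` sits on its own line above `uses:`; Dependabot and Renovate only pick up the version when it is a trailing comment on the `uses:` line, so `uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6` keeps the SHA pin updatable by tooling while still documenting it. The new `file: ./coverage/lcov.info` and `format: lcov` inputs match the path the grcov step writes, which is good. The narrowed `--keep-only 'src/**'` filter is resolved relative to `-s .`, so it silently reports nothing if workspace crates live under other directories; that layout is not visible in this hunk, so confirm it against the repository. The job's step list continues past the hunk.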
@@ -8,77 +12,81 @@ env: CARGO_TERM_COLOR: always jobs: - prepare: - runs-on: ubuntu-latest - outputs: - rust_version: ${{ steps.read_toolchain.outputs.rust_version }} + build-test-msrv: + name: Build & Test MSRV + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: + - ubuntu-latest + - ubuntu-24.04-arm + features: + - --no-default-features --features miniscript/no-std,bdk_chain/hashbrown + - --all-features steps: - - name: "Checkout repo" - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v5 with: persist-credentials: false - - name: "Read rust version" - id: read_toolchain - run: echo "rust_version=$(cat rust-version)" >> $GITHUB_OUTPUT + # The 'toolchain' argument on this action overrides the Rust compiler version set in rust-toolchain.toml + # in order to test our MSRV. + - name: Install Rust toolchain + uses: actions-rust-lang/setup-rust-toolchain@v1 + with: + toolchain: 1.85 # MSRV + cache: true + - name: Pin dependencies for MSRV + run: ./ci/pin-msrv.sh + - name: Build + Test + run: | + cargo build --workspace --all-targets ${{ matrix.features }} + cargo test --workspace ${{ matrix.features }} - build-test: - needs: prepare - name: Build & Test + build-test-stable: + name: Build & Test Rust Stable runs-on: ${{ matrix.os }} strategy: matrix: os: - ubuntu-latest - ubuntu-24.04-arm - rust: - - version: ${{ needs.prepare.outputs.rust_version }} - - version: 1.85.0 # MSRV features: - --no-default-features --features miniscript/no-std,bdk_chain/hashbrown - --all-features steps: - - name: checkout - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v5 with: persist-credentials: false + # This action will honor the Rust compiler version set in rust-toolchain.toml. We aim to keep it in sync with + # Rust stable. 
- name: Install Rust toolchain - uses: dtolnay/rust-toolchain@v1 + uses: actions-rust-lang/setup-rust-toolchain@v1 with: - toolchain: ${{ matrix.rust.version }} - - name: Rust Cache - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 - - name: Pin dependencies for MSRV - if: matrix.rust.version == '1.85.0' - run: ./ci/pin-msrv.sh + cache: true - name: Build + Test - env: - MATRIX_RUST_VERSION: ${{ matrix.rust.version }} run: | cargo build --workspace --all-targets ${{ matrix.features }} cargo test --workspace ${{ matrix.features }} check-no-std: - needs: prepare name: Check no_std runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: persist-credentials: false + # This action automatically reads and applies rust-toolchain.toml - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@v1 + uses: actions-rust-lang/setup-rust-toolchain@v1 with: - toolchain: ${{ needs.prepare.outputs.rust_version }} - # target: "thumbv6m-none-eabi" - - name: Rust Cache - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 + cache: true - name: Check no-std # TODO "--target thumbv6m-none-eabi" should work but currently does not run: cargo check --no-default-features --features miniscript/no-std,bdk_chain/hashbrown check-wasm: - needs: prepare name: Check WASM runs-on: ubuntu-latest env: 
@@ -86,55 +94,55 @@ jobs: CFLAGS: -I/usr/include steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: persist-credentials: false # Install a recent version of clang that supports wasm32 - run: wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - || exit 1 - run: sudo apt-get update || exit 1 - run: sudo apt-get install -y libclang-common-14-dev clang-14 libc6-dev-i386 || exit 1 + # This action automatically reads and applies rust-toolchain.toml - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@v1 + uses: actions-rust-lang/setup-rust-toolchain@v1 with: - toolchain: ${{ needs.prepare.outputs.rust_version }} - targets: "wasm32-unknown-unknown" - - name: Rust Cache - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 + cache: true + target: wasm32-unknown-unknown - name: Check WASM - run: cargo check --target wasm32-unknown-unknown --no-default-features --features miniscript/no-std,bdk_chain/hashbrown + run: | + rustup target add wasm32-unknown-unknown + cargo check --target wasm32-unknown-unknown --no-default-features --features miniscript/no-std,bdk_chain/hashbrown fmt: name: Rust fmt runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: persist-credentials: false + # This action automatically reads and applies rust-toolchain.toml - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@v1 + uses: actions-rust-lang/setup-rust-toolchain@v1 with: - toolchain: nightly - components: rustfmt + cache: true - name: Check fmt run: cargo fmt --all --check clippy_check: - needs: prepare name: Rust clippy runs-on: ubuntu-latest permissions: checks: write steps: - - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v5 with: persist-credentials: false - - uses: dtolnay/rust-toolchain@v1 + # This action automatically reads and applies rust-toolchain.toml + - name: Install Rust toolchain + uses: 
actions-rust-lang/setup-rust-toolchain@v1 with: - toolchain: ${{ needs.prepare.outputs.rust_version }} - components: clippy - - name: Rust Cache - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 + cache: true - name: Clippy run: cargo clippy --all-features --all-targets -- -D warnings
diff --git a/.github/workflows/cron-update-rust.yml b/.github/workflows/cron-update-rust.yml
deleted file mode 100644
index 1264203d..00000000
--- a/.github/workflows/cron-update-rust.yml
+++ /dev/null 
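Review bot: `toolchain: 1.85 # MSRV` in the build-test-msrv job is an unquoted YAML float; it happens to round-trip as "1.85", but a trailing zero (1.80, 1.90) would be lost, and the value it replaces was the full `1.85.0` that ./ci/pin-msrv.sh presumably expects, so write `toolchain: "1.85.0" # MSRV`. In check-wasm the new `rustup target add wasm32-unknown-unknown` line in the run block appears to duplicate the `target: wasm32-unknown-unknown` input given to the toolchain step; keep one of them so the two cannot drift. The fmt job moves from an explicit nightly toolchain to the channel pinned in rust-toolchain.toml, so any nightly-only options in the repository's rustfmt configuration would now fail `cargo fmt --all --check`; worth confirming before merge. The hunk cuts through the jobs map, which starts above it.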
@@ -1,57 +0,0 @@ -name: Update rust version - -permissions: {} - -on: - schedule: - - cron: "0 0 15 * *" # At 00:00 on day-of-month 15. - workflow_dispatch: # allows manual triggering -jobs: - format: - name: Update rustc - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - persist-credentials: false - - uses: dtolnay/rust-toolchain@stable - - uses: tibdex/github-app-token@v2 - id: generate-token - with: - app_id: ${{ secrets.APP_ID }} - private_key: ${{ secrets.APP_PRIVATE_KEY }} - - uses: crazy-max/ghaction-import-gpg@v6 - with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - git_user_signingkey: true - git_commit_gpgsign: true - - name: Update rust-version to use latest stable - run: | - set -x - # Extract the version from whatever version of the compiler dtolnay/rust-toolchain gives us. - RUST_VERSION=$(rustc --verbose --version | sed -ne 's/^release: //p') - # Update the version in the reference file. - echo "${RUST_VERSION}" > rust-version - echo "rust_version=${RUST_VERSION}" >> $GITHUB_ENV - # In case of no new version don't make an empty PR. - if ! git diff --exit-code > /dev/null; then - echo "Updated rustc. Opening PR." - echo "changes_made=true" >> $GITHUB_ENV - else - echo "Attempted to update rustc but the latest stable date did not change. Not opening any PR." - echo "changes_made=false" >> $GITHUB_ENV - fi - - name: Create Pull Request - if: env.changes_made == 'true' - uses: peter-evans/create-pull-request@v7 - with: - token: ${{ steps.generate-token.outputs.token }} - author: Github Action - committer: Github Action - branch: create-pull-request/update-rust-version - title: | - ci: automated update to rustc ${{ env.rust_version }} - commit-message: | - ci: automated update to rustc ${{ env.rust_version }} - body: | - Automated update to Github CI workflow `cont_integration.yml` by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action 
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 0c2aa080..306b4b38 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,5 +1,10 @@ name: Zizmor Actions Analysis +# Analyzes GitHub Actions workflows for security vulnerabilities using zizmor. +# Runs on pushes to master and all pull requests to detect potential security issues +# in workflow configurations. Results are uploaded to GitHub's security dashboard. +# The .github/zizmor.yml file configures the rules this action will check against. + on: push: branches: ["master"]
@@ -12,8 +17,8 @@ jobs: permissions: security-events: write steps: - - name: Checkout repository - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v5 with: persist-credentials: false
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 640c8719..667e912a 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -4,4 +4,5 @@ rules: config: policies: # Allow pin by ref/tag - dtolnay/rust-toolchain: ref-pin + actions-rust-lang/setup-rust-toolchain: ref-pin + actions/*: ref-pin
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
new file mode 100644
index 00000000..f35f369c
--- /dev/null
+++ b/rust-toolchain.toml
@@ -0,0 +1,3 @@
+[toolchain]
+channel = "1.90.0"
+components = ["clippy", "rustfmt"]
diff --git a/rust-version b/rust-version
deleted file mode 100644
index 636ea711..00000000
--- a/rust-version
+++ /dev/null
@@ -1 +0,0 @@
-1.89.0
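Review bot: The new `actions/*: ref-pin` wildcard exempts every GitHub-owned action from zizmor's SHA-pinning check, a much wider allowance than the single-action entry it replaces, and the existing `# Allow pin by ref/tag` comment no longer explains why; add a line stating the intent, e.g. `# GitHub-owned actions may be tag-pinned; third-party actions must be pinned to a commit SHA`. `actions-rust-lang/audit@v1` in audit.yml is tag-pinned but matches neither new policy entry, so zizmor's unpinned-uses check would presumably still report it unless it is allowed somewhere not shown here; either add it to this list deliberately or pin it to a SHA. The `rules:` block starts above the hunk.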
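Review bot: `channel = "1.90.0"` is now the value that cont_integration.yml says it aims to keep in sync with Rust stable, but the cron-update-rust.yml workflow that used to bump the old rust-version file is deleted in this same change, so nothing updates this pin any more. Record that in the file so the two do not drift unnoticed, e.g. `# Stable toolchain used by CI; bump by hand on each Rust release. The MSRV (1.85) is set separately in .github/workflows/cont_integration.yml.` placed above `[toolchain]`.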