From 8d16cde45c5cb281b46aa64864aae8be6324385f Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Tue, 1 Nov 2022 18:42:04 -0700
Subject: ref: update the template for rust projects

Update the workflow to use `nix develop` commands instead of multiple steps (see https://determinate.systems/posts/nix-github-actions).

Add a configuration for `cargo deny` to manage the dependencies I take on.
---
 templates/rust/.github/workflows/build.yml | 86 +++++++++-------------------
 templates/rust/deny.toml | 46 +++++++++++++++
 templates/rust/flake.nix | 89 ++++++++++++++++++++----------
 3 files changed, 131 insertions(+), 90 deletions(-)
 create mode 100644 templates/rust/deny.toml

diff --git a/templates/rust/.github/workflows/build.yml b/templates/rust/.github/workflows/build.yml
index f449190..202cfec 100644
--- a/templates/rust/.github/workflows/build.yml
+++ b/templates/rust/.github/workflows/build.yml
@@ -1,4 +1,4 @@
-name: gh-ssh-keys CI
+name: XXX CI
 on:
 push:
@@ -8,66 +8,30 @@ jobs:
 name: Check
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- profile: minimal
- toolchain: stable
- override: true
- - uses: actions-rs/cargo@v1
- with:
- command: check
- - uses: actions-rs/cargo@v1
- with:
- command: check
- args: --no-default-features
+ - name: git checkout
+ uses: actions/checkout@v3
+ - name: install nix
+ uses: cachix/install-nix-action@v17
+ # This is a workaround for https://github.com/oxalica/rust-overlay/issues/54,
+ # avoiding link errors when running cargo commands with `nix develop`.
+ - name: Remove existing binaries from ~/.cargo/bin
+ run: rm --recursive --force --verbose ~/.cargo/bin
+ - name: check rust formatting
+ run: nix develop --command cargo fmt --check
+ - name: audit rust code
+ run: nix develop --command cargo-deny check
+ - name: clippy
+ run: nix develop --command cargo clippy -- -D warnings
- test:
- name: Test
+ test_and_build:
+ name: Test and build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- profile: minimal
- toolchain: stable
- override: true
- - uses: actions-rs/cargo@v1
- with:
- command: test
- - uses: actions-rs/cargo@v1
- with:
- command: test
- args: --no-default-features
-
- fmt:
- name: Rustfmt
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- profile: minimal
- toolchain: stable
- override: true
- - run: rustup component add rustfmt
- - uses: actions-rs/cargo@v1
- with:
- command: fmt
- args: --all -- --check
-
- clippy:
- name: Clippy
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: actions-rs/toolchain@v1
- with:
- profile: minimal
- toolchain: stable
- override: true
- - run: rustup component add clippy
- - uses: actions-rs/cargo@v1
- with:
- command: clippy
- args: -- -D warnings
+ - name: git checkout
+ uses: actions/checkout@v3
+ - name: install nix
+ uses: cachix/install-nix-action@v17
+ - name: test
+ run: nix develop --command cargo test
+ - name: build
+ run: nix build .
diff --git a/templates/rust/deny.toml b/templates/rust/deny.toml
new file mode 100644
index 0000000..fd95cdb
--- /dev/null
+++ b/templates/rust/deny.toml
@@ -0,0 +1,46 @@
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+ignore = []
+
+[licenses]
+unlicensed = "deny"
+allow = ["MIT", "Apache-2.0", "ISC", "Unicode-DFS-2016", "OpenSSL"]
+deny = []
+copyleft = "allow"
+default = "deny"
+confidence-threshold = 0.8
+exceptions = []
+
+[licenses.private]
+ignore = false
+registries = []
+
+# see https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#example
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+highlight = "all"
+allow = []
+deny = []
+skip = []
+skip-tree = []
+
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []
+
+[sources.allow-org]
diff --git a/templates/rust/flake.nix b/templates/rust/flake.nix
index 49c2f76..b6bc262 100644
--- a/templates/rust/flake.nix
+++ b/templates/rust/flake.nix
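Review bot: Every third-party action in this hunk is referenced by a mutable tag (`actions/checkout@v3` in both jobs, `cachix/install-nix-action@v17`), so each run executes whatever those tags point to that day; pinning each to a full commit SHA with the version kept in a trailing comment (`uses: actions/checkout@<full-sha> # v3`) makes the workflow reproducible and contains a compromised action repository. No `permissions:` key is visible in this hunk; if the workflow does not set one elsewhere, a top-level `permissions: { contents: read }` keeps the job token read-only, which matters more now that `nix develop` pulls in a full toolchain plus pre-commit hooks. The `rm --recursive --force --verbose ~/.cargo/bin` step is documented as a workaround but has no exit condition; a `# TODO: drop once oxalica/rust-overlay#54 is fixed` next to it keeps it from outliving the upstream bug. Note also that the rewritten jobs no longer exercise `--no-default-features` for `check` or `test`, which the removed steps did; if that configuration is still meant to build, it should keep a step.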
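Review bot: `yanked = "warn"`, `unknown-registry = "warn"` and `unknown-git = "warn"` only print warnings, so the `cargo-deny check` step in CI still passes with a yanked crate or with a dependency pulled from a git URL or registry outside `allow-registry`; since this file exists to gate the dependencies taken on, these should be `yanked = "deny"`, `unknown-registry = "deny"` and `unknown-git = "deny"`, with any intentional sources listed in `allow-git`. `wildcards = "allow"` likewise lets `*` version requirements through unflagged, and `"deny"` is the usual setting for a lint meant to fail the build. The trailing `[sources.allow-org]` table is empty; either drop it or add a comment stating it is intentionally left for per-organisation allow lists.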
@@ -4,63 +4,94 @@
 inputs = {
 flake-utils.url = "github:numtide/flake-utils";
 nixpkgs.url = "github:NixOS/nixpkgs";
- rust-overlay.url = "github:oxalica/rust-overlay";
- naersk.url = "github:nmattia/naersk";
+ rust-overlay = {
+ url = "github:oxalica/rust-overlay";
+ inputs = {
+ flake-utils.follows = "flake-utils";
+ nixpkgs.follows = "nixpkgs";
+ };
+ };
+ pre-commit-hooks = {
+ url = "github:cachix/pre-commit-hooks.nix";
+ inputs = {
+ flake-utils.follows = "flake-utils";
+ nixpkgs.follows = "nixpkgs";
+ };
+ };
 };
 outputs = { self
 , flake-utils
 , nixpkgs
- , naersk
 , rust-overlay
+ , pre-commit-hooks
 }:
+ let
+ # Borrow project metadata from the Rust config
+ meta = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package;
+ inherit (meta) name version;
+ overlays = [
+ # Rust helpers
+ (import rust-overlay)
+ # Build Rust toolchain using helpers from rust-overlay
+ (self: super: {
+ # This supplies cargo, rustc, rustfmt, etc.
+ rustToolchain = super.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;
+ })
+ ];
+ in
 flake-utils.lib.eachDefaultSystem (system: let
- overlays = [ (import rust-overlay) ];
 pkgs = import nixpkgs { inherit system overlays; };
- rust-toolchain =
- (pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml).override {
- extensions = [ "rust-src" ];
- };
- naersk-lib = naersk.lib."${system}".override {
- rustc = rust-toolchain;
- };
 in
- rec {
- packages.gh-ssh-keys = naersk-lib.buildPackage {
- pname = "gh-ssh-keys";
- root = ./.;
- buildInputs = with pkgs; [
- pkg-config
- openssl
- ];
+ packages = rec {
+ default = XXX;
+ x509-info = pkgs.rustPlatform.buildRustPackage {
+ pname = name;
+ inherit version;
+ src = ./.;
+ release = true;
+ cargoLock.lockFile = ./Cargo.lock;
+ };
 };
- defaultPackage = packages.gh-ssh-keys;
+ checks = {
+ pre-commit = pre-commit-hooks.lib.${system}.run {
+ src = ./.;
+ hooks = {
+ clippy = {
+ enable = true;
+ entry = pkgs.lib.mkForce "cargo clippy -- -D warnings";
+ };
+ nixpkgs-fmt = {
+ enable = true;
+ };
+ rustfmt = {
+ enable = true;
+ entry = pkgs.lib.mkForce "cargo fmt -- --check --color always";
+ };
+ };
+ };
+ };
 devShell = pkgs.mkShell {
 nativeBuildInputs = with pkgs; [
- rust-toolchain
- openssl
- pkg-config
+ rustToolchain
 cargo-audit
 cargo-deny
- cargo-cross
 rust-analyzer
- ] ++ pkgs.lib.optionals (pkgs.stdenv.isLinux) (with pkgs; [ cargo-watch ]);
+ ];
- shellHook = ''
- cargo --version
- '';
+ inherit (self.checks.${system}.pre-commit) shellHook;
 };
 }) // {
 overlay = final: prev: {
- gh-ssh-keys = self.defaultPackage.${prev.system};
+ XXX = self.defaultPackage.${prev.system};
 };
 };
 }
--
cgit 1.4.1
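Review bot: The overlay at the end of the hunk still reads `self.defaultPackage.${prev.system}`, but this same hunk removes `defaultPackage = packages.gh-ssh-keys;` and only defines `packages.default`, so using the overlay will fail with a missing-attribute error; change it to `XXX = self.packages.${prev.system}.default;`. In the same spirit, `default = XXX;` points at an attribute that does not exist in the `rec` set, whose only package is the hard-coded `x509-info`, so the template cannot evaluate until both placeholders are replaced with the same name; a comment such as `# replace XXX with the package attribute name below` next to `default = XXX;` would make that explicit. It also appears that the removed `rec {` line opening the per-system outputs set has no `{` replacing it before `packages = rec {`, which would leave the `}` on the `}) // {` line unbalanced; worth checking with `nix flake check`, unless a line is missing from this view.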