Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bootstrap repository setup #1

Merged
merged 10 commits into from
Jul 17, 2024
Merged
Show file tree
Hide file tree
Changes from 9 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 71 additions & 0 deletions .cargo-deny-config.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
# This is the config file for `cargo-deny` used in CI

# This section is considered when running `cargo deny check licenses`
# More documentation for the licenses section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
[licenses]
default = "deny"
unlicensed = "deny"
copyleft = "deny"
allow-osi-fsf-free = "neither"
allow = [
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
"Apache-2.0 WITH LLVM-exception",
"Apache-2.0",
"BSD-3-Clause",
"ISC",
"MIT",
"MPL-2.0",
"Unicode-DFS-2016",
"Unicode-3.0",
]
confidence-threshold = 1.0
exceptions = [
{ allow = ["OpenSSL"], name = "ring", version = "*" },
{ allow = ["OpenSSL"], name = "aws-lc-sys", version = "*" },
{ allow = ["OpenSSL"], name = "aws-lc-fips-sys", version = "*" },
]

[[licenses.clarify]]
name = "webpki"
version = "*"
expression = "MIT AND ISC"
license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]

[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

[[licenses.clarify]]
name = "webpki"
expression = "ISC"
license-files = [
{ path = "LICENSE", hash = 0x001c7e6c },
]

[[licenses.clarify]]
name = "rustls-webpki"
expression = "ISC"
license-files = [
{ path = "LICENSE", hash = 0x001c7e6c },
]

# This section is considered when running `cargo deny check bans`.
# More documentation about the 'bans' section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
[bans]
multiple-versions = "allow"
wildcards = "deny" # Don't allow wildcard dependencies
highlight = "all"
deny = []

# This section is considered when running `cargo deny check sources`.
# More documentation about the 'sources' section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
3 changes: 3 additions & 0 deletions .cargo/config.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[build]
# Share one `target` directory at the project root for all Cargo projects and workspaces in aws-s3-transfer-manager-rs
target-dir = "target"
30 changes: 30 additions & 0 deletions .github/workflows/audit.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Security Audit

on:
push:
branches:
- main
paths:
- '**/Cargo.toml'
schedule:
- cron: '0 2 * * *' # run at 2 AM UTC

permissions:
contents: read

jobs:
security-audit:
permissions:
checks: write # for rustsec/audit-check to create check
contents: read # for actions/checkout to fetch code
issues: write # for rustsec/audit-check to create issues
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'ci skip')"
steps:
- uses: actions/checkout@v4

- name: Audit Check
# https://github.com/rustsec/audit-check/issues/2
uses: rustsec/audit-check@master
with:
token: ${{ secrets.GITHUB_TOKEN }}
270 changes: 270 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,270 @@
on:
pull_request:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this means CI won't run unless we've OK'd every single commit from external forks, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a setting at the repository level not in individual workflows but yes that is under our control.


name: CI

# Allow one instance of this workflow per pull request, and cancel older runs when new changes are pushed
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true


env:
RUSTFLAGS: -Dwarnings
RUST_BACKTRACE: 1
# Change to specific Rust release to pin
rust_stable: stable
rust_nightly: nightly-2024-07-07
rust_clippy: '1.77'
# When updating this, also update relevant docs
rust_min: '1.76'


defaults:
run:
shell: bash

permissions:
contents: read

jobs:
# depens on all actions required for a "successful" CI run
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# depens on all actions required for a "successful" CI run
# depends on all actions required for a "successful" CI run

ci-required-checks:
name: Required checks pass
runs-on: ubuntu-latest
needs:
- test-hll
- fmt
- clippy
- docs
- minrust
- check-external-types
- check-deny
- sanitizers
- features
steps:
- run: exit 0

# Basic actions that must pass before we kick off more expensive tests.
basics:
name: basic checks
runs-on: ubuntu-latest
needs:
- fmt
- clippy
- docs
- minrust
steps:
- run: exit 0

test-hll:
name: Test S3 transfer manager HLL
runs-on: ${{ matrix.os }}
strategy:
matrix:
os:
- ubuntu-latest
- windows-latest
- macos-latest
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To avoid CI unexpectedly breaking, I prefer to use specific versions of the runners (example: awslabs/aws-crt-ruby#61). I don't know a good short comment to indicate "this was latest when I authored this, feel free to update"

Suggested change
- ubuntu-latest
- windows-latest
- macos-latest
runs-on: ubuntu-24.04

I'm fine using "latest" for stuff where you really want to know when your stuff breaks against latest (e.g. Rust version). But a new version of ubuntu isn't usually that kind of thing

needs: basics
steps:
- uses: actions/checkout@v4
- name: Install Rust ${{ env.rust_nightly }}
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ env.rust_stable }}
- name: Install cargo-nextest
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

uses: taiki-e/install-action@v2
with:
tool: cargo-nextest

- uses: Swatinem/rust-cache@v2

- name: test s3-transfer-manager HLL
run: |
set -euxo pipefail
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought these settings happened by default in github workflows?

cargo nextest run --workspace --all-features
cargo test --doc --workspace --all-features

fmt:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it help lead to better dev experience if we eventually catch complaints from fmt or clippy prior to opening a PR, e.g. pre-commit-hooks?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah we can add those precommit hooks in a follow up PR, I just wanted to be sure we get them checked and this was easy to add with the rest of CI.

name: fmt
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust ${{ env.rust_stable }}
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ env.rust_stable }}
components: rustfmt
- uses: Swatinem/rust-cache@v2
# Check fmt
- name: "cargo fmt --check"
# Workaround for rust-lang/cargo#7732
run: |
if ! cargo fmt --check; then
printf "Please run \`cargo fmt\` to fix rustfmt errors.\nSee CONTRIBUTING.md for more details.\n" >&2
exit 1
fi

clippy:
name: clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust ${{ env.rust_clippy }}
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ env.rust_clippy }}
components: clippy
- uses: Swatinem/rust-cache@v2
- name: "clippy --all"
run: cargo clippy --all --tests --all-features --no-deps

docs:
name: docs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust ${{ env.rust_nightly }}
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ env.rust_nightly }}
- uses: Swatinem/rust-cache@v2
- name: "doc --lib --all-features"
run: |
cargo doc --lib --no-deps --all-features --document-private-items
env:
RUSTFLAGS: --cfg docsrs
RUSTDOCFLAGS: --cfg docsrs

minrust:
name: minrust
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust ${{ env.rust_min }}
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ env.rust_min }}
- uses: Swatinem/rust-cache@v2
- name: "check --workspace --all-features"
run: cargo check --workspace --all-features
env:
RUSTFLAGS: "" # remove -Dwarnings

check-external-types:
name: check-external-types (${{ matrix.os }})
needs: basics
runs-on: ${{ matrix.os }}
strategy:
matrix:
os:
- windows-latest
- ubuntu-latest
rust:
# `check-external-types` requires a specific Rust nightly version. See
# the README for details: https://github.com/awslabs/cargo-check-external-types
- nightly-2024-05-01
steps:
- uses: actions/checkout@v4
- name: Install Rust ${{ matrix.rust }}
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ matrix.rust }}
- uses: Swatinem/rust-cache@v2
- name: Install cargo-check-external-types
uses: taiki-e/cache-cargo-install-action@v2
with:
tool: [email protected]
- name: check-external-types
run: cargo check-external-types --all-features --config external-types.toml
working-directory: aws-s3-transfer-manager

check-deny:
name: check deps with cargo-deny
needs: basics
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust ${{ matrix.rust }}
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ env.rust_stable }}
- uses: Swatinem/rust-cache@v2
- name: Install cargo-deny
uses: taiki-e/install-action@v2
with:
tool: cargo-deny
- name: cargo-deny
run: cargo deny --all-features check --hide-inclusion-graph --config .cargo-deny-config.toml licenses bans sources

sanitizers:
name: saniters
needs: basics
runs-on: ubuntu-latest
# TODO - add additional sanitizers like leak via matrix or other jobs
steps:
- uses: actions/checkout@v4
- name: Install llvm
# Required to resolve symbols in sanitizer output
run: sudo apt-get install -y llvm
- name: Install Rust ${{ env.rust_nightly }}
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ env.rust_nightly }}
- uses: Swatinem/rust-cache@v2
- name: asan
run: cargo test --workspace --all-features --target x86_64-unknown-linux-gnu --tests -- --test-threads 1 --nocapture
env:
RUSTFLAGS: -Z sanitizer=address
# Ignore `trybuild` errors as they are irrelevant and flaky on nightly
TRYBUILD: overwrite

semver:
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may want to disable/remove this until we actually publish as it will fail until then (it's not marked as a required check currently though)

name: semver
needs: basics
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check semver
uses: obi1kenobi/cargo-semver-checks-action@v2
with:
rust-toolchain: ${{ env.rust_stable }}
release-type: minor

features:
name: features
needs: basics
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Rust ${{ env.rust_nightly }}
uses: dtolnay/rust-toolchain@stable
with:
toolchain: ${{ env.rust_nightly }}
- name: Install cargo-hack
uses: taiki-e/install-action@cargo-hack
- uses: Swatinem/rust-cache@v2
- name: check --feature-powerset
run: cargo hack check --all --feature-powerset

# TODO - get cross check working
# cross-check:
# name: cross-check
# needs: basics
# runs-on: ubuntu-latest
# strategy:
# matrix:
# target:
# - powerpc-unknown-linux-gnu
# - powerpc64-unknown-linux-gnu
# - arm-linux-androideabi
# steps:
# - uses: actions/checkout@v4
# - name: Install Rust ${{ env.rust_stable }}
# uses: dtolnay/rust-toolchain@stable
# with:
# toolchain: ${{ env.rust_stable }}
# target: ${{ matrix.target }}
# - uses: Swatinem/rust-cache@v2
# - run: cargo check --workspace --all-features --target ${{ matrix.target }}
Loading
Loading