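# CI pipeline: formats, lints, tests and audits the Rust workspace, lints the
# frontend, scans the history for secrets, then builds a .deb and, on v* tags,
# publishes it as a GitHub Release.
#
# NOTE(review): every action below is referenced by a mutable ref (v4, v2,
# stable). Pinning each `uses:` to a full commit SHA keeps a retagged upstream
# release from changing what runs in a job that holds a write-scoped token.
name: CI

on:
  push:
    branches: [master]
    tags: ['v*']
  pull_request:
    branches: [master]

env:
  CARGO_TERM_COLOR: always

# Least privilege: the default token is read-only. Only build-and-release,
# which uploads release assets, is granted contents: write (see that job).
permissions:
  contents: read

jobs:
  rust-format:
    name: Rust Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt
      - uses: Swatinem/rust-cache@v2
      - run: cargo fmt --check --all

  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - uses: Swatinem/rust-cache@v2
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y pkg-config libssl-dev libfontconfig1-dev
      - run: cargo clippy --all-targets --all-features

  rust-test:
    name: Rust Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y pkg-config libssl-dev libfontconfig1-dev
      - run: cargo test --workspace --all-features --lib --bins --tests

  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      # --locked builds cargo-audit against the Cargo.lock it was published
      # with, so the audit tool's own dependency tree is not re-resolved on
      # every run.
      - run: cargo install --locked cargo-audit && cargo audit

  gitleaks:
    name: Secret scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so the scan covers every commit, not just the tip.
          fetch-depth: 0
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  frontend-lint:
    name: Frontend Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install & Lint
        run: cd frontend && npm ci && npx eslint src/ --ext .ts,.tsx --max-warnings 0 && npx tsc --noEmit

  build-and-release:
    name: Build & Release
    # NOTE(review): gitleaks is not listed here, so a failed secret scan does
    # not block a release. Add it to `needs` if the scan should gate publishing.
    needs: [rust-format, clippy, rust-test, security-audit, frontend-lint]
    runs-on: ubuntu-latest
    # Write access is needed only to create the release and upload the .deb.
    # This job also runs on pull requests and branch pushes, where the upload
    # steps are skipped by their `if:` conditions.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Tags and full history are required by `git describe` / `git log`
          # in the release-notes step.
          fetch-depth: 0
      - name: Free disk space
        run: |
          sudo rm -rf /usr/local/lib/android /usr/share/dotnet /opt/ghc
          df -h
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
      - name: Install system dependencies
        run: sudo apt-get update && sudo apt-get install -y pkg-config libssl-dev libfontconfig1-dev dpkg-dev
      - name: Build Rust release
        run: cargo build --release
      - name: Strip binaries
        run: strip target/release/pm-web target/release/pm-worker
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Build frontend
        run: cd frontend && npm ci && npm run build
      - name: Build .deb package
        run: chmod +x scripts/build-package.sh && scripts/build-package.sh
      - name: Generate release notes
        if: startsWith(github.ref, 'refs/tags/v')
        id: release_notes
        run: |
          # Previous tag reachable from the parent commit; empty on the first release.
          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
          if [ -n "$PREV_TAG" ]; then
            NOTES=$(git log "${PREV_TAG}..HEAD" --pretty=format:"- %s (%h)" --no-merges)
          else
            NOTES=$(git log --pretty=format:"- %s (%h)" --no-merges)
          fi
          # Multi-line step output: name<<DELIM, value lines, DELIM.
          # Every line of NOTES starts with "- " (see the format string), so
          # none of them can be mistaken for the closing delimiter.
          echo "notes<<EOF" >> "$GITHUB_OUTPUT"
          echo "$NOTES" >> "$GITHUB_OUTPUT"
          echo "EOF" >> "$GITHUB_OUTPUT"
      - name: Upload to GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: softprops/action-gh-release@v2
        with:
          # Passed as an action input, not interpolated into a shell command.
          body: ${{ steps.release_notes.outputs.notes }}
          files: linux-patch-manager_*.deb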