ci.yml

name: CI

on:
  merge_group:
  pull_request:
  schedule:
    - cron: "0 3 * * 0" # 0 = Sunday
  workflow_dispatch:

concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always

jobs:
  test:
    strategy:
      fail-fast: ${{ github.event_name == 'merge_group' }}
      matrix:
        environment: [ubuntu-latest, macos-latest, windows-latest]

    runs-on: ${{ matrix.environment }}

    defaults:
      run:
        shell: bash

    env:
      RUST_BACKTRACE: 1
      GROUP_RUNNER: target.'cfg(all())'.runner = 'group-runner'

    steps:
      - name: Log github refs
        run: |
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          echo 'github.ref: ${{ github.ref }}' >> "$GITHUB_STEP_SUMMARY"
          echo 'github.sha: ${{ github.sha }}' >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
          key: ${{ runner.os }}-cargo-${{ hashFiles('.github/workflows/ci.yml', 'tests/ci.rs') }}

      - name: Enable verbose logging
        if: ${{ runner.debug == 1 }}
        run: echo 'VERBOSE=1' >> "$GITHUB_ENV"

      - name: Check if merging and up to date
        id: expedite
        if: ${{ github.action == 'merge_group' }}
        run: |
          if git merge-base --is-ancestor origin/master ${{ github.event.pull_request.head.sha }}; then
            echo "value=1" >> "$GITHUB_OUTPUT"
          fi

      - name: Install tools
        if: ${{ ! steps.expedite.outputs.value }}
        run: |
          rm -f "$HOME"/.cargo/bin/cargo-fmt
          rm -f "$HOME"/.cargo/bin/rustfmt
          rustup update --no-self-update
          rustup install nightly
          rustup component add rustfmt --toolchain nightly
          export CARGO_TARGET_DIR="$(mktemp -d)"
          cargo install cargo-dylint --git=https://github.com/trailofbits/dylint --no-default-features --features=metadata-cli || true
          cargo install dylint-link              || true
          cargo install cargo-hack               || true
          cargo install cargo-license            || true
          cargo install cargo-sort               || true
          cargo install cargo-udeps --locked     || true
          cargo install group-runner             || true

      - name: Build
        if: ${{ ! steps.expedite.outputs.value }}
        run: cargo test --no-run

      - name: Test
        if: ${{ ! steps.expedite.outputs.value }}
        run: cargo test --config "$GROUP_RUNNER" -- --nocapture
        env:
          GIT_LFS_SKIP_SMUDGE: 1

      - name: Test with token
        if: ${{ ! steps.expedite.outputs.value }}
        run: |
          export GITHUB_TOKEN_PATH="$(mktemp)"
          echo '${{ secrets.GITHUB_TOKEN }}' > "$GITHUB_TOKEN_PATH"
          cargo test --config "$GROUP_RUNNER" \
            --test dogfood \
            --test rustsec_advisories \
            --test rustsec_issues \
            --test snapbox \
            -- --nocapture
        env:
          GIT_LFS_SKIP_SMUDGE: 1

  all-checks:
    needs: [test]

    runs-on: ubuntu-latest

    # smoelius: From "Defining prerequisite jobs"
    # (https://docs.github.com/en/actions/using-jobs/using-jobs-in-a-workflow#defining-prerequisite-jobs):
    # > If you would like a job to run even if a job it is dependent on did not succeed, use the
    # > `always()` conditional expression in `jobs.<job_id>.if`.
    if: ${{ always() }}

    steps:
      - name: Check results
        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
        run: exit 1