Refactor CI pipelines

.github/actions/setup-ci/action.yaml

@@ -0,0 +1,19 @@
+name: Setup CI environment
+inputs:
+  rust-cache-key:
+    description: "An additional cache key that is added alongside the automatic `job`-based cache key and can be used to further differentiate jobs."
+    required: false
+  rust-cache-shared-key:
+    description: "A cache key that is used instead of the automatic `job`-based key, and is stable over multiple jobs."
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: Install rust toolchain
+      shell: bash
+      run: rustup show
+
+    - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2
+      with:
+        key: "${{ inputs.rust-cache-key }}"
+        shared-key: "${{ inputs.rust-cache-shared-key }}"

.github/renovate.json5

@@ -11,6 +11,18 @@
         enabled: true,
         automerge: true
     },
+    "customManagers": [
+      {
+        "customType": "regex",
+        "fileMatch": ["^rust-toolchain\\.toml?$"],
+        "matchStrings": [
+          "channel\\s*=\\s*\"(?<currentValue>\\d+\\.\\d+(\\.\\d+)?)\""
+        ],
+        "depNameTemplate": "rust",
+        "packageNameTemplate": "rust-lang/rust",
+        "datasourceTemplate": "github-releases"
+      },
+    ],
     packageRules: [
         {
             matchCategories: ["rust"],

.github/workflows/ci.yml

@@ -0,0 +1,93 @@
+name: CI tests
+on: [push]
+
+jobs:
+  populate-rust-cache:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - uses: ./.github/actions/setup-ci
+        with:
+          rust-cache-shared-key: "base"
+      - run: cargo check --all-targets --all-features
+        continue-on-error: true
+
+  matrix-jobs:
+    name: ${{ matrix.job }}
+    runs-on: ubuntu-latest
+    needs: populate-rust-cache
+    strategy:
+      matrix:
+        job:
+          - cargo fmt --all -- --check
+          - cargo test
+          - cargo clippy -- -D warnings
+          - cargo deny --all-features check advisories
+          - cargo deny --all-features check bans licenses sources
+      fail-fast: false
+    # Prevent sudden announcement of a new advisory from failing CI:
+    continue-on-error: ${{ endsWith(matrix.job, 'check advisories') }}
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - uses: ./.github/actions/setup-ci
+        with:
+          rust-cache-shared-key: "base"
+      - run: ${{ matrix.job }}
+
+  pre-commit:
+    name: Run pre-commit
+    runs-on: ubuntu-latest
+    needs: build
+    env:
+      # These hooks are expensive and already run as dedicated jobs above
+      SKIP: "tests,clippy"
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+      - uses: ./.github/actions/setup-ci
+        with:
+          rust-cache-shared-key: "base"
+
+      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5
+      - name: set PYVERSION
+        run: echo "PYVERSION=$(python --version | tr ' ' '-')" >> $GITHUB_ENV
+
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+        with:
+          path: ~/.cache/pre-commit
+          # Changes to pre-commit-config.yaml may require the installation of
+          # new binaries/scripts. When a cache hit occurs, changes to the cache
+          # aren't persisted at the end of the run, so making the key dependent
+          # on the configuration file ensures we always persist a complete cache.
+          key: pre-commit-${{ env.PYVERSION }}-${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - run: pip install pre-commit
+      - run: pre-commit run --all --color=always --show-diff-on-failure
+
+  test-windows:
+    name: Test on Windows
+    runs-on: windows-latest
+    needs: build
+    steps:
+      - run: git config --system core.autocrlf false && git config --system core.eol lf
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - uses: ./.github/actions/setup-ci
+      - run: cargo test
+
+  coverage:
+    name: Code coverage
+    runs-on: ubuntu-latest
+    needs: populate-rust-cache
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - uses: ./.github/actions/setup-ci
+      - uses: actions-rs/tarpaulin@044a1e5bdace8dd2f727b1af63c1d9a1d3572068 # v0.1
+        with:
+          # Constrained by https://github.com/actions-rs/tarpaulin/pull/23
+          version: "0.22.0"
+          args: "--ignore-tests"
+          out-type: "Html"
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
+        with:
+          name: tarpaulin-report
+          path: tarpaulin-report.html

deny.toml

@@ -0,0 +1,73 @@
+[output]
+# When outputting inclusion graphs in diagnostics that include features, this
+# option can be used to specify the depth at which feature edges will be added.
+# This option is included since the graphs can be quite large and the addition
+# of features from the crate(s) to all of the graph roots can be far too verbose.
+# This option can be overridden via `--feature-depth` on the cmd line
+feature-depth = 1
+
+[advisories]
+# Opt-in to new config format - https://github.com/EmbarkStudios/cargo-deny/pull/611
+version = 2
+
+# The path where the advisory databases are cloned/fetched into
+db-path = "$CARGO_HOME/advisory-dbs"
+# The url(s) of the advisory databases to use
+db-urls = ["https://github.com/rustsec/advisory-db"]
+# A list of advisory IDs to ignore. Note that ignored advisories will still
+# output a note when they are encountered.
+ignore = []
+
+[licenses]
+# Opt-in to new config format - https://github.com/EmbarkStudios/cargo-deny/pull/611
+version = 2
+
+# Licenses we accept, identified by their SPDX short identifier (+ optional
+# exception) from https://spdx.org/licenses/
+allow = [
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-2-Clause-Patent",
+    "BSD-3-Clause",
+    "MIT",
+    "MPL-2.0",
+]
+unused-allowed-license = "allow"
+exceptions = [
+    { allow = ["Unicode-DFS-2016"], crate = "unicode-ident" },
+]
+# Default confidence is 0.8, let's require a higher confidence level for now.
+# We can lower this later if it's too pedantic.
+confidence-threshold = 0.95
+
+[bans]
+# Lint level for when multiple versions of the same crate are detected. Deny
+# for now to make this super obvious, though we might wish to change this back
+# to the default of warn if that gets too disruptive.
+#
+# Background reading about the use of this check is at:
+# https://embarkstudios.github.io/cargo-deny/checks/bans/index.html#use-case---duplicate-version-detection
+multiple-versions = "deny"
+skip = [
+    # When encountering multiple versions of crates that we wish to tolerate,
+    # specify a `<=1.2.3` for the OLDEST version in use. That way, as soon as
+    # whichever dependency holding us back is updated, one of two things can
+    # happen:
+    #
+    # 1. The dependency is updated to a version that is compatible with the
+    #    other dependencies, resolving the duplication. At this point a WARNING
+    #    will be generated that the `<=1.2.3` version no longer matches anything.
+    # 2. The dependency is updated to a version that is still not compatible
+    #    with the other dependencies, at which point the ban action will FAIL the
+    #    result. We can then choose to again skip that version, or decide more
+    #    drastic action is needed.
+    "syn:<=1.0.109",
+]
+wildcards = "deny"
+allow-wildcard-paths = false
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []

rust-toolchain.toml

@@ -0,0 +1,3 @@
+[toolchain]
+channel = "1.79.0"
+profile = "default"