Extract shared Rust setup into composite action, merge zizmor into CI
Assisted-by: GLM-5 via pi
diff --git a/.gitea/actions/setup-rust/action.yml b/.gitea/actions/setup-rust/action.yml
new file mode 100644
index 0000000..58279f2
--- /dev/null
+++ b/.gitea/actions/setup-rust/action.yml
@@ -0,0 +1,27 @@
+name: Setup Rust
+description: Install rustup, add cargo to PATH, and restore cargo cache
+
+inputs:
+ cache-key-suffix:
+ description: Suffix for the cache key (bump to force bust)
+ required: false
+ default: v1
+
+runs:
+ using: composite
+ steps:
+ - run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ shell: bash
+ - run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
+ shell: bash
+ - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
+ with:
+ path: |
+ ~/.cargo/bin/
+ ~/.cargo/registry/index/
+ ~/.cargo/registry/cache/
+ ~/.cargo/git/db/
+ target/
+ # Bump suffix to force cache bust after upgrading installed tools.
+ key: cargo-${{ runner.os }}-${{ inputs.cache-key-suffix }}-${{ hashFiles('Cargo.lock') }}
+ restore-keys: cargo-${{ runner.os }}-${{ inputs.cache-key-suffix }}-
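Review bot: The cache step restores `~/.cargo/bin/` after the rustup install, so on a hit (including a prefix hit through `restore-keys`) the executables that later steps run come from the cache rather than from this run's install. Whether a pull-request run can write an entry that a main-branch run later restores depends on the runner's cache scoping, which is not visible here. If it can, consider dropping `~/.cargo/bin/` from `path`, or removing `restore-keys` so only an exact `Cargo.lock` match is restored. The shortened comment also loses the reason a bust is needed; I would keep it, e.g. `# Key is derived from Cargo.lock only, so cached cargo-installed tools can be stale; bump the suffix to bust.` Separately, the installer is piped to `sh` with no toolchain pin, and passing `--default-toolchain` with a fixed version would make the shared setup reproducible.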
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index f8b9f98..7ac1f4d 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -14,25 +14,21 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
-
- - run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
- - run: echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
-
- - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
- with:
- path: |
- ~/.cargo/bin/
- ~/.cargo/registry/index/
- ~/.cargo/registry/cache/
- ~/.cargo/git/db/
- target/
- # Cache key is Cargo.lock, which means cargo install'ed tools (grcov, just)
- # may be stale after a cache hit. Bump the suffix to force a cache bust.
- key: cargo-${{ runner.os }}-v1-${{ hashFiles('Cargo.lock') }}
- restore-keys: cargo-${{ runner.os }}-
-
+ - uses: ./.gitea/actions/setup-rust
- run: rustup component add clippy rustfmt llvm-tools
- run: cargo install grcov
- run: cargo install just
- run: cargo fmt --check
- run: just clippy coverage
+
+ zizmor:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ with:
+ persist-credentials: false
+ - uses: ./.gitea/actions/setup-rust
+ # Can't use zizmorcore/zizmor-action because it doesn't support
+ # auditing .gitea/workflows/ — it rejects them as invalid inputs.
+ - run: cargo install --locked zizmor
+ - run: zizmor .gitea/workflows/* .github
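Review bot: In the new zizmor job, `cargo install --locked zizmor` takes whichever zizmor release is newest on crates.io at run time, whereas the action it replaces was pinned to a commit SHA; `--locked` fixes the dependency versions but not the zizmor release itself. Pin it, e.g. `- run: cargo install --locked --version <PINNED_VERSION> zizmor`. The removed zizmor.yml declared `permissions: {}`, and the job now inherits whatever ci.yml sets at the top level, which is outside this hunk. Confirm that is equally restrictive, or add `permissions: {}` on the job. Both jobs also call `setup-rust` with the default `cache-key-suffix`, so they share one cache key while installing different tools; a distinct suffix for the zizmor job would keep the entries apart.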
diff --git a/.gitea/workflows/zizmor.yml b/.gitea/workflows/zizmor.yml
deleted file mode 100644
index 5b178f3..0000000
--- a/.gitea/workflows/zizmor.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: Zizmor
-
-on:
- push:
- branches: [main]
- pull_request:
-
-permissions: {}
-
-jobs:
- zizmor:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- with:
- persist-credentials: false
- - uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
- with:
- inputs: .gitea/workflows/* .github
- advanced-security: false
- annotations: true