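# CI workflow. The comments on the runner mention Gitea, and the `zizmor` job
# audits .gitea/workflows/ as well as .github, so this file is expected to run
# under both Gitea and GitHub.
name: CI

on:
  push:
    branches: [main]
  pull_request:

# No token scopes by default; each job opts in to exactly what it needs
# (only `tag` requests `contents: write`).
permissions: {}

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false

      # Can't use facebook/install-dotslash action because it queries the
      # GitHub API using $GITHUB_TOKEN, which is a Gitea token on this runner.
      #
      # The release tag is pinned, but the asset itself is not verified before
      # it is unpacked into /usr/local/bin. `--proto '=https' --tlsv1.2` match
      # the rustup step below; `-f` makes an HTTP error fail the step instead
      # of feeding an error body to tar; `pipefail` surfaces a failed curl.
      # TODO(review): pin the tarball by sha256 (`sha256sum -c`) so a
      # re-published or tampered asset fails the build.
      - run: |
          set -euo pipefail
          curl --proto '=https' --tlsv1.2 -fsSL \
            https://github.com/facebook/dotslash/releases/download/v0.5.9/dotslash-linux-musl.x86_64.tar.gz |
            tar xz -C /usr/local/bin

      # rustup installer piped to sh; `pipefail` makes a failed download fail
      # the step rather than running whatever partial output arrived.
      - run: |
          set -euo pipefail
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
          echo "$PWD/bin" >> "$GITHUB_PATH"

      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
        with:
          path: ~/.rustup/
          # Bump suffix to force cache bust after upgrading rustup.
          key: rustup-${{ runner.os }}-v1

      - run: rustup component add clippy rustfmt llvm-tools
      - run: cargo fmt --check
      # `just` is expected on PATH via $PWD/bin (added above).
      - run: just clippy coverage

  zizmor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false

      # Same dotslash install as the `ci` job; see the notes there about
      # checksum pinning.
      - run: |
          set -euo pipefail
          curl --proto '=https' --tlsv1.2 -fsSL \
            https://github.com/facebook/dotslash/releases/download/v0.5.9/dotslash-linux-musl.x86_64.tar.gz |
            tar xz -C /usr/local/bin
      - run: echo "$PWD/bin" >> "$GITHUB_PATH"

      # Can't use zizmorcore/zizmor-action because it doesn't support
      # auditing .gitea/workflows/ — it rejects them as invalid inputs.
      - run: zizmor .gitea/workflows/* .github

  tag:
    # Only tag pushes to main, and only after `ci` has passed.
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    needs: [ci]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      # Full history so existing tags are visible to the `git tag -l` check
      # below. Credentials are kept (no persist-credentials: false) because
      # the push step needs them.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 # zizmor: ignore[artipacked] -- needs credentials to push tag
        with:
          fetch-depth: 0

      # Produces `<YYYY-MM-DD>+<short sha>`; the SHA keeps same-day pushes
      # from colliding.
      - name: Calculate version
        id: version
        run: |
          CALVER=$(date -u +"%Y-%m-%d")
          SHORT_SHA=$(git rev-parse --short HEAD)
          VERSION="${CALVER}+${SHORT_SHA}"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"

      # The version is handed to the script through `env` rather than
      # interpolated with ${{ }} into `run`, so it is never parsed as shell.
      - name: Push tag
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          TAG="v${VERSION}"

          # Skip if this tag already exists
          if git tag -l "$TAG" | grep -q .; then
            echo "Tag ${TAG} already exists, skipping"
            exit 0
          fi

          git tag "$TAG"
          git push origin "$TAG"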