Merge ci-testing: publish to GJD registry on tag push

commit d6fa2986ec Author: jutty <j@jutty.dev> Date: Sun Mar 1 03:18:50 2026 -0300 Add tag and push-unsafe recipes to justfile commit 6a239e1708 Author: jutty <j@jutty.dev> Date: Sun Mar 1 03:18:21 2026 -0300 Update roadmap commit a3da368573 Author: jutty <j@jutty.dev> Date: Thu Feb 26 20:56:48 2026 -0300 Cleanup CI testing files commit b56f53bdc2 Author: jutty <j@jutty.dev> Date: Thu Feb 26 20:17:10 2026 -0300 CI: Adjust curl logging, add a job for internal networking tests commit 435e478b01 Author: jutty <j@jutty.dev> Date: Wed Feb 25 02:35:20 2026 -0300 CI: Move sha256sum calculation before registry upload commit 727ea16769 Author: jutty <j@jutty.dev> Date: Wed Feb 25 01:51:05 2026 -0300 CI: Add curl -f fail flag to extra tools binary fetching commit 2ff7a6cf1b Author: jutty <j@jutty.dev> Date: Wed Feb 25 01:48:00 2026 -0300 CI: Make additional tooling move to /usr/local/bin verbose commit bf88f86bce Author: jutty <j@jutty.dev> Date: Wed Feb 25 01:40:32 2026 -0300 CI: Adapt to cargo-audit outlier URL structure commit 291081359e Author: jutty <j@jutty.dev> Date: Wed Feb 25 01:29:13 2026 -0300 CI: Deduplicate additional tool fetching While this moves the source of truth for CI tooling versions to somewhere outside the workflow definitions, it also avoids duplication and keeps debug (check.yaml) and production (publish.yaml) verifications fully independent. commit 7d2a234fc3 Author: jutty <j@jutty.dev> Date: Wed Feb 25 00:32:51 2026 -0300 Add cargo-audit security assessment commit ed30ee7b75 Author: jutty <j@jutty.dev> Date: Thu Feb 19 02:06:42 2026 -0300 CI: Add wildcard branch to check workflow
2026-03-01 04:02:09 -03:00 · 2026-03-01 04:02:09 -03:00 · b794de4f93
commit b794de4f93
parent 0649cfd94e
7 changed files with 126 additions and 94 deletions
--- a/.forgejo/workflows/check.yaml
+++ b/.forgejo/workflows/check.yaml
@ -1,5 +1,7 @@
 on:
  push:
+    branches:
+      - '*'
    paths:
      - src/**
      - tests/**
@ -7,11 +9,6 @@ on:
      - .forgejo/**
      - Cargo.toml
      - Cargo.lock
-env:
-  JUST_VERSION: 1.45.0
-  JUST_SHA256SUM: dc3f958aaf8c6506dd90426e9b03f86dd15e74a6467ee0e54929f750af3d9e49
-  CARGO_LLVM_COV_VERSION: 0.6.21
-  CARGO_LLVM_COV_SHA256SUM: 57f491aedf7cdb261538ceb49cbb1ee9d27df7ca205a5e1a009caaf5cb911afb
 jobs:
  verify:
    runs-on: docker
@ -20,8 +17,7 @@ jobs:
      image: rust:slim
    steps:
      - name: Install action dependencies
-        run: |
-          apt-get install --no-install-recommends --update -y nodejs curl
+        run: apt-get install --no-install-recommends --update -y nodejs curl

      - name: Checkout code
        uses: actions/checkout@v6
@ -32,27 +28,7 @@ jobs:
          rustup component add --toolchain nightly rustfmt clippy

      - name: Setup additional tooling
-        run: |
-          fetch() {
-            repo="$1"; tag="$2"; filename="$3"; digest="$4"
-
-            curl -sSLO -w '%{stderr}HTTP %{response_code} %{url}\n' \
-                "https://github.com/$repo/releases/download/$tag/$filename"
-
-            printf '%s  %s\n' "$digest" "$filename" > digest
-            sha256sum --check digest && tar xf "$filename" -C tools
-          }
-
-          mkdir tools
-
-          fetch casey/just ${{ env.JUST_VERSION }} \
-            just-${{ env.JUST_VERSION }}-x86_64-unknown-linux-musl.tar.gz \
-            ${{ env.JUST_SHA256SUM }}
-          fetch taiki-e/cargo-llvm-cov v${{ env.CARGO_LLVM_COV_VERSION }} \
-            cargo-llvm-cov-x86_64-unknown-linux-gnu.tar.gz \
-            ${{ env.CARGO_LLVM_COV_SHA256SUM }}
-
-          mv -v tools/just tools/cargo-llvm-cov /usr/local/bin
+        run: .forgejo/workflows/setup-tools.sh

      - name: Build
        run: just build
--- a/.forgejo/workflows/publish.yaml
+++ b/.forgejo/workflows/publish.yaml
@ -2,11 +2,6 @@ on:
  push:
    tags:
      - 'v*'
-env:
-  JUST_VERSION: 1.45.0
-  JUST_SHA256SUM: dc3f958aaf8c6506dd90426e9b03f86dd15e74a6467ee0e54929f750af3d9e49
-  CARGO_LLVM_COV_VERSION: 0.6.21
-  CARGO_LLVM_COV_SHA256SUM: 57f491aedf7cdb261538ceb49cbb1ee9d27df7ca205a5e1a009caaf5cb911afb
 jobs:
  publish:
    runs-on: docker
@ -27,41 +22,19 @@ jobs:
          rustup component add --toolchain nightly rustfmt clippy

      - name: Setup additional tooling
-        run: |
-          fetch() {
-            repo="$1"; tag="$2"; filename="$3"; digest="$4"
-
-            curl -sSLO --output-dir /tmp \
-                -w '%{stderr}HTTP %{response_code} %{url}\n' \
-                "https://github.com/$repo/releases/download/$tag/$filename"
-
-            printf '%s  %s\n' "$digest" "/tmp/$filename" > /tmp/digest
-            sha256sum --check /tmp/digest
-            tar xf "/tmp/$filename" -C /tmp/tools
-          }
-
-          mkdir /tmp/tools
-
-          fetch casey/just ${{ env.JUST_VERSION }} \
-            just-${{ env.JUST_VERSION }}-x86_64-unknown-linux-musl.tar.gz \
-            ${{ env.JUST_SHA256SUM }}
-          fetch taiki-e/cargo-llvm-cov v${{ env.CARGO_LLVM_COV_VERSION }} \
-            cargo-llvm-cov-x86_64-unknown-linux-gnu.tar.gz \
-            ${{ env.CARGO_LLVM_COV_SHA256SUM }}
-
-          mv -v /tmp/tools/just /tmp/tools/cargo-llvm-cov /usr/local/bin
+        run: .forgejo/workflows/setup-tools.sh

      - name: Build release binary
        run: just full-build
+      - name: Calculate SHA-256 hash
+        run: just shasum
+
      - name: Publish to git.jutty.dev package registry
        run: |
          version=$(./target/release/en --version)
-          api_root=https://git.jutty.dev/api/
+          api_root=https://git.jutty.dev/api
          url=$api_root/packages/jutty/generic/en/$version/en-x86_64-linux-gnu

          curl -fsSL \
          --user jutty:${{ secrets.GJD_REGISTRY_TOKEN }} \
          --upload-file target/release/en $url
-
-      - name: Print sha256sum
-        run: just shasum
--- a/.forgejo/workflows/setup-tools.sh
+++ b/.forgejo/workflows/setup-tools.sh
@ -0,0 +1,42 @@
+#!/usr/bin/env sh
+
+set -eu
+
+JUST_VERSION="1.45.0"
+JUST_SHA256SUM="dc3f958aaf8c6506dd90426e9b03f86dd15e74a6467ee0e54929f750af3d9e49"
+CARGO_LLVM_COV_VERSION="0.6.21"
+CARGO_LLVM_COV_SHA256SUM="57f491aedf7cdb261538ceb49cbb1ee9d27df7ca205a5e1a009caaf5cb911afb"
+CARGO_AUDIT_VERSION="0.22.1"
+CARGO_AUDIT_TAG="cargo-audit%2Fv$CARGO_AUDIT_VERSION"
+CARGO_AUDIT_SHA256SUM="1890badd5f15831a9af4b074399fcd21e6f7c0fe42c84e9254cdffc9f813765c"
+
+TRIPLE="x86_64-unknown-linux-gnu"
+TRIPLE_MUSL="x86_64-unknown-linux-musl"
+
+fetch() {
+    repo="$1"; tag="$2"; filename="$3"; digest="$4"; binary="$5"
+
+    [ -d /tmp/tools ] || mkdir -p /tmp/tools
+
+    curl -fsSLO --output-dir /tmp \
+        -w '%{stderr}HTTP %{response_code} %{url}\n' \
+        "https://github.com/$repo/releases/download/$tag/$filename"
+
+    printf '%s  %s\n' "$digest" "/tmp/$filename" > /tmp/digest
+    sha256sum --check /tmp/digest
+    tar xf "/tmp/$filename" -C /tmp/tools
+    find /tmp/tools -type f -executable -name "$binary" \
+        -exec mv -v '{}' /usr/local/bin ';'
+}
+
+fetch casey/just "$JUST_VERSION" \
+    "just-$JUST_VERSION-$TRIPLE_MUSL.tar.gz" \
+    "$JUST_SHA256SUM" just
+
+fetch taiki-e/cargo-llvm-cov "v$CARGO_LLVM_COV_VERSION" \
+    "cargo-llvm-cov-$TRIPLE.tar.gz" \
+    "$CARGO_LLVM_COV_SHA256SUM" cargo-llvm-cov
+
+fetch rustsec/rustsec "$CARGO_AUDIT_TAG" \
+    "cargo-audit-$TRIPLE-v$CARGO_AUDIT_VERSION.tgz" \
+    "$CARGO_AUDIT_SHA256SUM" cargo-audit