SearchBox/.github/workflows/ci.yml at master · SourceBox-LLC/SearchBox · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Fast-feedback CI: fmt, clippy, tests. Runs on every push + PR.
# Release packaging lives in release.yml (tag-triggered).

name: ci

# Run JavaScript actions on Node 24; Node 20 is deprecated on GitHub-hosted
# runners (forced to Node 24 from 2026-06-16).
env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'

on:
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  check:
    name: fmt + clippy + test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy

      - uses: Swatinem/rust-cache@v2

      - name: cargo fmt
        run: cargo fmt --all -- --check

      - name: cargo clippy
        run: cargo clippy --all-targets -- -D warnings

      - name: cargo test
        run: cargo test --all-targets

  audit:
    name: cargo audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Prebuilt binary — far faster than `cargo install cargo-audit`.
      - uses: taiki-e/install-action@v2
        with:
          tool: cargo-audit

      # Scans Cargo.lock against the RustSec advisory DB. Fails on security
      # vulnerabilities; "unmaintained"/"unsound" advisories are warnings.
      # Known-unreachable advisories are documented + ignored in .cargo/audit.toml.
      - name: cargo audit
        run: cargo audit