1 files changed, 114 insertions, 0 deletions

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..67371c0
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,114 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+          components: clippy
+
+      - name: Setup Rust cache
+        uses: Swatinem/rust-cache@v2
+
+      - name: Run build
+        run: cargo build --locked --release
+
+  clippy:
+    name: Run Clippy scan
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v10
+
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@v4
+
+      - name: Setup Rust cache
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install SARIF tools
+        run: |
+          nix profile install \
+            --inputs-from ./nix/dev \
+            github:getchoo/nix-exprs#{clippy-sarif,sarif-fmt}
+
+      - name: Fetch Cargo deps
+        run: |
+          nix develop ./nix/dev#ci --command \
+            cargo fetch --locked
+
+      - name: Run Clippy
+        continue-on-error: true
+        run: |
+          nix develop ./nix/dev#ci --command \
+            cargo clippy \
+            --all-features \
+            --all-targets \
+            --message-format=json \
+          | clippy-sarif | tee /tmp/clippy.sarif | sarif-fmt
+
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: /tmp/clippy.sarif
+          wait-for-processing: true
+
+  format:
+    name: Check formatting
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v10
+
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@v4
+
+      - name: Run treefmt
+        run: |
+          pushd nix/dev
+          nix fmt
+          popd
+          git diff --color=always --exit-code
+
+  release-gate:
+    name: CI Release Gate
+    needs: [build, format]
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Exit with result
+        run: echo "We're good to go!"