| -rw-r--r-- | .github/workflows/audit.yaml | 20 | ||||
| -rw-r--r-- | .github/workflows/clippy.yaml | 5 | ||||
| -rw-r--r-- | .github/workflows/update-lock.yaml (renamed from .github/workflows/update-flake.yaml) | 17 | ||||
| -rw-r--r-- | garnix.yaml | 3 | ||||
| -rw-r--r-- | parts/dev.nix | 33 |
5 files changed, 20 insertions, 58 deletions
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml deleted file mode 100644 index ebf88d0..0000000 --- a/.github/workflows/audit.yaml +++ /dev/null @@ -1,20 +0,0 @@ -name: audit crates -# this checks our dependencies for -# security advisories every saturday - -on: - schedule: - - cron: "0 0 * * 6" - workflow_dispatch: - -jobs: - audit: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - - - name: run audit - run: | - nix build --accept-flake-config -L .#checks.x86_64-linux.audit diff --git a/.github/workflows/clippy.yaml b/.github/workflows/clippy.yaml index 48b1bd6..cb35d14 100644 --- a/.github/workflows/clippy.yaml +++ b/.github/workflows/clippy.yaml @@ -11,6 +11,10 @@ jobs: clippy: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: - uses: actions/checkout@v4 - uses: DeterminateSystems/nix-installer-action@main @@ -23,6 +27,7 @@ jobs: - name: run clippy run: | + mkdir -p /tmp cargo clippy --all --all-targets --message-format=json | clippy-sarif > /tmp/clippy.sarif - name: upload results diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-lock.yaml index 7e0d992..9e3301d 100644 --- a/.github/workflows/update-flake.yaml +++ b/.github/workflows/update-lock.yaml @@ -1,9 +1,8 @@ -name: update nix flake -# this is to make sure we can build against a -# recent version of nixos-unstable +name: update flake lock on: schedule: + # run every saturday - cron: "0 0 * * 6" workflow_dispatch: 
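Review bot: In .github/workflows/clippy.yaml (hunk at -11,6 +11,10), the job that now holds `security-events: write` still runs `DeterminateSystems/nix-installer-action@main`, a branch ref that can change without any commit in this repository. Pinning it to a full commit SHA, `- uses: DeterminateSystems/nix-installer-action@<full-commit-sha> # <release tag>`, keeps the code that runs with this token reviewable. The same applies to update-lock.yaml, where `nix-installer-action@main` and `update-flake-lock@v20` run in a job with `pull-requests: write`. A short comment on the new block, such as `# security-events: write is needed only for the SARIF upload step`, would record why the permission is granted.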
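Review bot: In the `run clippy` step of clippy.yaml (hunk at -23,6 +27,7), the added `mkdir -p /tmp` does nothing on `ubuntu-latest`, while the pipeline below it can still hide a failed scan. The step shows no `shell:` key, and GitHub's default for `run` on Linux is `bash -e {0}` without `pipefail`, so only the exit status of `clippy-sarif` decides whether the step passes. If `cargo clippy` fails to build, the step can succeed and upload an empty or partial SARIF file, which reads as a clean result in code scanning. Adding `shell: bash` to the step (which enables `-o pipefail`) or `set -o pipefail` as the first script line closes that gap, unless a workflow-level `defaults.run.shell` outside this hunk already does.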
@@ -12,20 +11,22 @@ permissions: pull-requests: write jobs: - update-flake: + update: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: DeterminateSystems/nix-installer-action@main - - uses: DeterminateSystems/update-flake-lock@v20 + - name: update lockfile + uses: DeterminateSystems/update-flake-lock@v20 id: update with: - commit-msg: "deps(flake): update inputs" - pr-title: "deps(flake): update inputs" + commit-msg: "flake: update inputs" + pr-title: "flake: update inputs" + token: ${{ github.token }} - - name: auto-merge pull request + - name: enable auto-merge shell: bash run: gh pr merge --auto --rebase "$PR_ID" env: diff --git a/garnix.yaml b/garnix.yaml index 9458456..64bee81 100644 --- a/garnix.yaml +++ b/garnix.yaml @@ -1,6 +1,5 @@ builds: - exclude: - - "packages.x86_64-linux.container" + exclude: [] include: - "checks.x86_64-linux.*" - "packages.x86_64-linux.*" diff --git a/parts/dev.nix b/parts/dev.nix index fbd319b..556e3b6 100644 --- a/parts/dev.nix +++ b/parts/dev.nix @@ -1,14 +1,7 @@ { - inputs, - self, - ... -}: { perSystem = { config, - craneLib, pkgs, - system, - toolchain, ... }: { pre-commit = { @@ -17,30 +10,11 @@ alejandra.enable = true; deadnix.enable = true; nil.enable = true; + rustfmt.enable = true; statix.enable = true; }; }; - checks = let - inherit (craneLib) cargoAudit cargoClippy cleanCargoSource cargoFmt; - - commonArgs = { - src = cleanCargoSource self; - }; - in { - inherit (self.packages.${system}) teawiebot; - - audit = cargoAudit (commonArgs // {inherit (inputs) advisory-db;}); - - clippy = cargoClippy (commonArgs - // { - inherit (self.packages.${system}) cargoArtifacts; - cargoClippyExtraArgs = "--all-targets"; - }); - - fmt = cargoFmt commonArgs; - }; - devShells = { default = pkgs.mkShell { shellHook = config.pre-commit.installationScript; @@ -51,7 +25,10 @@ nil statix - toolchain + rustc + cargo + rustfmt + clippy ]; }; }; |
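Review bot: In update-lock.yaml (hunk at -12,20 +11,22), the new `token: ${{ github.token }}` means the lock-update pull request is created by the workflow token, and GitHub does not start `pull_request` or `push` workflow runs for events caused by that token. Combined with `gh pr merge --auto --rebase`, the only gate on an unattended input bump is whatever branch protection requires from outside Actions, presumably the garnix checks; confirm they are marked as required. A comment next to the token line would make this explicit: `# PRs opened with github.token do not trigger Actions workflows; merge is gated by required external checks`. The `env:` block of the merge step continues outside the hunk.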
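Review bot: In parts/dev.nix (hunk at -17,30 +10,11), removing the `checks` attribute set drops `audit = cargoAudit (commonArgs // {inherit (inputs) advisory-db;});`, and the same commit deletes .github/workflows/audit.yaml, so none of the files shown here still checks Cargo dependencies against the advisory database. The clippy workflow and the new `rustfmt.enable = true;` hook stand in for the removed `clippy` and `fmt` checks, but nothing visible replaces the audit. This matters more because update-lock.yaml merges input updates without a reviewer. If the removal is intentional, state it in the commit message; otherwise keep the `audit` derivation under `checks` so the `checks.x86_64-linux.*` include in garnix.yaml continues to build it.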
