Diffstat (limited to '.github')
-rw-r--r--.github/dependabot.yml15
-rw-r--r--.github/workflows/ci.yaml76
-rw-r--r--.github/workflows/clippy.yaml51
-rw-r--r--.github/workflows/update-flake.yaml30
4 files changed, 172 insertions, 0 deletions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..eea0a9b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "ci"
+
+ - package-ecosystem: "cargo"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "chore(crates)"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..b2d5df4
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,76 @@
+name: CI
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - "**.lock"
+ - "**.rs"
+ - "**.nix"
+ - "Cargo.toml"
+ - ".github/workflows/ci.yaml"
+ pull_request:
+ paths:
+ - "**.lock"
+ - "**.rs"
+ - "**.nix"
+ - "Cargo.toml"
+ - ".github/workflows/ci.yaml"
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Build
+
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, macos-latest]
+
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v14
+
+ - name: Setup Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v8
+
+ - name: Run build
+ run: |
+ nix build --print-build-logs .#check-version-test
+
+ format:
+ name: Formatting
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v14
+
+ - name: Setup Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v8
+
+ - name: Run flake checks
+ run: |
+ nix build --print-build-logs .#check-formatting
+
+ release-gate:
+ name: CI Release gate
+ needs: [build, format]
+
+ if: ${{ always() }}
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Exit with error
+ if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
+ run: exit 1
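Review bot: Neither the workflow nor its jobs set a `permissions:` key, so on `push` and `workflow_dispatch` runs GITHUB_TOKEN carries whatever default the repository or organisation configures, which may include write scopes, while the steps here only need to read the checkout. Adding a top-level `permissions:` with `contents: read` after the `on:` block would fix the token at read-only regardless of those settings. Separately, the `uses:` lines reference mutable tags (`@v4`, `@v14`, `@v8`); pinning each to a full commit SHA with the tag kept as a trailing comment prevents a retagged release from running in the job, and the `github-actions` Dependabot entry added in this commit can keep SHA pins updated. The tag pinning also applies to clippy.yaml and update-flake.yaml, where the jobs hold `security-events: write` and `contents: write`.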
diff --git a/.github/workflows/clippy.yaml b/.github/workflows/clippy.yaml
new file mode 100644
index 0000000..32668a8
--- /dev/null
+++ b/.github/workflows/clippy.yaml
@@ -0,0 +1,51 @@
+name: Clippy
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - "**.lock"
+ - "**.rs"
+ - "**.nix"
+ - "Cargo.toml"
+ - ".github/workflows/clippy.yaml"
+ pull_request:
+ paths:
+ - "**.lock"
+ - "**.rs"
+ - "**.nix"
+ - "Cargo.toml"
+ - ".github/workflows/clippy.yaml"
+ workflow_dispatch:
+
+jobs:
+ clippy:
+ name: Run scan
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v14
+
+ - name: Setup Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v8
+
+ - name: Run clippy
+ id: clippy-run
+ run: |
+ nix build --print-build-logs .#check-clippy
+ [ -L result ] || exit 1
+ echo "sarif-file=$(readlink -f result)" >> "$GITHUB_OUTPUT"
+
+ - name: Upload results
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.clippy-run.outputs.sarif-file }}
+ wait-for-processing: true
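Review bot: The `Upload results` step will likely fail on pull requests opened from forks, because GitHub gives those runs a read-only token and the job-level `security-events: write` request is not honoured there. Guarding the step with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` keeps the clippy build running for fork PRs and skips only the upload. Also note that a job-level `permissions:` block sets every unlisted scope to `none`; if the repository is private, `actions/checkout` would additionally need `contents: read`, and the SARIF upload `actions: read`.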
diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml
new file mode 100644
index 0000000..02e4d3b
--- /dev/null
+++ b/.github/workflows/update-flake.yaml
@@ -0,0 +1,30 @@
+name: flake.lock
+
+on:
+ schedule:
+ # run every saturday
+ - cron: "0 0 * * 6"
+ workflow_dispatch:
+
+jobs:
+ update:
+ name: Update & make PR
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+ pull-requests: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v14
+
+ - uses: DeterminateSystems/update-flake-lock@v24
+ with:
+ commit-msg: "chore(nix): update flake.lock"
+ pr-title: "chore(nix): update flake.lock"
+ token: ${{ github.token }}
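Review bot: Pull requests opened with `github.token` do not trigger `pull_request` workflows, so the weekly flake.lock PR created by `update-flake-lock` would not run ci.yaml or clippy.yaml and could be merged without the build, formatting or release-gate results. Since that PR changes every pinned Nix input at once, it is the change that most needs those checks. Consider passing a narrowly scoped GitHub App or fine-grained token from a secret, e.g. `token: ${{ secrets.FLAKE_UPDATE_TOKEN }}` (placeholder name), or at minimum add a comment above `token:` such as `# PRs opened with github.token do not trigger CI; dispatch the checks manually before merging`. Creating PRs with the default token also depends on the repository setting that allows Actions to create pull requests.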