Merge pull request #165 from NotAShelf/ci-refactor

ci: order nix workflows; add cargo audit

.github/workflows/audit.yml

@@ -0,0 +1,29 @@
+name: Security audit
+on:
+  workflow_call:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+  push:
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+  pull_request:
+    branches: ["master"]
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+
+jobs:
+  audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install cargo-deny
+        uses: taiki-e/install-action@cargo-deny
+
+      - name: Scan for vulnerabilities
+        run: cargo deny check advisories

.github/workflows/build.yml

@@ -0,0 +1,43 @@
+name: Build Cargo Workspace
+
+on:
+  workflow_call:
+  workflow_dispatch:
+  pull_request:
+    branches: ["master"]
+  push:
+    branches:
+      - "*"
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build:
+    name: Build Cargo Workspace
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+     - name: Install Nix
+       uses: DeterminateSystems/nix-installer-action@main
+        with:
+          logger: pretty
+
+     - name: Get build dependencies
+       run: "nix develop .#"
+
+      - uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+          override: true
+
+      - uses: Swatinem/rust-cache@v2
+        name: Cache dependencies
+
+      - uses: actions-rs/cargo@v1
+        name: Build crate
+        with:
+          command: build
+          args: --verbose --all-features

.github/workflows/check.yml

@@ -1,19 +0,0 @@
-name: Flake Check
-
-on: [push, pull_request, workflow_dispatch]
-
-jobs:
-  check-flake:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@main
-        with:
-          logger: pretty
-
-      - name: Check Flake
-        run: nix flake check --accept-flake-config

.github/workflows/nix.yml

@@ -16,9 +16,26 @@ on:
       - README.md
 
 jobs:
+  check-flake:
+    name: "Check flake validity"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+        with:
+          logger: pretty
+
+      - name: Check Flake
+        run: nix flake check --accept-flake-config
+
   cachix:
     name: "Build Exposed Packages"
     runs-on: ubuntu-latest
+    needs: check-flake
     strategy:
       matrix:
         package:

.github/workflows/update.yml

@@ -0,0 +1,42 @@
+name: "Update repository dependencies"
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 4 1 * *"
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Bump nix
+        run: nix flake update
+
+      - name: Install dependencies
+        run: nix profile install --inputs-from . nixpkgs#cargo-bump nixpkgs#cargo
+
+      - name: Bump rust
+        run: |
+          cargo bump patch
+          cargo update
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: "${{ secrets.github_token }}"
+          title: "ci: update inputs"
+          author: GitHub <noreply@github.com>
+          branch: update
+          branch-suffix: timestamp
+          delete-branch: true
+          commit-message: |
+            Update all inputs
+
+            Co-authored-by: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>