jesus/secretumvault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
secretumvault/.woodpecker/ci-advanced.yml

169 lines
4.1 KiB
YAML
Raw Normal View History

chore: add CI/CD files and .typedialog for ci settings
2025-12-29 04:19:26 +00:00
# Woodpecker CI - Advanced Pipeline
# Multi-platform builds, coverage, benchmarks, and security scanning
when:
event: [push, pull_request, manual]
branch:
- main
- develop
matrix:
PLATFORM:
- linux/amd64
- linux/arm64
steps:
# === LINTING (Parallel) ===
lint-rust:
image: rust:latest
commands:
- curl --proto '=https' --tlsv1.2 -sSf https://just.systems/install.sh | bash -s -- --to /usr/local/bin
- rustup component add clippy rustfmt
- cargo fmt --all -- --check
- cargo clippy --all-targets --all-features -- -D warnings
environment:
CARGO_TERM_COLOR: always
lint-bash:
image: koalaman/shellcheck-alpine:stable
commands:
- apk add --no-cache curl bash
- find . -name '*.sh' -type f ! -path './target/*' -exec shellcheck {} +
lint-nickel:
image: rust:latest
commands:
- cargo install nickel-lang-cli --locked
- find . -name '*.ncl' -type f ! -path './target/*' -exec nickel typecheck {} \;
lint-nushell:
image: rust:latest
commands:
- cargo install nu --locked
- find . -name '*.nu' -type f ! -path './target/*' -exec nu --ide-check 100 {} \;
lint-markdown:
image: node:alpine
commands:
- npm install -g markdownlint-cli2
- markdownlint-cli2 '**/*.md' '#node_modules' '#target'
# === TESTING ===
test:
image: rust:latest
commands:
- cargo test --workspace --all-features --no-fail-fast
depends_on:
- lint-rust
- lint-bash
- lint-nickel
- lint-nushell
- lint-markdown
environment:
RUST_BACKTRACE: 1
# === CODE COVERAGE ===
coverage:
image: rust:latest
commands:
- cargo install cargo-tarpaulin --locked
- cargo tarpaulin --workspace --all-features --out Xml --output-dir coverage
- |
if [ -f coverage/cobertura.xml ]; then
echo "Coverage report generated successfully"
fi
depends_on:
- test
when:
event: [push, pull_request]
branch: [main, develop]
# === BUILD (Multi-platform) ===
build-native:
image: rust:latest
commands:
- cargo build --release --workspace
- ls -lh target/release/
depends_on:
- test
build-cross:
image: rust:latest
commands:
- cargo install cross --locked
- cross build --target x86_64-unknown-linux-musl --release
- cross build --target aarch64-unknown-linux-musl --release
depends_on:
- test
when:
matrix:
PLATFORM: linux/amd64
# === BENCHMARKS ===
benchmark:
image: rust:latest
commands:
- rustup toolchain install nightly
- cargo +nightly bench --workspace --no-fail-fast
- |
if [ -d target/criterion ]; then
echo "Benchmark results available in target/criterion"
fi
depends_on:
- build-native
when:
event: pull_request
# === SECURITY AUDITS ===
security-audit:
image: rust:latest
commands:
- cargo install cargo-audit --locked
- cargo audit --deny warnings --deny unmaintained --deny unsound
depends_on:
- lint-rust
license-check:
image: rust:latest
commands:
- cargo install cargo-deny --locked
- cargo deny check licenses advisories sources bans
depends_on:
- lint-rust
dependency-check:
image: rust:latest
commands:
- cargo install cargo-outdated --locked
- cargo outdated --exit-code 1 --root-deps-only
depends_on:
- lint-rust
when:
event: manual
# === SONARQUBE ANALYSIS ===
sonarqube:
image: sonarsource/sonar-scanner-cli:latest
commands:
- |
sonar-scanner \
-Dsonar.projectKey=${CI_REPO_NAME} \
-Dsonar.sources=. \
-Dsonar.host.url=${SONAR_HOST_URL} \
-Dsonar.token=${SONAR_TOKEN} \
-Dsonar.rust.clippy.reportPaths=clippy-report.json \
-Dsonar.coverageReportPaths=coverage/cobertura.xml
depends_on:
- coverage
secrets: [sonar_host_url, sonar_token]
when:
event: [push, pull_request]
branch: [main, develop]
Reference in New Issue Copy Permalink