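---
# Woodpecker CI - Advanced Pipeline
# Multi-platform builds, coverage, benchmarks, and security scanning
#
# Supply-chain notes for maintainers:
#   * Every step pulls a mutable image tag (`latest` / `stable`), so the
#     toolchain can change between runs without any commit to this file.
#     Pin a version tag or digest once a known-good one has been chosen.
#   * `cargo install <tool> --locked` honours the tool's own Cargo.lock but
#     still resolves the newest published release of the tool at run time.
#     Add `--version` to make the tool set reproducible.

# Workflow-level filter: pushes, pull requests and manual runs that target
# main or develop.
when:
  event: [push, pull_request, manual]
  branch:
    - main
    - develop

# One workflow is created per PLATFORM value. Only build-cross filters on it,
# so every other step is repeated for both values. No `labels` entry refers
# to PLATFORM, so the value alone does not select the agent architecture.
matrix:
  PLATFORM:
    - linux/amd64
    - linux/arm64

steps:
  # === LINTING (Parallel) ===
  lint-rust:
    image: rust:latest
    commands:
      # NOTE(review): the installer script is fetched and executed without a
      # checksum or signature check; TLS only authenticates the host. No
      # command in this step invokes `just`, so confirm it is still needed,
      # and prefer a pinned, verified release if it is.
      - curl --proto '=https' --tlsv1.2 -sSf https://just.systems/install.sh | bash -s -- --to /usr/local/bin
      - rustup component add clippy rustfmt
      - cargo fmt --all -- --check
      - cargo clippy --all-targets --all-features -- -D warnings
    environment:
      CARGO_TERM_COLOR: always

  lint-bash:
    image: koalaman/shellcheck-alpine:stable
    commands:
      - apk add --no-cache curl bash
      - find . -name '*.sh' -type f ! -path './target/*' -exec shellcheck {} +

  lint-nickel:
    image: rust:latest
    commands:
      - cargo install nickel-lang-cli --locked
      - find . -name '*.ncl' -type f ! -path './target/*' -exec nickel typecheck {} \;

  lint-nushell:
    image: rust:latest
    commands:
      - cargo install nu --locked
      - find . -name '*.nu' -type f ! -path './target/*' -exec nu --ide-check 100 {} \;

  lint-markdown:
    image: node:alpine
    commands:
      # Unpinned global install: the linter version floats with the registry.
      - npm install -g markdownlint-cli2
      # Quoted as a whole so the '#...' exclusion globs can never be read as
      # YAML comments.
      - "markdownlint-cli2 '**/*.md' '#node_modules' '#target'"

  # === TESTING ===
  # Runs only after every lint step has passed.
  test:
    image: rust:latest
    commands:
      - cargo test --workspace --all-features --no-fail-fast
    depends_on:
      - lint-rust
      - lint-bash
      - lint-nickel
      - lint-nushell
      - lint-markdown
    environment:
      # Quoted so the value stays a string rather than a YAML integer.
      RUST_BACKTRACE: "1"

  # === CODE COVERAGE ===
  coverage:
    image: rust:latest
    commands:
      - cargo install cargo-tarpaulin --locked
      - cargo tarpaulin --workspace --all-features --out Xml --output-dir coverage
      # Informational only: a missing report does not fail this step.
      - |
        if [ -f coverage/cobertura.xml ]; then
          echo "Coverage report generated successfully"
        fi
    depends_on:
      - test
    when:
      event: [push, pull_request]
      branch: [main, develop]

  # === BUILD (Multi-platform) ===
  build-native:
    image: rust:latest
    commands:
      - cargo build --release --workspace
      - ls -lh target/release/
    depends_on:
      - test

  # Builds both musl targets, and only in the linux/amd64 matrix run.
  build-cross:
    image: rust:latest
    commands:
      - cargo install cross --locked
      # NOTE(review): cross drives its builds through a container engine;
      # confirm one is reachable from inside this step.
      - cross build --target x86_64-unknown-linux-musl --release
      - cross build --target aarch64-unknown-linux-musl --release
    depends_on:
      - test
    when:
      matrix:
        PLATFORM: linux/amd64

  # === BENCHMARKS ===
  benchmark:
    image: rust:latest
    commands:
      - rustup toolchain install nightly
      - cargo +nightly bench --workspace --no-fail-fast
      - |
        if [ -d target/criterion ]; then
          echo "Benchmark results available in target/criterion"
        fi
    depends_on:
      - build-native
    when:
      event: pull_request

  # === SECURITY AUDITS ===
  # These steps wait only on lint-rust, so they run alongside test/build and
  # fail the pipeline independently of them.
  security-audit:
    image: rust:latest
    commands:
      - cargo install cargo-audit --locked
      - cargo audit --deny warnings --deny unmaintained --deny unsound
    depends_on:
      - lint-rust

  license-check:
    image: rust:latest
    commands:
      - cargo install cargo-deny --locked
      - cargo deny check licenses advisories sources bans
    depends_on:
      - lint-rust

  # Manual runs only: fails when a root dependency has a newer release.
  dependency-check:
    image: rust:latest
    commands:
      - cargo install cargo-outdated --locked
      - cargo outdated --exit-code 1 --root-deps-only
    depends_on:
      - lint-rust
    when:
      event: manual

  # === SONARQUBE ANALYSIS ===
  sonarqube:
    image: sonarsource/sonar-scanner-cli:latest
    commands:
      # Woodpecker pre-processes ${...} before the shell runs. CI_REPO_NAME is
      # a built-in and is meant to be substituted that way; the two secret
      # values exist only in the container environment, so they are escaped
      # with `$$` and expanded by the shell at run time instead.
      # NOTE(review): passing the token as -Dsonar.token puts it in the
      # process arguments. The scanner can also read SONAR_TOKEN and
      # SONAR_HOST_URL from the environment; confirm for the scanner version
      # in use and drop the two flags if so.
      # NOTE(review): no step in this file writes clippy-report.json, and
      # coverage/cobertura.xml is tarpaulin's Cobertura output; confirm both
      # report properties receive a file in the format they expect.
      - |
        sonar-scanner \
          -Dsonar.projectKey=${CI_REPO_NAME} \
          -Dsonar.sources=. \
          -Dsonar.host.url="$${SONAR_HOST_URL}" \
          -Dsonar.token="$${SONAR_TOKEN}" \
          -Dsonar.rust.clippy.reportPaths=clippy-report.json \
          -Dsonar.coverageReportPaths=coverage/cobertura.xml
    depends_on:
      - coverage
    # This step also runs on pull_request. Keep the secrets' own event
    # allow-list limited to trusted events so that a pull request which edits
    # this pipeline cannot read the token.
    # NOTE(review): newer Woodpecker releases replace `secrets:` with
    # `environment:` entries using `from_secret`; check the server version.
    secrets: [sonar_host_url, sonar_token]
    when:
      event: [push, pull_request]
      branch: [main, develop]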