.github/workflows/ci.yml

name: Continuous integration

on:
  pull_request:
  push:
    branches:
      - main

jobs:
  rust_actions:
    name: Rust Actions (Check/Fmt/Clippy)
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest]
        include:
          - tool: check
            protobuf: true
            fuse: true
            components: ""
            command: cargo check
          - tool: fmt
            protobuf: true
            fuse: true
            components: "rustfmt"
            command: cargo fmt --all -- --check
          - tool: clippy
            protobuf: true
            fuse: true
            components: "clippy"
            command: cargo clippy --all-features
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1.10
        with:
          components: ${{matrix.components}}
      - name: Install Protobuf
        if: matrix.protobuf
        uses: ./.github/actions/install-protobuf
      - name: Install FUSE
        if: matrix.fuse
        uses: ./.github/actions/install-fuse
      - name: Run ${{ matrix.tool }}
        run: ${{ matrix.command }}

  cargo-deny: # only runs on Linux
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: EmbarkStudios/cargo-deny-action@8371184bd11e21dcf8ac82ebf8c9c9f74ebf7268 # v2.0.1

  test:
    name: Test Suite
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1.10
      - name: Install Protobuf
        uses: ./.github/actions/install-protobuf
      - name: Install FUSE
        uses: ./.github/actions/install-fuse
      - name: Install nextest
        uses: taiki-e/install-action@49be99c627fae102cb8c86414e9605869641782a # nextest
      - run: cargo nextest run

  integration-test:
    name: Integration Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1.10
      - name: Install Protobuf
        uses: ./.github/actions/install-protobuf
      - name: Install FUSE
        uses: ./.github/actions/install-fuse
      - run: cargo test -p sheepdog
        timeout-minutes: 30


  kani:
    name: Kani Proofs
    runs-on: ubuntu-latest
    strategy:
      matrix:
        crate: [lading_throttle, lading_payload]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1.10
      - name: Install Protobuf
        uses: ./.github/actions/install-protobuf
      - name: Install FUSE
        uses: ./.github/actions/install-fuse
      - name: Install kani
        run: cargo install kani-verifier
      - run: cargo kani --solver cadical
        working-directory: ${{ matrix.crate }}
        timeout-minutes: 30

  loom:
    name: Loom Proofs
    runs-on: ubuntu-latest
    strategy:
      matrix:
        crate: [lading_signal]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1.10
      - name: Install Protobuf
        uses: ./.github/actions/install-protobuf
      - name: Install FUSE
        uses: ./.github/actions/install-fuse
      - name: Install nextest
        uses: taiki-e/install-action@49be99c627fae102cb8c86414e9605869641782a # nextest
      - run: RUSTFLAGS="--cfg loom" cargo nextest run --release
        working-directory: ${{ matrix.crate }}
        timeout-minutes: 30

  buf:
    runs-on: ubuntu-latest
    steps:
      # Check our protobufs for lint cleanliness and for lack of breaking
      # changes
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: buf-setup
        uses: bufbuild/buf-setup-action@2211e06e8cf26d628cda2eea15c95f8c42b080b3 # v1.45.0
      - name: buf-lint
        uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 # v1.1.1
      - name: buf-breaking
        uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba # v1.1.4
        with:
          against: 'https://github.com/datadog/lading.git#branch=main'

  actionlint:
    runs-on: ubuntu-latest
    steps:
      - name: set actionlint version & checksum
        id: version
        run: |
          export ACTIONLINT="1.7.3"
          export ACTIONLINT_CHECKSUM="37252b4d440b56374b0fc1726e05fd7452d30d6d774f6e9b52e65bb64475f9db"

          echo "actionlint version: ${ACTIONLINT}"
          echo "actionlint checksum: ${ACTIONLINT_CHECKSUM}"

          echo "ACTIONLINT=${ACTIONLINT}" >> $GITHUB_OUTPUT
          echo "ACTIONLINT_CHECKSUM=${ACTIONLINT_CHECKSUM}" >> $GITHUB_OUTPUT

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Download actionlint
        shell: bash
        run: |
          wget https://github.com/rhysd/actionlint/releases/download/v${{ steps.version.outputs.ACTIONLINT }}/actionlint_${{ steps.version.outputs.ACTIONLINT }}_linux_amd64.tar.gz

          echo "${{ steps.version.outputs.ACTIONLINT_CHECKSUM }}  actionlint_${{ steps.version.outputs.ACTIONLINT }}_linux_amd64.tar.gz" >> CHECKSUMS
          sha256sum -c CHECKSUMS

          tar -xvf actionlint_${{ steps.version.outputs.ACTIONLINT }}_linux_amd64.tar.gz
      - name: Check workflow files
        shell: bash
        run: |
          ./actionlint -color \
            -ignore 'Double quote to prevent globbing and word splitting' \
            -ignore 'Consider using { cmd1; cmd2; } >> file instead of individual redirects' \
            -ignore 'Declare and assign separately to avoid masking return values'

  action-sha-pin-check:
    runs-on: ubuntu-latest
    steps:
      - name: Check out branch
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Check all GitHub Actions in ".github/workflows" are pinned to SHAs
        uses: stacklok/frizbee-action@a0f3391cbe93a54e2a68cfaca2283f8cf3fd72ea # v0.0.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          actions: ".github/workflows"
          dockerfiles: ""
          fail_on_unpinned: true
          open_pr: false
      - name: Check all GitHub Actions in ".github/actions" are pinned to SHAs
        uses: stacklok/frizbee-action@a0f3391cbe93a54e2a68cfaca2283f8cf3fd72ea # v0.0.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          actions: ".github/actions"
          dockerfiles: ""
          fail_on_unpinned: true
          open_pr: false