WIP: Add Rust CI

And remove the Python CI. We still need to set up cargo-audit and cargo-vet jobs.
freedomofpress · Dec 5, 2023 · a3da0af · a3da0af
1 parent 10c80ac
commit a3da0af
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 135 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,66 +1,12 @@
 ---
 common-steps:
-  - &install_poetry
-    run:
-      name: Install Poetry
-      command: |
-        set -e
-        source /etc/os-release
-        if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
-            # Install Poetry via PyPI
-            apt-get update && apt-get install --yes --no-install-recommends python3-pip
-            pip install poetry==1.6.1
-        elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
-            # Install Poetry via system package
-            apt-get update && apt-get install --yes --no-install-recommends python3-poetry
-        else
-            echo "Unsupported Debian version: $VERSION_CODENAME"
-            exit 1
-        fi
-
-  - &install_testing_dependencies
-    run:
-      name: Install testing dependencies
-      command: |
-        apt-get install --yes --no-install-recommends git gnupg make
-        poetry install --no-ansi
-
   - &install_build_dependencies
     run:
       name: Install build dependencies
       command: |
         set -e
         apt-get update && apt-get install --yes git make sudo
 
-  - &run_unit_tests
-    run:
-      name: Install requirements and run unit tests
-      command: |
-        export PYTHONPATH=$PYTHONPATH:.  # so alembic can get to Base metadata
-        make test
-
-  - &run_lint
-    run:
-      name: Run lint, type checking, code formatting
-      command: |
-        make lint
-
-  - &check_security
-    run:
-      name: Run static analysis on source code to find security issues
-      command: |
-        set -e
-        poetry update bandit
-        make bandit
-
-  - &check_python_dependencies_for_vulnerabilities
-    run:
-      name: Check Python dependencies for known vulnerabilities
-      command: |
-        set -e
-        poetry update safety
-        make safety
-
   - &install_packaging_dependencies
     run:
       name: Install Debian packaging dependencies and download Python wheels
@@ -111,62 +57,16 @@ jobs:
       - *verify_requirements
       - *build_debian_package
 
-  unit-test:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - checkout
-      - *install_poetry
-      - *install_testing_dependencies
-      - *run_unit_tests
-      - store_test_results:
-          path: test-results
-
-  lint:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - checkout
-      - *install_poetry
-      - *install_testing_dependencies
-      - *run_lint
-
-  check-security:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - checkout
-      - *install_poetry
-      - *install_testing_dependencies
-      - *check_security
-
-  check-python-security:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - checkout
-      - *install_poetry
-      - *install_testing_dependencies
-      - *check_python_dependencies_for_vulnerabilities
-
 
 workflows:
   securedrop_proxy_ci:
     jobs: &jobs
-      - unit-test:
+      - build:
           matrix: &matrix
             parameters:
               image:
                 - bullseye
                 - bookworm
-      - lint:
-          matrix: *matrix
-      - check-security:
-          matrix: *matrix
-      - check-python-security:
-          matrix: *matrix
-      - build:
-          matrix: *matrix
 
   nightly:
     triggers:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,24 @@
+name: CI
+on: [push, pull_request]
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.0
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install dependencies
+        run: |
+          rustup component add rustfmt
+          rustup component add clippy
+          apt-get update && apt-get install python3-poetry --yes
+          poetry install --no-ansi
+      - name: Lint and test code
+        run: |
+          make rust-lint
+          make rust-test
diff --git a/Makefile b/Makefile
@@ -3,23 +3,8 @@
 .PHONY: all
 all: help
 
-.PHONY: bandit
-bandit: ## Run bandit with medium level excluding test-related folders
-	@echo "Running bandit security checks…"
-	@poetry run bandit -ll --recursive securedrop_proxy
-
-.PHONY: safety
-safety: ## Runs `safety check` to check python dependencies for vulnerabilities
-	@echo "Running safety against build requirements…"
-	@poetry run safety check --full-report -r build-requirements.txt
-
 .PHONY: lint
-lint: check-isort check-black mypy ## Run isort, black and flake8 and mypy
-	@poetry run flake8 securedrop_proxy tests
-
-.PHONY: mypy
-mypy: ## Run mypy static type checker
-	@poetry run mypy --ignore-missing-imports securedrop_proxy
+lint: rust-lint check-isort check-black ## Run Rust and Python linters/formatters
 
 .PHONY: black
 black: ## Run black for file formatting
@@ -42,26 +27,23 @@ check-isort: ## Check isort for file formatting
 	@poetry run isort --check-only --diff securedrop_proxy/*.py tests/*.py
 
 .PHONY: test
-test: clean .coverage ## Runs tests with coverage
-
-.coverage:
-	@poetry run coverage run --source securedrop_proxy -m unittest
-
-.PHONY: browse-coverage
-browse-coverage: .coverage ## Generates and opens HTML coverage report
-	@poetry run coverage html
-	@xdg-open htmlcov/index.html 2>/dev/null || open htmlcov/index.html 2>/dev/null
+test: ## Runs integration tests
+	@cargo build
+	@poetry run pytest
 
 .PHONY: check
-check: clean lint test mypy safety bandit  ## Runs all tests and code checkers
-
-.PHONY: clean
-clean:  ## Clean the workspace of generated resources
-	@rm -rf .mypy_cache build dist *.egg-info .coverage .eggs docs/_build .pytest_cache lib htmlcov .cache && \
-		find . \( -name '*.py[co]' -o -name dropin.cache \) -delete && \
-		find . \( -name '*.bak' -o -name dropin.cache \) -delete && \
-		find . \( -name '*.tgz' -o -name dropin.cache \) -delete && \
-		find . -name __pycache__ -print0 | xargs -0 rm -rf
+check: lint rust-test test  ## Runs all tests and code checkers
+
+.PHONY: rust-lint
+rust-lint: ## Lint Rust code
+	@echo "Linting Rust code..."
+	cargo fmt --check
+	cargo clippy
+
+.PHONY: rust-test
+rust-test: ## Run Rust tests
+	@echo "Running Rust tests..."
+	cargo test
 
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##

diff --git a/rust-toolchain.toml b/rust-toolchain.toml
@@ -0,0 +1,2 @@
+[toolchain]
+channel = "1.74.0"
diff --git a/src/main.rs b/src/main.rs
@@ -1,3 +1,5 @@
+#![deny(clippy::all)]
+
 use anyhow::{bail, Result};
 use reqwest::blocking::{Client, Response};
 use reqwest::header::HeaderMap;