ci-code-review-rust.yml

name: Code Review - Rust
on:
  push:
    branches: ['main']
  pull_request:
    branches: ['main']
    paths:
      [
        'programs/**',
        'lib',
        'Cargo.toml',
        'Cargo.lock',
      ]
  workflow_dispatch:

env:
  CARGO_TERM_COLOR: always
  SOLANA_VERSION: '1.18.22'
  RUST_TOOLCHAIN: '1.78.0'

jobs:
  format:
    name: Format
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set Rust version
        run: rustup toolchain install ${{ env.RUST_TOOLCHAIN }} --component rustfmt

      - name: Run fmt
        run: cargo fmt -- --check

  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2

      - name: Set Rust version
        run: rustup toolchain install ${{ env.RUST_TOOLCHAIN }} --component clippy

      - name: Run clippy
        run: cargo clippy --workspace --exclude fixed --exclude checked_math -- --no-deps --deny=warnings --allow=clippy::style --allow=clippy::complexity --allow=clippy::manual-retain --allow=clippy::crate-in-macro-def --allow=clippy::result-large-err --allow=clippy::derive_partial_eq_without_eq --allow=clippy::multiple-bound-locations

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2

      - name: Set Rust version
        run: rustup toolchain install ${{ env.RUST_TOOLCHAIN }}

      - name: Install Solana
        run: |
          sh -c "$(curl -sSfL https://release.solana.com/v${{ env.SOLANA_VERSION }}/install)"
          echo "$HOME/.local/share/solana/install/active_release/bin" >> $GITHUB_PATH
          export PATH="/home/runner/.local/share/solana/install/active_release/bin:$PATH"
          solana --version
          echo "Generating keypair..."
          solana-keygen new -o "$HOME/.config/solana/id.json" --no-passphrase --silent

      - name: Build all deps
        run: |
          cargo build-sbf

      - name: Run sbf tests
        run: cargo test-sbf

  coverage:
    name: Coverage
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Cache dependencies
        uses: Swatinem/rust-cache@v2

      - name: Set Rust version
        run: rustup toolchain install ${{ env.RUST_TOOLCHAIN }}

      - name: Install Solana
        run: |
          sh -c "$(curl -sSfL https://release.solana.com/v${{ env.SOLANA_VERSION }}/install)"
          echo "$HOME/.local/share/solana/install/active_release/bin" >> $GITHUB_PATH
          export PATH="/home/runner/.local/share/solana/install/active_release/bin:$PATH"
          solana --version
          echo "Generating keypair..."
          solana-keygen new -o "$HOME/.config/solana/id.json" --no-passphrase --silent

      - name: Install cargo-llvm-cov
        uses: taiki-e/install-action@cargo-llvm-cov

      - name: Build all deps
        run: |
          cargo build-sbf --verbose

      - name: Generate code coverage
        run: cargo llvm-cov --lcov --output-path lcov.info --workspace -- --nocapture
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v3
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: lcov.info
          verbose: true
          fail_ci_if_error: true
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  sca:
    name: Dependency Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Fail the job on critical vulnerabilities with fix available
      - name: Fail on critical vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: 'Cargo.lock'
          ignore-unfixed: true
          hide-progress: true
          format: 'table'
          severity: 'CRITICAL'
          exit-code: '1'