CI: Fix zizmor anonymous-definition by naming every job #7079
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| pull_request: | |
| merge_group: | |
| workflow_dispatch: | |
| schedule: | |
| # Run at 4 AM UTC daily to make sure that all changes are up-to-date. | |
| # We run the cron job at a time where merges don't usually happen, in order to avoid race | |
| # conditions with the `merge_group` workflow execution. | |
| - cron: 0 4 * * * | |
| concurrency: | |
| # We want to make sure that parallel executions (merge queue, cron, manual) of this workflow | |
| # do not perform the `deploy` job in parallel. | |
| # At the same time, we want to avoid this workflow running in parallel for multiple PRs | |
| # (where it only runs tests, without deploy). | |
| # If we're in a PR, `head_ref` is set, so we allow parallel runs for different PR HEAD refs. | |
| # If we're elsewhere, we use a constant string to use the same concurrency group. | |
| group: ${{ github.workflow }}-${{ github.head_ref || 'deploy' }} | |
| cancel-in-progress: false | |
| permissions: {} | |
| jobs: | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| if: github.repository == 'rust-lang/team' | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 50 | |
| - name: Install Rust Stable | |
| env: | |
| RUST_VERSION: "1.94.1" | |
| run: | | |
| rustc -vV | |
| rustup toolchain install $RUST_VERSION | |
| rustup default $RUST_VERSION | |
| rustup component add rustfmt clippy | |
| rustc -vV | |
| - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 | |
| - name: Build the team binary | |
| run: RUSTFLAGS="--deny warnings" cargo build | |
| - name: Validate the repository contents | |
| run: cargo run -- check --strict | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.github_token }} | |
| - name: Run rustfmt | |
| run: cargo fmt -- --check | |
| - name: Run clippy | |
| run: cargo clippy --workspace --all-targets --all-features -- -D warnings | |
| - name: Run tests | |
| run: cargo test --workspace --all-features | |
| - name: Check CODEOWNERS | |
| run: cargo run ci check-codeowners | |
| - name: Build the contents of the static API | |
| run: | | |
| cargo run -- static-api build | |
| echo "team-api.infra.rust-lang.org" > build/CNAME | |
| - name: Write PR number into the uploaded archive | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: echo "${{ github.event.pull_request.number }}" > build/pr.txt | |
| - name: Upload the built JSON as a GitHub artifact | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: team-api-output | |
| path: build | |
| deploy: | |
| name: Deploy | |
| needs: [ test ] | |
| runs-on: ubuntu-latest | |
| environment: deploy | |
| permissions: | |
| contents: read | |
| id-token: write # Needed for GitHub Pages OIDC authentication in `actions/deploy-pages` | |
| pages: write # Needed to deploy the built static API to GitHub Pages | |
| if: github.event_name != 'pull_request' | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Download built JSON API and sync-team | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: team-api-output | |
| path: build | |
| - name: Sync changes | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.WRITE_GITHUB_TOKEN }} | |
| MAILGUN_API_TOKEN: ${{ secrets.MAILGUN_API_TOKEN }} | |
| EMAIL_PRIVATE_KEY: ${{ secrets.EMAIL_PRIVATE_KEY }} | |
| ZULIP_API_TOKEN: ${{ secrets.ZULIP_API_TOKEN }} | |
| ZULIP_USERNAME: ${{ secrets.ZULIP_USERNAME }} | |
| CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }} | |
| CRATES_IO_USERNAME: "rust-lang-owner" | |
| run: | | |
| cargo run sync apply --src build | |
| - name: Disable Jekyll | |
| run: touch build/.nojekyll | |
| - name: Upload GitHub pages artifact | |
| uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 | |
| with: | |
| path: build | |
| # Upload the pages only if the sync succeeded, to always keep the | |
| # most up-to-date state in the web endpoint. | |
| - name: Deploy to GitHub Pages | |
| uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 | |
| # Summary job for the merge queue. | |
| # ALL THE PREVIOUS JOBS NEED TO BE ADDED TO THE `needs` SECTION OF THIS JOB! | |
| CI: | |
| # Keep `name: CI` matching the job key. The merge queue's required status | |
| # check is `CI / CI`, so renaming would silently break it. | |
| name: CI | |
| needs: [ test, deploy ] | |
| # We need to ensure this job does *not* get skipped if its dependencies fail, | |
| # because a skipped job is considered a success by GitHub. So we have to | |
| # overwrite `if:`. We use `!cancelled()` to ensure the job does still not get run | |
| # when the workflow is canceled manually. | |
| if: ${{ !cancelled() }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Manually check the status of all dependencies. `if: failure()` does not work. | |
| - name: Conclusion | |
| run: | | |
| # Print the dependent jobs to see them in the CI log | |
| jq -C <<< '${{ toJson(needs) }}' | |
| # Check if all jobs that we depend on (in the needs array) were successful. | |
| jq --exit-status 'all(.result == "success" or .result == "skipped")' <<< '${{ toJson(needs) }}' |