feat(security): Spring Security parity — Tier 3 method-security depth… #89
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| permissions: | |
| contents: read | |
| # Cancel superseded runs on the same ref. | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RUST_BACKTRACE: 1 | |
| # The framework targets the latest stable Rust. | |
| RUST_TOOLCHAIN: "stable" | |
| jobs: | |
| # --------------------------------------------------------------------------- | |
| # Formatting + lints — mirrors `make fmt-check` + `make clippy`. | |
| # --------------------------------------------------------------------------- | |
| lint: | |
| name: fmt + clippy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@master | |
| with: | |
| toolchain: ${{ env.RUST_TOOLCHAIN }} | |
| components: rustfmt, clippy | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: System libraries (librdkafka native build + TLS/SASL) | |
| run: sudo apt-get update && sudo apt-get install -y cmake pkg-config libssl-dev libsasl2-dev zlib1g-dev libzstd-dev libcurl4-openssl-dev | |
| - name: rustfmt | |
| run: cargo fmt --all --check | |
| - name: clippy (deny warnings) | |
| run: cargo clippy --workspace --all-targets -- -D warnings | |
| # --------------------------------------------------------------------------- | |
| # Build + unit/integration tests that need no external infra — `make test`. | |
| # --------------------------------------------------------------------------- | |
| test: | |
| name: build + test (workspace) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@master | |
| with: | |
| toolchain: ${{ env.RUST_TOOLCHAIN }} | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: System libraries (librdkafka native build + TLS/SASL) | |
| run: sudo apt-get update && sudo apt-get install -y cmake pkg-config libssl-dev libsasl2-dev zlib1g-dev libzstd-dev libcurl4-openssl-dev | |
| - name: build | |
| run: cargo build --workspace --all-targets | |
| - name: test | |
| run: cargo test --workspace --all-targets | |
| # --------------------------------------------------------------------------- | |
| # Real-infra integration — the env-gated adapter suite against live services | |
| # (the CI equivalent of `make infra-up && make test-integration`). Adapters | |
| # whose service env is unset (kafka/keycloak/s3/azurite/smtp) skip cleanly. | |
| # --------------------------------------------------------------------------- | |
| integration: | |
| name: real-infra integration | |
| runs-on: ubuntu-latest | |
| services: | |
| postgres: | |
| image: postgres:16-alpine | |
| env: | |
| POSTGRES_USER: firefly | |
| POSTGRES_PASSWORD: firefly | |
| POSTGRES_DB: firefly | |
| ports: ["5442:5432"] | |
| options: >- | |
| --health-cmd "pg_isready -U firefly" | |
| --health-interval 5s --health-timeout 5s --health-retries 20 | |
| mysql: | |
| image: mysql:8 | |
| env: | |
| MYSQL_ROOT_PASSWORD: firefly | |
| MYSQL_DATABASE: firefly | |
| MYSQL_USER: firefly | |
| MYSQL_PASSWORD: firefly | |
| ports: ["3307:3306"] | |
| options: >- | |
| --health-cmd "mysqladmin ping -h localhost -pfirefly" | |
| --health-interval 5s --health-timeout 5s --health-retries 20 | |
| redis: | |
| image: redis:7-alpine | |
| ports: ["6379:6379"] | |
| options: >- | |
| --health-cmd "redis-cli ping" | |
| --health-interval 5s --health-timeout 5s --health-retries 20 | |
| rabbitmq: | |
| image: rabbitmq:3-management-alpine | |
| ports: ["5672:5672"] | |
| options: >- | |
| --health-cmd "rabbitmq-diagnostics -q ping" | |
| --health-interval 10s --health-timeout 5s --health-retries 20 | |
| mongodb: | |
| image: mongo:7 | |
| ports: ["27018:27017"] | |
| options: >- | |
| --health-cmd "mongosh --quiet --eval 'db.runCommand({ ping: 1 }).ok'" | |
| --health-interval 5s --health-timeout 5s --health-retries 20 | |
| env: | |
| FIREFLY_TEST_POSTGRES_URL: postgres://firefly:firefly@localhost:5442/firefly | |
| FIREFLY_TEST_MYSQL_URL: mysql://firefly:firefly@localhost:3307/firefly | |
| FIREFLY_TEST_MONGODB_URL: mongodb://localhost:27018 | |
| FIREFLY_TEST_REDIS_URL: redis://localhost:6379 | |
| FIREFLY_TEST_RABBITMQ_URL: amqp://guest:guest@localhost:5672/%2f | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@master | |
| with: | |
| toolchain: ${{ env.RUST_TOOLCHAIN }} | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: System libraries (librdkafka native build + TLS/SASL) | |
| run: sudo apt-get update && sudo apt-get install -y cmake pkg-config libssl-dev libsasl2-dev zlib1g-dev libzstd-dev libcurl4-openssl-dev | |
| - name: integration tests (relational, document, cache, eda, session) | |
| run: | | |
| cargo test --no-fail-fast \ | |
| -p firefly-data-sqlx -p firefly-data-mongodb \ | |
| -p firefly-cache-postgres -p firefly-cache-redis \ | |
| -p firefly-eda-postgres -p firefly-eda-redis -p firefly-eda-rabbitmq \ | |
| -p firefly-session-postgres -p firefly-session-redis -p firefly-session-mongodb \ | |
| -- --include-ignored | |
| # --------------------------------------------------------------------------- | |
| # The designed book must still build (catches broken book source / manifest). | |
| # --------------------------------------------------------------------------- | |
| book: | |
| name: book build (PDF + EPUB) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: WeasyPrint system libraries | |
| run: sudo apt-get update && sudo apt-get install -y libpango-1.0-0 libpangocairo-1.0-0 libcairo2 libgdk-pixbuf-2.0-0 libffi-dev | |
| - name: book toolchain (venv) | |
| run: | | |
| python3 -m venv docs/book/.venv | |
| docs/book/.venv/bin/pip install --quiet weasyprint markdown pygments pyyaml | |
| - name: build PDF + EPUB | |
| run: docs/book/build-book.sh |