A typical GitHub Actions workflow for Rust:
```yaml
# Workflow name, triggers and job id are placeholders; adjust to your repository.
name: CI
on: [push, pull_request]

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install cargo-audit, cargo-deny, tarpaulin, chef
        run: cargo install cargo-audit cargo-deny cargo-tarpaulin cargo-chef
      - name: Security check
        run: cargo audit
      - name: Dependency policy check
        run: cargo deny check
      - name: Test coverage gate
        run: cargo tarpaulin --fail-under 80
      - name: Build using cargo chef
        run: |
          cargo chef prepare --recipe-path recipe.json
          # --release so the cooked dependencies match the release build below
          cargo chef cook --release --recipe-path recipe.json
          cargo build --release
```
This pipeline:
- performs security validation,
- enforces dependency and license policies,
- ensures test coverage quality,
- and builds your Rust project quickly using dependency caching.
What each step does:
Security check (cargo-audit)
```
cargo audit
```
Scans Cargo.lock for vulnerable, deprecated, or compromised dependencies using the RustSec advisory database.
Dependency policy check (cargo-deny)
```
cargo deny check
```
Validates your dependency graph: licenses, banned crates, duplicates, and other policy rules.
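`cargo deny check` reads its rules from a `deny.toml` in the repository root. The file below is an added example, not part of the original post: the license allowlist and the banned crate are constructed policy choices, and the `crate`/`reason` keys assume a recent cargo-deny release.

```toml
# deny.toml (constructed example policy, adjust to your project)

[advisories]
# Fail when a dependency version has been yanked from the registry.
yanked = "deny"
# Advisory IDs accepted after review go here; keep the list empty by default.
ignore = []

[licenses]
# Only these SPDX identifiers pass; any other license fails the check.
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-3-Clause",
    "Unicode-3.0",
]
# Minimum confidence when matching license text that carries no SPDX tag.
confidence-threshold = 0.8

[bans]
# Two versions of the same crate in the graph: report, but do not fail.
multiple-versions = "warn"
# Reject `*` version requirements in Cargo.toml.
wildcards = "deny"
# Crates that must never appear in the dependency graph (hypothetical entry).
deny = [
    { crate = "openssl", reason = "example policy: this project standardises on rustls" },
]

[sources]
# Dependencies may only come from crates.io; unknown registries and git
# repositories fail the check.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
```

Each table corresponds to one of the checks `cargo deny check` runs (advisories, licenses, bans, sources), so a failure in CI points at the section whose rule was violated.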
Test coverage gate (cargo-tarpaulin)
```
cargo tarpaulin --fail-under 80
```
Measures test coverage and fails the CI pipeline if coverage is below 80%.
Fast build using cargo-chef
```
cargo chef prepare --recipe-path recipe.json
# --release so the cooked dependencies match the release build below
cargo chef cook --release --recipe-path recipe.json
cargo build --release
```
- prepare: generates a dependency recipe.
- cook: builds and caches dependencies separately.
- cargo build --release: final build using a warmed dependency cache.
via @Let's Get Rusty