👷(gh): Add github action workflows

.deny.toml

@@ -0,0 +1,17 @@
+# Copyright (C) 2024 Alexandre Nicolaie ([email protected])
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+
+[licenses]
+allow = ["Apache-2.0", "MIT", "Unicode-DFS-2016"]

.github/workflows/merge_group,pull_request.all.lint.yaml

@@ -0,0 +1,35 @@
+# Copyright 2024
+#
+# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
+# sublicense or whatever the fuck they want with this software but at their
+# OWN RISK.
+# The author has absolutely no fucking clue what the code in this project
+# does. It might just fucking work or not, there is no third option.
+#
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+---
+name: 🚨 Lint Everything
+
+on:
+  merge_group: {}
+  pull_request: {}
+
+permissions: {}
+
+jobs:
+  trunk:
+    name: ✅ Validate code quality
+    permissions:
+      contents: read
+      checks: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      # - name: ✏️ Overrides Trunk configuration for Github Action
+      #   run: mv .trunk/gha.yaml .trunk/user.yaml
+      - name: ⚡️ Run `trunk check`
+        uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16

.github/workflows/merge_group,pull_request.rust.yaml

@@ -0,0 +1,41 @@
+# Copyright (C) 2024 Alexandre Nicolaie ([email protected])
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: 🦀 Lint & Build kubevault
+
+on:
+  merge_group: {}
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - Cargo.{lock,toml}
+      - src/**
+      - tests/**
+      - .github/workflows/merge_group,pull_request.rust.yaml
+      - .github/workflows/workflow_call.rust.*.yaml
+
+permissions: {}
+
+jobs:
+  rust-lint:
+    name: 🦀
+    permissions:
+      contents: read
+      pull-requests: write
+    uses: ./.github/workflows/workflow_call.rust.lint.yaml
+  rust-test:
+    name: 🧪
+    uses: ./.github/workflows/workflow_call.rust.test.yaml
+    secrets: inherit

.github/workflows/push.trunk-cache.yaml

@@ -0,0 +1,37 @@
+# Copyright 2024
+#
+# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
+# sublicense or whatever the fuck they want with this software but at their
+# OWN RISK.
+# The author has absolutely no fucking clue what the code in this project
+# does. It might just fucking work or not, there is no third option.
+#
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+---
+name: ♻️ Refresh Trunk cache
+
+on:
+  push:
+    branches: [main]
+    paths: [.trunk/trunk.yaml]
+
+permissions: {}
+
+jobs:
+  trunk-cache:
+    name: ♻️ Refresh Trunk cache
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write
+
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: 📦️ Populate cache with Trunk
+        uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16
+        with:
+          check-mode: populate_cache_only

.github/workflows/security.workflows.yaml

@@ -0,0 +1,43 @@
+# Copyright 2024
+#
+# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
+# sublicense or whatever the fuck they want with this software but at their
+# OWN RISK.
+# The author has absolutely no fucking clue what the code in this project
+# does. It might just fucking work or not, there is no third option.
+#
+# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+# DEALINGS IN THE SOFTWARE.
+---
+name: 🔒️ Security hardening (Github Actions workflows)
+
+on:
+  merge_group: {}
+  pull_request:
+    types: [opened, synchronize]
+    paths: [.github/workflows/**]
+
+permissions: {}
+
+jobs:
+  ci_harden_security:
+    name: 🔒️ Github Action security hardening
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: 📄 Lint Github Actions
+        run: |
+          curl -O https://raw.githubusercontent.com/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/.github/actionlint-matcher.json
+
+          echo "::add-matcher::actionlint-matcher.json"
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/scripts/download-actionlint.bash)
+          ./actionlint -color
+
+      - name: ✅ Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@40e45e738b3cad2729f599d8afc6ed02184e1dbd # v3.0.5

.github/workflows/workflow_call.rust.lint.yaml

@@ -0,0 +1,116 @@
+# Copyright (C) 2024 Alexandre Nicolaie ([email protected])
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: 🦀 Lint Rust source code
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  rustfmt:
+    name: 🎨 Rustfmt
+    runs-on: ubuntu-latest
+    steps:
+      - run: rustup --version
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      - name: 🧐 Check if all files are formatted
+        run: cargo fmt --all --check
+
+  clippy:
+    name: 🧹 Clippy
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - run: rustup --version
+      - name: 📦 Install reviewdog
+        uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
+        with:
+          reviewdog_version: latest
+      - name: 🚧 Setup cache for Rust
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        id: restore-rust
+        with:
+          path: |
+            ~/.cargo/bin
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: ${{ runner.os }}-rust-${{ hashFiles('**/Cargo.lock') }}
+      - name: 📦 Install clippy-reviewdog filter
+        run: cargo install clippy-reviewdog-filter || true
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      - name: 🧐 Check for clippy warnings
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cargo clippy --all-targets --all-features --message-format json 2>&1 -- --deny missing_docs --deny unused_qualifications --deny warnings \
+            | clippy-reviewdog-filter \
+            | reviewdog -f=checkstyle -name=clippy -reporter=github-pr-check -filter-mode=nofilter -fail-on-error
+
+  audit:
+    name: 🛡️ Audit
+    runs-on: ubuntu-latest
+    steps:
+      - run: rustup --version
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      - name: 🚧 Setup cache for Rust
+        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        id: restore-rust
+        with:
+          path: |
+            ~/.cargo/bin
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+          key: ${{ runner.os }}-rust-${{ hashFiles('**/Cargo.lock') }}
+      - name: 📦 Install cargo-audit
+        run: cargo install cargo-audit || true
+      - name: 📦 Generate lockfile
+        run: cargo generate-lockfile
+      - name: 🧐 Check for security vulnerabilities
+        run: cargo audit --deny warnings
+
+  deny:
+    name: 🚫 Deny
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      - name: 🧐 Check for license compliance
+        uses: EmbarkStudios/cargo-deny-action@10d8902cf9225c404574ce39c45d5d26c3047464 # v2.0.0
+        with:
+          command: check ${{ matrix.checks }}