Merge pull request #2 from fcuny/fcuny/rust-template

3 files changed, 131 insertions, 90 deletions

diff --git a/templates/rust/.github/workflows/build.yml b/templates/rust/.github/workflows/build.yml
index f449190..202cfec 100644
--- a/templates/rust/.github/workflows/build.yml
+++ b/templates/rust/.github/workflows/build.yml
@@ -1,4 +1,4 @@
-name: gh-ssh-keys CI
+name: XXX CI
 
 on:
   push:
@@ -8,66 +8,30 @@ jobs:
     name: Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - uses: actions-rs/cargo@v1
-        with:
-          command: check
-      - uses: actions-rs/cargo@v1
-        with:
-          command: check
-          args: --no-default-features
+      - name: git checkout
+        uses: actions/checkout@v3
+      - name: install nix
+        uses: cachix/install-nix-action@v17
+      # This is a workaround for https://github.com/oxalica/rust-overlay/issues/54,
+      # avoiding link errors when running cargo commands with `nix develop`.
+      - name: Remove existing binaries from ~/.cargo/bin
+        run: rm --recursive --force --verbose ~/.cargo/bin
+      - name: check rust formatting
+        run: nix develop --command cargo fmt --check
+      - name: audit rust code
+        run: nix develop --command cargo-deny check
+      - name: clippy
+        run: nix develop --command cargo clippy -- -D warnings
 
-  test:
-    name: Test
+  test_and_build:
+    name: Test and build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - uses: actions-rs/cargo@v1
-        with:
-          command: test
-      - uses: actions-rs/cargo@v1
-        with:
-          command: test
-          args: --no-default-features
-
-  fmt:
-    name: Rustfmt
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - run: rustup component add rustfmt
-      - uses: actions-rs/cargo@v1
-        with:
-          command: fmt
-          args: --all -- --check
-
-  clippy:
-    name: Clippy
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - run: rustup component add clippy
-      - uses: actions-rs/cargo@v1
-        with:
-          command: clippy
-          args: -- -D warnings
+      - name: git checkout
+        uses: actions/checkout@v3
+      - name: install nix
+        uses: cachix/install-nix-action@v17
+      - name: test
+        run: nix develop --command cargo test
+      - name: build
+        run: nix build .
diff --git a/templates/rust/deny.toml b/templates/rust/deny.toml
new file mode 100644
index 0000000..fd95cdb
--- /dev/null
+++ b/templates/rust/deny.toml
@@ -0,0 +1,46 @@
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+ignore = []
+
+[licenses]
+unlicensed = "deny"
+allow = ["MIT", "Apache-2.0", "ISC", "Unicode-DFS-2016", "OpenSSL"]
+deny = []
+copyleft = "allow"
+default = "deny"
+confidence-threshold = 0.8
+exceptions = []
+
+[licenses.private]
+ignore = false
+registries = []
+
+# see https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#example
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+highlight = "all"
+allow = []
+deny = []
+skip = []
+skip-tree = []
+
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []
+
+[sources.allow-org]
diff --git a/templates/rust/flake.nix b/templates/rust/flake.nix
index 49c2f76..b6bc262 100644
--- a/templates/rust/flake.nix
+++ b/templates/rust/flake.nix
@@ -4,63 +4,94 @@
   inputs = {
     flake-utils.url = "github:numtide/flake-utils";
     nixpkgs.url = "github:NixOS/nixpkgs";
-    rust-overlay.url = "github:oxalica/rust-overlay";
-    naersk.url = "github:nmattia/naersk";
+    rust-overlay = {
+      url = "github:oxalica/rust-overlay";
+      inputs = {
+        flake-utils.follows = "flake-utils";
+        nixpkgs.follows = "nixpkgs";
+      };
+    };
+    pre-commit-hooks = {
+      url = "github:cachix/pre-commit-hooks.nix";
+      inputs = {
+        flake-utils.follows = "flake-utils";
+        nixpkgs.follows = "nixpkgs";
+      };
+    };
   };
 
   outputs =
     { self
     , flake-utils
     , nixpkgs
-    , naersk
     , rust-overlay
+    , pre-commit-hooks
     }:
+    let
+      # Borrow project metadata from the Rust config
+      meta = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package;
+      inherit (meta) name version;
 
+      overlays = [
+        # Rust helpers
+        (import rust-overlay)
+        # Build Rust toolchain using helpers from rust-overlay
+        (self: super: {
+          # This supplies cargo, rustc, rustfmt, etc.
+          rustToolchain = super.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;
+        })
+      ];
+    in
     flake-utils.lib.eachDefaultSystem
       (system:
       let
-        overlays = [ (import rust-overlay) ];
         pkgs = import nixpkgs { inherit system overlays; };
-        rust-toolchain =
-          (pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml).override {
-            extensions = [ "rust-src" ];
-          };
-        naersk-lib = naersk.lib."${system}".override {
-          rustc = rust-toolchain;
-        };
       in
-      rec
       {
-        packages.gh-ssh-keys = naersk-lib.buildPackage {
-          pname = "gh-ssh-keys";
-          root = ./.;
-          buildInputs = with pkgs; [
-            pkg-config
-            openssl
-          ];
+        packages = rec {
+          default = XXX;
+          x509-info = pkgs.rustPlatform.buildRustPackage {
+            pname = name;
+            inherit version;
+            src = ./.;
+            release = true;
+            cargoLock.lockFile = ./Cargo.lock;
+          };
         };
 
-        defaultPackage = packages.gh-ssh-keys;
+        checks = {
+          pre-commit = pre-commit-hooks.lib.${system}.run {
+            src = ./.;
+            hooks = {
+              clippy = {
+                enable = true;
+                entry = pkgs.lib.mkForce "cargo clippy -- -D warnings";
+              };
+              nixpkgs-fmt = {
+                enable = true;
+              };
+              rustfmt = {
+                enable = true;
+                entry = pkgs.lib.mkForce "cargo fmt -- --check --color always";
+              };
+            };
+          };
+        };
 
         devShell = pkgs.mkShell {
           nativeBuildInputs = with pkgs; [
-            rust-toolchain
-            openssl
-            pkg-config
+            rustToolchain
             cargo-audit
             cargo-deny
-            cargo-cross
             rust-analyzer
-          ] ++ pkgs.lib.optionals (pkgs.stdenv.isLinux) (with pkgs; [ cargo-watch ]);
+          ];
 
-          shellHook = ''
-            cargo --version
-          '';
+          inherit (self.checks.${system}.pre-commit) shellHook;
         };
       })
     // {
       overlay = final: prev: {
-        gh-ssh-keys = self.defaultPackage.${prev.system};
+        XXX = self.defaultPackage.${prev.system};
       };
     };
 }