@dougefresh/ci 0.1.11

package/.checkov.yml

@@ -0,0 +1,7 @@
+# See: https://www.checkov.io/1.Welcome/Quick%20Start.html
+
+compact: true
+quiet: true
+skip-path:
+  - coverage
+  - node_modules

package/.env.example

@@ -0,0 +1,61 @@
+# dotenv-linter:off IncorrectDelimiter
+
+# Do not commit your actual .env file to Git! This may contain secrets or other
+# private information.
+
+# Enable/disable step debug logging (default: `false`). For local debugging, it
+# may be useful to set it to `true`.
+ACTIONS_STEP_DEBUG=true
+
+# GitHub Actions inputs should follow `INPUT_<name>` format (case-sensitive).
+# Hyphens should not be converted to underscores!
+INPUT_MILLISECONDS=2400
+
+# GitHub Actions default environment variables. These are set for every run of a
+# workflow and can be used in your actions. Setting the value here will override
+# any value set by the local-action tool.
+# https://docs.github.com/en/actions/learn-github-actions/variables#default-environment-variables
+
+# CI="true"
+# GITHUB_ACTION=""
+# GITHUB_ACTION_PATH=""
+# GITHUB_ACTION_REPOSITORY=""
+# GITHUB_ACTIONS=""
+# GITHUB_ACTOR=""
+# GITHUB_ACTOR_ID=""
+# GITHUB_API_URL=""
+# GITHUB_BASE_REF=""
+# GITHUB_ENV=""
+# GITHUB_EVENT_NAME=""
+# GITHUB_EVENT_PATH=""
+# GITHUB_GRAPHQL_URL=""
+# GITHUB_HEAD_REF=""
+# GITHUB_JOB=""
+# GITHUB_OUTPUT=""
+# GITHUB_PATH=""
+# GITHUB_REF=""
+# GITHUB_REF_NAME=""
+# GITHUB_REF_PROTECTED=""
+# GITHUB_REF_TYPE=""
+# GITHUB_REPOSITORY=""
+# GITHUB_REPOSITORY_ID=""
+# GITHUB_REPOSITORY_OWNER=""
+# GITHUB_REPOSITORY_OWNER_ID=""
+# GITHUB_RETENTION_DAYS=""
+# GITHUB_RUN_ATTEMPT=""
+# GITHUB_RUN_ID=""
+# GITHUB_RUN_NUMBER=""
+# GITHUB_SERVER_URL=""
+# GITHUB_SHA=""
+# GITHUB_STEP_SUMMARY=""
+# GITHUB_TRIGGERING_ACTOR=""
+# GITHUB_WORKFLOW=""
+# GITHUB_WORKFLOW_REF=""
+# GITHUB_WORKFLOW_SHA=""
+# GITHUB_WORKSPACE=""
+# RUNNER_ARCH=""
+# RUNNER_DEBUG=""
+# RUNNER_NAME=""
+# RUNNER_OS=""
+# RUNNER_TEMP=""
+# RUNNER_TOOL_CACHE=""

package/.gitattributes

@@ -0,0 +1,3 @@
+* text=auto eol=lf
+
+dist/** -diff linguist-generated=true

package/.github/actions/install-yq/action.yaml

@@ -0,0 +1,80 @@
+name: Install YQ
+description: |
+  Installs a version of YQ into the job tool cache using simple shell scripts
+
+branding:
+  icon: copy
+  color: orange
+
+inputs:
+  version:
+    required: true
+    description: 'Version of YQ to install'
+    default: 'v4.49.2'
+  download-compressed:
+    required: false
+    description: "If 'true', downloads .tar.gz of binary rather than raw binary.  Save the tubes."
+    default: 'true'
+  force:
+    required: false
+    description: "If 'true', does not check for existing yq installation before continuing."
+    default: 'false'
+
+outputs:
+  found:
+    description: "If 'true', yq was already found on this runner"
+    value: "${{ steps.yq-check-unix.outputs.found == 'true' || steps.yq-check-windows.outputs.found == 'true' }}"
+  installed:
+    description: "If 'true', yq was installed by this action"
+    value:
+      "${{ inputs.force == 'true' || steps.yq-check-unix.outputs.found == 'false' ||
+      steps.yq-check-windows.outputs.found == 'false' }}"
+
+runs:
+  using: composite
+  steps:
+    - name: 'Check for yq - Unix-ish'
+      id: yq-check-unix
+      if: (runner.os == 'Linux' || runner.os == 'macOS')
+      shell: bash +e {0}
+      # language=bash
+      run: |
+        _yq_bin="$(which yq)"
+        if [ -f "${_yq_bin}" ]; then
+          echo "found=true" >> $GITHUB_OUTPUT
+        else
+          echo "found=false" >> $GITHUB_OUTPUT
+        fi
+
+    - name: 'Install yq - Unix-ish'
+      if:
+        (runner.os == 'Linux' || runner.os == 'macOS') && (steps.yq-check-unix.outputs.found == 'false' || inputs.force
+        == 'true')
+      shell: bash
+      env:
+        DL_COMPRESSED: "${{ inputs.download-compressed == 'true' }}"
+        YQ_VERSION: '${{ inputs.version }}'
+      run: $GITHUB_ACTION_PATH/scripts/unixish.sh
+
+    - name: 'Check for yq - Windows-ish'
+      id: yq-check-windows
+      if: runner.os == 'Windows'
+      shell: powershell
+      # language=powershell
+      run: |
+        if (Get-Command "yq.exe" -ErrorAction SilentlyContinue)
+        {
+            Add-Content $Env:GITHUB_OUTPUT "found=true"
+        }
+        else
+        {
+            Add-Content $Env:GITHUB_OUTPUT "found=false"
+        }
+
+    - name: 'Install yq - Windows-ish'
+      if: runner.os == 'Windows' && (steps.yq-check-windows.outputs.found == 'false' || inputs.force == 'true')
+      shell: powershell
+      env:
+        DL_COMPRESSED: "${{ inputs.download-compressed == 'true' }}"
+        YQ_VERSION: '${{ inputs.version }}'
+      run: '& $Env:GITHUB_ACTION_PATH\scripts\windowsish.ps1'

package/.github/actions/install-yq/scripts/unixish.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo '::group::Prep'
+
+# validate input and prepare some vars
+
+_base_url='https://github.com/mikefarah/yq/releases/download'
+
+_os=
+_arch=
+
+_root_name=
+_dl_name=
+_dl_path=
+_dl_url=
+
+case $RUNNER_OS in
+  Linux)
+    _os='linux'
+    ;;
+  macOS)
+    _os='darwin'
+    ;;
+
+  *)
+    echo "Cannot handle OS of type $RUNNER_OS"
+    echo "Expected one of: [ Linux macOS ]"
+    exit 1
+    ;;
+esac
+
+case $RUNNER_ARCH in
+  'X86')
+    _arch='386'
+    ;;
+  'X64')
+    _arch='amd64'
+    ;;
+  'ARM')
+    _arch='arm'
+    ;;
+  'ARM64')
+    _arch='arm64'
+    ;;
+
+  *)
+    echo "Cannot handle arch of type $RUNNER_ARCH"
+    echo "Expected one of: [ X86 X64 ARM ARM64 ]"
+    exit 1
+    ;;
+esac
+
+_root_name="yq_${_os}_${_arch}"
+
+echo "Creating temporary directory $RUNNER_TEMP/${_root_name}"
+mkdir -p "$RUNNER_TEMP/${_root_name}"
+
+if [[ $DL_COMPRESSED == 'true' ]]; then
+  _dl_name="${_root_name}.tar.gz"
+  _dl_path="$RUNNER_TEMP/${_dl_name}"
+else
+  _dl_name="${_root_name}"
+  _dl_path="$RUNNER_TEMP/${_root_name}/${_dl_name}"
+fi
+
+# default to _something_...
+_version="${YQ_VERSION}"
+
+if [ -z "${YQ_VERSION}" ]; then
+  _version='v4.44.3'
+fi
+
+_dl_url="${_base_url}/${_version}/${_dl_name}"
+
+echo '::endgroup::'
+
+echo "::group::Downloading yq ${_version}"
+
+echo "Src: ${_dl_url}"
+echo "Dst: ${_dl_path}"
+
+curl -L "${_dl_url}" -o "${_dl_path}"
+
+echo '::endgroup::'
+
+if [[ $DL_COMPRESSED == 'true' ]]; then
+  echo '::group::Expanding archive'
+  tar -xzv -C "$RUNNER_TEMP/${_root_name}" -f "${_dl_path}"
+  echo "Removing ${_dl_path}"
+  rm -rf "${_dl_path}"
+  echo '::endgroup::'
+fi
+
+echo '::group::Copying to tool cache'
+
+echo "Creating tool cache directory $RUNNER_TOOL_CACHE/yq"
+mkdir -p "$RUNNER_TOOL_CACHE/yq"
+
+echo "Installing into tool cache:"
+echo "Src: $RUNNER_TEMP/${_root_name}/${_root_name}"
+echo "Dst: $RUNNER_TOOL_CACHE/yq/yq"
+mv "$RUNNER_TEMP/${_root_name}/${_root_name}" "$RUNNER_TOOL_CACHE/yq/yq"
+
+echo "Removing $RUNNER_TEMP/${_root_name}"
+rm -rf "$RUNNER_TEMP/${_root_name}"
+
+echo "Adding $RUNNER_TOOL_CACHE/yq to path..."
+echo "$RUNNER_TOOL_CACHE/yq" >> $GITHUB_PATH
+
+echo '::endgroup::'

package/.github/actions/install-yq/scripts/windowsish.ps1

@@ -0,0 +1,99 @@
+$ErrorActionPreference = 'Stop'
+Set-StrictMode -Version Latest
+
+Write-Host "::group::Prep"
+
+# validate input and prepare some vars
+
+switch ($Env:RUNNER_ARCH)
+{
+    "X86" {
+        $_arch = "386"
+    }
+    "X64" {
+        $_arch = "amd64"
+    }
+    default {
+        Write-Host "Cannot handle arch of type $Env:RUNNER_ARCH"
+        Write-Host "Expected one of: [ X86 X64 ]"
+        exit 1
+    }
+}
+
+$_base_url = "https://github.com/mikefarah/yq/releases/download"
+
+$_root_name = "yq_windows_${_arch}"
+$_bin_name = "${_root_name}.exe"
+
+Write-Host "Creating temporary directory $Env:RUNNER_TEMP\${_root_name}\"
+New-Item "$Env:RUNNER_TEMP\${_root_name}\" -ItemType Directory -Force
+
+if ($Env:DL_COMPRESSED -eq "true")
+{
+    $_dl_name = "${_root_name}.zip"
+    $_dl_path = "$Env:RUNNER_TEMP\${_dl_name}"
+}
+else
+{
+    $_dl_name = "${_bin_name}"
+    $_dl_path = "$Env:RUNNER_TEMP\${_root_name}\${_dl_name}"
+    Write-Host "Creating temporary directory $Env:RUNNER_TEMP\${_root_name}\"
+    New-Item "$Env:RUNNER_TEMP\${_root_name}\" -ItemType Directory -Force
+}
+
+$_version = "$Env:YQ_VERSION"
+
+# default to _something_...
+if ($_version -eq "")
+{
+    $_version = "v4.44.3"
+}
+
+$_dl_url = "${_base_url}/${_version}/${_dl_name}"
+
+Write-Host "::endgroup::"
+
+# download artifact
+
+Write-Host "::group::Downloading yq ${_version}"
+
+Write-Host "Src: ${_dl_url}"
+Write-Host "Dst: ${_dl_path}"
+
+Invoke-WebRequest -Uri "${_dl_url}" -OutFile "${_dl_path}"
+
+Write-Host "::endgroup::"
+
+# expand archive, if necessary
+
+if ($Env:DL_COMPRESSED -eq "true")
+{
+    Write-Host "::group::Expanding archive"
+
+    Expand-Archive -LiteralPath "${_dl_path}" -DestinationPath "$Env:RUNNER_TEMP\${_root_name}\"
+
+    Write-Host "Removing ${_dl_path}"
+    Remove-Item -Force -Path "${_dl_path}"
+
+    Write-Host "::endgroup::"
+}
+
+# install into tool cache
+
+Write-Host "::group::Copying to tool cache"
+
+Write-Host "Creating tool cache directory $Env:RUNNER_TOOL_CACHE\yq\"
+New-Item "$Env:RUNNER_TOOL_CACHE\yq\" -ItemType Directory -Force
+
+Write-Host "Installing into tool cache:"
+Write-Host "Src: $Env:RUNNER_TEMP\${_root_name}\${_bin_name}"
+Write-Host "Dst: $Env:RUNNER_TOOL_CACHE\yq\yq.exe"
+Move-Item -Force -LiteralPath "$Env:RUNNER_TEMP\${_root_name}\${_bin_name}" -Destination "$Env:RUNNER_TOOL_CACHE\yq\yq.exe"
+
+Write-Host "Removing $Env:RUNNER_TEMP\${_root_name}"
+Remove-Item -Force -Recurse -Path "$Env:RUNNER_TEMP\${_root_name}"
+
+Write-Host "Adding $Env:RUNNER_TOOL_CACHE\yq\ to path..."
+Add-Content "$Env:GITHUB_PATH" "$Env:RUNNER_TOOL_CACHE\yq\"
+
+Write-Host "::endgroup::"

package/.github/actions/rust-config/action.yml

@@ -0,0 +1,34 @@
+name: Rust CI Config
+description: Merge Rust CI Config
+inputs:
+  git_token:
+    description: 'Token to authenticate for git'
+    required: false
+  arm64:
+    default: "ubicloud-standard-8-arm"
+    required: false
+  amd64:
+    default: "ubicloud-standard-4"
+    required: false
+outputs:
+  config:
+    description: 'Configuration JSON output'
+    value: ${{ steps.config.outputs.config }}
+runs:
+  using: composite
+  steps:
+    - name: Checkout code
+      uses: actions/checkout@v6
+      with:
+        token: ${{ inputs.git_token || github.token }}
+    - name: generate
+      id: generate
+      uses: dougefresh/ci@main
+    - name: replace runners
+      id: config
+      shell: bash
+      run: |
+        CONFIG="$(echo '${{ steps.generate.outputs.config }}' | sed \
+            -e 's/vars.RUNNER_ARM64/${{ inputs.arm64 }}/g' \
+            -e 's/vars.RUNNER_AMD64/${{ inputs.amd64 }}/g')"
+        echo "config=$CONFIG" >> $GITHUB_OUTPUT

package/.github/actions/rust-init/action.yml

@@ -0,0 +1,75 @@
+name: Rust Init
+description: Initialize a Rust project with a basic structure and dependencies.
+inputs:
+  git_token:
+    description: 'Token to authenticate for git'
+    required: false
+  packages:
+    description: 'Packages to install per OS, see .github/ci-configs/rust-default.yml'
+    required: false
+    default: ''
+  ref:
+    description: 'Ref to checkout'
+    required: false
+    default: ''
+runs:
+  using: composite
+  steps:
+    - name: Checkout code
+      uses: actions/checkout@v6
+      with:
+        token: ${{ inputs.git_token || github.token }}
+        ref: ${{ inputs.ref }}
+    - name: cache
+      uses: ubicloud/rust-cache@v2
+      with:
+        cache-on-failure: 'true'
+    - uses: actions-rust-lang/setup-rust-toolchain@v1
+      with:
+        toolchain: stable,nightly
+        components: rustfmt,clippy
+    # - name: Install nightyly
+    #   id: toolchain-nightly
+    #   uses: dtolnay/rust-toolchain@nightly
+    #   with:
+    #     components: "rustfmt,clippy"
+    # - name: Install stable
+    #   id: toolchain-stable
+    #   shell: bash
+    #   run: |
+    #     rustup toolchain install stable --component clippy --profile minimal --no-self-update
+    #     rustup default stable
+    #     echo "name=stable" >> $GITHUB_OUTPUT
+    - name: Debug versions
+      shell: bash
+      run: |
+        cargo +nightly --version
+        cargo +stable --version
+
+    - name: packages
+      shell: bash
+      if: ${{ inputs.packages }}
+      run: |
+        set -x
+        packages=""
+        case $RUNNER_OS in
+          Linux)
+            packages="${{ fromJSON(inputs.packages).Linux }}"
+            ;;
+          macOS)
+            packages="${{ fromJSON(inputs.packages).macOS }}"
+            ;;
+          *)
+            echo "Cannot handle OS of type $RUNNER_OS"
+            echo "Expected one of: [ Linux macOS ]"
+            exit 0
+            ;;
+        esac
+
+        if [ -z "$packages" ]; then
+          echo "No packages to install"
+          exit 0
+        fi
+
+        echo "Installing packages: $packages"
+        sudo $packages

package/.github/ci-configs/dummy.yml

@@ -0,0 +1,24 @@
+'$schema': https://github.com/CarteraMesh/ci/raw/refs/heads/main/schemas/rust-ci-config.schema.json
+
+release:
+  cargo-publish: false
+  debian: false
+  profile: release
+  bin: dummy
+  os:
+    - target: 'aarch64-unknown-linux-gnu'
+      os: 'ubicloud-standard-8-arm64'
+
+jobs:
+  semver:
+    if: false
+    continue-on-error: true
+  extra:
+    if: true
+    continue-on-error: false
+    name: extra-dummy
+    run: echo "Running extra job"
+
+pages:
+  mdbook:
+    if: true

package/.github/ci-configs/rust/ai.yml

@@ -0,0 +1,65 @@
+ai:
+  enabled: true
+  allowed_bots: '*'
+  claude_args: ''
+  use_sticky_comment: false
+  track_progress: true
+  prompt: |
+    Perform a comprehensive code review with the following focus areas:
+    Provide detailed feedback using inline comments for ONLY issues, no praise inline comments.
+    Use top-level comments for general observations or praise
+    Do not be shy, I am a big boy and can handle criticism gracefully. I welcome feedback and suggestions.
+
+    Review this PR against our team checklist:
+
+    ## Code Quality
+    - [ ] Code follows our style guide
+    - [ ] No commented-out code
+    - [ ] Meaningful variable names
+    - [ ] DRY principle followed
+
+    ## Testing
+    - [ ] Unit tests for new functions
+    - [ ] Integration tests for new endpoints
+    - [ ] Edge cases covered
+    - [ ] Test coverage > 80%
+
+    ## Documentation
+    - [ ] README updated if needed
+    - [ ] API docs updated
+    - [ ] Inline comments for complex logic
+    - [ ] CHANGELOG.md updated
+
+    ## Security
+    - [ ] No hardcoded credentials
+    - [ ] Input validation implemented
+    - [ ] Proper error handling
+    - [ ] No sensitive data in logs
+
+    For each item, check if it is satisfied and comment on any that need attention.
+    Post a summary comment with checklist results.
+  # https://code.claude.com/docs/en/settings
+  # https://www.schemastore.org/claude-code-settings.json
+  settings:
+    attribution:
+      commit: 'Generated with JobsTaker'
+      pr: ''
+    permissions:
+      allow:
+        - mcp__github_inline_comment__create_inline_comment,
+        - Bash(gh pr comment:*),
+        - Bash(gh pr diff:*),
+        - Bash(gh pr view:*),
+        - Bash(grep .*),
+        - Bash(rg .*),
+        - Bash(npm run lint)
+        - Bash(npm run test:*)
+        - Bash(cargo .*)
+      deny:
+        - Bash(cargo publis.*)
+        #   - Read(./.env)
+        #   - Read(./.env.*)
+        #   - Read(./secrets/**)
+    env:
+      CLAUDE_CODE_ENABLE_TELEMETRY: '0'
+      OTEL_METRICS_EXPORTER: otlp

package/.github/ci-configs/rust-default.yml

@@ -0,0 +1,115 @@
+global:
+  # to match $RUNNER_OS
+  packages:
+    Linux: ''
+    macOS: ''
+    Windows: ''
+  toolchains:
+    - stable
+    - nightly
+  features:
+    - default
+  rustlog: info
+  fireblocks:
+    enabled: false
+    set-env-vars: true
+
+pages:
+  mdbook:
+    if: false
+    path: docs
+    version: latest
+    command: mdbook build
+
+release:
+  cargo-publish: true # release to cargo, otherwise just tag
+  debian: false
+  profile: 'release'
+  os:
+    - target: aarch64-unknown-linux-gnu
+      os: ubicloud-standard-8-arm
+    - target: x86_64-unknown-linux-gnu
+      os: ubicloud-standard-4
+    - target: aarch64-apple-darwin
+      os: macos-latest
+#    - target: x86_64-pc-windows-msvc
+#      os: windows-latest
+jobs:
+  coverage:
+    if: true
+    continue-on-error: false
+    args:
+      test: ''
+      llvm: ''
+    run: |
+      cmd="cargo llvm-cov ${LLVM_ARGS} --locked --lcov --output-path lcov-${FEATURES}.info --no-fail-fast"
+      if [ "$FEATURES" == "default" ]; then
+        $cmd -- --no-capture $CARGO_ARGS
+      else
+        $cmd --features "$FEATURES" -- --no-capture $CARGO_ARGS
+      fi
+    matrix:
+      os: []
+      toolchains:
+        - stable
+      features:
+        - default
+  fmt:
+    if: true
+    continue-on-error: false
+    run: cargo +nightly fmt --check --all
+  clippy:
+    if: true
+    continue-on-error: false
+    flags: ''
+    matrix:
+      os: []
+      toolchains:
+        - stable
+      features:
+        - default
+
+  semver:
+    if: true
+    continue-on-error: false
+  hack:
+    if: true
+    continue-on-error: false
+    run: cargo hack --feature-powerset check
+  doc:
+    if: true
+    continue-on-error: false
+    run: cargo +nightly docs-rs
+
+  cargo-sort:
+    if: true
+    continue-on-error: false
+    run: |
+      if [ -f ./scripts/cargo-sort.sh ]; then
+        ./scripts/cargo-sort.sh
+      else
+        cargo sort -c -g
+      fi
+  dependencies:
+    if: true
+    continue-on-error: false
+    run: cargo machete --with-metadata
+
+  sanitizers:
+    enabled: true
+    matrix:
+      os: []
+      features:
+        - default
+    address:
+      if: true
+      continue-on-error: false
+      run: cargo test --lib --tests --no-fail-fast --target x86_64-unknown-linux-gnu -- --no-capture
+    leak:
+      if: true
+      continue-on-error: false
+      run: cargo test --target x86_64-unknown-linux-gnu  -- --no-capture
+    thread:
+      if: false
+      continue-on-error: false
+      run: cargo test --target x86_64-unknown-linux-gnu -- --test-threads=1

package/.github/ci-configs/test/01.yml

@@ -0,0 +1,9 @@
+global:
+  packages:
+    Linux: 'curl'
+  rustlog: debug
+  fireblocks:
+    enabled: true
+jobs:
+  coverage:
+    if: false