0.1.0 release

.cargo/audit.toml

@@ -0,0 +1,10 @@
+[advisories]
+ignore = [
+    # RUSTSEC-2023-0071: Marvin attack in rsa crate False positive - we use sqlx with sqlite only,
+    # not mysql. The rsa crate is a transitive dependency of sqlx-mysql which isn't compiled or
+    # linked in our build. This is due to a long-standing Cargo bug where lockfiles include all
+    # workspace dependencies regardless of enabled features
+    # (https://github.com/rust-lang/cargo/issues/10801). The vulnerability does not affect our
+    # binary since the code path is never compiled.
+    "RUSTSEC-2023-0071",
+]

.github/workflows/checks.yml

@@ -10,15 +10,17 @@ env:
 jobs:
   checks:
     name: Run Checks
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libsqlite3-dev sqlite3
+
       - name: Install Rust
         uses: dtolnay/rust-toolchain@stable
         with:
@@ -42,9 +44,10 @@ jobs:
         run: ./scripts/checks.sh
 
       - name: Upload coverage to Codecov
-        if: matrix.os == 'ubuntu-latest' && success()
-        uses: codecov/codecov-action@v3
+        if: success()
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./cobertura.xml
           fail_ci_if_error: true
+          slug: avocado-linux/prserv

.github/workflows/pr.yml

@@ -8,3 +8,4 @@ jobs:
   checks:
     name: Run Checks
     uses: ./.github/workflows/checks.yml
+    secrets: inherit

.github/workflows/release.yml

@@ -12,20 +12,20 @@ env:
 jobs:
   test:
     name: Run Tests
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest]
-        rust: [stable]
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libsqlite3-dev sqlite3
+
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@master
+        uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: ${{ matrix.rust }}
           components: rustfmt, clippy
 
       - name: Cache dependencies
@@ -73,12 +73,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: macos-latest
-            target: x86_64-apple-darwin
-            suffix: ""
-          - os: macos-latest
-            target: aarch64-apple-darwin
-            suffix: ""
           - os: ubuntu-latest
             target: x86_64-unknown-linux-gnu
             suffix: ""
@@ -88,14 +82,16 @@ jobs:
           - os: ubuntu-latest
             target: x86_64-unknown-linux-musl
             suffix: ""
-          - os: windows-latest
-            target: x86_64-pc-windows-msvc
-            suffix: .exe
 
     steps:
       - uses: actions/checkout@v4
         name: Checkout for cargo metadata
 
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libsqlite3-dev sqlite3
+
       - name: Extract binary name from Cargo.toml
         id: get_binary_name
         shell: bash
@@ -105,12 +101,6 @@ jobs:
           echo "binary_name=$BINARY_NAME" >> $GITHUB_OUTPUT
           echo "Binary name: $BINARY_NAME"
 
-      - name: Install aws-lc-rs build pre-reqs for Windows
-        if: ${{ matrix.target == 'x86_64-pc-windows-msvc' }}
-        run: |
-          choco install nasm -y
-          echo "C:\Program Files\NASM" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-
       - uses: dtolnay/rust-toolchain@stable
         with:
           target: ${{ matrix.target }}
@@ -123,91 +113,23 @@ jobs:
       - uses: Swatinem/rust-cache@v2
 
       - name: Build release (native)
-        if: ${{ !contains(fromJSON('["aarch64-unknown-linux-musl", "x86_64-unknown-linux-musl", "aarch64-apple-darwin"]'), matrix.target) }}
+        if: ${{ matrix.target == 'x86_64-unknown-linux-gnu' }}
         run: cargo build --release --target ${{ matrix.target }}
 
       - name: Build release (cross)
         if: ${{ contains(fromJSON('["aarch64-unknown-linux-musl", "x86_64-unknown-linux-musl"]'), matrix.target) }}
         run: cross build --release --target ${{ matrix.target }}
 
-      - name: Build release (macOS ARM64)
-        if: ${{ matrix.target == 'aarch64-apple-darwin' }}
-        run: |
-          rustup target add aarch64-apple-darwin
-          cargo build --release --target aarch64-apple-darwin
-
-      - name: Codesign executable (macOS)
-        if: ${{ contains(fromJSON('["x86_64-apple-darwin", "aarch64-apple-darwin"]'), matrix.target) }}
-        env:
-          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
-          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
-          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
-          APPLE_ID: ${{ secrets.APPLE_ID }}
-          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
-          APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
-          APPLE_CODESIGNING_IDENTITY: ${{ secrets.APPLE_CODESIGNING_IDENTITY }}
-        run: |
-          # Require certificate for macOS builds
-          if [ -z "$MACOS_CERTIFICATE" ]; then
-            echo "ERROR: macOS code signing certificate not configured"
-            echo "Please configure MACOS_CERTIFICATE secret in GitHub Actions"
-            exit 1
-          fi
-
-          # Create variables
-          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
-          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
-          BINARY_PATH="./target/${{ matrix.target }}/release/${{ steps.get_binary_name.outputs.binary_name }}"
-
-          # Import certificate
-          echo -n "$MACOS_CERTIFICATE" | base64 --decode --output $CERTIFICATE_PATH
-
-          # Create temporary keychain
-          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
-          security default-keychain -s $KEYCHAIN_PATH
-          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
-
-          # Make cert accessible by codesign
-          security import $CERTIFICATE_PATH -P "$MACOS_CERTIFICATE_PWD" -k $KEYCHAIN_PATH -T /usr/bin/codesign
-
-          # Avoid password prompt
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
-
-          # Give permissions
-          chmod +x $BINARY_PATH
-
-          # Code sign
-          /usr/bin/codesign -s $APPLE_CODESIGNING_IDENTITY --deep -f --timestamp -o runtime $BINARY_PATH
-
-          # Verify signing
-          /usr/bin/codesign --verify --strict $BINARY_PATH
-
-          # Zip file for notarization
-          ditto -c -k --sequesterRsrc --keepParent "$BINARY_PATH" "$BINARY_PATH.zip"
-
-          # Notarize app
-          xcrun notarytool submit \
-            --wait \
-            --apple-id "$APPLE_ID" \
-            --team-id "$APPLE_TEAM_ID" \
-            --password "$APP_PASSWORD" \
-            "$BINARY_PATH.zip"
 
       - name: Package release
         shell: bash
         run: |
           BINARY_NAME="${{ steps.get_binary_name.outputs.binary_name }}${{ matrix.suffix }}"
           mv "./target/${{ matrix.target }}/release/${{ steps.get_binary_name.outputs.binary_name }}${{ matrix.suffix }}" "./$BINARY_NAME"
 
-          # Create tarball for Unix systems
-          if [ "${{ matrix.os }}" != "windows-latest" ]; then
-            tar -czf "${{ steps.get_binary_name.outputs.binary_name }}-${{ github.ref_name }}_${{ matrix.target }}.tar.gz" "./$BINARY_NAME"
-            echo "ASSET=${{ steps.get_binary_name.outputs.binary_name }}-${{ github.ref_name }}_${{ matrix.target }}.tar.gz" >> $GITHUB_ENV
-          else
-            # Create zip for Windows
-            7z a -tzip "${{ steps.get_binary_name.outputs.binary_name }}-${{ github.ref_name }}_${{ matrix.target }}.zip" "./$BINARY_NAME"
-            echo "ASSET=${{ steps.get_binary_name.outputs.binary_name }}-${{ github.ref_name }}_${{ matrix.target }}.zip" >> $GITHUB_ENV
-          fi
+          # Create tarball for Linux
+          tar -czf "${{ steps.get_binary_name.outputs.binary_name }}-${{ github.ref_name }}_${{ matrix.target }}.tar.gz" "./$BINARY_NAME"
+          echo "ASSET=${{ steps.get_binary_name.outputs.binary_name }}-${{ github.ref_name }}_${{ matrix.target }}.tar.gz" >> $GITHUB_ENV
 
       - name: Upload Release Asset
         uses: softprops/action-gh-release@v2

.gitignore

@@ -28,3 +28,4 @@ target
 # Coverage artifacts
 cobertura.xml
 lcov.info
+prserv.db*