shared-actions/rust-build/action.yml

name: rust-build
description: >
  Set up Rust toolchain, configure Cargo registry, cache dependencies,
  run optional checks, and build via the project's build.sh script.

inputs:
  working-directory:
    description: Directory containing Cargo.toml and build.sh
    required: false
    default: "."
  rust-version:
    description: Rust toolchain version (passed to dtolnay/rust-toolchain)
    required: false
    default: "1.95.0"
  cross-target:
    description: Cross-compilation target triple
    required: false
    default: x86_64-unknown-linux-musl
  build-mode:
    description: Build mode — 'release' or 'debug'
    required: false
    default: release
  run-checks:
    description: Comma-separated checks to run before building — 'fmt', 'clippy', 'test'
    required: false
    default: ""
  jfrog-token:
    description: JFrog token for the Artifactory Cargo registry
    required: false
    default: ""

runs:
  using: composite
  steps:
    - name: Install musl tools
      shell: bash
      run: |
        if ! command -v musl-gcc &>/dev/null; then
          sudo apt-get update -qq && sudo apt-get install -y -qq musl-tools
        fi

    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
    # dtolnay/rust-toolchain v1 (2026-03-27) — https://github.com/dtolnay/rust-toolchain/commit/3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
    - name: Setup Rust toolchain
      id: rust-toolchain
      uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
      with:
        toolchain: ${{ inputs.rust-version }}
        targets: ${{ inputs.cross-target }}
        components: rustfmt,clippy

    - name: Configure Cargo registry (JFrog Artifactory)
      if: ${{ inputs.jfrog-token != '' }}
      shell: bash
      env:
        JFROG_TOKEN: ${{ inputs.jfrog-token }}
      run: |
        mkdir -p "${CARGO_HOME}"
        cat >> "${CARGO_HOME}/config.toml" <<'EOF'
        [registries.artifactory]
        index = "sparse+https://schmalz.jfrog.io/artifactory/api/cargo/schmalz-cargo-local/index/"
        [registry]
        global-credential-providers = ["cargo:token"]
        EOF

        cat >> "${CARGO_HOME}/credentials.toml" <<EOF
        [registries.artifactory]
        token = "Bearer ${JFROG_TOKEN}"
        EOF

    - name: Cache cargo registry
      uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/cache@cache-v1
      with:
        path: |
          ~/.cargo/registry/index
          ~/.cargo/registry/cache
          ~/.cargo/git/db
        key: ${{ runner.os }}-cargo-${{ steps.rust-toolchain.outputs.cachekey }}-${{ inputs.cross-target }}-${{ hashFiles(format('{0}/Cargo.lock', inputs.working-directory)) }}
        restore-keys: |
          ${{ runner.os }}-cargo-${{ steps.rust-toolchain.outputs.cachekey }}-${{ inputs.cross-target }}-
          ${{ runner.os }}-cargo-${{ steps.rust-toolchain.outputs.cachekey }}-

    - name: Run checks
      if: ${{ inputs.run-checks != '' }}
      shell: bash
      env:
        WORKING_DIR: ${{ inputs.working-directory }}
        CROSS_TARGET: ${{ inputs.cross-target }}
        RUN_CHECKS: ${{ inputs.run-checks }}
      run: |
        IFS=',' read -ra CHECKS <<< "${RUN_CHECKS}"
        for check in "${CHECKS[@]}"; do
          case "${check}" in
            fmt)    cargo fmt --manifest-path="${WORKING_DIR}/Cargo.toml" --check ;;
            clippy) cargo clippy --manifest-path="${WORKING_DIR}/Cargo.toml" --target="${CROSS_TARGET}" -- -D warnings ;;
            test)   cargo test --manifest-path="${WORKING_DIR}/Cargo.toml" ;;
            *)      echo "Unknown check: ${check}"; exit 1 ;;
          esac
        done

    - name: Build
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      env:
        CROSS_TARGET: ${{ inputs.cross-target }}
        BUILD_MODE: ${{ inputs.build-mode }}
      run: |
        BUILD_ARGS="--target ${CROSS_TARGET}"
        if [ "${BUILD_MODE}" = "release" ]; then
          BUILD_ARGS="${BUILD_ARGS} --release"
        fi
        ./build.sh ${BUILD_ARGS}