ryanccn
diff --git a/‎.github/dependabot.yml
Lines changed: 11 additions & 0 deletions b/‎.github/dependabot.yml
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/workflows/build.yml
Lines changed: 113 additions & 0 deletions b/‎.github/workflows/build.yml
Lines changed: 113 additions & 0 deletions
diff --git a/‎.github/workflows/check.yml
Lines changed: 64 additions & 0 deletions b/‎.github/workflows/check.yml
Lines changed: 64 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml
Lines changed: 76 additions & 0 deletions b/‎.github/workflows/release.yml
Lines changed: 76 additions & 0 deletions
diff --git a/‎.gitignore
Lines changed: 3 additions & 0 deletions b/‎.gitignore
Lines changed: 3 additions & 0 deletions
diff --git a/‎.taplo.toml
Lines changed: 2 additions & 0 deletions b/‎.taplo.toml
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,11 @@
+version: 2
+
+updates:
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
@@ -0,0 +1,113 @@
+name: Build
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    permissions:
+      id-token: write
+      attestations: write
+
+    strategy:
+      matrix:
+        target:
+          - aarch64-apple-darwin
+          - x86_64-apple-darwin
+          - aarch64-pc-windows-msvc
+          - x86_64-pc-windows-msvc
+        include:
+          - target: aarch64-apple-darwin
+            runner: macos-14
+          - target: x86_64-apple-darwin
+            runner: macos-latest
+          - target: aarch64-pc-windows-msvc
+            runner: windows-latest
+          - target: x86_64-pc-windows-msvc
+            runner: windows-latest
+      fail-fast: false
+
+    runs-on: ${{ matrix.runner }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+          target: ${{ matrix.target }}
+
+      - name: Setup Rust cache
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install cargo-auditable
+        run: cargo install cargo-auditable
+
+      - name: Build
+        run: cargo auditable build --release --locked --target ${{ matrix.target }}
+        env:
+          CARGO_PROFILE_RELEASE_LTO: "fat"
+          CARGO_PROFILE_RELEASE_CODEGEN_UNITS: "1"
+
+      - name: Generate build provenance attestations
+        uses: actions/attest-build-provenance@v1
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          subject-path: |
+            ./target/${{ matrix.target }}/release/spdx-gen
+            ./target/${{ matrix.target }}/release/spdx-gen.exe
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          if-no-files-found: "error"
+          name: spdx-gen-${{ matrix.target }}
+          path: |
+            ./target/${{ matrix.target }}/release/spdx-gen
+            ./target/${{ matrix.target }}/release/spdx-gen.exe
+
+  linux-static:
+    permissions:
+      id-token: write
+      attestations: write
+
+    strategy:
+      matrix:
+        target:
+          - "x86_64-unknown-linux-musl"
+          - "aarch64-unknown-linux-musl"
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Build
+        run: nix build --fallback --print-build-logs '.#spdx-gen-static-${{ matrix.target }}'
+
+      - name: Generate build provenance attestations
+        uses: actions/attest-build-provenance@v1
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          subject-path: ./result/bin/spdx-gen
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          if-no-files-found: "error"
+          name: spdx-gen-${{ matrix.target }}
+          path: ./result/bin/spdx-gen
@@ -0,0 +1,64 @@
+name: Check
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  clippy:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check
+        run: nix build --fallback --print-build-logs '.#check-clippy'
+
+      - name: Upload analysis results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: result
+          wait-for-processing: true
+
+  rustfmt:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check
+        run: nix build --fallback --print-build-logs '.#check-rustfmt'
+
+  nixfmt:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Check
+        run: nix build --fallback --print-build-logs '.#check-nixfmt'
@@ -0,0 +1,76 @@
+name: Release
+
+on:
+  push:
+    tags: ["v*.*.*"]
+
+jobs:
+  build:
+    permissions:
+      id-token: write
+      attestations: write
+    uses: ./.github/workflows/build.yml
+
+  crates-io:
+    name: crates.io
+    needs: build
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: stable
+
+      - name: Setup Rust cache
+        uses: Swatinem/rust-cache@v2
+
+      - name: Publish
+        run: cargo publish
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_API_TOKEN }}
+
+  github:
+    name: GitHub Releases
+    needs: build
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download artifacts
+        id: download
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/artifacts
+
+      - name: Prepare assets
+        env:
+          ARTIFACTS: ${{ steps.download.outputs.download-path }}
+        id: prepare
+        run: |
+          asset_path="/tmp/assets"
+          mkdir -p "$asset_path"
+          for artifact in "$ARTIFACTS"/*/; do
+            basename "$artifact" | \
+              xargs -I {} zip -jr "$asset_path"/{}.zip "$artifact"
+          done
+
+      - name: Create release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          gh release create --draft --verify-tag "$TAG" /tmp/assets/*.zip
@@ -0,0 +1,3 @@
+/target
+
+result*
@@ -0,0 +1,2 @@
+[formatting]
+column_width = 120