chore(dev): review CI

- resolves #182 by replacing rust-based benchmark with nushell script (which employs `hyperfine`)
- satisfies `zizmor` linting of CI workflows
- migrate from `nox` to `nur` for dev task runner (uses nushell script)
- updated pre-commit hooks
- updated locked python deps

Author: 2bndy5

.gitattributes

@@ -27,3 +27,5 @@
 *.code-workspace text eol=lf
 *.clang-tidy text eol=lf
 *.clang-format text eol=lf
+nurfile text eol=lf
+*.nu text eol=lf

.github/workflows/benchmark.yml

@@ -1,62 +1,135 @@
-name: Benchmark
+name: Performance Regression
 
 on:
   push:
     branches: [main]
     paths:
-      - cpp-linter/src/
-      - cpp-linter/benches/
+      - cpp-linter/src/**
       - cpp-linter/Cargo.toml
       - Cargo.toml
       - Cargo.lock
       - .github/workflows/benchmark.yml
-    tags-ignore: ['*']
   pull_request:
     branches: [main]
     paths:
-      - cpp-linter/src/
-      - cpp-linter/benches/
+      - cpp-linter/src/**
       - cpp-linter/Cargo.toml
       - Cargo.toml
       - Cargo.lock
       - .github/workflows/benchmark.yml
-  # `workflow_dispatch` allows CodSpeed to trigger back-test
-  # performance analysis in order to generate initial data.
-  workflow_dispatch:
 
-# This CI workflow can take up to 2 hours.
-# This setting will auto-cancel a old run if a new run is started.
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+permissions: {}
 
 jobs:
+  build-bin:
+    name: Build ${{ matrix.name }} binary
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - commit: ${{ github.sha }}
+            name: current
+          - commit: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
+            name: previous
+    env:
+      BIN: target/release/cpp-linter
+    steps:
+      - name: Checkout ${{ matrix.name }}
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ matrix.commit }}
+          persist-credentials: false
+      - name: Cache base ref build
+        uses: actions/cache@v4
+        id: cache
+        with:
+          key: bin-cache-${{ hashFiles('cpp-linter/src/**', 'Cargo.toml', 'Cargo.lock', 'cpp-linter/Cargo.toml') }}
+          path: ${{ env.BIN }}
+      - name: Validate cached binary
+        if: steps.cache.outputs.cache-hit == 'true'
+        id: validate
+        run: |
+          chmod +x ${{ env.BIN }}
+          if ! ${{ env.BIN }} version; then
+            echo "Cached binary is invalid, rebuilding..."
+            echo "cache-valid=false" >> "$GITHUB_OUTPUT"
+          fi
+      - run: rustup update --no-self-update
+        if: steps.cache.outputs.cache-hit != 'true' || steps.validate.outputs.cache-valid == 'false'
+      - run: cargo build --bin cpp-linter --release
+        if: steps.cache.outputs.cache-hit != 'true' || steps.validate.outputs.cache-valid == 'false'
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.name }}
+          path: ${{ env.BIN }}
+
+  build-py-binding:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        id: setup-python
+        with:
+          python-version: '3.x'
+      - name: Build wheels
+        uses: PyO3/maturin-action@86b9d133d34bc1b40018696f782949dac11bd380 # v1.49.4
+        with:
+          target: x86_64
+          args: --release --out dist --find-interpreter --features openssl-vendored
+          manylinux: auto
+          before-script-linux: |
+            # NOTE: rust-cross/manylinux docker images are CentOS based
+            yum update -y
+            yum install -y openssl openssl-devel
+      - name: Upload wheels
+        uses: actions/upload-artifact@v4
+        with:
+          name: wheel
+          path: dist/*
+
   benchmark:
+    name: Measure Performance Difference
+    needs: [build-bin, build-py-binding]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      # using the generated compilation database,
-      # we will use cpp-linter to scan libgit2 src/libgit2/**.c files.
+        with:
+          persist-credentials: false
       - name: Checkout libgit2
         uses: actions/checkout@v5
         with:
           repository: libgit2/libgit2
           ref: v1.8.1
-          path: cpp-linter/benches/libgit2
-      - name: Generate compilation database
-        working-directory: cpp-linter/benches/libgit2
-        run: |
-          mkdir build && cd build
-          cmake -DCMAKE_EXPORT_COMPILE_COMMANDS=ON ..
+          path: benchmark/libgit2
+          persist-credentials: false
+
+      - name: Download built binaries
+        uses: actions/download-artifact@v5
+
       - name: Install cargo-binstall
-        uses: cargo-bins/cargo-binstall@main
-      - name: Install cargo-codspeed
-        run: cargo binstall -y cargo-codspeed
-      - name: Build the benchmark target(s)
-        run: cargo codspeed build
-      - name: Run benchmarks
-        uses: CodSpeedHQ/action@v4
-        with:
-          mode: instrumentation
-          run: cargo codspeed run
-          token: ${{ secrets.CODSPEED_TOKEN }}
+        uses: cargo-bins/cargo-binstall@38e8f5e4c386b611d51e8aa997b9a06a3c8eb67a # v1.15.6
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Install hyperfine
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: cargo binstall -y hyperfine
+      - name: Install nushell
+        uses: hustcer/setup-nu@985d59ec83ae3e3418f9d36471cda38b9d8b9879 # v3.20
+
+      - name: Run benchmark script
+        working-directory: benchmark
+        shell: nu {0}
+        run: |-
+          let new_py = (
+            glob "../wheel/cpp_linter-*.whl"
+            | first
+            | path expand
+          )
+          let prev_bin = "../previous/cpp-linter" | path expand
+          let curr_bin = "../current/cpp-linter" | path expand
+          nu benchmark.nu --new-py $new_py --rust-bin $curr_bin --prev-rust-bin $prev_bin

.github/workflows/binary-builds.yml

@@ -1,8 +1,5 @@
 name: Binary builds
 
-permissions:
-  contents: read
-
 on:
   push:
     branches: [main]
@@ -25,9 +22,7 @@ env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
 
-defaults:
-  run:
-    shell: bash
+permissions: {}
 
 jobs:
 
@@ -103,19 +98,26 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Setup Rust
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          target: ${{ matrix.target }}
+        env:
+          RS_TARGET: ${{ matrix.target }}
+        run: |-
+          rustup update stable --no-self-update
+          rustup target add $RS_TARGET
 
+      - name: Install cargo-binstall
+        if: matrix.cross
+        uses: cargo-bins/cargo-binstall@38e8f5e4c386b611d51e8aa997b9a06a3c8eb67a # v1.15.6
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
       - name: Install cross (cargo cross compiler)
         if: matrix.cross
-        uses: taiki-e/install-action@v2
         env:
           GITHUB_TOKEN: ${{ github.token }}
-        with:
-          tool: cross
+        run: cargo binstall -y cross
 
       - name: Build
         run: >-
@@ -127,8 +129,25 @@ jobs:
           --target ${{ matrix.target }}
           ${{ matrix.vendored && '--features openssl-vendored' || '' }}
 
-      - name: Prepare artifacts
-        run: mv target/${{ matrix.target }}/release/cpp-linter${{ runner.os == 'Windows' && '.exe' || '' }} ./cpp-linter-${{ matrix.target }}${{ runner.os == 'Windows' && '.exe' || '' }}
+      - name: Prepare artifacts (unix)
+        if: runner.os != 'Windows'
+        shell: bash
+        run: |-
+          tgt="cpp-linter"
+          mv "target/${{ matrix.target }}/release/${tgt}" "${tgt}"
+          arc_name="cpp-linter-${{ matrix.target }}.tar.gz"
+          tar -a -c -v -z -f "${arc_name}" ${tgt} LICENSE
+      - name: Prepare artifacts (windows)
+        if: runner.os == 'Windows'
+        shell: pwsh
+        # `tar.exe` in powershell is different from `tar` in bash.
+        # need to use `tar.exe` in powershell to create a valid zip file.
+        run: |-
+          $tgt = "cpp-linter.exe"
+          mv "target/${{ matrix.target }}/release/${tgt}" "${tgt}"
+          $arc_name = "cpp-linter-${{ matrix.target }}.zip"
+          tar -a -c -v -f "${arc_name}" ${tgt} LICENSE
+
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -141,6 +160,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [create-assets]
     permissions:
+      id-token: write
       contents: write
     steps:
       - uses: actions/checkout@v5
@@ -160,9 +180,14 @@ jobs:
       - name: Create a Github Release
         env:
           GH_TOKEN: ${{ github.token }}
+          GIT_REF: ${{ github.ref_name }}
         run: |
           files=$(ls dist/cpp-linter*)
-          gh release upload "${{ github.ref_name }}" $files
-      - run: cargo publish -p cpp-linter
+          gh release upload "$GIT_REF" $files
+      - name: Establish provenance
+        id: auth
+        uses: rust-lang/crates-io-auth-action@e919bc7605cde86df457cf5b93c5e103838bd879 # v1.0.1
+      - name: Publish package
         env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
+        run: cargo publish -p cpp-linter

.github/workflows/build-docs.yml

@@ -23,11 +23,15 @@ env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
 
+permissions: {}
+
 jobs:
   cache-deps:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - run: rustup update --no-self-update
       - name: Cache .cargo locked resources
         uses: actions/cache@v4
@@ -39,51 +43,78 @@ jobs:
   build-mkdocs:
     runs-on: ubuntu-latest
     needs: [cache-deps]
-    permissions:
-      contents: write
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Cache .cargo locked resources
         uses: actions/cache/restore@v4
         with:
           path: ~/.cargo
           key: ${{ runner.os }}-docs-cargo-${{ hashFiles('Cargo.lock') }}
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
-        with:
-          enable-cache: true
-          cache-dependency-glob: "uv.lock"
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@38e8f5e4c386b611d51e8aa997b9a06a3c8eb67a # v1.15.6
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Install nur
+        run: cargo binstall -y nur
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
       - name: Build docs
-        run: uvx nox -s docs-build
+        run: nur docs --build
       - name: Upload docs build as artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-pages-artifact@v4
         with:
           name: cpp-linter-docs
           path: docs/site
-      - name: Upload to github pages
-        # only publish doc changes from main branch
-        if: github.ref == 'refs/heads/main'
-        uses: peaceiris/actions-gh-pages@v4
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: docs/site
 
   build-rustdoc:
     runs-on: ubuntu-latest
     needs: [cache-deps]
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - run: rustup update --no-self-update
       - name: Cache .cargo locked resources
         uses: actions/cache/restore@v4
         with:
           path: ~/.cargo
           key: ${{ runner.os }}-docs-cargo-${{ hashFiles('Cargo.lock') }}
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
-      - run: uvx nox -s docs-rs
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@38e8f5e4c386b611d51e8aa997b9a06a3c8eb67a # v1.15.6
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Install nur
+        run: cargo binstall -y nur
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - run: nur docs rs
       - name: upload rustdoc build as artifact
         uses: actions/upload-artifact@v4
         with:
           path: target/doc
           name: cpp-linter-api_docs
+
+  deploy:
+    if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+    needs: [build-mkdocs]
+    runs-on: ubuntu-latest
+    permissions:
+      pages: write # to deploy to Pages
+      id-token: write # to verify the deployment originates from an appropriate source
+    # Deploy to the github-pages environment
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        uses: actions/deploy-pages@v4
+        id: deployment
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          artifact_name: cpp-linter-docs