import project

Author: marcoieni

.github/workflows/ci.yml

@@ -0,0 +1,142 @@
+name: CI
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+  pull_request:
+
+permissions: {}
+
+jobs:
+  test:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install node dependencies
+        run: npm ci
+
+      - name: Test
+        run: |
+          npm run test
+
+  lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install node dependencies
+        run: npm ci
+
+      - name: Lint
+        run: |
+          npm run lint
+
+  format:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install Prettier
+        run: npm ci
+
+      - name: Format
+        run: npx prettier --check .
+
+  zizmor:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+        with:
+          persona: pedantic
+          # Don't use GitHub advanced security.
+          # Instead, fail if there's a security issue.
+          advanced-security: false
+
+  package:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install node dependencies
+        run: npm ci
+
+      - name: Check is packaged
+        run: |
+          # Compile to single js files.
+          npm run package
+
+          # Assert that the git diff is empty.
+          git diff --exit-code || (echo "Git diff is not empty. Please run 'npm run package' and commit the changes." && exit 1)
+
+  integration-test:
+    runs-on: ubuntu-24.04
+
+    # Required for OpenID Connect token retrieval.
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Start mock crates.io server
+        run: |
+          # Build the mock server in advance so that the binary is already built
+          # when we start checking the health endpoint.
+          manifest_path="--manifest-path=mock/Cargo.toml"
+          cargo build $manifest_path
+          # Run the mock server in the background.
+          cargo run   $manifest_path &
+
+          # Wait for server to be ready.
+          retry_count=0
+          max_retries=3
+          until curl -s http://localhost:3000/health > /dev/null 2>&1; do
+            echo "Waiting for mock server to start... (attempt $((retry_count + 1))/$max_retries)"
+            sleep 2
+            retry_count=$((retry_count + 1))
+            if [ $retry_count -ge $max_retries ]; then
+              echo "Mock server failed to start after $max_retries attempts"
+              exit 1
+            fi
+          done
+          echo "Mock server is ready"
+
+      - name: Run trusted publishing action
+        id: trusted-publishing
+        uses: ./ # Uses the action in the root directory.
+        with:
+          url: "http://localhost:3000" # Mock server url.
+
+      - name: Assert action output
+        env:
+          TOKEN: ${{ steps.trusted-publishing.outputs.token }}
+        run: |
+          if [ "$TOKEN" != "mock-token" ]; then
+            echo "Expected token to be 'mock-token', but got '$TOKEN'"
+            exit 1
+          fi
+          echo "Token assertion passed. Token value: $TOKEN"

.github/workflows/links.yml

@@ -0,0 +1,39 @@
+# Check if links present in the repository are valid.
+
+name: Links
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  linkChecker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Link Checker
+        uses: lycheeverse/lychee-action@82202e5e9c2f4ef1a55a3d02563e1cb6041e5332 # v2.4.1
+        env:
+          # Set the GitHub token to avoid rate limits when checking GitHub links.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          fail: true
+          # Accept the HTTP status code 429 (Too Many Requests) to avoid failing the workflow
+          # when the rate limit is exceeded.
+          args: |
+            --no-progress
+            --include-fragments
+            --accept '100..=103, 200..=299, 429'
+            .

.github/workflows/mock.yml

@@ -0,0 +1,38 @@
+name: Mock CI
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "mock"
+  pull_request:
+    paths:
+      - "mock"
+
+permissions: {}
+
+jobs:
+  rustfmt:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Check formatting
+        run: cargo fmt --all --check
+
+  clippy:
+    name: Clippy
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Clippy check
+        run: cargo clippy --all-targets --all-features --workspace -- -D warnings

.gitignore

@@ -0,0 +1,6 @@
+.DS_Store
+.vscode
+.idea
+mock/target
+node_modules/
+*.js.map

.node-version

@@ -0,0 +1 @@
+20

.prettierignore

@@ -0,0 +1,2 @@
+# Ignore artifacts:
+dist

.prettierrc.json

@@ -0,0 +1,12 @@
+{
+    "tabWidth": 4,
+    "useTabs": false,
+    "overrides": [
+        {
+            "files": ["*.yml", "*.yaml", "*.md"],
+            "options": {
+                "tabWidth": 2
+            }
+        }
+    ]
+}

CONTRIBUTING.md

@@ -0,0 +1,83 @@
+# Contributing
+
+## Local development
+
+You can't run or test this action locally because it requires a GitHub environment to run.
+
+## Install node dependencies
+
+To install the node dependencies, run:
+
+```bash
+npm install
+```
+
+### Packaging
+
+The code of the action is in `src/`.
+After you edit the code, run the following command to
+compile the typescript code and its dependencies into a single typescript
+file in the `dist/` directory:
+
+```bash
+npm run package
+```
+
+This approach is inspired by the [typescript-action](https://github.com/actions/typescript-action)
+repository and it's used to avoid committing the `node_modules` directory to the repository.
+
+### Format
+
+We use [Prettier](https://prettier.io/) for formatting typescript, markdown, and YAML files.
+To format all files, run:
+
+```bash
+npx prettier --write .
+```
+
+### Linting
+
+We use [ESLint](https://eslint.org/) for formatting and linting typescript files.
+
+To check for linting errors, run:
+
+```bash
+npx eslint
+```
+
+## Crates.io docs
+
+To check the Crates.io OpenAPI documentation,
+copy paste `https://crates.io/api/openapi.json`
+in the [swagger](https://petstore.swagger.io/) bar at the top of the page.
+
+## GitHub docs
+
+Here are some useful links to the GitHub documentation:
+
+- [Creating a javascript action](https://docs.github.com/en/actions/sharing-automations/creating-actions/creating-a-javascript-action)
+- [OpenID Connect](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
+
+## FAQ
+
+### Why typescript?
+
+There are 3 types of GitHub Actions:
+
+1. Docker Actions: They are slower than the others because they need to pull a Docker image.
+2. Composite Actions: They don't support [runs.post] to clean up the job after the action has run.
+   We need this to revoke the token after the job is done.
+3. JavaScript Actions:
+   - They are faster than Docker Actions because they don't require pulling a Docker image.
+   - They support [runs.post] to clean up the job after the action has run.
+   - GitHub provides the `@actions/core` library to easily set outputs and handle errors.
+
+So we opted for a JavaScript Action.
+We use TypeScript to have type safety.
+
+[runs.post]: https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runspost
+
+### Why node 20?
+
+We use Node 20 because it's the latest node version supported by GitHub Actions.
+The node version used by the action is defined in the `action.yml` file.

LICENSE

@@ -0,0 +1,25 @@
+Copyright (c) The Rust Project Contributors
+
+Permission is hereby granted, free of charge, to any
+person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the
+Software without restriction, including without
+limitation the rights to use, copy, modify, merge,
+publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software
+is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice
+shall be included in all copies or substantial portions
+of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF
+ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
+TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
+SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR
+IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.