feat(ci): basic CI (#6)

Author: TheButlah

.github/workflows/misc-ci.yaml

@@ -0,0 +1,39 @@
+name: Misc CI (Language Agnostic)
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - prod
+    tags:
+      - '**'
+
+permissions:
+  contents: read
+
+jobs:
+  fmt_toml:
+    name: TOML Format (Taplo)
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # pin@v6.0.1
+        with:
+          token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/install-nix-action@0b0e072294b088b73964f1d72dfdac0951439dbd # pin@v31.8.4
+        with:
+          github_access_token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15
+        continue-on-error: true
+        with:
+          name: worldcoin
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Print environment
+        run: |
+          uname -a
+          nix develop -c env
+
+      - name: Check TOML formatting
+        run: |
+          nix develop -c \
+            taplo format --check

.github/workflows/pr-compliance.yaml

@@ -0,0 +1,37 @@
+name: Pull-Request Compliance
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+permissions:
+  pull-requests: read
+
+jobs:
+  check-pr-title:
+    name: Check PR title
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # pin@v5.5.3
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
+  require-pr-description:
+    name: Require PR Description
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Fail if description is empty
+        if: ${{ github.event.pull_request.body == '' }}
+        run: |
+          echo "❌ A pull request description is required. Please update the PR body."
+          exit 1
+
+      - name: Fail if description is unchanged template
+        if: contains(github.event.pull_request.body, '<!-- Describe your changes here -->')
+        run: |
+          echo "❌ Please replace the PR template placeholder with a real description."
+          exit 1

.github/workflows/rust-ci.yaml

@@ -0,0 +1,100 @@
+name: Rust CI
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - prod
+    tags:
+      - '**'
+
+permissions:
+  read: true
+
+jobs:
+  fmt:
+    name: Format
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # pin@v6.0.1
+        with:
+          token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/install-nix-action@0b0e072294b088b73964f1d72dfdac0951439dbd # pin@v31.8.4
+        with:
+          github_access_token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15
+        continue-on-error: true
+        with:
+          name: worldcoin
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Print environment
+        run: |
+          uname -a
+          nix develop -c env
+
+      - name: Check Rust formatting
+        run: cargo fmt --check --all
+
+  clippy:
+    name: Clippy
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # pin@v6.0.1
+        with:
+          token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/install-nix-action@0b0e072294b088b73964f1d72dfdac0951439dbd # pin@v31.8.4
+        with:
+          github_access_token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15
+        continue-on-error: true
+        with:
+          name: worldcoin
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Authorize private git repos
+        run: git config --global url."https://${{ secrets.ORB_GIT_HUB_TOKEN }}@github.com".insteadOf https://github.com
+      - name: Cache cargo dependencies
+        uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # pin@v2.8.0
+        with:
+          key: custom-${{ hashFiles('**/*.nix', 'flake.lock') }}
+      - name: Print environment
+        run: |
+          uname -a
+          nix develop -c env
+
+      - name: Clippy lints
+        run: |
+          nix develop -c \
+            cargo clippy --all --all-features --all-targets --no-deps -- -D warnings
+
+  cargo-deny:
+    name: Cargo Deny
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # pin@v6.0.1
+        with:
+          token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/install-nix-action@0b0e072294b088b73964f1d72dfdac0951439dbd # pin@v31.8.4
+        with:
+          github_access_token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15
+        continue-on-error: true
+        with:
+          name: worldcoin
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Authorize private git repos
+        run: git config --global url."https://${{ secrets.GIT_HUB_TOKEN }}@github.com".insteadOf https://github.com
+      - name: Print environment
+        run: |
+          uname -a
+          nix develop -c env
+
+      - name: Check licenses
+        run: |
+          nix develop -c \
+            cargo deny check licenses
+
+      - name: Check security advisories
+        run: |
+          nix develop -c \
+            cargo deny check advisories

Cargo.toml

@@ -11,5 +11,5 @@ license = "MIT OR (Apache-2.0 WITH LLVM-exception)"
 repository = "https://github.com/worldcoin/orb-rustzone-ci"
 
 [workspace.dependencies.orb-x-optee]
-git = "https://github.com/worldcoin/orb-software"
 branch = "main"
+git = "https://github.com/worldcoin/orb-software"

taplo.toml

@@ -0,0 +1,14 @@
+exclude = ["**/target/**/*", ".direnv/**/*"]
+
+[formatting]
+align_comments = false
+column_width = 88
+indent_string = "	"
+reoder_arrays = true
+reorder_keys = true
+trailing_newline = true
+
+[[rule]]
+keys = ["package", "project"]
+[rule.formatting]
+reorder_keys = false