feat: add justfile and improve CI

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      time: "00:00"
+    cooldown:
+      default-days: 14
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      time: "00:00"
+    cooldown:
+      default-days: 14

.github/workflows/audit.yml

@@ -0,0 +1,36 @@
+name: Security Audit
+
+on: [push, pull_request]
+
+env:
+  CARGO_TERM_COLOR: always
+
+permissions: {}
+
+jobs:
+  supply-chain:
+    name: 'cargo-audit'
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        with:
+          persist-credentials: false
+
+      - uses: dtolnay/rust-toolchain@0f44b27771c32bda9f458f75a1e241b09791b331 # 1.91.1
+        with:
+            toolchain: 1.91.1
+
+      - uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
+        with:
+          cache-on-failure: true
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit@0.21.0 --force --locked
+
+      - name: Check for audit warnings
+        run: cargo audit -D warnings
+        continue-on-error: true
+
+      - name: Check for vulnerabilities
+        run: cargo audit

.github/workflows/benchmarks.yml

@@ -27,6 +27,9 @@ on:
         default: "none"
         type: string
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
@@ -35,6 +38,8 @@ jobs:
   benchmark:
     name: Run Performance Benchmarks
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -48,18 +53,19 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
         with:
           fetch-depth: 0 # Full history for baseline comparison
+          persist-credentials: false
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@0f44b27771c32bda9f458f75a1e241b09791b331 # 1.91.1
         with:
           toolchain: ${{ matrix.rust }}
           components: clippy, rustfmt
 
       - name: Configure Rust cache
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@f13886b937689c021905a6b90929199931d60db1 # v2.8.1
         with:
           key: ${{ matrix.os }}-benchmark-${{ matrix.rust }}
           cache-on-failure: true
@@ -141,29 +147,34 @@ jobs:
           echo "✅ Full benchmark suite with HTML reports completed successfully"
 
       - name: Generate performance summary
+        env:
+          BRANCH_NAME: ${{ github.ref_name }}
+          RUNNER_NAME: ${{ runner.name }}
+          BENCHMARK_SUITE: ${{ github.event.inputs.benchmark_suite || 'all' }}
+          BASELINE: ${{ github.event.inputs.baseline || 'none' }}
         run: |
           echo "Generating performance summary..."
           mkdir -p benchmark-results
 
           # Create a summary file
-          cat > benchmark-results/summary.md << 'EOF'
+          cat > benchmark-results/summary.md << EOF
           # Benchmark Results Summary
 
           **Date:** $(date -u +"%Y-%m-%d %H:%M:%S UTC")
           **OS:** ${{ matrix.os }}
           **Rust:** ${{ matrix.rust }}
           **Commit:** ${{ github.sha }}
-          **Branch:** ${{ github.ref_name }}
+          **Branch:** ${BRANCH_NAME}
 
           ## Environment
           - **CPU Cores:** $(nproc 2>/dev/null || sysctl -n hw.ncpu)
-          - **Runner:** ${{ runner.name }}
+          - **Runner:** ${RUNNER_NAME}
           - **Architecture:** ${{ matrix.target }}
 
           ## Benchmark Execution
           - **Trigger:** ${{ github.event_name }}
-          - **Suite:** ${{ github.event.inputs.benchmark_suite || 'all' }}
-          - **Baseline:** ${{ github.event.inputs.baseline || 'none' }}
+          - **Suite:** ${BENCHMARK_SUITE}
+          - **Baseline:** ${BASELINE}
 
           ## Results
           Detailed results are available in the artifacts and HTML reports.
@@ -175,6 +186,9 @@ jobs:
           EOF
 
       - name: Collect benchmark artifacts
+        env:
+          BRANCH_NAME: ${{ github.ref_name }}
+          WORKFLOW_NAME: ${{ github.workflow }}
         run: |
           echo "Collecting benchmark artifacts..."
 
@@ -195,8 +209,8 @@ jobs:
           # Create archive info
           echo "Archive created: $(date)" > artifacts/archive-info.txt
           echo "Commit: ${{ github.sha }}" >> artifacts/archive-info.txt
-          echo "Branch: ${{ github.ref_name }}" >> artifacts/archive-info.txt
-          echo "Workflow: ${{ github.workflow }}" >> artifacts/archive-info.txt
+          echo "Branch: ${BRANCH_NAME}" >> artifacts/archive-info.txt
+          echo "Workflow: ${WORKFLOW_NAME}" >> artifacts/archive-info.txt
           echo "Run number: ${{ github.run_number }}" >> artifacts/archive-info.txt
 
       - name: Upload benchmark results
@@ -221,6 +235,8 @@ jobs:
     runs-on: ubuntu-latest
     if: always()
     needs: [benchmark]
+    permissions:
+      contents: read
 
     steps:
       - name: Reset environment

.github/workflows/rust.yml

@@ -1,31 +1,34 @@
 name: Rust
 
-on:
-  push:
-    branches: ["main"]
-  pull_request:
-    branches: ["main"]
+permissions:
+  contents: read
 
 env:
   CARGO_TERM_COLOR: always
 
+on: [push, pull_request]
+
 jobs:
-  linting:
+  check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        with:
+          persist-credentials: false
 
-      - name: Install latest nightly
-        uses: dtolnay/rust-toolchain@nightly
+      - name: Install latest nightly Rust toolchain
+        uses: dtolnay/rust-toolchain@b95584d8105b9ab200e15821fa671848cf2b7017 # nightly
         with:
-          components: rustfmt, clippy
+          components: clippy, rustfmt
 
-      - name: Run cargo fmt
-        run: cargo +nightly fmt --all --check
+      - name: Setup just
+        uses: extractions/setup-just@e33e0265a09d6d736e2ee1e0eb685ef1de4669ff # v3
 
-      - name: Run cargo clippy
-        run: cargo +nightly clippy --all-targets
+      - name: Run just check
+        run: just check
 
   cross-testing:
     strategy:
@@ -34,12 +37,17 @@ jobs:
         toolchain: [nightly, stable]
 
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@master
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        with:
+          persist-credentials: false
+
+      - uses: dtolnay/rust-toolchain@0f44b27771c32bda9f458f75a1e241b09791b331 # 1.91.1
         with:
           toolchain: ${{ matrix.toolchain }}
           components: rustfmt, clippy
 
       - name: Run Tests
-        run: cargo +${{ matrix.toolchain }} test --all
+        run: cargo +${{ matrix.toolchain }} test --all-features

.github/workflows/zizmor.yml

@@ -0,0 +1,21 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on: [push, pull_request]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        with:
+          persist-credentials: false
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
+
+      - name: Run zizmor
+        run: uvx zizmor .

Cargo.toml

@@ -8,7 +8,7 @@ license = "MIT"
 repository = "https://github.com/mit-dci/rustreexo"
 readme = "README.md"
 homepage = "https://github.com/mit-dci/rustreexo"
-rust-version = "1.63.0"
+rust-version = "1.66.0"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
@@ -25,6 +25,9 @@ rand = "0.9.2"
 with-serde = ["serde"]
 default = []
 
+[lints.clippy]
+use_self = "warn"
+
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = ['cfg(bench)'] }
 

examples/custom-hash-type.rs

@@ -45,9 +45,9 @@ enum CustomHash {
 impl std::fmt::Display for CustomHash {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
-            CustomHash::Hash(h) => write!(f, "Hash({h:?})"),
-            CustomHash::Placeholder => write!(f, "Placeholder"),
-            CustomHash::Empty => write!(f, "Empty"),
+            Self::Hash(h) => write!(f, "Hash({h:?})"),
+            Self::Placeholder => write!(f, "Placeholder"),
+            Self::Empty => write!(f, "Empty"),
         }
     }
 }
@@ -57,24 +57,24 @@ impl std::fmt::Display for CustomHash {
 impl AccumulatorHash for CustomHash {
     // returns a new placeholder type such that is_placeholder returns true
     fn placeholder() -> Self {
-        CustomHash::Placeholder
+        Self::Placeholder
     }
 
     // returns an empty hash such that is_empty returns true
     fn empty() -> Self {
-        CustomHash::Empty
+        Self::Empty
     }
 
     // returns true if this is a placeholder. This should be true iff this type was created by
     // calling placeholder.
     fn is_placeholder(&self) -> bool {
-        matches!(self, CustomHash::Placeholder)
+        matches!(self, Self::Placeholder)
     }
 
     // returns true if this is an empty hash. This should be true iff this type was created by
     // calling empty.
     fn is_empty(&self) -> bool {
-        matches!(self, CustomHash::Empty)
+        matches!(self, Self::Empty)
     }
 
     // used for serialization, writes the hash to the writer
@@ -85,9 +85,9 @@ impl AccumulatorHash for CustomHash {
         W: std::io::Write,
     {
         match self {
-            CustomHash::Hash(h) => writer.write_all(h),
-            CustomHash::Placeholder => writer.write_all(&[0u8; 32]),
-            CustomHash::Empty => writer.write_all(&[0u8; 32]),
+            Self::Hash(h) => writer.write_all(h),
+            Self::Placeholder => writer.write_all(&[0u8; 32]),
+            Self::Empty => writer.write_all(&[0u8; 32]),
         }
     }
 
@@ -101,9 +101,9 @@ impl AccumulatorHash for CustomHash {
         let mut h = [0u8; 32];
         reader.read_exact(&mut h)?;
         if h.iter().all(|&x| x == 0) {
-            Ok(CustomHash::Placeholder)
+            Ok(Self::Placeholder)
         } else {
-            Ok(CustomHash::Hash(h))
+            Ok(Self::Hash(h))
         }
     }
 
@@ -113,12 +113,12 @@ impl AccumulatorHash for CustomHash {
     // **both** children are not empty.
     fn parent_hash(left: &Self, right: &Self) -> Self {
         match (left, right) {
-            (CustomHash::Hash(l), CustomHash::Hash(r)) => {
+            (Self::Hash(l), Self::Hash(r)) => {
                 let mut h = [0u8; 32];
                 for i in 0..32 {
                     h[i] = l[i] ^ r[i];
                 }
-                CustomHash::Hash(h)
+                Self::Hash(h)
             }
             _ => unreachable!(),
         }

justfile

@@ -0,0 +1,25 @@
+_default:
+    @just --list
+
+# Run benchmarks 
+bench:
+    cargo bench
+
+# Build with all features
+build:
+    cargo build --all-features
+
+# Check code formatting, compilation and linting
+check:
+    cargo +nightly fmt --all --check
+    cargo +nightly check --all-features --all-targets --tests --benches
+    cargo +nightly clippy --all-features --all-targets --tests --benches -- -D warnings
+    RUSTDOCFLAGS="-D warnings" cargo +nightly doc --no-deps --all-features
+
+# Format code
+fmt:
+    cargo +nightly fmt --all
+
+# Run all tests
+test:
+    cargo test --all-features