This repository includes comprehensive GitHub Actions workflows for CI/CD, security, and quality assurance.
Trigger: Push and Pull Requests to master/main branch
Jobs:
- Build: Compiles the project on stable, beta, and nightly Rust versions
- Test: Runs all unit and integration tests in both debug and release modes
- Clippy: Runs Rust's linter to catch common mistakes and improve code quality
- Format: Checks code formatting with rustfmt
- Security Audit: Scans dependencies for known security vulnerabilities using cargo-audit
- Coverage: Generates code coverage reports and uploads to Codecov
Purpose: Ensures code quality, correctness, and security on every change.
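As an added illustration (not the repository's own workflow file), a GitHub Actions workflow that implements the build, test, clippy, format and security-audit jobs listed above across the three toolchains, with the cache paths from the Caching section; the action versions, the cache key and installing cargo-audit via `cargo install` are assumptions, and the coverage job is left out.

```yaml
name: CI
on:
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]
permissions:
  contents: read   # least privilege: these jobs only need to read the checkout
jobs:
  build-test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false   # a nightly breakage should not cancel the stable run
      matrix:
        toolchain: [stable, beta, nightly]
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@master   # assumed action; any toolchain installer works
        with:
          toolchain: ${{ matrix.toolchain }}
          components: rustfmt, clippy
      - uses: actions/cache@v4   # registry, git deps and target dir, as described under Caching
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-${{ matrix.toolchain }}-cargo-${{ hashFiles('**/Cargo.lock') }}
      - run: cargo build --verbose
      - run: cargo fmt --all -- --check
      - run: cargo clippy --all-targets -- -D warnings
      - run: cargo test --verbose            # debug mode
      - run: cargo test --release --verbose  # release mode
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo install cargo-audit --locked
      - run: cargo audit   # fails the job on advisories from the RustSec database
```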
Trigger: Push, Pull Requests, and weekly schedule (Mondays at 00:00 UTC)
Jobs:
- Performs static code analysis to detect security vulnerabilities
- Runs GitHub's CodeQL analysis engine
- Results appear in the Security tab
Purpose: Continuous security monitoring and vulnerability detection.
Trigger: Git tags matching v*.*.* pattern (e.g., v1.0.0)
Jobs:
- Creates GitHub releases
- Builds binaries for Linux, macOS, and Windows
- Uploads release artifacts automatically
Usage: Create a git tag to trigger a release:

```bash
git tag v1.0.0
git push origin v1.0.0
```

Purpose: Automated multi-platform releases.
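An added example of such a release workflow (not the repository's own file): it fires on the `v*.*.*` tag pattern, builds on Linux, macOS and Windows runners, and uploads the packaged binaries to the release. The binary name `rust-autohedge`, the target triples, the `--locked` flag (which assumes a committed Cargo.lock) and the action versions are assumptions.

```yaml
name: Release
on:
  push:
    tags: ['v*.*.*']   # same pattern as the trigger described above
permissions:
  contents: write   # required to create the release and upload assets
jobs:
  build:
    strategy:
      matrix:
        include:
          - { os: ubuntu-latest,  target: x86_64-unknown-linux-gnu, bin: rust-autohedge }
          - { os: macos-latest,   target: aarch64-apple-darwin,     bin: rust-autohedge }
          - { os: windows-latest, target: x86_64-pc-windows-msvc,   bin: rust-autohedge.exe }
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable   # assumed action
        with:
          targets: ${{ matrix.target }}
      - run: cargo build --release --locked --target ${{ matrix.target }}
      - name: Package binary
        shell: bash   # bash is available on all three runner images
        run: |
          mkdir -p dist
          cp "target/${{ matrix.target }}/release/${{ matrix.bin }}" dist/
          tar -czf "rust-autohedge-${{ matrix.target }}.tar.gz" -C dist "${{ matrix.bin }}"
      - uses: actions/upload-artifact@v4
        with:
          name: rust-autohedge-${{ matrix.target }}
          path: rust-autohedge-*.tar.gz
  release:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: artifacts
          merge-multiple: true   # flatten the three per-target artifacts into one directory
      - uses: softprops/action-gh-release@v2   # assumed action; creates the release for the tag
        with:
          files: artifacts/*.tar.gz
          generate_release_notes: true
```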
Trigger: Scheduled (Weekly on Mondays at 09:00 UTC)
Updates:
- Rust dependencies (Cargo)
- GitHub Actions versions
Purpose: Keeps dependencies up-to-date automatically, reducing security risks and ensuring compatibility.
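The matching `.github/dependabot.yml`, added here as an example rather than taken from the repository: both ecosystems named above are checked on the Monday 09:00 UTC schedule; the open-pull-request limit is an assumption.

```yaml
version: 2
updates:
  # Rust crates: checked every Monday at 09:00 UTC, as the schedule above states
  - package-ecosystem: cargo
    directory: "/"
    schedule:
      interval: weekly
      day: monday
      time: "09:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 10   # assumed cap; keeps a burst of updates reviewable
  # Action versions referenced in .github/workflows: same schedule
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: monday
      time: "09:00"
      timezone: "Etc/UTC"
```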
Trigger: Push and Pull Requests to master/main branch, manual dispatch
Jobs:
- Runs performance benchmarks (if defined)
- Tracks performance changes over time
- Alerts on significant performance regressions (>200%)
Purpose: Performance monitoring and regression detection.
Trigger: Push and Pull Requests to master/main branch, manual dispatch
Jobs:
- Builds Rust documentation with `cargo doc`
- Checks for broken links
- Deploys documentation to GitHub Pages (on master/main pushes)
Purpose: Automated documentation generation and hosting.
Trigger: Push to master/main, tags, Pull Requests, manual dispatch
Jobs:
- Builds Docker image
- Pushes to GitHub Container Registry (ghcr.io)
- Tags with branch names, PR numbers, versions, and commit SHAs
Purpose: Containerized deployment support.
Trigger: Pull Requests
Jobs:
- Reviews dependency changes in PRs
- Identifies security vulnerabilities in new dependencies
- Fails if dependencies with moderate or higher severity issues are added
Purpose: Proactive security review for dependency changes.
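The dependency review workflow as it could be written (an added example, not the repository's file): `fail-on-severity: moderate` is the threshold stated above, so a PR that adds a dependency with a moderate, high or critical advisory fails the check; the action version and the summary-comment setting are assumptions.

```yaml
name: Dependency Review
on: pull_request
permissions:
  contents: read
  pull-requests: write   # only needed for the PR summary comment; drop it otherwise
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4   # assumed action version
        with:
          fail-on-severity: moderate     # fail on moderate, high or critical advisories
          comment-summary-in-pr: always  # assumed; posts the findings on the PR
```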
- Continuous Deployment
  - Automatically deploy to staging/production on master branch updates
  - Use GitHub Environments for deployment approval gates
- Performance Profiling
  - Add flamegraph generation for performance analysis
  - Use tools like `cargo flamegraph` or `perf`
- End-to-End Testing
  - Add E2E tests that simulate real trading scenarios
  - Mock Alpaca API responses for deterministic testing
- Nightly Builds
  - Daily builds to catch issues early
  - Test against latest dependencies
- License Compliance
  - Use `cargo-license` to check dependency licenses
  - Ensure compliance with your license requirements
- SBOM Generation
  - Generate Software Bill of Materials (SBOM)
  - Use `cargo-sbom` for tracking dependencies
- Mutation Testing
  - Add mutation testing with `cargo-mutants`
  - Improve test quality by finding weak spots
- Fuzz Testing
  - Add fuzzing with `cargo-fuzz`
  - Test edge cases automatically
- Stale PR/Issue Management
  - Automatically label and close stale issues/PRs
  - Use GitHub's stale action
- Automated Changelog
  - Generate changelogs automatically from commits
  - Use conventional commits and `git-cliff` or similar
- Matrix Testing
  - Test on multiple operating systems (Linux, macOS, Windows)
  - Test with different feature flags
- Pre-commit Hooks
  - Add `.pre-commit-config.yaml` for local validation
  - Enforce formatting and linting before commits
All workflows use GitHub Actions cache to speed up builds:
- Cargo registry: Caches downloaded crate metadata
- Cargo git: Caches git dependencies
- Target directory: Caches compiled artifacts
This significantly reduces build times on subsequent runs.
- Secrets: Never commit API keys or secrets
- Dependabot: Reviews and updates dependencies automatically
- CodeQL: Scans for vulnerabilities weekly
- Dependency Review: Blocks PRs with vulnerable dependencies
- Security Audit: Runs on every CI build
Add these badges to your README.md:
[codecov](https://codecov.io/gh/splumber/rust-autohedge)
- Review Dependabot PRs regularly
- Monitor CodeQL security alerts
- Check workflow run status in the Actions tab
- Update actions versions when Dependabot suggests
- Caching reduces build times and costs
- Matrix builds run in parallel
- Conditional jobs (e.g., release only on tags)
- Dependency review only on PRs
- Check the Actions tab for detailed logs
- Ensure all tests pass locally with `cargo test`
- Verify formatting with `cargo fmt --check`
- Run clippy locally with `cargo clippy`
- Test Docker build locally: `docker build -t rust-autohedge .`
- Check Dockerfile for correct paths
- Ensure all dependencies are included
- Verify tag format matches `v*.*.*`
- Check release workflow permissions
- Ensure GITHUB_TOKEN has sufficient permissions
When contributing, ensure:
- All CI checks pass
- Code is formatted with `cargo fmt`
- No clippy warnings
- Tests are added for new features
- Documentation is updated
For issues with workflows:
- Check the Actions tab for error messages
- Review workflow logs
- Open an issue with the error details