github workflow experiment

Author: alskipp

.github/workflows/ci.yml

@@ -0,0 +1,234 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    services:
+      postgres:
+        image: postgres:13.4
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Cache Nix store
+        uses: DeterminateSystems/magic-nix-cache-action@v7
+
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+        with:
+          shared-key: "rust-deps"
+          cache-on-failure: true
+
+      - name: Check formatting
+        run: nix develop --command cargo fmt -- --check
+
+      - name: Run clippy
+        run: nix develop --command cargo clippy --all-targets --all-features -- -D warnings
+
+      - name: Run tests
+        run: nix develop --command cargo test
+        env:
+          DATABASE_URL: postgresql://postgres:postgres@localhost
+
+  build-linux:
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Cache Nix store
+        uses: DeterminateSystems/magic-nix-cache-action@v7
+
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+        with:
+          shared-key: "rust-deps"
+          cache-on-failure: true
+
+      - name: Build Linux binary (musl)
+        run: |
+          nix build .#anonymiser-musl
+          cp result/bin/anonymiser anonymiser-x86_64-unknown-linux-musl
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: anonymiser-linux
+          path: anonymiser-x86_64-unknown-linux-musl
+
+  test-alpine:
+    runs-on: ubuntu-latest
+    needs: build-linux
+    container:
+      image: alpine:3.18
+
+    services:
+      postgres:
+        image: postgres:13.4
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - name: Download Linux binary
+        uses: actions/download-artifact@v4
+        with:
+          name: anonymiser-linux
+
+      - name: Make binary executable
+        run: chmod +x anonymiser-x86_64-unknown-linux-musl
+
+      - name: Test binary on Alpine
+        run: |
+          ./anonymiser-x86_64-unknown-linux-musl generate-strategies --db-url postgresql://postgres:postgres@postgres
+        env:
+          DATABASE_URL: postgresql://postgres:postgres@postgres
+
+  test-amazon-linux:
+    runs-on: ubuntu-latest
+    needs: build-linux
+    container:
+      image: public.ecr.aws/amazonlinux/amazonlinux:latest
+
+    services:
+      postgres:
+        image: postgres:13.4
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - name: Download Linux binary
+        uses: actions/download-artifact@v4
+        with:
+          name: anonymiser-linux
+
+      - name: Make binary executable
+        run: chmod +x anonymiser-x86_64-unknown-linux-musl
+
+      - name: Test binary on Amazon Linux
+        run: |
+          ./anonymiser-x86_64-unknown-linux-musl generate-strategies --db-url postgresql://postgres:postgres@postgres
+        env:
+          DATABASE_URL: postgresql://postgres:postgres@postgres
+
+  build-macos:
+    strategy:
+      matrix:
+        include:
+          - runner: macos-13
+            target: x86_64-apple-darwin
+            name: Intel Mac
+          - runner: macos-14
+            target: aarch64-apple-darwin
+            name: Apple silicon mac
+
+    runs-on: ${{ matrix.runner }}
+    needs: test
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Cache Nix store
+        uses: DeterminateSystems/magic-nix-cache-action@v7
+
+      - name: Cache Rust dependencies
+        uses: Swatinem/rust-cache@v2
+        with:
+          shared-key: "rust-deps"
+          cache-on-failure: true
+
+      - name: Build macOS binary
+        run: |
+          nix build .#anonymiser
+          cp result/bin/anonymiser anonymiser-${{ matrix.target }}
+
+      - name: Test binary
+        run: ./anonymiser-${{ matrix.target }} --help
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: anonymiser-${{ matrix.target }}
+          path: anonymiser-${{ matrix.target }}
+
+  release:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    needs: [test-alpine, test-amazon-linux, build-macos]
+    permissions:
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download Linux binary
+        uses: actions/download-artifact@v4
+        with:
+          name: anonymiser-linux
+
+      - name: Download macOS x86_64 binary
+        uses: actions/download-artifact@v4
+        with:
+          name: anonymiser-x86_64-apple-darwin
+
+      - name: Download macOS ARM64 binary
+        uses: actions/download-artifact@v4
+        with:
+          name: anonymiser-aarch64-apple-darwin
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release create --draft --generate-notes "${{ github.ref_name }}" \
+            './anonymiser-x86_64-unknown-linux-musl#Linux' \
+            './anonymiser-x86_64-apple-darwin#Intel Mac' \
+            './anonymiser-aarch64-apple-darwin#Apple silicon mac'

flake.nix

@@ -16,59 +16,98 @@
     flake-utils,
     rust-overlay,
   }:
-    flake-utils.lib.eachDefaultSystem (system: let
-      overlays = [rust-overlay.overlays.default];
-      pkgs = import nixpkgs {inherit overlays system;};
+    flake-utils.lib.eachDefaultSystem (
+      system: let
+        overlays = [rust-overlay.overlays.default];
+        pkgs = import nixpkgs {inherit overlays system;};
 
-      rust = pkgs.rust-bin.stable.latest.default.override {extensions = ["rust-src"];};
-      rustPlatform = pkgs.makeRustPlatform {
-        cargo = rust;
-        rustc = rust;
-      };
+        rust = pkgs.rust-bin.stable.latest.default.override {extensions = ["rust-src"];};
+        rustPlatform = pkgs.makeRustPlatform {
+          cargo = rust;
+          rustc = rust;
+        };
 
-      manifest = (pkgs.lib.importTOML ./Cargo.toml).package;
-    in {
-      # `nix develop`.
-      devShells = {
-        default = pkgs.mkShell {
-          inputsFrom = [self.packages.${system}.anonymiser];
-          buildInputs = with pkgs; [rust-analyzer];
+        manifest = (pkgs.lib.importTOML ./Cargo.toml).package;
+      in {
+        # `nix develop`.
+        devShells = {
+          default = pkgs.mkShell {
+            inputsFrom = [self.packages.${system}.anonymiser];
+            buildInputs = with pkgs; [rust-analyzer];
+          };
         };
-      };
 
-      # `nix fmt`.
-      formatter = pkgs.alejandra;
+        # `nix fmt`.
+        formatter = pkgs.alejandra;
+
+        # `nix build`.
+        packages = {
+          anonymiser = rustPlatform.buildRustPackage {
+            pname = manifest.name;
+            version = manifest.version;
+            src = pkgs.nix-gitignore.gitignoreSource [] ./.;
+            cargoLock.lockFile = ./Cargo.lock;
+
+            # Compile-time dependencies.
+            nativeBuildInputs = with pkgs; [
+              pkg-config
+              cmake
+              perl # Required for vendored OpenSSL build
+            ];
+            # Run-time dependencies.
+            buildInputs = with pkgs;
+              [
+                openssl
+              ]
+              ++ pkgs.lib.optionals pkgs.stdenv.isDarwin (
+                with pkgs.darwin.apple_sdk.frameworks; [
+                  Security
+                  SystemConfiguration
+                ]
+              );
+
+            checkFlags = [
+              # Skip tests which require access to a PostgreSQL server.
+              "--skip=anonymiser::tests::successfully_transforms"
+              "--skip=anonymiser::tests::successfully_truncates"
+              "--skip=parsers::db_schema::tests::can_read_db_columns"
+            ];
+          };
+
+          # Static musl build for Linux distribution
+          anonymiser-musl = rustPlatform.buildRustPackage {
+            pname = "${manifest.name}-musl";
+            version = manifest.version;
+            src = pkgs.nix-gitignore.gitignoreSource [] ./.;
+            cargoLock.lockFile = ./Cargo.lock;
+
+            # Target musl for static linking
+            CARGO_BUILD_TARGET = "x86_64-unknown-linux-musl";
+            CARGO_BUILD_RUSTFLAGS = "-C target-feature=+crt-static";
+
+            # Compile-time dependencies.
+            nativeBuildInputs = with pkgs; [
+              pkg-config
+              cmake
+              perl # Required for vendored OpenSSL build
+            ];
+
+            # With vendored OpenSSL, we don't need runtime dependencies
+            buildInputs = [];
 
-      # `nix build`.
-      packages = {
-        anonymiser = rustPlatform.buildRustPackage {
-          pname = manifest.name;
-          version = manifest.version;
-          src = pkgs.nix-gitignore.gitignoreSource [] ./.;
-          cargoLock.lockFile = ./Cargo.lock;
+            checkFlags = [
+              # Skip tests which require access to a PostgreSQL server.
+              "--skip=anonymiser::tests::successfully_transforms"
+              "--skip=anonymiser::tests::successfully_truncates"
+              "--skip=parsers::db_schema::tests::can_read_db_columns"
+            ];
 
-          # Compile-time dependencies.
-          nativeBuildInputs = with pkgs; [
-            pkg-config
-            cmake
-          ];
-          # Run-time dependencies.
-          buildInputs = with pkgs;
-            [
-              openssl
-            ]
-            ++ pkgs.lib.optionals pkgs.stdenv.isDarwin (with pkgs.darwin.apple_sdk.frameworks; [
-              Security
-              SystemConfiguration
-            ]);
+            # Only build on Linux
+            meta.platforms = ["x86_64-linux"];
+          };
 
-          checkFlags = [
-            # Skip tests which require acces to a PostgreSQL server.
-            "--skip=anonymiser::tests::successfully_transforms"
-            "--skip=parsers::db_schema::tests::can_read_db_columns"
-          ];
+          default = self.packages.${system}.anonymiser;
         };
-        default = self.packages.${system}.anonymiser;
-      };
-    });
+      }
+    );
 }

src/file_reader.rs

@@ -49,6 +49,10 @@ pub fn read(
         file_writer.write_all(transformed_row.as_bytes())?;
         line.clear();
     }
+
+    // Flush to ensure all data is written before auto_finish() on drop
+    file_writer.flush()?;
+
     Ok(())
 }