firezone/.github/workflows/_rust.yml

---
name: Rust
"on":
  workflow_call:

defaults:
  run:
    working-directory: ./rust

permissions:
  contents: "read"
  id-token: "write"

env:
  RUSTFLAGS: "--cfg tokio_unstable"

jobs:
  static-analysis:
    name: static-analysis-${{ matrix.runs-on }}
    strategy:
      fail-fast: ${{ github.event_name == 'merge_group' }}
      matrix:
        # TODO: https://github.com/rust-lang/cargo/issues/5220
        runs-on: [ubuntu-24.04, macos-14, windows-2022]
    runs-on: ${{ matrix.runs-on }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-rust
        id: setup-rust
        with:
          sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }}
      - uses: ./.github/actions/setup-tauri-v2
        timeout-minutes: 15
      - uses: taiki-e/install-action@d31232495ad76f47aad66e3501e47780b49f0f3e # v2.57.5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tool: cargo-udeps,cargo-deny
      - uses: taiki-e/install-action@d31232495ad76f47aad66e3501e47780b49f0f3e # v2.57.5
        if: ${{ runner.os == 'Linux' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tool: bpf-linker

      - run: cargo clippy --all-targets --all-features ${{ steps.setup-rust.outputs.compile-packages }}
        name: cargo clippy
        shell: bash
      - run: cargo doc --all-features --no-deps --document-private-items ${{ steps.setup-rust.outputs.compile-packages }}
        name: cargo doc
        shell: bash
      - run: cargo fmt -- --check
      - run: cargo +${{ steps.setup-rust.outputs.nightly_version }} udeps --all-targets --all-features ${{ steps.setup-rust.outputs.compile-packages }}
        name: cargo udeps
      - run: cargo deny check --hide-inclusion-graph --deny unnecessary-skip
        shell: bash

  test:
    name: test-${{ matrix.runs-on }}
    strategy:
      fail-fast: ${{ github.event_name == 'merge_group' }}
      matrix:
        # TODO: https://github.com/rust-lang/cargo/issues/5220
        runs-on:
          [
            ubuntu-22.04,
            ubuntu-24.04,
            macos-14,
            macos-15,
            macos-26,
            windows-2022,
            windows-2025,
          ]
    runs-on: ${{ matrix.runs-on }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-rust
        id: setup-rust
        with:
          sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }}
      - uses: ./.github/actions/setup-tauri-v2
      - uses: taiki-e/install-action@d31232495ad76f47aad66e3501e47780b49f0f3e # v2.57.5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tool: ripgrep
      - uses: taiki-e/install-action@d31232495ad76f47aad66e3501e47780b49f0f3e # v2.57.5
        if: ${{ runner.os == 'Linux' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tool: bpf-linker
      - name: "cargo test"
        shell: bash
        run: |

          set -x

          # First, run all tests.
          cargo test --all-features ${{ steps.setup-rust.outputs.test-packages }} -- --include-ignored --nocapture

          # Poor man's test coverage testing: Grep the generated logs for specific patterns / lines.
          patterns=(
            "SendIcmpPacket"
            "SendUdpPacket"
            "ConnectTcp"
            "SendDnsQueries"
            "Packet for DNS resource"
            "Packet for CIDR resource"
            "Packet for Internet resource"
            "Truncating DNS response"
            "ICMP Error error=V4Unreachable"
            "ICMP Error error=V6Unreachable"
            "ICMP Error error=V4TimeExceeded"
            "ICMP Error error=V6TimeExceeded"
            "Forwarding query for DNS resource to corresponding site"
            "Revoking resource authorization"
            "Re-seeding records for DNS resources"
            "Resource is known but its addressability changed"
            "No A / AAAA records for domain"
            "State change \(got new possible\): Disconnected -> Checking"
          )

          missing_patterns=$(
            for pattern in "${patterns[@]}"; do
              if ! rg --quiet --no-ignore "$pattern" "$TESTCASES_DIR"; then
                echo "$pattern"
              fi
            done
          )

          if [ -n "$missing_patterns" ]; then
            echo "Error: Some required patterns were not found in test logs:"
            echo "$missing_patterns"
            exit 1
          fi

        env:
          # <https://github.com/rust-lang/cargo/issues/5999>
          # Needed to create tunnel interfaces in unit tests
          CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_RUNNER: "sudo --preserve-env"
          PROPTEST_VERBOSE: 0 # Otherwise the output is very long.
          PROPTEST_CASES: ${{ runner.os == 'Windows' && '0' || '256' }} # Default is only 256. Windows is very slow in GitHub Actions, so only run the regression cases there.
          CARGO_PROFILE_TEST_OPT_LEVEL: 1 # Otherwise the tests take forever.
          TESTCASES_DIR: "connlib/tunnel/testcases"

  fuzz:
    name: fuzz
    strategy:
      fail-fast: ${{ github.event_name == 'merge_group' }}
      matrix:
        fuzz-target: [ip_packet]
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-rust
        id: setup-rust
        with:
          sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }}
      - uses: taiki-e/install-action@d31232495ad76f47aad66e3501e47780b49f0f3e # v2.57.5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tool: cargo-fuzz
      - run: rustup run ${{ steps.setup-rust.outputs.nightly_version }} cargo fuzz run --target x86_64-unknown-linux-gnu --fuzz-dir tests/fuzz ${{ matrix.fuzz-target }} -- -max_total_time=120
        env:
          CARGO_PROFILE_RELEASE_LTO: false

  headless-client:
    name: headless-client-${{ matrix.test }}-${{ matrix.runs-on }}
    strategy:
      fail-fast: ${{ github.event_name == 'merge_group' }}
      matrix:
        include:
          - { runs-on: windows-2022, test: token-path-windows.ps1 }
          - { runs-on: windows-2025, test: token-path-windows.ps1 }
          - { runs-on: ubuntu-22.04, test: linux-group.sh }
          - { runs-on: ubuntu-24.04, test: linux-group.sh }
          - { runs-on: ubuntu-22.04, test: token-path-linux.sh }
          - { runs-on: ubuntu-24.04, test: token-path-linux.sh }
    runs-on: ${{ matrix.runs-on }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-rust
        with:
          sccache_azure_connection_string: ${{ secrets.SCCACHE_AZURE_CONNECTION_STRING }}
      - uses: ./.github/actions/setup-tauri-v2
        timeout-minutes: 15
      - run: scripts/tests/${{ matrix.test }}
        name: "test script"
        working-directory: ./