The gold_digger project employs a robust CI/CD infrastructure built on GitHub Actions, designed to enforce code quality, security, and reliability across all major development and deployment stages. The system integrates cross-platform testing, strict quality gates, comprehensive security scanning, supply-chain security analysis, pre-commit hook enforcement, and performance/integration benchmarking.
Cross-Platform Testing Matrices
Automated tests run on Ubuntu, macOS, and Windows using a matrix strategy in GitHub Actions. Each platform executes unit tests, integration tests, and builds release binaries to ensure consistent behavior and compatibility. The test-cross-platform job in the CI workflow defines this matrix, running on ubuntu-latest, macos-latest, and windows-latest runners. These jobs depend on the successful completion of quality checks and include platform-specific validation, such as verifying certificate store integration and running TLS configuration tests. This approach ensures that the codebase remains portable and robust across all supported environments (ci.yml).
Zero-Tolerance Quality Gates for Formatting and Linting
The CI pipeline enforces strict formatting and linting standards. The quality job runs rustfmt for formatting and clippy for linting, both with zero-tolerance for warnings (-D warnings). Any deviation from the prescribed style or the presence of lint warnings causes the pipeline to fail, blocking merges until issues are resolved. These checks are mirrored in pre-commit hooks and can be run locally, ensuring consistency between developer environments and CI (ci.yml, contributing.md).
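An illustrative ci.yml sketching the quality gate and the cross-platform matrix described above. This is an added example, not the project's own workflow file; the action versions, the `--all-features` flags and the `cargo test tls` name filter are assumptions.

```yaml
# Constructed illustration of ci.yml (not the project's file).
# Actions are referenced by tag for readability; the OpenSSF Scorecard
# Pinned-Dependencies check prefers pinning each action to a full commit SHA.
name: CI

on:
  push:
    branches: [main]
  pull_request:

jobs:
  # Zero-tolerance quality gate: any rustfmt diff or clippy warning fails the job.
  quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy
      - name: rustfmt (check only, never rewrites files in CI)
        run: cargo fmt --all -- --check
      - name: clippy with warnings promoted to errors
        run: cargo clippy --all-targets --all-features -- -D warnings

  # Cross-platform matrix; only starts once the quality gate has passed.
  test-cross-platform:
    needs: quality
    strategy:
      fail-fast: false   # report every platform, not just the first failure
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - name: unit and integration tests
        run: cargo test --workspace --all-features
      - name: release build
        run: cargo build --release
      - name: platform certificate store and TLS configuration tests
        # Assumes the TLS tests carry "tls" in their names; cargo filters on substring.
        run: cargo test --workspace tls
```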
Security Scanning with Grype and Dependency Auditing
Security is deeply integrated into the CI/CD process. Grype scans dependencies for known vulnerabilities, and its configuration fails the build if any issue of high severity or greater is found. Grype outputs results in JSON format and updates its vulnerability database automatically (.grype.yaml). Additional dependency auditing is performed with cargo-audit, cargo-deny, and cargo-outdated to ensure that all dependencies are secure and up-to-date (security.yml, audit.yml). The cargo-audit-pr.yml workflow runs cargo audit on every pull request as an additional security gate, blocking PRs that introduce dependencies with known advisories before merge (cargo-audit-pr.yml). Dependabot automatically submits pull requests for dependency updates on a weekly schedule (Monday), with commit messages prefixed with chore(deps) for consistent changelog integration. GitHub Actions updates are grouped into a single PR for minor and patch updates, while security-sensitive Rust dependencies (mysql, rustls, clap, tokio, serde) ship as individual PRs for isolated review (dependabot.yml).
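Constructed .grype.yaml and dependabot.yml fragments showing the settings described above; this is an added illustration, not the project's files. The group names and exclude patterns are assumptions; Dependabot opens an individual PR for any dependency that no group matches, which is what keeps the security-sensitive crates out of the grouped PR.

```yaml
# --- .grype.yaml (constructed illustration) ---
output: json            # machine-readable report for CI to archive or parse
fail-on-severity: high  # non-zero exit on High or Critical findings blocks the build
db:
  auto-update: true     # refresh the vulnerability database before every scan
---
# --- .github/dependabot.yml (constructed illustration) ---
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
      day: monday
    commit-message:
      prefix: "chore(deps)"
    groups:
      actions-minor-patch:
        update-types: ["minor", "patch"]   # one PR for routine action bumps

  - package-ecosystem: cargo
    directory: /
    schedule:
      interval: weekly
      day: monday
    commit-message:
      prefix: "chore(deps)"
    groups:
      cargo-routine:
        patterns: ["*"]
        # Excluded crates fall outside every group, so each gets its own PR
        # and can be reviewed in isolation.
        exclude-patterns: ["mysql*", "rustls*", "clap", "tokio", "serde*"]
        update-types: ["minor", "patch"]
```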
Supply-Chain Security with OpenSSF Scorecard
The OpenSSF Scorecard workflow assesses the project against supply-chain security best practices. The scorecard.yml workflow runs automatically on schedule, branch protection events, and pushes to the main branch, evaluating the repository against security checks such as branch protection, dependency updates, code review practices, and vulnerability disclosure. Results are published to GitHub's security dashboard and uploaded as SARIF artifacts, providing continuous visibility into the project's security posture (scorecard.yml).
Static Security Analysis with CodeQL
The CodeQL workflow (codeql.yml) performs static security analysis on the Rust codebase using GitHub's CodeQL engine. The workflow runs on pushes to main, pull requests, weekly on Mondays at 08:00 UTC, and can be triggered manually. CodeQL scans for security vulnerabilities and code quality issues, with results published to GitHub's security dashboard. The analysis uses security-and-quality query suites and runs against the full Rust codebase (codeql.yml).
Pre-Commit Hook Enforcement
Pre-commit hooks are configured in .pre-commit-config.yaml and enforced both locally and in CI. These hooks cover formatting, linting, security audits, shell script validation, GitHub Actions workflow validation, and commit message linting. Hooks run automatically on each commit and can be invoked manually with pre-commit run --all-files. The autofix.ci workflow further enforces these standards by automatically fixing formatting and linting issues and running all pre-commit hooks before code is merged (.pre-commit-config.yaml, autofix.yml, contributing.md).
Performance and Integration Benchmarking
Integration tests are designed to validate performance and reliability across platforms and database variants. The framework supports Linux, macOS, and (planned) Windows, and tests against multiple MySQL and MariaDB versions, both with and without TLS. Performance tests include handling large datasets, wide tables, and large content fields, as well as validating memory usage. Security tests verify credential protection and TLS certificate validation. The integration testing framework uses Docker containers for database instances and is fully integrated with GitHub Actions, supporting resource limits, automatic cleanup, and retry logic for CI environments (integration-testing.md).
The benchmarks.yml workflow executes performance benchmarks in a containerized MySQL environment. On pull requests, the workflow compiles all Criterion benchmarks without running them (cargo bench --no-run) to catch build regressions without requiring a database. On pushes to main or manual workflow dispatch, the workflow spins up a MySQL 8.4 service container and runs the full benchmark suite with database-backed benches (rows_processing, value_conversion) executing against live data. Benchmark results are uploaded as artifacts with a 30-day retention period for trend inspection (benchmarks.yml).
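An illustrative benchmarks.yml implementing the two-mode behaviour described above (compile-only on pull requests, full database-backed run on main and manual dispatch). This is an added example, not the project's workflow; the service credentials, the DATABASE_URL variable name and the artifact path are assumptions.

```yaml
# Constructed illustration of benchmarks.yml (not the project's file).
name: Benchmarks

on:
  pull_request:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  # Pull requests: compile every Criterion bench but run nothing, so no
  # database is required and build regressions are still caught.
  bench-build:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo bench --no-run

  # main / manual dispatch: full suite against a live MySQL 8.4 service container.
  bench-run:
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    services:
      mysql:
        image: mysql:8.4
        env:
          MYSQL_ROOT_PASSWORD: bench-only-password   # constructed throwaway, CI-local only
          MYSQL_DATABASE: bench
        ports:
          - 3306:3306
        # Block until the server answers, so benches never start against a cold container.
        options: >-
          --health-cmd "mysqladmin ping -h 127.0.0.1 -uroot -pbench-only-password"
          --health-interval 10s --health-timeout 5s --health-retries 10
    env:
      DATABASE_URL: mysql://root:bench-only-password@127.0.0.1:3306/bench  # assumed variable name
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - name: run database-backed benches against live data
        run: cargo bench --bench rows_processing --bench value_conversion
      - uses: actions/upload-artifact@v4
        with:
          name: criterion-results
          path: target/criterion   # Criterion's default report directory
          retention-days: 30
```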
Code Coverage Enforcement
The coverage.yml workflow enforces an 80% line coverage threshold using llvm-cov. The workflow runs on pushes to main, pull requests, and can be triggered manually. Coverage is generated with cargo llvm-cov --workspace --lcov --output-path lcov.info --fail-under-lines 80, causing the workflow to fail if total line coverage drops below 80%. The lcov report is uploaded as an artifact and sent to Codecov for tracking over time. This hard coverage gate prevents regressions in test coverage from being merged (coverage.yml).
All CI/CD jobs are orchestrated so that merges and deployments are blocked if any quality, security, or test gate fails. Security gates include Grype vulnerability scanning, dependency auditing with cargo-audit, cargo-deny, and cargo-outdated, and supply-chain security assessments via OpenSSF Scorecard. The contributing guide and pull request process require all pre-commit hooks and CI checks to pass before merging, ensuring that local and CI/CD checks are consistent. This tightly integrated system continuously enforces high standards and prevents regressions in code quality or security (contributing.md).