1 files changed, 52 insertions, 37 deletions

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9c1e563d..bf8c2004 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,27 @@ on:
     - master
   schedule:
   - cron: '00 01 * * *'
+
+# The section is needed to drop write-all permissions that are granted on
+# `schedule` event. By specifying any permission explicitly all others are set
+# to none. By using the principle of least privilege the damage a compromised
+# workflow can do (because of an injection or compromised third party tool or
+# action) is restricted. Currently the worklow doesn't need any additional
+# permission except for pulling the code. Adding labels to issues, commenting
+# on pull-requests, etc. may need additional permissions:
+#
+# Syntax for this section:
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+#
+# Reference for how to assign permissions on a job-by-job basis:
+# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+#
+# Reference for available permissions that we can enable if needed:
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+permissions:
+  # to fetch code (actions/checkout)
+  contents: read
+
 jobs:
   test:
     name: test
@@ -14,32 +35,21 @@ jobs:
       # systems.
       CARGO: cargo
       # When CARGO is set to CROSS, this is set to `--target matrix.target`.
+      # Note that we only use cross on Linux, so setting a target on a
+      # different OS will just use normal cargo.
       TARGET_FLAGS:
       # When CARGO is set to CROSS, TARGET_DIR includes matrix.target.
       TARGET_DIR: ./target
+      # Bump this as appropriate. We pin to a version to make sure CI
+      # continues to work as cross releases in the past have broken things
+      # in subtle ways.
+      CROSS_VERSION: v0.2.5
       # Emit backtraces on panics.
       RUST_BACKTRACE: 1
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
-        build:
-        # We test ripgrep on a pinned version of Rust, along with the moving
-        # targets of 'stable' and 'beta' for good measure.
-        - pinned
-        - stable
-        - beta
-        # Our release builds are generated by a nightly compiler to take
-        # advantage of the latest optimizations/compile time improvements. So
-        # we test all of them here. (We don't do mips releases, but test on
-        # mips for big-endian coverage.)
-        - nightly
-        - nightly-musl
-        - nightly-32
-        - nightly-mips
-        - nightly-arm
-        - macos
-        - win-msvc
-        - win-gnu
         include:
         - build: pinned
           os: ubuntu-latest
@@ -53,27 +63,26 @@ jobs:
         - build: nightly
           os: ubuntu-latest
           rust: nightly
-        - build: nightly-musl
+        - build: stable-musl
           os: ubuntu-latest
-          rust: nightly
+          rust: stable
           target: x86_64-unknown-linux-musl
-        - build: nightly-32
+        - build: stable-x86
           os: ubuntu-latest
-          rust: nightly
+          rust: stable
           target: i686-unknown-linux-gnu
-        - build: nightly-mips
+        - build: stable-aarch64
           os: ubuntu-latest
-          rust: nightly
-          target: mips64-unknown-linux-gnuabi64
-        - build: nightly-arm
+          rust: stable
+          target: aarch64-unknown-linux-gnu
+        - build: stable-powerpc64
           os: ubuntu-latest
-          rust: nightly
-          # For stripping release binaries:
-          # docker run --rm -v $PWD/target:/target:Z \
-          #   rustembedded/cross:arm-unknown-linux-gnueabihf \
-          #   arm-linux-gnueabihf-strip \
-          #   /target/arm-unknown-linux-gnueabihf/debug/rg
-          target: arm-unknown-linux-gnueabihf
+          rust: stable
+          target: powerpc64-unknown-linux-gnu
+        - build: stable-s390x
+          os: ubuntu-latest
+          rust: stable
+          target: s390x-unknown-linux-gnu
         - build: macos
           os: macos-latest
           rust: nightly
@@ -103,9 +112,17 @@ jobs:
         toolchain: ${{ matrix.rust }}
 
     - name: Use Cross
-      if: matrix.target != ''
+      if: matrix.os == 'ubuntu-latest' && matrix.target != ''
       run: |
-        cargo install cross
+        # In the past, new releases of 'cross' have broken CI. So for now, we
+        # pin it. We also use their pre-compiled binary releases because cross
+        # has over 100 dependencies and takes a bit to compile.
+        dir="$RUNNER_TEMP/cross-download"
+        mkdir "$dir"
+        echo "$dir" >> $GITHUB_PATH
+        cd "$dir"
+        curl -LO "https://github.com/cross-rs/cross/releases/download/$CROSS_VERSION/cross-x86_64-unknown-linux-musl.tar.gz"
+        tar xf cross-x86_64-unknown-linux-musl.tar.gz
         echo "CARGO=cross" >> $GITHUB_ENV
         echo "TARGET_FLAGS=--target ${{ matrix.target }}" >> $GITHUB_ENV
         echo "TARGET_DIR=./target/${{ matrix.target }}" >> $GITHUB_ENV
@@ -177,7 +194,6 @@ jobs:
       run: ci/test-complete
 
   rustfmt:
-    name: rustfmt
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
@@ -191,7 +207,6 @@ jobs:
       run: cargo fmt --all --check
 
   docs:
-    name: Docs
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository