v0.2.4: Add Security Checks: cargo-audit & cargo-deny (GitHub actions) and pre-commit hooks (#2)

Add `audit.yml` GitHub action, modify `ci.yml`, add `.pre-commit-config.yaml`

Author: ivanbgd

.cargo/audit.toml

@@ -0,0 +1,10 @@
+[advisories]
+ignore = [
+    # Warning:   unmaintained
+    # Title:     paste - no longer maintained
+    "RUSTSEC-2024-0436",
+]
+
+[output]
+quiet = false
+deny = ["warnings", "unmaintained"]

.github/workflows/audit.yml

@@ -0,0 +1,47 @@
+name: Security audit
+
+on:
+  push:
+    paths:
+      - "**/Cargo.lock"
+      - "**/Cargo.toml"
+      - "**/deny.toml"
+  pull_request:
+    types: [ opened, reopened, synchronize ]
+    branches:
+      - main
+  #  schedule:
+  #    - cron: "0 0 * * *"
+
+jobs:
+
+  audit-check:
+    name: Audit check
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      checks: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: rustsec/audit-check@v2.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  cargo-deny:
+    name: Cargo deny
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          rust-version: "1.89.0"
+          log-level: warn
+          command: check
+          arguments: --all-features
+
+  audit-success:
+    name: Audit success
+    runs-on: ubuntu-latest
+    needs: [audit-check, cargo-deny]
+    steps:
+      - run: echo "All audit jobs successfully finished."

.github/workflows/ci.yml

@@ -2,6 +2,8 @@ name: CI
 
 on:
   push:
+    branches:
+      - "*"
   pull_request:
     types: [ opened, reopened, synchronize ]
     branches:
@@ -18,26 +20,18 @@ permissions:
 # Each job runs in a runner environment specified by `runs-on`.
 jobs:
 
-  test:
-    name: Test
+  clippy:
+    name: Clippy
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v5
       - uses: ilammy/setup-nasm@v1
-
-      - name: Check out repository code
-        uses: actions/checkout@v5
-
-      # This GitHub Action installs a Rust toolchain using "rustup".
-      # It is designed for one-line concise usage and good defaults.
-      - name: Install the Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-
-      # A GitHub Action that implements smart caching for rust/cargo projects with sensible defaults.
-      - name: Rust Cache Action
-        uses: Swatinem/rust-cache@v2
-
-      - name: Run tests
-        run: cargo test
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy
+      - uses: Swatinem/rust-cache@v2
+      - name: Linting
+        run: cargo clippy --all-targets --all-features -- -D warnings
 
   fmt:
     name: Format
@@ -47,18 +41,60 @@ jobs:
       - uses: dtolnay/rust-toolchain@stable
         with:
           components: rustfmt
+      - uses: Swatinem/rust-cache@v2
       - name: Enforce formatting
-        run: cargo fmt --check
+        run: cargo fmt --all -- --check --color always
 
-  clippy:
-    name: Clippy
+  msrv:
+    name: MSRV check
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
       - uses: ilammy/setup-nasm@v1
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@master
         with:
+          toolchain: 1.89.0
           components: clippy
+      - run: cargo fetch
+      - name: MSRV check with cargo clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+
+  publish-check:
+    name: Publish check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: ilammy/setup-nasm@v1
+      - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
-      - name: Linting
-        run: cargo clippy -- -D warnings
+      - run: cargo fetch
+      - name: cargo publish dry run
+        run: cargo publish --dry-run
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v5
+
+      - uses: ilammy/setup-nasm@v1
+
+      # This GitHub Action installs a Rust toolchain using "rustup".
+      # It is designed for one-line concise usage and good defaults.
+      - name: Install the Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      # A GitHub Action that implements smart caching for rust/cargo projects with sensible defaults.
+      - name: Rust Cache Action
+        uses: Swatinem/rust-cache@v2
+
+      - name: Run tests
+        run: cargo test --all --all-targets
+
+  ci-success:
+    name: CI success
+    runs-on: ubuntu-latest
+    needs: [clippy, fmt, msrv, publish-check, test]
+    steps:
+      - run: echo "All CI jobs successfully finished."

.pre-commit-config.yaml

@@ -0,0 +1,47 @@
+repos:
+
+  - repo: local
+    hooks:
+      - id: check
+        name: check
+        description: Standard check
+        entry: cargo check
+        language: system
+        types: [ rust ]
+        pass_filenames: false
+
+      - id: clippy
+        name: clippy
+        description: More rigorous check
+        entry: cargo clippy --all-targets --all-features -- -D warnings
+        language: rust
+        pass_filenames: false
+
+      - id: rustfmt
+        name: rustfmt
+        description: Check if all files follow the rustfmt style
+        entry: cargo fmt --all -- --check --color always
+        language: rust
+        types: [ rust ]
+        pass_filenames: false
+
+      - id: test
+        name: test
+        description: Run tests
+        entry: cargo test --all --all-targets
+        language: rust
+        types: [ rust ]
+        pass_filenames: false
+
+  - repo: https://github.com/EmbarkStudios/cargo-deny
+    rev: 0.18.5
+    hooks:
+      - id: cargo-deny
+        args: ["--all-features", "check"]
+
+  -   repo: https://github.com/pre-commit/pre-commit-hooks
+      rev: v6.0.0
+      hooks:
+        -   id: check-added-large-files
+        -   id: check-yaml
+        -   id: end-of-file-fixer

CHANGELOG.md

@@ -10,11 +10,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Some form of concurrent execution, but this might not be necessary as some
   dependencies already use `rayon` and `crossbeam`.
 
-## [0.2.4] - 2025-09-08
+## [0.2.4] - 2025-09-30
+
+### Added
+
+- GitHub action `audit.yml`, with `audit-check` and `cargo-deny-action` actions
+  - `audit.toml` for local and CI `cargo audit` configuration
+  - `deny.toml` for local and CI `cargo deny` configuration
+- Pre-commit hooks, `.pre-commit-config.yaml`
 
 ### Changed
 - Updated several dependencies to newer versions.
   - `cargo audit` found a security vulnerability in a dependency (that version has been yanked).
+- The build process for the release profile now uses the LTO optimization.
 
 ## [0.2.3] - 2024-07-10
 

Cargo.lock

@@ -1,16 +1,15 @@
 [package]
 name = "reduce_image_size"
+description = "Reduces size of images in a folder (and optionally sub-folders, recursively)."
 version = "0.2.4"
-edition = "2024"
 authors = ["Ivan Lazarević"]
-description = "Reduces size of images in a folder (and optionally sub-folders, recursively)."
 repository = "https://github.com/ivanbgd/reduce-image-size-rust"
 license = "MIT"
-keywords = ["image", "images", "photo", "jpeg", "png"]
+readme = "README.md"
 categories = ["computer-vision", "multimedia", "multimedia::images", "command-line-utilities"]
-
-[profile.release]
-strip = "symbols"
+keywords = ["image", "images", "photo", "jpeg", "png"]
+edition = "2024"
+rust-version = "1.89.0"
 
 [lib]
 path = "src/lib.rs"
@@ -20,10 +19,18 @@ name = "reduce_image_size"
 path = "src/main.rs"
 
 [dependencies]
-clap = { version = "4.5.9", features = ["derive"] }
+clap = { version = "4.5.48", features = ["derive"] }
 fast_image_resize = { version = "5.3.0" }
 image = "0.25.8"
-oxipng = { version = "9.1.1", default-features = false, features = ["parallel"] }
-pathdiff = { version = "0.2.1" }
-turbojpeg = { version = "1.1.0", features = ["image"] }
+oxipng = { version = "9.1.5", default-features = false, features = ["parallel"] }
+pathdiff = { version = "0.2.3" }
+turbojpeg = { version = "1.3.3", features = ["image"] }
 walkdir = "2.5.0"
+
+[profile.dev.package.oxipng]
+opt-level = 3
+
+[profile.release]
+strip = "symbols"
+lto = "fat"
+codegen-units = 1

Cargo.toml

@@ -1,8 +1,11 @@
 # Reduce Image Size
 
-[![CI](https://github.com/ivanbgd/reduce-image-size-rust/actions/workflows/ci.yml/badge.svg)](https://github.com/ivanbgd/reduce-image-size-rust/actions/workflows/ci.yml)
+[![license](https://img.shields.io/badge/License-MIT-blue.svg?style=flat)](LICENSE)
 [![Crates.io](https://img.shields.io/crates/v/reduce_image_size.svg)](https://crates.io/crates/reduce_image_size)
 [![docs.rs](https://docs.rs/reduce_image_size/badge.svg)](https://docs.rs/reduce_image_size/)
+[![CI](https://github.com/ivanbgd/reduce-image-size-rust/actions/workflows/ci.yml/badge.svg)](https://github.com/ivanbgd/reduce-image-size-rust/actions/workflows/ci.yml)
+[![Security audit](https://github.com/ivanbgd/reduce-image-size-rust/actions/workflows/audit.yml/badge.svg)](https://github.com/ivanbgd/reduce-image-size-rust/actions/workflows/audit.yml)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)
 
 ## Description
 Reduces size of images in a folder (and optionally sub-folders, recursively).
@@ -57,13 +60,37 @@ The file paths in the examples are for Windows.
 - `reduce_image_size D:\img_src D:\img_dst --recursive --resize --quality 60 --size L`
 
 ## Notes
-- Updated and tested in Rust 1.89.0 on Apple silicon with macOS Sequoia 15.3.
+- Updated and tested in Rust 1.89.0 and 1.90.0 on Apple silicon with macOS Sequoia 15.3.2.
 - First developed in Rust 1.74.1, but also tested later with Rust 1.79.0.
 - Tested on x86-64 CPUs on Windows 10 and Windows 11.
 - Tested on Apple silicon, M2 Pro, on macOS Sonoma 14.5.
 - Also tested on WSL - Ubuntu 22.04.2 LTS (GNU/Linux 5.15.133.1-microsoft-standard-WSL2 x86_64) on Windows 11 @ x86-64.
 - Linux wasn't tested directly, but should work, at least on x86-64 CPUs.
 
+## Security
+
+- [cargo audit](https://github.com/rustsec/rustsec/blob/main/cargo-audit/README.md) is supported,
+  as well as its GitHub action, [audit-check](https://github.com/rustsec/audit-check).
+- [cargo deny](https://embarkstudios.github.io/cargo-deny/) is supported,
+  as well as its GitHub action, [cargo-deny-action](https://github.com/EmbarkStudios/cargo-deny-action).
+
+## Development
+
+### Pre-commit
+
+[pre-commit](https://pre-commit.com/) hooks are supported.
+
+```shell
+$ pip install pre-commit  # If you don't already have pre-commit installed on your machine. Run once.
+$ pre-commit autoupdate  # Update hook repositories to the latest versions.
+$ pre-commit install  # Sets up the pre-commit git hook script for the repository. Run once.
+$ pre-commit install --hook-type pre-push  # Sets up the pre-push git hook script for the repository. Run once.
+$ pre-commit run  # For manual running; considers only modified files.
+$ pre-commit run --all-files  # For manual running; considers all files.
+```
+
+After installing it, the provided [pre-commit hook(s)](.pre-commit-config.yaml) will run automatically on `git commit`.
+
 ## Running the Application
 Executable files for Windows, macOS and Linux can be downloaded from
 the [Releases](https://github.com/ivanbgd/reduce-image-size-rust/releases) page of the repository.