© Anton Dolganin 2025
A typical GitHub Actions workflow for Rust:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install cargo-audit, cargo-deny, tarpaulin, chef
        run: cargo install cargo-audit cargo-deny cargo-tarpaulin cargo-chef
      - name: Security check
        run: cargo audit
      - name: Dependency policy check
        run: cargo deny check
      - name: Test coverage gate
        run: cargo tarpaulin --fail-under 80
      - name: Build using cargo chef
        run: |
          cargo chef prepare --recipe-path recipe.json
          cargo chef cook --recipe-path recipe.json
          cargo build --release
This pipeline:
What each step does:
Security check (cargo-audit)
    cargo audit
Scans Cargo.lock for vulnerable, deprecated, or compromised dependencies using the RustSec advisory database.

Dependency policy check (cargo-deny)
    cargo deny check
Validates your dependency graph: licenses, banned crates, duplicates, and other policy rules.

Test coverage gate (cargo-tarpaulin)
    cargo tarpaulin --fail-under 80
Measures test coverage and fails the CI pipeline if coverage is below 80%.

Fast build using cargo-chef
    cargo chef prepare --recipe-path recipe.json
    cargo chef cook --recipe-path recipe.json
    cargo build --release
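
The cargo deny check step takes its policy from a deny.toml file next to the workspace Cargo.toml. The file below is an added example, not part of the original post; the allowed licenses and the banned crate are assumed policy choices, chosen only to show each of the rule types named above.

```toml
# deny.toml (constructed example; license list and banned crate are illustrative)

[advisories]
# Treat yanked crate versions as failures, alongside RustSec advisories.
yanked = "deny"
# Advisory IDs to skip go here; keep the list empty unless each entry
# has a documented reason.
ignore = []

[licenses]
# Only these SPDX identifiers are accepted. A dependency under any other
# license fails the check.
allow = ["MIT", "Apache-2.0", "BSD-3-Clause"]
# How closely license text must match a known license to be recognised.
confidence-threshold = 0.8

[bans]
# Two versions of the same crate in the graph: report, but do not fail.
multiple-versions = "warn"
# Reject dependencies declared with a "*" version requirement.
wildcards = "deny"
# Crates that must never appear in the graph (hypothetical policy choice).
deny = [
    { name = "openssl" },
]

[sources]
# Fail if a crate comes from a registry or git repository not listed below.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
```

The [sources] table is the supply-chain control here: it makes the build fail when a dependency is pulled from anywhere other than crates.io.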
via @Let's Get Rusty