Skip to content

mozilla/actions

BranchesTags

Repository files navigation

actions

GitHub actions shared by various Mozilla projects.

Composite Actions

rust — Install Rust and tools

Installs a Rust toolchain with optional components and tools. Uses Swatinem/rust-cache to cache dependencies (one entry per OS × toolchain, saves only on the default branch). Handles MSVC setup on Windows.

- uses: mozilla/actions/rust@v1
  with:
    version: stable # Toolchain version (default: stable)
    components: clippy # Space-separated Rust components
    tools: cargo-nextest # Comma- or space-separated tools (installed via cargo-binstall)
    token: ${{ github.token }} # GitHub token to avoid API rate limits
    targets: aarch64-unknown-linux-gnu # Comma-separated target triples
    rust-cache: true # Whether to enable rust-cache (default: true; auto-disabled when sccache: true)
    sccache: false # Whether to enable sccache (default: false)

toolchains — Determine Rust toolchains from MSRV

Reads rust-version from Cargo.toml and outputs a JSON array ["<msrv>", "stable", "nightly"] for use in CI matrices.

- uses: mozilla/actions/toolchains@v1
  id: toolchains
  with:
    working-directory: . # Directory containing Cargo.toml (default: .)

# Use in matrix:
# strategy:
#   matrix:
#     toolchain: ${{ fromJSON(steps.toolchains.outputs.toolchains) }}

claude-review — Claude Code Review

Runs Claude Code to perform an AI-assisted code review on a pull request. Posts inline comments and a PR-level summary via the GitHub review API. Only runs for pull requests whose author is an OWNER, MEMBER, or COLLABORATOR of the repository.

Note

Requires an ANTHROPIC_API_KEY repository secret.

The easiest way to use this is to copy .github/workflows/claude-review.yml into your repository — it includes the trigger and permission gating. Add a concurrency group and an ANTHROPIC_API_KEY secret and you're done.

Alternatively, call it as a reusable workflow using secrets: inherit. Or use the composite action directly to customize model, budget, or prompt:

- uses: mozilla/actions/claude-review@v1
  with:
    anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} # zizmor: ignore[secrets-outside-env]
    prompt: "Focus on protocol compliance and unsafe FFI usage." # optional
Input Default Description
anthropic_api_key (required) Anthropic API key
model claude-opus-4-6 Primary Claude model
fallback_model claude-sonnet-4-6 Fallback model
budget 5.00 Max spend per review in USD
prompt "" Additional project-specific review instructions

nss — Install Mozilla NSS

Installs Mozilla's Network Security Services (NSS) library. Uses the system package if it meets the minimum version requirement; otherwise downloads and builds from source with caching.

Sets environment variables: NSS_DIR, NSS_PREBUILT, LD_LIBRARY_PATH (Linux), DYLD_FALLBACK_LIBRARY_PATH (macOS).

- uses: mozilla/actions/nss@v1
  with:
    minimum-version: "3.100" # Minimum required NSS version
    # OR
    version-file: nss/min_version.txt # File containing the minimum version
    target: "" # Cross-compilation target (e.g. aarch64-linux-android)
    sccache: false # Whether to enable sccache for NSS compilation (default: false)
    token: ${{ github.token }} # GitHub token to avoid API rate limits (needed for Android builds)

If the rust action was called with sccache: true earlier in the same job, the nss action will detect this automatically and use sccache for the NSS build without needing sccache: true here.

Reusable Workflows

Call these from a job in your workflow using uses:. Workflows that depend on NSS require callers to run mozilla/actions/nss@v1 in a prior step.

jobs:
  claude-review:
    uses: mozilla/actions/.github/workflows/claude-review.yml@v1
    permissions:
      contents: read
      pull-requests: write
      issues: read
      actions: read
    secrets: inherit
  deny:
    uses: mozilla/actions/.github/workflows/deny.yml@v1
  rustfmt:
    uses: mozilla/actions/.github/workflows/rustfmt.yml@v1
  machete:
    uses: mozilla/actions/.github/workflows/machete.yml@v1
  actionlint:
    uses: mozilla/actions/.github/workflows/actionlint.yml@v1
    permissions:
      contents: read
      security-events: write # Required for zizmor to upload SARIF results
  dependency-review:
    if: github.event_name == 'pull_request'
    uses: mozilla/actions/.github/workflows/dependency-review.yml@v1
  clippy:
    uses: mozilla/actions/.github/workflows/clippy.yml@v1
    with:
      exclude-features: gecko # optional
  sanitize:
    uses: mozilla/actions/.github/workflows/sanitize.yml@v1
    with:
      features: ci # optional
  mutants-pr:
    uses: mozilla/actions/.github/workflows/mutants-pr.yml@v1
  mutants:
    uses: mozilla/actions/.github/workflows/mutants.yml@v1
  semver:
    uses: mozilla/actions/.github/workflows/semver.yml@v1
    with:
      package: my-crate # optional; omit to check all packages

claude-review.yml — Claude Code Review

Wraps the claude-review composite action as a self-contained workflow. Handles the pull_request_target trigger and permission gating (OWNER/MEMBER/COLLABORATOR only). Concurrency is the caller's responsibility. Can be copied directly into a repository or called as a reusable workflow with secrets: inherit. To customize model, budget, or prompt, use the composite action directly.

deny.yml — cargo deny

Runs cargo-deny to check for security advisories, banned crates, license compliance, and allowed sources. Advisory checks use continue-on-error to avoid blocking CI on sudden announcements. Requires a deny.toml in the repository root.

rustfmt.yml — Formatting

Runs cargo fmt --all -- --check with nightly rustfmt.

machete.yml — Unused dependencies

Runs cargo-machete and cargo-hack to find unused dependencies across all workspace crates and feature combinations.

actionlint.yml — Lint GitHub Actions workflows

Runs actionlint and zizmor on changes to workflow and composite action files. Triggers automatically on pull requests.

dependency-review.yml — Dependency review

Runs the GitHub Dependency Review Action to surface known-vulnerable package versions introduced in a PR.

clippy.yml — Clippy

Runs cargo hack clippy --feature-powerset across a matrix of OS (Linux, macOS, Windows) and toolchains (MSRV, stable, nightly), plus cargo doc with strict warnings. Accepts an exclude-features input for project-specific features to exclude from the powerset (e.g. gecko).

sanitize.yml — Sanitizers

Runs tests with address, thread, and leak sanitizers on Linux and macOS using nightly Rust. Accepts a features input to enable project-specific Cargo features during testing. macOS leak sanitizer suppresses known system library leaks automatically.

mutants-pr.yml — PR mutation testing

Runs cargo-mutants on the diff introduced by a PR, checking that each mutation is caught by the test suite. Posts results as a job summary.

mutants.yml — Full mutation testing

Runs cargo-mutants across the entire codebase in parallel shards (configurable via shards input). Designed for scheduled runs — callers must provide their own schedule trigger. Merges shard results and posts a summary with missed/caught/timeout counts.

semver.yml — Semver compatibility

Runs cargo-semver-checks against the PR base branch to catch breaking API changes. Accepts a package input to check a specific crate (omit to check all packages).

Versioning

Actions and workflows are versioned with @v1 tags. Pin to a tag for stability:

- uses: mozilla/actions/rust@v1

or to a specific commit SHA for reproducibility:

- uses: mozilla/actions/rust@<sha>

About

GitHub actions shared by various Mozilla projects

Resources

Readme

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE
MIT
LICENSE-MIT

Code of conduct

Code of conduct
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 12

v1.1.0 Latest
Apr 14, 2026
+ 11 releases

Packages

 
 
 

Contributors

Languages