
bump(cargo)!: 🚀 upgrades available#1608

Open
hedgehog-dataplane-update[bot] wants to merge 16 commits into
mainfrom
bump/cargo-upgrades

Conversation

@hedgehog-dataplane-update

Contributor

🚀 Upgrades available

name      old req compatible latest  new req
====      ======= ========== ======  =======
anyhow    1.0.102 1.0.103    1.0.103 1.0.103
arc-swap  1.9.1   1.9.2      1.9.2   1.9.2  
rapidhash 4.4.1   4.4.2      4.4.2   4.4.2  
uuid      1.23.3  1.23.4     1.23.4  1.23.4 

⚠️ This Pull Request was automatically generated and should be carefully reviewed before acceptance. It may introduce breaking changes.

Copilot AI review requested due to automatic review settings June 29, 2026 04:57
@hedgehog-dataplane-update hedgehog-dataplane-update Bot requested a review from a team as a code owner June 29, 2026 04:57
@hedgehog-dataplane-update hedgehog-dataplane-update Bot added automated ci:+cross/full dependencies Pull requests that update a dependency file labels Jun 29, 2026
@hedgehog-dataplane-update hedgehog-dataplane-update Bot requested review from Fredi-raspall and removed request for a team June 29, 2026 04:57

Copilot AI left a comment

Contributor


Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@qmonnet

This comment was marked as outdated.

@mvachhar mvachhar requested a review from daniel-noland June 30, 2026 12:46
@mvachhar

Contributor

@daniel-noland Can you take a look at this to see what the correct fix is (or if Claude's fix is correct)?

@qmonnet

qmonnet commented Jun 30, 2026

Member

This is now blocking because of https://rustsec.org/advisories/RUSTSEC-2026-0190. I'll update a dependency bump without the npins update as a separate PR.

[EDIT: it's not, Daniel fixed it already. This PR just needs a rebase.]

@qmonnet

qmonnet commented Jun 30, 2026

Member

Actually, it looks like Daniel already fixed the whole issue in main with a4ca986

@qmonnet

qmonnet commented Jun 30, 2026

Member

We hit a different error now; it looks like oxalica's rust-overlay hasn't published a manifest for Rust 1.96.1 yet, which we try to pull. I'll try again tomorrow. I don't know if there's a better way to fix it to avoid this happening again on future Rust releases.

@hedgehog-dataplane-update hedgehog-dataplane-update Bot force-pushed the bump/cargo-upgrades branch 3 times, most recently from 2d93cc2 to 3dcf6ef Compare July 1, 2026 05:58
@mvachhar

mvachhar commented Jul 1, 2026

Contributor

Closed in favor of #1613 which appears to contain all the needed bumps.

@mvachhar mvachhar closed this Jul 1, 2026
@mvachhar mvachhar deleted the bump/cargo-upgrades branch July 1, 2026 09:57
@mvachhar mvachhar restored the bump/cargo-upgrades branch July 1, 2026 09:58
@mvachhar

mvachhar commented Jul 1, 2026

Contributor

Reopening this. #1613 was targeted to Daniel's other branch, which isn't passing tests. I accidentally merged that because I didn't realize it wasn't for main. Reopening this as a placeholder; I suspect this will be subsumed by another PR and closed later.

@mvachhar mvachhar reopened this Jul 1, 2026
@hedgehog-dataplane-update hedgehog-dataplane-update Bot force-pushed the bump/cargo-upgrades branch 4 times, most recently from fd391e6 to 2bd059a Compare July 1, 2026 22:31
@hedgehog-dataplane-update hedgehog-dataplane-update Bot force-pushed the bump/cargo-upgrades branch 4 times, most recently from c1e5831 to 411e4ba Compare July 1, 2026 23:42
daniel-noland and others added 16 commits July 1, 2026 18:47
I updated Cargo.lock to keep the other diffs as clean as possible.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Pin every third-party `uses:` reference (marketplace actions and
composite actions) to a specific commit SHA, with the resolved tag
kept as a trailing comment for readability. Managed going forward
via `pinact run` (config in .pinact.yaml).

The one exception is the cross-repo reusable workflow
`githedgehog/fabricator/.github/workflows/run-vlab.yaml`: we control
that workflow and pinning it is not desired.  It floats intentionally
and should pose no meaningful security issue.

.pinact.yaml also sets a 10-day `min_age` so `pinact run` never adopts
an action release less than 10 days old.

Also adds `pinact` to the nix devshell so it can be run locally.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Trim GITHUB_TOKEN permissions to what each job actually consumes,
traced through the composite actions and justfile recipes:

- bump.yml / version-bump.yml: the blanket contents/id-token/
  pull-requests grants had no consumer -- the actual git push and PR
  creation go through a separately-minted, already-scoped GitHub App
  token, not GITHUB_TOKEN. Reduced to `contents: read` (needed for
  checkout on this private repo).
- dev.yml: same story for the shared `check-perms` block (check,
  sanitize, test_each, concurrency, miri, wasm, cross) -- none of
  those jobs build or push containers, so checks/pull-requests/
  packages/id-token were dead weight. `build` and `publish` keep
  `packages: write` since they push images via `just push-container`.
  `check_changes` keeps `pull-requests: read` for dorny/paths-filter's
  API-based file-list lookup on PR events.

Also scope the three `create-github-app-token` steps (bump.yml,
dev.yml, version-bump.yml) to `permission-contents`/
`permission-pull-requests` instead of inheriting the full GitHub App
installation's permissions, and set `persist-credentials: false` on
checkout steps that never push with the default token (bump.yml,
dev.yml, fossa.yml, lint-validate-dependabot.yml), plus add zizmor to
the nix devshell used to audit this.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
- Name the previously-anonymous cargo-upgrades, version, publish,
  commitlint, and validate jobs (zizmor anonymous-definition).
- Add a concurrency group to mergeability.yml and
  lint-validate-dependabot.yml (zizmor concurrency-limits); the
  former falls back to github.run_id for merge_group events so an
  in-progress merge-queue check is never cancelled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
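The three commits above (SHA-pinning every third-party `uses:`, trimming `GITHUB_TOKEN` to what each job consumes with a separately scoped App token for pushes, and a concurrency group that never cancels a merge-queue run) describe workflow edits that are not shown on this page. The fragment below is an added example written for this edit, not the project's dev.yml or bump.yml. The `<40-hex-commit-sha>` placeholders stand in for real pinned commits (resolve them with `pinact run` or `git ls-remote`), and the job names, secret names, filter paths and the `just` recipe call are assumptions.

```yaml
name: dev
on:
  pull_request:
  merge_group:

# One run per PR; merge_group events carry no pull_request.number, so the
# group falls back to github.run_id and a queued merge check is never cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# Workflow-wide default for GITHUB_TOKEN: read the repository, nothing else.
# Jobs that need more declare it themselves below.
permissions:
  contents: read

jobs:
  check_changes:
    name: check_changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read   # dorny/paths-filter lists changed files via the API on PR events
    steps:
      # Third-party actions are pinned to a full commit SHA; the tag stays as a
      # trailing comment for readability. (Placeholder SHAs: substitute the real ones.)
      - uses: actions/checkout@<40-hex-commit-sha> # v4
        with:
          persist-credentials: false   # this job never pushes with GITHUB_TOKEN
      - id: filter
        uses: dorny/paths-filter@<40-hex-commit-sha> # v3
        with:
          filters: |
            rust:
              - '**/*.rs'
              - 'Cargo.lock'
    outputs:
      rust: ${{ steps.filter.outputs.rust }}

  bump:
    name: cargo-upgrades
    runs-on: ubuntu-latest
    # The git push and PR creation below use a GitHub App token, so GITHUB_TOKEN
    # needs only enough to check out this private repository.
    permissions:
      contents: read
    steps:
      - id: app-token
        uses: actions/create-github-app-token@<40-hex-commit-sha> # v2
        with:
          client-id: ${{ secrets.BUMP_APP_CLIENT_ID }}     # `app-id` is deprecated
          private-key: ${{ secrets.BUMP_APP_PRIVATE_KEY }}
          # Request only the two permissions the job uses instead of
          # inheriting everything the App installation is allowed to do.
          permission-contents: write
          permission-pull-requests: write
      - uses: actions/checkout@<40-hex-commit-sha> # v4
        with:
          token: ${{ steps.app-token.outputs.token }}   # this checkout does push
      - run: just bump-cargo-deps   # assumed recipe name
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}

  publish:
    name: publish
    needs: check_changes   # a failure upstream blocks the container push
    if: needs.check_changes.outputs.rust == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # the only job that pushes images
    steps:
      - uses: actions/checkout@<40-hex-commit-sha> # v4
        with:
          persist-credentials: false
      - run: just push-container
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two checks worth running against a real workflow after such an edit: `zizmor` on the workflow files (it flags unpinned `uses:`, missing `persist-credentials: false`, and overly broad `permissions:`), and a look at the run's "Set up job" log, which prints the effective `GITHUB_TOKEN` permissions so the trimmed grants can be confirmed rather than assumed.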
Give each linter its own just recipe (clippy, opengrep, pinact,
zizmor) instead of burying cargo clippy alone in `lint`, then compose
them in the justfile.  This gives local parity with the individual CI
lint jobs and a single place to tune each tool's flags.

dev.yml's `check` job now calls the `clippy` recipe directly (it
already ran individual recipes like fmt/test/doctest rather than the
aggregate `lint`; this keeps that step's naming honest).
lint-opengrep.yml now delegates to `just opengrep` instead of
duplicating the scan invocation inline.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Fold actionlint, cargo-fmt's sibling checks, license-headers, opengrep,
pinact, and zizmor into one non-matrixed `lint` job in dev.yml instead
of six independent lint-*.yml workflows, each of which paid for its
own nix-shell/cachix pull. One job now means one pull per PR instead
of six.

check-dependencies moves here too, off of the check job's debug/release
matrix and out of build's inline step list. `build` (and therefore
`publish`, which pushes to our container registry) now depends on the
whole `lint` job via `needs:`, so a check-dependencies failure still
blocks a container push.

Adds .github/zizmor.yml carrying an unpinned-uses `ref-pin` policy for
the fabricator run-vlab reusable workflow, so zizmor accepts its
`@master` ref pin (which pinact can't SHA-pin; see the pinning commit).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Add a commitlint check to the same job, gated by a config
(.commitlintrc.yaml) that mirrors the type list and header-length
intent of the existing lint-commitlint.yml action: no trailing
period, roughly 72-char headers. commitlint-rs has no single
"whole header length" rule, only a per-field description-max-length.
That bound is looser than the old check in principle.

commitlint-rs's `--from`/`--to` flags are unusable in any
non-interactive shell, CI included: its arg-handling checks stdin
before checking --from/--to, and stdin is never a TTY there, so it
silently lints empty/stray stdin content instead of the requested
commit range. Worked around by feeding each commit's message to
commitlint individually over stdin instead, which is the one
invocation mode that actually works.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Steps in a job run sequentially and stop at the first failure, so as
written, a fmt failure would hide whatever clippy/opengrep/zizmor/
pinact/actionlint/license-headers would have said -- a step backwards
from the six independent jobs this replaced, which all ran in parallel
and reported together.

Mark each check `continue-on-error` and add a final step that checks
every step's outcome and fails the job if any of them didn't succeed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
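An added example, not the project's dev.yml, of the `lint` job pattern the two commits above describe: each check runs with `continue-on-error` so a formatting failure does not hide what clippy or commitlint would have said, commitlint receives each commit's message over stdin instead of `--from`/`--to`, and a final step reads `steps.<id>.outcome` and fails the job if any check failed. Assumed here: the `<40-hex-commit-sha>` placeholder, that `commitlint` (commitlint-rs) and `jq` are on PATH, and the particular `cargo fmt`/`cargo clippy` invocations.

```yaml
name: dev
on:
  pull_request:

permissions:
  contents: read

jobs:
  lint:
    name: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<40-hex-commit-sha> # v4 (placeholder SHA)
        with:
          persist-credentials: false
          fetch-depth: 0   # the commitlint loop below walks the PR's commit range

      # Each check gets continue-on-error so one failure does not stop the
      # job before the remaining checks have reported.
      - id: fmt
        continue-on-error: true
        run: cargo fmt --all --check
      - id: clippy
        continue-on-error: true
        run: cargo clippy --all-targets --all-features -- -D warnings
      - id: commitlint
        continue-on-error: true
        env:
          BASE: ${{ github.event.pull_request.base.sha }}
          HEAD: ${{ github.event.pull_request.head.sha }}
        # commitlint-rs checks its (non-TTY) stdin before --from/--to and so
        # lints nothing useful in CI; pipe every message in individually and
        # fail the step if any of them is rejected.
        run: |
          status=0
          for c in $(git rev-list --reverse "$BASE..$HEAD"); do
            git log -1 --format=%B "$c" | commitlint || status=1
          done
          exit "$status"

      # steps.<id>.outcome holds the result before continue-on-error was
      # applied; conclusion would read "success" for every step above.
      - name: fail if any check failed
        if: always()
        env:
          STEPS: ${{ toJSON(steps) }}
        run: |
          failed=$(printf '%s' "$STEPS" \
            | jq -r 'to_entries[] | select(.value.outcome == "failure" or .value.outcome == "cancelled") | .key')
          if [ -n "$failed" ]; then
            printf 'failed checks: %s\n' "$failed"
            exit 1
          fi
```

The final step is gated with `if: always()` so it also runs when an earlier step was cancelled; without that, a cancelled check would leave the job green because `continue-on-error` already marked every step as passed.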
Extract the dependency-bump logic that lived inline in bump.yml into
just recipes so it can be run and tested locally:

- `bump-cargo-deps` runs `cargo update` plus per-package
  `cargo upgrade`, committing each bump separately, and (in CI) emits
  the PR-body summary via GITHUB_OUTPUT. It uses mktemp scratch files
  and guards the GITHUB_* writes so it is safe to run outside Actions.
- `bump-actions` runs `pinact run --update` to refresh pinned action
  SHAs; available for manual/local use.

bump.yml now calls `just bump-cargo-deps` and drives check-dependencies
through the shared `just` composite action instead of duplicating the
recipe bodies inline. It also switches the app-token input from the
deprecated `app-id` to `client-id` and adds the `ci:+vlab` label to
generated PRs.

Also bumps the dependabot cooldown from 7 to 10 days to match the
pinact `min_age`, so automated dependency PRs wait the same window
before adopting a fresh release.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
The cross compile job isn't run that frequently, but when failures
happen it is very annoying to debug because the max-parallel setting
of 1 makes failures take a long time. Increasing to 2 is very helpful
here and doesn't tax CI too much.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
name   old req compatible latest  new req
====   ======= ========== ======  =======
anyhow 1.0.102 1.0.103    1.0.103 1.0.103

Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
name     old req compatible latest new req
====     ======= ========== ====== =======
arc-swap 1.9.1   1.9.2      1.9.2  1.9.2

Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
name      old req compatible latest new req
====      ======= ========== ====== =======
rapidhash 4.4.1   4.4.2      4.4.2  4.4.2

Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
name old req compatible latest new req
==== ======= ========== ====== =======
uuid 1.23.3  1.23.4     1.23.4 1.23.4

Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>

Labels

automated ci:+cross/full dependencies Pull requests that update a dependency file


4 participants