bump(cargo)!: 🚀 upgrades available #1608
hedgehog-dataplane-update[bot] wants to merge 16 commits into
Conversation
@daniel-noland Can you take a look at this to see what the correct fix is (or if Claude's fix is correct)? |
This is now blocking because of https://rustsec.org/advisories/RUSTSEC-2026-0190. I'll update a dependency bump without the npins update as a separate PR. [EDIT: it's not, Daniel fixed it already. This PR just needs a rebase.] |
Actually, it looks like Daniel already fixed the whole issue in |
e13660f to 2254dc6
We hit a different error now, it looks like oxalica's rust-overlay hasn't published a manifest for Rust 1.96.1 yet, which we try to pull. I'll try again tomorrow - I don't know if there's a better way to fix it to avoid this happening again on future Rust releases.
2d93cc2 to 3dcf6ef
Closed in favor of #1613 which appears to contain all the needed bumps. |
Reopening this. #1613 was targeted at Daniel's other branch, which isn't passing tests. I accidentally merged that because I didn't realize it wasn't for main. Reopening this as a placeholder; I suspect this will be subsumed by another PR and closed later.
fd391e6 to 2bd059a
c1e5831 to 411e4ba
I updated Cargo.lock to keep the other diffs as clean as possible.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Pin every third-party `uses:` reference (marketplace actions and composite actions) to a specific commit SHA, with the resolved tag kept as a trailing comment for readability. Managed going forward via `pinact run` (config in .pinact.yaml). The one exception is the cross-repo reusable workflow `githedgehog/fabricator/.github/workflows/run-vlab.yaml`: we control that workflow and pinning it is not desired. It floats intentionally and should pose no meaningful security issue. .pinact.yaml also sets a 10-day `min_age` so `pinact run` never adopts an action release less than 10 days old. Also adds `pinact` to the nix devshell so it can be run locally.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Trim GITHUB_TOKEN permissions to what each job actually consumes, traced through the composite actions and justfile recipes:
- bump.yml / version-bump.yml: the blanket contents/id-token/pull-requests grants had no consumer -- the actual git push and PR creation go through a separately-minted, already-scoped GitHub App token, not GITHUB_TOKEN. Reduced to `contents: read` (needed for checkout on this private repo).
- dev.yml: same story for the shared `check-perms` block (check, sanitize, test_each, concurrency, miri, wasm, cross) -- none of those jobs build or push containers, so checks/pull-requests/packages/id-token were dead weight. `build` and `publish` keep `packages: write` since they push images via `just push-container`. `check_changes` keeps `pull-requests: read` for dorny/paths-filter's API-based file-list lookup on PR events.

Also scope the three `create-github-app-token` steps (bump.yml, dev.yml, version-bump.yml) to `permission-contents`/`permission-pull-requests` instead of inheriting the full GitHub App installation's permissions, and set `persist-credentials: false` on checkout steps that never push with the default token (bump.yml, dev.yml, fossa.yml, lint-validate-dependabot.yml), plus add zizmor to the nix devshell used to audit this.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
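The two commits above (SHA-pinning every third-party `uses:` ref, and trimming `permissions:` grants) are the kind of thing a reviewer wants to re-check mechanically. The script below is an added example, not code from this PR or from pinact/zizmor: a small POSIX-sh audit that flags `uses:` refs whose `@ref` is not a full 40-hex commit SHA and lists every `write` grant under any `permissions:` key. The sample workflow it scans is constructed here; its checkout SHA is a placeholder, and the only ref allowed to float is the run-vlab reusable workflow that the pinning commit documents as the deliberate exception.

```sh
#!/bin/sh
# Added example, not code from the PR: a stand-alone audit in the spirit of the
# `pinact`/zizmor checks described above. It flags third-party `uses:` refs
# that are not pinned to a full 40-hex commit SHA and lists every `write`
# grant under a `permissions:` key, so a reviewer sees both in one pass.

# Refs allowed to float, as one ERE. The cross-repo run-vlab workflow from the
# commit message is the documented exception (the same org owns it).
ALLOW_FLOAT='^githedgehog/fabricator/\.github/workflows/run-vlab\.yaml@'

# audit_uses FILE -> one "unpinned: <ref>" line per third-party action ref
# whose @ref is not a 40-hex SHA (local ./ composite actions are skipped)
audit_uses() {
    grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
      | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//' \
      | while IFS= read -r ref; do
            case "$ref" in
                ./*) continue ;;
            esac
            printf '%s\n' "$ref" | grep -Eq "$ALLOW_FLOAT" && continue
            printf '%s\n' "$ref" | grep -Eq '@[0-9a-f]{40}$' || echo "unpinned: $ref"
        done
}

# count_unpinned FILE -> number of unpinned refs (0 when everything is pinned)
count_unpinned() {
    audit_uses "$1" | grep -c '^unpinned:' || true
}

# audit_permissions FILE -> "write: <scope>" for each write grant under any
# `permissions:` block, plus "broad: ..." for a bare `permissions: write-all`
audit_permissions() {
    awk '
        /^[[:space:]]*permissions:[[:space:]]*(write-all|read-all)?[[:space:]]*$/ {
            if ($2 == "write-all") print "broad: permissions: write-all"
            inperm = 1; indent = match($0, /[^ ]/); next
        }
        inperm && match($0, /[^ ]/) > indent && $2 == "write" {
            sub(/:$/, "", $1); print "write: " $1; next
        }
        inperm && NF > 0 && match($0, /[^ ]/) <= indent { inperm = 0 }
    ' "$1"
}

# Constructed sample workflow (not the project's dev.yml); the SHA is a
# placeholder, not a real release of actions/checkout.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
name: sample
on: [pull_request]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
      - uses: dorny/paths-filter@v3
      - uses: ./.github/actions/just
  vlab:
    uses: githedgehog/fabricator/.github/workflows/run-vlab.yaml@master
EOF

audit_uses "$SAMPLE"          # -> unpinned: dorny/paths-filter@v3
audit_permissions "$SAMPLE"   # -> write: packages
```

Run it against `.github/workflows/*.yml` in a loop to get the same two signals pinact and zizmor raise; the `packages: write` hit is exactly the grant the commit message keeps only for `build`/`publish`, and anything else it reports is a candidate for `contents: read`.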
- Name the previously-anonymous cargo-upgrades, version, publish, commitlint, and validate jobs (zizmor anonymous-definition).
- Add a concurrency group to mergeability.yml and lint-validate-dependabot.yml (zizmor concurrency-limits); the former falls back to github.run_id for merge_group events so an in-progress merge-queue check is never cancelled.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Give each linter its own just recipe (clippy, opengrep, pinact, zizmor) instead of burying cargo clippy alone in `lint`, then compose them in the justfile. This gives local parity with the individual CI lint jobs and a single place to tune each tool's flags. dev.yml's `check` job now calls the `clippy` recipe directly (it already ran individual recipes like fmt/test/doctest rather than the aggregate `lint`; this keeps that step's naming honest). lint-opengrep.yml now delegates to `just opengrep` instead of duplicating the scan invocation inline.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Fold actionlint, cargo-fmt's sibling checks, license-headers, opengrep, pinact, and zizmor into one non-matrixed `lint` job in dev.yml instead of six independent lint-*.yml workflows, each of which paid for its own nix-shell/cachix pull. One job now means one pull per PR instead of six. check-dependencies moves here too, off of the check job's debug/release matrix and out of build's inline step list. `build` (and therefore `publish`, which pushes to our container registry) now depends on the whole `lint` job via `needs:`, so a check-dependencies failure still blocks a container push. Adds .github/zizmor.yml carrying an unpinned-uses `ref-pin` policy for the fabricator run-vlab reusable workflow, so zizmor accepts its `@master` ref pin (which pinact can't SHA-pin; see the pinning commit).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Add a commitlint check to the same job, gated by a config (.commitlintrc.yaml) that mirrors the type list and header-length intent of the existing lint-commitlint.yml action: no trailing period, roughly 72-char headers. commitlint-rs has no single "whole header length" rule, only a per-field description-max-length. That bound is looser than the old check in principle. commitlint-rs's `--from`/`--to` flags are unusable in any non-interactive shell, CI included: its arg-handling checks stdin before checking --from/--to, and stdin is never a TTY there, so it silently lints empty/stray stdin content instead of the requested commit range. Worked around by feeding each commit's message to commitlint individually over stdin instead, which is the one invocation mode that actually works.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
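The per-commit stdin workaround in the commit above, written out as an added example (not the PR's own recipe): `lint_commit_range` walks a git range and pipes each commit message to the linter in its own invocation, so `--from`/`--to` are never used. It assumes `git` and a `commitlint` binary (commitlint-rs) on PATH; `lint_header` is a stand-in that encodes only the intent named in the commit message (an allowed-type list, a roughly 72-character header, no trailing period) so the loop can be exercised without commitlint-rs installed. The type list is an assumption, not the contents of .commitlintrc.yaml.

```sh
#!/bin/sh
# Added example, not the PR's code: the per-commit stdin workaround described
# above. Instead of commitlint-rs's --from/--to (which mis-detect stdin in CI),
# lint_commit_range pipes each commit message in a git range to the linter
# one invocation at a time and reports every offender before failing.
# Assumptions: `commitlint` (commitlint-rs) is on PATH as the default linter
# and `git` is available. lint_header is a stand-in encoding only the intent
# named in the commit message; its type list is an assumption.

TYPES="build bump chore ci docs feat fix perf refactor revert style test"
MAX_HEADER=72

# lint_header MESSAGE -> 0 if the first line is `type(scope)?!?: subject`
# with an allowed type, a non-empty subject, no trailing period, <= 72 chars
lint_header() {
    header=$(printf '%s\n' "$1" | sed -n '1p')
    type=$(printf '%s\n' "$header" | sed -E 's/^([a-z]+)(\([^)]*\))?!?: .*$/\1/')
    subject=$(printf '%s\n' "$header" | sed -E 's/^[a-z]+(\([^)]*\))?!?: //')
    case " $TYPES " in
        *" $type "*) ;;
        *) echo "type not allowed or header malformed: '$header'"; return 1 ;;
    esac
    if [ "$subject" = "$header" ] || [ -z "$subject" ]; then
        echo "missing 'type: subject' form: '$header'"; return 1
    fi
    case "$subject" in
        *.) echo "trailing period: '$header'"; return 1 ;;
    esac
    if [ "${#header}" -gt "$MAX_HEADER" ]; then
        echo "header longer than $MAX_HEADER chars: '$header'"; return 1
    fi
    return 0
}

# stdin adapter so lint_header can sit where commitlint would in the pipeline
lint_header_stdin() { lint_header "$(cat)"; }

# lint_commit_range RANGE [LINTER...] -> feeds every commit message in RANGE
# (e.g. origin/main..HEAD) to LINTER over stdin, one commit per invocation.
# Keeps going after a failure so the job log shows all offenders at once.
lint_commit_range() {
    range=$1; shift
    [ $# -gt 0 ] || set -- commitlint
    status=0
    for sha in $(git rev-list --reverse "$range"); do
        if ! git log -1 --format=%B "$sha" | "$@"; then
            echo "commit $sha failed lint" >&2
            status=1
        fi
    done
    return $status
}

# constructed messages, fed over stdin exactly as each commit body would be
for msg in "bump(cargo)!: 🚀 upgrades available" "fix: end with a period."; do
    if printf '%s\n' "$msg" | lint_header_stdin; then
        echo "ok: $msg"
    fi
done
# In CI:   lint_commit_range "origin/main..HEAD"                  (real commitlint)
# Locally: lint_commit_range "origin/main..HEAD" lint_header_stdin (the stand-in)
```

Because the range is expanded with `git rev-list` on the runner side, a shallow or detached checkout shows up as an empty loop rather than as a silently passing lint, which is the failure mode the commit message describes for `--from`/`--to`; worth asserting that the loop visited at least one commit.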
Steps in a job run sequentially and stop at the first failure, so as written, a fmt failure would hide whatever clippy/opengrep/zizmor/pinact/actionlint/license-headers would have said -- a step backwards from the six independent jobs this replaced, which all ran in parallel and reported together. Mark each check `continue-on-error` and add a final step that checks every step's outcome and fails the job if any of them didn't succeed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
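The "final step" from the commit above, as an added example rather than the workflow's actual step: each check runs with `continue-on-error`, and a last step with `if: always()` passes every step's outcome into a small shell function that lists all non-succeeding checks and only then fails the job. The `NAME=OUTCOME` arguments are how the outcomes would be handed over from `${{ steps.<id>.outcome }}`; the values used at the bottom are constructed.

```sh
#!/bin/sh
# Added example, not code from the PR: the final "did every check pass" step
# for a lint job whose checks each run with continue-on-error. In the workflow
# the outcomes are rendered by Actions into the step's arguments, e.g.
#   run: ./check-outcomes.sh fmt=${{ steps.fmt.outcome }} clippy=${{ steps.clippy.outcome }}
# with `if: always()` so this step still runs after earlier failures.
# Only "success" passes; "failure", "cancelled" and "skipped" all fail the job,
# matching "fails the job if any of them didn't succeed".

# fail_if_any_failed NAME=OUTCOME ... -> 0 when every outcome is success,
# otherwise prints every non-succeeding check (so all are visible at once)
# and returns 1
fail_if_any_failed() {
    bad=""
    for pair in "$@"; do
        name=${pair%%=*}
        outcome=${pair#*=}
        [ "$outcome" = "success" ] && continue
        bad="$bad $name($outcome)"
    done
    if [ -n "$bad" ]; then
        echo "failed checks:$bad" >&2
        return 1
    fi
    echo "all checks succeeded"
}

# constructed outcomes, no real steps involved
if fail_if_any_failed fmt=failure clippy=success opengrep=success zizmor=skipped; then
    echo "unexpected: job would pass"
else
    echo "job fails, but every check already reported its own result"
fi
fail_if_any_failed fmt=success clippy=success opengrep=success zizmor=success
```

Treating `skipped` as a failure is deliberate: a check that never ran because an earlier `if:` condition mis-fired should not count as a pass.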
Extract the dependency-bump logic that lived inline in bump.yml into just recipes so it can be run and tested locally:
- `bump-cargo-deps` runs `cargo update` plus per-package `cargo upgrade`, committing each bump separately, and (in CI) emits the PR-body summary via GITHUB_OUTPUT. It uses mktemp scratch files and guards the GITHUB_* writes so it is safe to run outside Actions.
- `bump-actions` runs `pinact run --update` to refresh pinned action SHAs; available for manual/local use.

bump.yml now calls `just bump-cargo-deps` and drives check-dependencies through the shared `just` composite action instead of duplicating the recipe bodies inline. It also switches the app-token input from the deprecated `app-id` to `client-id` and adds the `ci:+vlab` label to generated PRs.

Also bumps the dependabot cooldown from 7 to 10 days to match the pinact `min_age`, so automated dependency PRs wait the same window before adopting a fresh release.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
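The "safe to run outside Actions" parts of `bump-cargo-deps` described above, as an added example in plain shell (not the project's justfile recipe): `summarize_upgrades` turns the `cargo upgrade` table format that the bump commits on this PR use into the per-crate lines for a PR body, `emit_output` appends a multi-line value to `$GITHUB_OUTPUT` only when Actions has set it and prints locally otherwise, and `bump_one` shows the per-crate upgrade-then-commit step. The table values are constructed; `cargo upgrade -p` is cargo-edit's package flag; the commit-message shape in `bump_one` is an assumption, not copied from the recipe.

```sh
#!/bin/sh
# Added example, not the project's justfile recipe: the "safe outside Actions"
# pieces of `bump-cargo-deps` described above, plus the per-crate commit step.
#   - summarize_upgrades: `cargo upgrade` table -> "crate old -> new" lines
#   - emit_output: multi-line-safe write to $GITHUB_OUTPUT only when set
#   - bump_one: upgrade one crate and commit that change alone (not run here;
#     the commit message shape is an assumption about the recipe)

# summarize_upgrades  (table on stdin) -> "crate old -> new" for each crate
# whose requirement actually changed (columns: name old compatible latest new)
summarize_upgrades() {
    awk '
        $1 == "name" && $2 == "old" { next }   # header row
        $1 ~ /^=+$/ { next }                   # underline row
        NF >= 5 && $2 != $5 { print $1 " " $2 " -> " $5 }
    '
}

# emit_output NAME VALUE -> NAME<<DELIM ... DELIM record in $GITHUB_OUTPUT when
# Actions set it; a random delimiter keeps a value that happens to contain the
# usual "EOF" from terminating the record early. Prints locally otherwise.
emit_output() {
    name=$1; value=$2
    if [ -n "${GITHUB_OUTPUT:-}" ]; then
        delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
        {
            printf '%s<<%s\n' "$name" "$delim"
            printf '%s\n' "$value"
            printf '%s\n' "$delim"
        } >> "$GITHUB_OUTPUT"
    else
        printf '%s:\n%s\n' "$name" "$value"
    fi
}

# bump_one CRATE SCRATCH_DIR -> upgrade one crate, keep its table in scratch,
# commit Cargo.toml/Cargo.lock with that table as the message body
bump_one() {
    cargo upgrade -p "$1" > "$2/$1.txt" || return 1
    git diff --quiet -- Cargo.toml Cargo.lock && return 0   # nothing changed
    git add Cargo.toml Cargo.lock
    printf 'bump(cargo): %s\n\n%s\n' "$1" "$(cat "$2/$1.txt")" | git commit -q -F -
}

# Constructed table in the `cargo upgrade` layout (values made up; the serde
# row is unchanged on purpose, to show it is filtered out of the summary)
SAMPLE_TABLE='name old req compatible latest new req
==== ======= ========== ====== =======
anyhow 1.0.102 1.0.103 1.0.103 1.0.103
arc-swap 1.9.1 1.9.2 1.9.2 1.9.2
serde 1.0.200 1.0.200 1.0.200 1.0.200'

# bump_summary -> the PR-body lines for the sample table
bump_summary() { printf '%s\n' "$SAMPLE_TABLE" | summarize_upgrades; }

emit_output summary "$(bump_summary)"   # prints locally; appends in CI
```

In the recipe the scratch directory would come from `mktemp -d` and be removed on exit, and each `bump_one` call would follow a single `cargo update`; the `GITHUB_OUTPUT` guard is what makes the same recipe runnable from a developer shell without touching any Actions file.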
The cross compile job isn't run that frequently, but when failures happen it is very annoying to debug because the max-parallel setting of 1 makes failures take a long time. Increasing to 2 is very helpful here and doesn't tax CI too much.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Daniel Noland <daniel@githedgehog.com>
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
name       old req   compatible   latest    new req
====       =======   ==========   ======    =======
anyhow     1.0.102   1.0.103      1.0.103   1.0.103
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>

name       old req   compatible   latest    new req
====       =======   ==========   ======    =======
arc-swap   1.9.1     1.9.2        1.9.2     1.9.2
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>

name       old req   compatible   latest    new req
====       =======   ==========   ======    =======
rapidhash  4.4.1     4.4.2        4.4.2     4.4.2
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>

name       old req   compatible   latest    new req
====       =======   ==========   ======    =======
uuid       1.23.3    1.23.4       1.23.4    1.23.4
Signed-off-by: github-actions[bot] <224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>
411e4ba to 1b0d7eb
🚀 Upgrades available