Skip to content

fix: cargo-auditable build error #5895

fix: cargo-auditable build error

fix: cargo-auditable build error #5895

Workflow file for this run

name: ci
on:
push:
branches:
- main
- 'run-ci/**'
- '**/run-ci/**'
tags-ignore:
- '*'
pull_request:
branches:
- main
workflow_dispatch:
permissions:
contents: read
env:
CARGO_TERM_COLOR: always
CLICOLOR: '1'
jobs:
pure-rust-build:
runs-on: ubuntu-latest
container: debian:stable-slim
steps:
- uses: actions/checkout@v4
- name: Prerequisites
run: |
prerequisites=(
ca-certificates
curl
gcc # rustc calls gcc to invoke the linker.
libc-dev # rustc, in the toolchain we are using, dynamically links to the system libc.
)
apt-get update
apt-get install --no-install-recommends -y -- "${prerequisites[@]}"
shell: bash # This step needs `bash`, and the default in container jobs is `sh`.
- name: Verify that we are in an environment with limited dev tools
run: |
set -x
for package in cmake g++ libssl-dev make pkgconf pkg-config; do
if dpkg-query --status -- "$package"; then
exit 1
fi
done
for cmd in cmake g++ make pkgconf pkg-config; do
if command -v -- "$cmd"; then
exit 1
fi
done
- name: Install Rust via Rustup
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs |
sh -s -- -y --profile minimal
- name: Add Rust tools to path
run: echo "PATH=$HOME/.cargo/bin:$PATH" >> "$GITHUB_ENV"
- name: Generate dependency tree
run: cargo tree --locked --no-default-features --features max-pure > tree.txt
- name: Scan for dependencies that build C or C++ code
run: |
pattern='.*\b(-sys|cc|cmake|pkg-config|vcpkg)\b.*'
! GREP_COLORS='ms=30;48;5;214' grep --color=always -Ex -C 1000000 -e "$pattern" tree.txt
continue-on-error: true
- name: Check for unrecognized *-sys dependencies
run: |
! grep -qP '(?<!\blinux-raw)-sys\b' tree.txt
- name: Wrap cc1 (and cc1plus if present) to record calls
run: |
set -o noclobber # Catch any collisions with existing entries in /usr/local.
# Define the wrapper script for a compiler driver (for cc1 or cc1plus). This wrapper
# records calls, then delegates to the executable it wraps. When recording calls, writes
# to the log are synchronized so fragments of separate log entries aren't interleaved,
# even in concurrent runs. This wrapper knows what executable it is wrapping because,
# when deployed, this wrapper (or a symlink) replaces that executable, which will itself
# have been moved aside by being renamed with a `.orig` suffix, so this can call it.
cat >/usr/local/bin/wrapper1 <<'EOF'
#!/bin/sh
set -e
printf '%s\n' "$0 $*" |
flock /run/lock/wrapper1.fbd136bd-9b1b-448d-84a9-e18be53ae63c.lock \
tee -a -- /var/log/wrapper1.log ~/display >/dev/null # We'll link ~/display later.
exec "$0.orig" "$@"
EOF
# Define the script that performs the wrapping. This script shall be run once for each
# executable to be wrapped, renaming it with a `.orig` suffix and replacing it with a
# symlink to the wrapper script, defined above.
cat >/usr/local/bin/wrap1 <<'EOF'
#!/bin/sh
set -e
dir="$(dirname -- "$1")"
base="$(basename -- "$1")"
cd -- "$dir"
mv -- "$base" "$base.orig"
ln -s -- /usr/local/bin/wrapper1 "$base"
EOF
# Define a helper file that, when sourced, wires up the `~/display` symlink `wrapper1`
# uses to report calls as GitHub Actions step output (in addition to writing them to a
# log file). This is needed because stdout and stderr are both redirected elsewhere when
# the wrapper actually runs, and `/dev/tty` is not usable. This must be sourced in the
# same step as the `cargo` command that causes wrapped executables to be run, because
# different steps write to different pipe objects. (This also needs the shell that
# sourced it to remain running. But that is not the cause of the underlying limitation.)
cat >/usr/local/bin/set-display.sh <<'EOF'
ln -s -- "/proc/$$/fd/1" ~/display
EOF
chmod +x /usr/local/bin/wrapper1 /usr/local/bin/wrap1
mkdir /run/lock/wrapper1.fbd136bd-9b1b-448d-84a9-e18be53ae63c.lock
find /usr/lib/gcc \( -name cc1 -o -name cc1plus \) \
-print -exec /usr/local/bin/wrap1 {} \;
- name: Build max-pure with limited dev tools and log cc1
run: |
. /usr/local/bin/set-display.sh
cargo install --debug --locked --no-default-features --features max-pure --path .
- name: Show logged C and C++ compilations (should be none)
run: |
! cat /var/log/wrapper1.log
continue-on-error: true
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: Setup dependencies
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends liblzma-dev
- uses: extractions/setup-just@v3
- uses: taiki-e/install-action@v2
with:
tool: nextest
- name: test
env:
GIX_TEST_IGNORE_ARCHIVES: '1'
run: just ci-test
test-journey:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: extractions/setup-just@v3
- name: Run journey tests
run: just ci-journey-tests
test-fast:
strategy:
matrix:
os:
- windows-latest
- macos-latest
- ubuntu-latest
- ubuntu-24.04-arm
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- name: Setup dependencies (macos)
if: startsWith(matrix.os, 'macos')
run: brew install openssl gnu-sed
- name: cargo check default features
if: startsWith(matrix.os, 'windows')
run: cargo check --workspace --bins --examples
- uses: taiki-e/install-action@v2
with:
tool: nextest
- name: Test (nextest)
env:
GIX_TEST_CREATE_ARCHIVES_EVEN_ON_CI: '1'
run: cargo nextest run --workspace --no-fail-fast
- name: Doctest
run: cargo test --workspace --doc --no-fail-fast
- name: Check that tracked archives are up to date
run: git diff --exit-code # If this fails, the fix is usually to commit a regenerated archive.
test-fixtures-windows:
runs-on: windows-latest
steps:
- name: Upgrade Git for Windows to latest stable release
# This upgrades Git to work around https://github.com/GitoxideLabs/gitoxide/issues/1849.
# TODO: Remove this step once the runner image has Git 2.49.0 or higher.
env:
GH_TOKEN: ${{ github.token }}
run: |
$workingDir = '~/git-dl'
$repo = 'git-for-windows/git'
$pattern = 'Git-*-64-bit.exe'
$log = 'setup-log.txt'
# Inno Setup args reference: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
$arguments = @(
'/VERYSILENT',
'/SUPPRESSMSGBOXES',
'/ALLUSERS',
"/LOG=$log",
'/NORESTART',
'/CLOSEAPPLICATIONS',
'/FORCECLOSEAPPLICATIONS'
)
mkdir $workingDir | Out-Null
cd $workingDir
gh release download --repo $repo --pattern $pattern
$installer = Get-Item $pattern
Start-Process -FilePath $installer -ArgumentList $arguments -NoNewWindow -Wait
Get-Content -Path $log -Tail 50
git version
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: taiki-e/install-action@v2
with:
tool: nextest
- name: Test (nextest)
id: nextest
env:
GIX_TEST_IGNORE_ARCHIVES: '1'
run: cargo nextest --profile=with-xml run --workspace --no-fail-fast
continue-on-error: true
- name: Check for errors
run: |
[xml]$junit_xml = Get-Content -Path 'target/nextest/with-xml/junit.xml'
if ($junit_xml.testsuites.errors -ne 0) { exit 1 }
- name: Collect actual failures
run: |
[xml]$junit_xml = Get-Content -Path 'target/nextest/with-xml/junit.xml'
$actual_failures = $junit_xml.SelectNodes("//testcase[failure]") |
ForEach-Object { "$($_.classname) $($_.name)" } |
Sort-Object
Write-Output $actual_failures
Set-Content -Path 'actual-failures.txt' -Value $actual_failures
- name: Compare expected and actual failures
run: |
# Fail on any differences, even unexpectedly passing tests, so they can be investigated.
git --no-pager diff --no-index --exit-code --unified=1000000 --color=always -- `
etc/test-fixtures-windows-expected-failures-see-issue-1358.txt actual-failures.txt
test-32bit:
strategy:
matrix:
container-arch: [ i386, arm32v7 ]
include:
- container-arch: i386
runner-arch: amd64
runner-os: ubuntu-latest
host-triple: i686-unknown-linux-gnu
- container-arch: arm32v7
runner-arch: arm64
runner-os: ubuntu-24.04-arm
host-triple: armv7-unknown-linux-gnueabihf
runs-on: ${{ matrix.runner-os }}
container: ${{ matrix.container-arch }}/debian:stable-slim
steps:
- name: Prerequisites
run: |
prerequisites=(
build-essential
ca-certificates
cmake
curl
git
jq
libssl-dev
libstdc++6:${{ matrix.runner-arch }} # To support external 64-bit Node.js for actions.
pkgconf
)
dpkg --add-architecture ${{ matrix.runner-arch }}
apt-get update
apt-get install --no-install-recommends -y -- "${prerequisites[@]}"
shell: bash # This step needs `bash`, and the default in container jobs is `sh`.
- uses: actions/checkout@v4
- name: Install Rust via Rustup
run: |
# Specify toolchain to avoid possible misdetection based on the 64-bit running kernel.
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs |
sh -s -- -y --default-host ${{ matrix.host-triple }} --profile minimal
- name: Add Rust tools to path
run: echo "PATH=$HOME/.cargo/bin:$PATH" >> "$GITHUB_ENV"
- uses: Swatinem/rust-cache@v2
- uses: taiki-e/install-action@v2
with:
tool: nextest
- name: Make `system` scope nonempty for "GitInstallation" tests
run: git config --system gitoxide.imaginary.arbitraryVariable arbitraryValue
- name: Test (nextest)
env:
GIX_TEST_IGNORE_ARCHIVES: '1'
run: cargo nextest run --workspace --no-fail-fast
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@master
with:
toolchain: stable
components: clippy,rustfmt
- uses: extractions/setup-just@v3
- name: Run cargo clippy
run: just clippy -D warnings -A unknown-lints --no-deps
- name: Run cargo doc
run: just doc
- name: Run cargo fmt
run: cargo fmt --all -- --check
- name: Install cargo diet
env:
CARGO_DIET_TAG: v1.2.7
run: |
curl -LSfs "https://raw.githubusercontent.com/the-lean-crate/cargo-diet/refs/tags/$CARGO_DIET_TAG/ci/install.sh" |
sh -s -- --git the-lean-crate/cargo-diet --target x86_64-unknown-linux-musl --tag "$CARGO_DIET_TAG"
- name: Run cargo diet
run: just check-size
# Let's not fail CI for this, it will fail locally often enough, and a crate a little bigger
# than allows is no problem either if it comes to that.
continue-on-error: true
# This job is not required for PR auto-merge, so that sudden announcement of a
# new advisory does not keep otherwise OK pull requests from being integrated.
cargo-deny-advisories:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install tomlq
run: |
# The runner already has the `yq` command but not its associated `tomlq` command.
sudo apt-get update
sudo apt-get install yq
- name: Strict check, but omit gix-testtools
uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check advisories
arguments: --workspace --all-features --exclude gix-testtools
- name: Configure less strict check
run: |
filter='.advisories.ignore += [
{ id: "RUSTSEC-2025-0021", reason: "gix-testtools can’t upgrade from old gix-features yet" }
]'
tomlq "$filter" deny.toml --toml-output > deny-but-ignore-RUSTSEC-2025-0021.toml
- name: Less strict check, but include gix-testtools
uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check advisories
arguments: --workspace --all-features
command-arguments: --config deny-but-ignore-RUSTSEC-2025-0021.toml
cargo-deny:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check bans licenses sources
arguments: --workspace --all-features
wasm:
name: WebAssembly
runs-on: ubuntu-latest
strategy:
matrix:
target: [ wasm32-unknown-unknown, wasm32-wasip1 ]
env:
TARGET: ${{ matrix.target }}
steps:
- uses: actions/checkout@v4
- name: Install Rust
run: |
rustup update stable
rustup default stable
rustup target add "$TARGET"
- uses: Swatinem/rust-cache@v2
- name: 'WASI only: crates without feature toggle'
if: endsWith(matrix.target, '-wasi')
run: |
set +x
for name in gix-sec; do
(cd -- "$name" && cargo build --target "$TARGET")
done
- name: crates without feature toggles
run: |
set +x
for name in gix-actor gix-attributes gix-bitmap gix-chunk gix-command gix-commitgraph gix-config-value gix-date gix-glob gix-hash gix-hashtable gix-mailmap gix-object gix-packetline gix-path gix-pathspec gix-prompt gix-quote gix-refspec gix-revision gix-traverse gix-url gix-validate; do
(cd -- "$name" && cargo build --target "$TARGET")
done
- name: features of gix-features
run: |
set +x
for feature in progress parallel io-pipe crc32 zlib zlib-rust-backend cache-efficiency-debug; do
(cd gix-features && cargo build --features "$feature" --target "$TARGET")
done
- name: crates with 'wasm' feature
run: |
set +x
for name in gix-pack; do
(cd -- "$name" && cargo build --features wasm --target "$TARGET")
done
- name: gix-pack with all features (including wasm)
run: cd gix-pack && cargo build --all-features --target "$TARGET"
check-packetline:
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
# We consider this script read-only and its effect is the same everywhere.
# However, when changes are made to `etc/copy-packetline.sh`, re-enable the other platforms for testing.
# - macos-latest
# - windows-latest
runs-on: ${{ matrix.os }}
defaults:
run:
shell: bash # Use bash even on Windows, if we ever reenable windows-latest for testing.
steps:
- uses: actions/checkout@v4
- name: Check that working tree is initially clean
run: |
set -x
git status
git diff --exit-code
- name: Regenerate gix-packetline-blocking/src
run: etc/copy-packetline.sh
- name: Check that gix-packetline-blocking/src was already up to date
run: |
set -x
git status
git diff --exit-code
# Check that only jobs intended not to block PR auto-merge are omitted as
# dependencies of the `tests-pass` job below, so that whenever a job is
# added, a decision is made about whether it must pass for PRs to merge.
check-blocking:
runs-on: ubuntu-latest
env:
# List all jobs that are intended NOT to block PR auto-merge here.
EXPECTED_NONBLOCKING_JOBS: |-
cargo-deny-advisories
wasm
tests-pass
defaults:
run:
shell: bash # Without this, the shell here is `bash` but without `-o pipefail`.
steps:
- name: Find this workflow
run: |
relative_workflow_with_ref="${GITHUB_WORKFLOW_REF#"$GITHUB_REPOSITORY/"}"
echo "WORKFLOW_PATH=${relative_workflow_with_ref%@*}" >> "$GITHUB_ENV"
- uses: actions/checkout@v4
with:
sparse-checkout: ${{ env.WORKFLOW_PATH }}
- name: Get all jobs
run: yq '.jobs | keys.[]' -- "$WORKFLOW_PATH" | sort | tee all-jobs.txt
- name: Get blocking jobs
run: yq '.jobs.tests-pass.needs.[]' -- "$WORKFLOW_PATH" | sort | tee blocking-jobs.txt
- name: Get jobs we intend do not block
run: sort <<<"$EXPECTED_NONBLOCKING_JOBS" | tee expected-nonblocking-jobs.txt
- name: Each job must block PRs or be declared not to
run: |
sort -m blocking-jobs.txt expected-nonblocking-jobs.txt |
diff --color=always -U1000 - all-jobs.txt
# Dummy job to have a stable name for the "all tests pass" requirement
tests-pass:
name: Tests pass
needs:
- pure-rust-build
- test
- test-journey
- test-fast
- test-fixtures-windows
- test-32bit
- lint
- cargo-deny
- check-packetline
- check-blocking
if: always() # always run even if dependencies fail
runs-on: ubuntu-latest
steps:
- name: Fail if ANY dependency has failed or cancelled
if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
run: exit 1
- name: OK
run: exit 0