merge queue: queuing main (345c27a) and #1650 together#1668
Closed
mergify[bot] wants to merge 4 commits into
Closed
merge queue: queuing main (345c27a) and #1650 together#1668mergify[bot] wants to merge 4 commits into
mergify[bot] wants to merge 4 commits into
Conversation
CI ran fmt / clippy / test / build but lacked the supply-chain and contract gates a distributed Rust CLI should enforce. Add them, all wired into ci-gate: - msrv: compile the workspace on the declared rust-version, read from Cargo.toml so the floor stays a single source of truth — the MSRV becomes a tested contract instead of a comment. - cargo-deny (deny.toml): RUSTSEC advisories, a license allow-list, banned/duplicate crates, and crates.io-only source provenance. - typos (_typos.toml): spellcheck source, comments, and docs. - --locked on every cargo invocation so the committed Cargo.lock is the build contract; --all-features on clippy/test so feature-gated paths are linted and exercised. - concurrency.cancel-in-progress: drop a superseded run on the same ref instead of finishing the obsolete matrix. The one doc-comment reword in queue unpause.rs avoids a typos false positive on "DELETEs". Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Change-Id: I8b77d970942d4bd223b23f5a148553438334d8bb
Harden the release and CI supply chain:
- Pin every third-party GitHub Action to a full commit SHA (with a
trailing `# tag` so Renovate still tracks updates), across all
workflows. Mutable tags — including pypa/gh-action-pypi-publish,
which rode the moving `release/v1` branch in the privileged
publish job — can be repointed at malicious code after review.
- Mint a build-provenance attestation for each binary asset in the
draft-release job (actions/attest-build-provenance), so a
downloader can verify origin with `gh attestation verify`.
- Enable PEP 740 attestations on the PyPI publish, reusing the
existing Trusted Publishing identity.
- Route `override-version` into the wheel/sdist stamp steps through
the environment instead of `${{ }}` interpolation, so a value with
shell metacharacters can't break out of the script.
- Add concurrency cancel-in-progress to the live functional-tests
workflow, which spends a real Mergify API budget per run.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Change-Id: If3faaafa3f3ed8debb9a033babadd5d7d240502a
Every crate re-declared its third-party versions and feature sets
inline — serde in 7 manifests, tokio in ~11 with divergent features,
tempfile pinned both "3" and "3.14" in one file. Versions could drift
apart silently and the per-crate feature lists read as isolation they
never provided (Cargo unifies features additively per build).
Hoist all shared deps into a root [workspace.dependencies] table, the
way [workspace.package] and [lints] are already inherited; each crate
now writes `dep = { workspace = true }`. Behaviour-preserving:
Cargo.lock is byte-identical and the resolved feature set per build is
unchanged.
One deliberate exception: tokio's rt-multi-thread feature is declared
only on the dev-dependency entries that need it, not in the workspace
default, so the shipped binary's single current-thread runtime never
pulls in the multi-threaded scheduler.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Change-Id: I1b937d90d1ea0fcd6b6abe63943b4026f7690534
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🎉 This pull request has been checked successfully and will be merged soon. 🎉
Branch main (345c27a) and #1650 are queued together for merge.
This pull request has been created by Mergify to check the mergeability of #1650.
You don't need to do anything. Mergify will close this pull request automatically when it is complete.
Required conditions of queue rule
defaultfor merge:depends-on = Mergifyio/mergify-cli#1649[⛓️ ci(release): pin action SHAs and add build/publish attestations #1649]title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:#approved-reviews-by>=2author = dependabot[bot]author = mergify-ci-botauthor = renovate[bot]body ~= (?ms:.{48,})#changes-requested-reviews-by = 0#review-requested = 0#review-threads-unresolved = 0check-success=ci-gateRequired conditions to stay in the queue:
base=maindepends-on = Mergifyio/mergify-cli#1649[⛓️ ci(release): pin action SHAs and add build/publish attestations #1649]label!=manual mergetitle ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:#approved-reviews-by>=2author = dependabot[bot]author = mergify-ci-botauthor = renovate[bot]body ~= (?ms:.{48,})#changes-requested-reviews-by = 0#review-requested = 0#review-threads-unresolved = 0check-success=ci-gate