fix(ci): harden cargo-deny step (remove || true, add step names) (#107)

avrabe · claude · web-flow · commit eaa5c6a9022a · 2026-05-10T22:55:54.000-05:00
Issue #103 was largely closed in PR #106 (smithy runner migration), which replaced EmbarkStudios/cargo-deny-action@v2 with rustup + direct `cargo install --locked` + `cargo deny check`. This commit cleans up two residual defects in that step: 1. The install command was wrapped in `|| true`, so an install failure was silently swallowed and the next step would fail with a confusing "command not found". Drop the `|| true` so install failure fails the job loudly with a clear error. 2. Add explicit `name:` labels to the install / check steps so CI logs are readable. 3. Rewrite the rationale comment to reference the rust-toolchain.toml / musl interaction (the actual root cause of #103) with the smithy rootless-container note as secondary context. The duplicate `thiserror` 1.x/2.x versions cargo-deny will likely re-flag once it actually runs cleanly are out of scope here; will file a follow-up if it surfaces. Fixes: #103 Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
@@ -64,12 +64,16 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - uses: dtolnay/rust-toolchain@stable
-    # EmbarkStudios/cargo-deny-action@v2 launches a rootless container which
-    # fails on smithy (newuidmap is setuid + NoNewPrivileges=true on the
-    # runner unit). Direct install + invocation, per smithy migration playbook.
-    # bans/licenses/sources only (advisories handled by cargo-audit job).
-    - run: cargo install cargo-deny --locked --version 0.16.4 || true
-    - run: cargo deny check bans licenses sources
+    # EmbarkStudios/cargo-deny-action@v2 runs in a musl container that can't
+    # install the toolchain pinned by rust-toolchain.toml (issue #103). Also
+    # fails on smithy (rootless container + NoNewPrivileges). Install +
+    # invoke cargo-deny directly so the runner's rustup respects the project
+    # toolchain file. bans/licenses/sources only — advisories live in the
+    # cargo-audit job above.
+    - name: Install cargo-deny
+      run: cargo install --locked cargo-deny --version 0.16.4
+    - name: Run cargo deny check
+      run: cargo deny check bans licenses sources
 
   mutants:
     name: Mutation Testing
