chore(ci): replace to actions-rust-lang/setup-rust-toolchain#210
Conversation
…t-toolchain Migrates 13 call sites away from the Boshen/setup-rust personal-account action to the Rust ecosystem org-maintained equivalent actions-rust-lang/setup-rust-toolchain v1.16.1, pinned by SHA. Parameter mapping: save-cache: <expr> -> cache-save-if: <expr> restore-cache: false -> cache: false tools: <name> -> extracted into separate taiki-e/install-action step components: <name> -> components: <name> (unchanged) Cache-write security model preserved: every job that previously gated save-cache on the main branch continues to gate cache-save-if on main, so fork PRs still cannot poison the shared cache. Jobs that defaulted to restore-only under Boshen's defaults are made explicit with cache-save-if false or main-only. Reduces supply-chain exposure to a single Rust-ecosystem org account.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1db57c1df5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Pull request overview
Migrates GitHub Actions Rust toolchain setup from Boshen/setup-rust to the Rust ecosystem–maintained actions-rust-lang/setup-rust-toolchain, preserving existing cache-write gating while extracting previously inlined cargo tool installs into explicit taiki-e/install-action steps.
Changes:
- Replace
Boshen/setup-rustusage with SHA-pinnedactions-rust-lang/setup-rust-toolchain@v1.16.1across workflows. - Map caching semantics to
cache-save-if/cache: falsewhere appropriate, maintaining main-branch-only cache writes. - Install
cargo-deny,cargo-llvm-cov, andcargo-codspeedviataiki-e/install-actioninstead of the oldtools:input.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/reusable-build.yml | Switch reusable build workflow to setup-rust-toolchain and keep build cache keying. |
| .github/workflows/release-plz.yml | Update release workflow to new Rust toolchain setup action with main-only cache saves. |
| .github/workflows/codecov.yml | Replace Rust setup action and add explicit cargo-llvm-cov installation step. |
| .github/workflows/ci.yml | Replace Rust setup action throughout CI and extract cargo-deny installation. |
| .github/workflows/benchmark.yml | Replace Rust setup action and add explicit cargo-codspeed installation step. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
stormslowly
changed the title
actions-rust-lang/setup-rust-toolchain exports RUSTFLAGS=-D warnings by default, which Boshen/setup-rust never did. The project carries pre-existing platform-gated warnings (cfg-conditional unused imports and dead code on wasm/wasi/windows targets) that surfaced as build failures once warnings were promoted to errors. Pass rustflags: "" on every call site to restore the prior posture: warnings stay warnings for library builds, while the lint job's explicit cargo clippy -- -D warnings continues to enforce strict checking on the dedicated lint path.
actions-rust-lang/setup-rust-toolchain exports RUSTFLAGS=-D warnings by
default. Three pre-existing platform-gated warnings then become build
failures:
file_system.rs (wasm/wasi):
cfg_if and pnp::fs::{VPath, VPathInfo, ZipCache} are referenced only
inside the non-wasm impl block, and FileSystemOs's options/pnp_lru
fields are read only there too. Tighten the import guards and mark
the struct dead-code-allowed on wasm32.
src/tests/mod.rs + lib.rs (windows):
The node_path test module is entirely posix-gated, leaving its outer
new_resolver helper and the lib-side with_node_path_dirs hook unused
on Windows test builds. Gate the mod declaration and the helper on
cfg(not(target_os = windows)).
With these warnings fixed at the source, the rustflags workaround on
every setup-rust-toolchain call site is reverted, so the new default
-D warnings posture now tightens CI instead of being neutralized.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f87b2189a2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Summary
Migrate 13 workflow call sites from the personal-account action
Boshen/setup-rustto the Rust ecosystem org-maintained equivalentactions-rust-lang/setup-rust-toolchain@v1.16.1(pinned by SHA46268bd060767258de96ed93c1251119784f2ab6).Why
A SHA-pinned third-party action still trusts the upstream account's 2FA — every Renovate bump silently re-extends that trust. Moving toolchain setup from a single maintainer's repo to a Rust ecosystem org reduces the supply-chain blast radius if any one personal account is compromised.
Parameter mapping
save-cache: <expr>cache-save-if: <expr>restore-cache: falsecache: falsetools: <name>taiki-e/install-actionstepcomponents: <name>Cache-write security model preserved
Every job that previously gated
save-cacheon the main branch now gatescache-save-ifon main, so fork PRs still cannot write to the shared cache. Jobs that previously defaulted to restore-only under Boshen's defaults are now explicit:lint(clippy),doc—cache-save-if: \${{ github.ref_name == 'main' }}(newly saves on main, an improvement)test—cache-save-if: false(keeps the dedicatedcachejob as the sole writer of thewarmkey, avoiding races)format,deny,unused-deps—cache: false(no caching at all, as before)Tools that needed extraction
cargo-deny(inci.yml)cargo-codspeed(inbenchmark.yml)cargo-llvm-cov(incodecov.yml)All installed via the already-pinned
taiki-e/install-action@v2.75.18.Test plan