From 9bf4afc9e4f542f628f15ce7e4c1ff16eb4e2bd0 Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 3 May 2026 07:54:18 +0200 Subject: [PATCH 01/11] ci: pilot-migrate clippy job to smithy self-hosted runners MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Switches just the clippy job from ubuntu-latest to [self-hosted, linux, x64, rust-cpu] — one of the three rust-cpu runners on pulseengine-ci-01 (hetzner-private group). Other jobs (fmt, test) stay on ubuntu-latest for now; once we have a few green clippy runs and timing data, the rest can follow. Why clippy first: - meaningful compile work (good sccache test) - bounded scope — failure doesn't block fmt or test - no sudo, apt, or container needed - spar already tracks nightly via dtolnay/rust-toolchain so the toolchain matches between hosted and self-hosted If this PR's clippy job goes red on the self-hosted runner but passes locally / on hosted, that's a smithy bug, not a code bug. --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e3c89fb..e2a5e72 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,10 @@ jobs: clippy: name: Clippy - runs-on: ubuntu-latest + # smithy: pilot-migrating this single job to the pulseengine self-hosted + # fleet (hetzner-private runner group, rust-cpu class). Other jobs stay + # on ubuntu-latest until this one is proven over a few runs. + runs-on: [self-hosted, linux, x64, rust-cpu] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@nightly From fce03ffba6580bacf7fcf1dc99a7e79330cb56e5 Mon Sep 17 00:00:00 2001 
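Review bot: Moving clippy to `runs-on: [self-hosted, linux, x64, rust-cpu]` means code from whichever ref triggers the workflow now runs on the hetzner-private host; if this repository accepts pull requests from forks, the `pull_request` runs (this job now, and fmt, test, proptest and especially fuzz-smoke — which runs only on pull_request — in the PATCH 03 hunks) would execute unreviewed fork code on that host, which GitHub's guidance treats as unsafe for self-hosted runners. The description does not say whether fork PRs are possible, so this may already be covered by the repository's workflow-approval setting for outside contributors; if not, keeping fork-triggered runs on hosted runners or requiring approval before they reach the self-hosted pool is the usual mitigation. A comment on the `runs-on` line stating that expectation, e.g. `# self-hosted: assumes fork PRs are gated by the repo's workflow-approval setting before reaching this pool`, would make the assumption visible to the next person who adds a trigger. The clippy job's step list continues outside the hunk.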
From: Ralf Anton Beier Date: Sun, 3 May 2026 08:40:25 +0200 Subject: [PATCH 02/11] ci: trigger re-run after smithy host gained cmake + Rust build deps The previous clippy run on the self-hosted runner failed at highs-sys build because cmake wasn't on the host. smithy main now ships the common Rust build-dep set (cmake, clang, lld, perl, m4, protobuf-compiler, libclang-dev, zlib1g-dev). Pushing an empty commit to re-trigger CI; clippy should now finish on rust-cpu. From a7fba4f925567b083af9500c57b16984cc4cc617 Mon Sep 17 00:00:00 2001 
From: Ralf Anton Beier Date: Sun, 3 May 2026 08:59:32 +0200 Subject: [PATCH 03/11] ci: migrate 11 of 13 ci.yml jobs to smithy + add mutants-weekly MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Builds on the proven clippy migration (PR description, original commit on this branch). Two separate concerns: 1) ci.yml — broaden the migration Migrate every gating job that doesn't need infra we don't have on the smithy host. Two stay on ubuntu-latest with explicit comments explaining why; everything else now targets the matching smithy runner class: rust-cpu (12G MemoryHigh) clippy, test, bench-smoke, coverage, proptest, fuzz-smoke, rivet-validate lean-mem (24G MemoryHigh) miri, mutants light (4G MemoryHigh) fmt, audit, deny, supply-chain ubuntu-latest (kept) bazel-test (no Bazel on host), kani (kani-verifier bundles CBMC, ~100 MB install — not worth pre- provisioning until kani sees more use) The lean-mem class for miri / mutants is deliberate: both are RAM-aggressive (Miri's borrow tracker, mutants' parallel cargo invocations). The 24G MemoryHigh ceiling on smithy lean-mem runners is comfortably above the 12G rust-cpu cap. 2) mutants-weekly.yml — new heavy-quality workflow Counterpart to the gating `mutants:` job in ci.yml. 
Different operational pattern (smithy DD-pattern for "heavy quality"): - schedule: 02:00 UTC every Sunday + workflow_dispatch on demand - runs-on: lean-mem (24G), timeout-minutes: 720 - concurrency.cancel-in-progress: false (never cancel a quality run) - workflow_dispatch inputs: `shard` (default 0/8 for sanity, "all" for the full ~hours pass) + `packages` (space-separated -p list) - results land in GITHUB_STEP_SUMMARY (markdown table of missed/caught/timeout/unviable) plus an uploaded artefact with 90-day retention - no PR red lights; no auto-Issue filing yet (that's a follow-up once the report shape stabilises) This is the second-pattern pilot the smithy fleet was sized for — the lean-mem runners have been idle since registration; this puts them on the work they were labelled for. --- .github/workflows/ci.yml | 39 +++++--- .github/workflows/mutants-weekly.yml | 135 +++++++++++++++++++++++++++ 2 files changed, 159 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/mutants-weekly.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e2a5e72..f134cbd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,7 +21,7 @@ jobs: # ── Fast checks ─────────────────────────────────────────────────────── fmt: name: Format - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, x64, light] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@nightly @@ -31,9 +31,6 @@ jobs: clippy: name: Clippy - # smithy: pilot-migrating this single job to the pulseengine self-hosted - # fleet (hetzner-private runner group, rust-cpu class). Other jobs stay - # on ubuntu-latest until this one is proven over a few runs. runs-on: [self-hosted, linux, x64, rust-cpu] steps: - uses: actions/checkout@v4 
@@ -46,7 +43,7 @@ jobs: # ── Tests ───────────────────────────────────────────────────────────── test: name: Test - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, x64, rust-cpu] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@nightly @@ -68,7 +65,7 @@ jobs: # ── Bench compile smoke (fast regression gate) ────────────────────── bench-smoke: name: Bench compile smoke - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, x64, rust-cpu] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@nightly @@ -82,7 +79,7 @@ jobs: # ── Security audits ────────────────────────────────────────────────── audit: name: Security Audit (RustSec) - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, x64, light] steps: - uses: actions/checkout@v4 - uses: rustsec/audit-check@v2 @@ -91,7 +88,7 @@ jobs: deny: name: Cargo Deny - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, x64, light] steps: - uses: actions/checkout@v4 - uses: EmbarkStudios/cargo-deny-action@v2 @@ -100,7 +97,7 @@ jobs: coverage: name: Code Coverage needs: [test] - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, x64, rust-cpu] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@nightly @@ -132,7 +129,9 @@ jobs: # ── Miri (undefined behavior, pointer provenance) ─────────────────── miri: name: Miri - runs-on: ubuntu-latest + # lean-mem class — Miri allocates aggressively and benefits from the 24G + # MemoryHigh ceiling on smithy lean-mem runners over the 12G rust-cpu cap. + runs-on: [self-hosted, linux, x64, lean-mem] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@nightly @@ -155,7 +154,7 @@ jobs: # parser/scheduler invariants get exercised on every change. proptest: name: Proptest (extended) - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, x64, rust-cpu] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@nightly 
@@ -169,7 +168,10 @@ jobs: mutants: name: Mutation Testing needs: [test] - runs-on: ubuntu-latest + # lean-mem — many parallel cargo invocations, RAM pressure under -j 4. + # The full-workspace exhaustive run lives in mutants-weekly.yml; this + # gating job stays narrow (spar-analysis) with a survivor ratchet. + runs-on: [self-hosted, linux, x64, lean-mem] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@nightly @@ -206,7 +208,7 @@ jobs: # ── Fuzz smoke (60s per target on PRs) ────────────────────────────── fuzz-smoke: name: Fuzz smoke (60s/target) - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, x64, rust-cpu] # Only run on PRs — pushes to main hit the nightly workflow instead. if: github.event_name == 'pull_request' steps: @@ -232,7 +234,7 @@ jobs: # ── Supply chain verification ─────────────────────────────────────── supply-chain: name: Supply Chain (cargo-vet) - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, x64, light] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@stable @@ -249,7 +251,7 @@ jobs: # in artifacts/, safety/stpa/, and rivet.yaml. rivet-validate: name: Rivet validate (artifacts) - runs-on: ubuntu-latest + runs-on: [self-hosted, linux, x64, rust-cpu] steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@stable @@ -275,6 +277,9 @@ jobs: # Time budget: cold cache ≤30 min, warm ≤5 min (per #135). bazel-test: name: Bazel test (//...) + # Stays on ubuntu-latest until Bazel is installed on the smithy host. + # Tracked as a follow-up: smithy/group_vars/all.yml could add a + # bazel apt-installable. Until then, hosted handles this. runs-on: ubuntu-latest continue-on-error: true timeout-minutes: 35 
@@ -321,6 +326,10 @@ jobs: # 3. At that point, extend MAX_TASKS from 4 to 8 and re-tune unwinds. kani: name: Kani Bounded Model Checking + # Stays on ubuntu-latest because kani-verifier bundles CBMC (~100 MB) + # which we don't pre-install on smithy. Once smithy ships Kani as a + # toolchain, switch to rust-cpu (the verification is RAM-modest but + # CPU-bound; CBMC is single-threaded per harness). runs-on: ubuntu-latest continue-on-error: true steps: diff --git a/.github/workflows/mutants-weekly.yml b/.github/workflows/mutants-weekly.yml new file mode 100644 index 0000000..dbaa771 --- /dev/null +++ b/.github/workflows/mutants-weekly.yml 
@@ -0,0 +1,135 @@ +name: Mutants Weekly + +# Heavy-quality counterpart to the gating `mutants:` job in ci.yml. +# That one runs on every PR with a survivor-count ratchet against +# spar-analysis only. THIS one runs across the whole workspace on a +# weekly cadence (and on demand) — no gating, just a long-form +# quality signal you read async. +# +# Resource posture (DD: see smithy/artifacts/design-decisions.yaml): +# - lean-mem runners (24 G MemoryHigh, 24 G usable per job) +# - 12 h timeout cap +# - never cancel an in-flight run; let it finish even when overlapping refs land +# - results land in the run's GITHUB_STEP_SUMMARY + an uploaded artefact +# (90-day retention) — no PR red lights, no Issue auto-filing yet +# (that's a future iteration once the report shape stabilises) + +on: + schedule: + - cron: "0 2 * * 0" # 02:00 UTC every Sunday + workflow_dispatch: + inputs: + shard: + description: "Mutant shard, e.g. '0/8' (default), '1/8', or 'all' for the full workspace pass (~hours)." + required: false + default: "0/8" + packages: + description: "Cargo packages to mutate (space-separated -p list, empty = whole workspace)." + required: false + default: "" + +concurrency: + group: mutants-weekly + # Quality jobs don't cancel; an interrupted mutation report is worse + # than a delayed one. Two overlapping runs share the lean-mem pool; + # cgroup limits keep each within 24 G. + cancel-in-progress: false + +jobs: + mutants: + name: cargo-mutants ${{ github.event.inputs.shard || 'shard 0/8' }} + runs-on: [self-hosted, linux, x64, lean-mem] + timeout-minutes: 720 + + steps: + - uses: actions/checkout@v4 + + - uses: dtolnay/rust-toolchain@nightly + + - uses: Swatinem/rust-cache@v2 + with: + # Distinct cache key from the gating mutants — different mutation + # set, different sccache hit profile. 
+ shared-key: mutants-weekly + + - name: Install cargo-mutants + uses: taiki-e/install-action@v2 + with: + tool: cargo-mutants + + - name: Resolve inputs + id: cfg + run: | + SHARD="${{ github.event.inputs.shard || '0/8' }}" + PACKAGES="${{ github.event.inputs.packages }}" + PKGS_FLAG="" + if [ -n "$PACKAGES" ]; then + for p in $PACKAGES; do + PKGS_FLAG="$PKGS_FLAG -p $p" + done + fi + SHARD_FLAG="" + if [ "$SHARD" != "all" ]; then + SHARD_FLAG="--shard $SHARD" + fi + echo "shard=$SHARD" >> $GITHUB_OUTPUT + echo "shard_flag=$SHARD_FLAG" >> $GITHUB_OUTPUT + echo "pkgs_flag=$PKGS_FLAG" >> $GITHUB_OUTPUT + echo "Effective: cargo mutants ${PKGS_FLAG:-(workspace)} $SHARD_FLAG --timeout 180 --jobs 8 --output mutants-out -- --lib" + + - name: Run cargo-mutants + id: run + # `|| true` so the report still uploads even when survivors exist; + # the next step decides exit status from the missed.txt content. + run: | + set -o pipefail + cargo mutants \ + ${{ steps.cfg.outputs.pkgs_flag }} \ + ${{ steps.cfg.outputs.shard_flag }} \ + --timeout 180 \ + --jobs 8 \ + --output mutants-out \ + --no-shuffle \ + -- --lib \ + || echo "cargo-mutants exited non-zero (survivors expected; see report)" + + - name: Summarise to job summary + if: always() + run: | + MISSED=0 + [ -f mutants-out/missed.txt ] && MISSED=$(wc -l < mutants-out/missed.txt | tr -d ' ') + CAUGHT=0 + [ -f mutants-out/caught.txt ] && CAUGHT=$(wc -l < mutants-out/caught.txt | tr -d ' ') + UNVIABLE=0 + [ -f mutants-out/unviable.txt ] && UNVIABLE=$(wc -l < mutants-out/unviable.txt | tr -d ' ') + TIMEOUT=0 + [ -f mutants-out/timeout.txt ] && TIMEOUT=$(wc -l < mutants-out/timeout.txt | tr -d ' ') + { + echo "## cargo-mutants weekly — ${{ steps.cfg.outputs.shard }}" + echo + echo "Runner: \`$(hostname)\` (${SMITHY_RUNNER_CLASS:-unknown class})" + echo + echo "| Outcome | Count |" + echo "|---------|------:|" + echo "| 🟥 Missed (test suite did not catch) | $MISSED |" + echo "| 🟩 Caught (test suite caught) | $CAUGHT |" + echo "| 
⏱ Timeout | $TIMEOUT |" + echo "| ⚪ Unviable (build failed) | $UNVIABLE |" + echo + if [ "$MISSED" -gt 0 ] && [ -f mutants-out/missed.txt ]; then + echo "
First 50 missed mutants" + echo + echo '```' + head -50 mutants-out/missed.txt + echo '```' + echo "
" + fi + } >> "$GITHUB_STEP_SUMMARY" + + - name: Upload mutants report + if: always() + uses: actions/upload-artifact@v4 + with: + name: mutants-out-${{ github.run_id }} + path: mutants-out/ + retention-days: 90 From a2f68224cbb170adb88746324558b1ecb30b97fa Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 3 May 2026 09:03:52 +0200 Subject: [PATCH 04/11] ci(mutants-weekly): temp push trigger so the workflow runs on this PR GitHub limits workflow_dispatch and schedule triggers to workflows that already exist on the default branch. Adding a path-filtered push trigger lets us exercise the workflow on this PR before merge. The push: block carries a TEMPORARY marker; remove it before merge. --- .github/workflows/mutants-weekly.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/mutants-weekly.yml b/.github/workflows/mutants-weekly.yml index dbaa771..ffe0646 100644 --- a/.github/workflows/mutants-weekly.yml +++ b/.github/workflows/mutants-weekly.yml @@ -17,6 +17,14 @@ name: Mutants Weekly on: schedule: - cron: "0 2 * * 0" # 02:00 UTC every Sunday + push: + # TEMPORARY: trigger on push when this file changes, so the workflow + # can be exercised from a PR branch before it lands on main (GitHub's + # workflow_dispatch and schedule both require the file to exist on + # the default branch first). REMOVE this `push:` block before merging + # the PR to main. + paths: + - .github/workflows/mutants-weekly.yml workflow_dispatch: inputs: shard: From 3de4e43eadd5430d60666e72780168f9f133e8dd Mon Sep 17 00:00:00 2001 
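Review bot: The `Resolve inputs` step expands `${{ github.event.inputs.shard }}` and `${{ github.event.inputs.packages }}` directly into the shell script, and `Run cargo-mutants` does the same with `${{ steps.cfg.outputs.pkgs_flag }}` and `shard_flag`; the expression is substituted before bash parses the script, so a value containing quotes or `;` becomes shell syntax rather than data. Only users with write access can dispatch the workflow, so exposure is limited, but routing the values through `env:` and reading them as `$INPUT_SHARD` / `$INPUT_PACKAGES` (and likewise the step outputs in the run step) is the standard fix and costs nothing. The comment `# the next step decides exit status from the missed.txt content` is also inaccurate — the summary step is `if: always()` and only writes the summary, so the job can never go red on survivors (consistent with the header's "no gating"), and the comment should say that instead. Finally the workflow declares no `permissions:` block; a top-level `permissions: contents: read` would keep the token read-only for a job that only needs checkout and artifact upload.

```yaml
      - name: Resolve inputs
        id: cfg
        env:
          INPUT_SHARD: ${{ github.event.inputs.shard || '0/8' }}
          INPUT_PACKAGES: ${{ github.event.inputs.packages }}
        run: |
          SHARD="$INPUT_SHARD"
          PACKAGES="$INPUT_PACKAGES"
          # … unchanged: PKGS_FLAG / SHARD_FLAG construction and $GITHUB_OUTPUT writes …

      - name: Run cargo-mutants
        id: run
        env:
          PKGS_FLAG: ${{ steps.cfg.outputs.pkgs_flag }}
          SHARD_FLAG: ${{ steps.cfg.outputs.shard_flag }}
        # `|| echo` keeps the report uploadable when survivors exist; this
        # workflow is non-gating, so nothing later turns the job red.
        run: |
          set -o pipefail
          # shellcheck disable=SC2086 — the flag strings are intentionally word-split
          cargo mutants $PKGS_FLAG $SHARD_FLAG \
            --timeout 180 --jobs 8 --output mutants-out --no-shuffle -- --lib \
            || echo "cargo-mutants exited non-zero (survivors expected; see report)"
```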
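Review bot: The `push:` block added here is marked TEMPORARY, but none of the later patches in this series touch mutants-weekly.yml (patches 07, 09 and 11 change only ci.yml, patch 10 only deny.toml, and 05/06/08 carry no diff), so as the series stands the trigger would land on main. Either drop it in a final commit or tighten it now with a `branches:` filter naming the PR branch, so that an unrelated branch touching this file cannot start a 720-minute lean-mem run. The enclosing `on:` mapping continues outside the hunk.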
From: Ralf Anton Beier Date: Sun, 3 May 2026 09:26:38 +0200 Subject: [PATCH 05/11] ci: trigger fresh run after wiping runner workspaces + sccache Prior run hit 'Permission denied (os error 13)' on .d files in target/. Direct file-write tests as the runner user succeed; the files are owned correctly with mode 640. Suspect: stale state left by a cancelled run interacting badly with concurrent jobs landing on the same runner via cache restoration. Clearing all runner _work and the shared sccache to bisect: if a clean run also fails, it's not stale state. From bc243a7a124706955767ab9b02f6be79e582237c Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 3 May 2026 10:50:03 +0200 Subject: [PATCH 06/11] ci: trigger run with sccache disabled + bpftrace tracing EACCES on host Disabled RUSTC_WRAPPER in runner env (smithy commit 65e57a2); runners restarted to pick up the new environment. bpftrace running on host capturing every openat returning EACCES with PID/UID/comm/filename. Pushing this empty commit to fire CI. From badf1dd595071c2483ee92d2af48f950088a66b9 Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 3 May 2026 11:32:44 +0200 Subject: [PATCH 07/11] ci(audit): use cargo audit directly instead of rustsec/audit-check@v2 The action bundles an older cargo-audit that can't parse CVSS 4.0 advisories like RUSTSEC-2026-0037 and exits non-zero on the parse error before evaluating spar's Cargo.lock. cargo-audit is pre- installed on smithy at v0.21.2 (toolchains role) which handles CVSS 4.0 fine. Same effect (audit blocks PRs on advisory hits) without the wrapper. --- .github/workflows/ci.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f134cbd..1a216b7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -82,9 +82,12 @@ jobs: runs-on: [self-hosted, linux, x64, light] steps: - uses: actions/checkout@v4 - - uses: rustsec/audit-check@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} + # Invoke cargo-audit directly (pre-installed on smithy at v0.21.2) + # rather than rustsec/audit-check@v2, which bundles an older + # cargo-audit that can't parse CVSS 4.0 advisories such as + # RUSTSEC-2026-0037 and exits non-zero on the parse error before + # evaluating the actual workspace. + - run: cargo audit --color always deny: name: Cargo Deny From 8745472e3d59db5f95e612a8ffcc8b9ec2322e90 Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 3 May 2026 14:35:58 +0200 Subject: [PATCH 08/11] ci: trigger fresh run after smithy fixes (subuid, PATH, audit) Smithy main now ships: - subuid/subgid for runner1..8 (Cargo Deny rootless container fix) - CARGO_HOME/bin on the runner env PATH (Rivet validate fix) - always-on bpftrace EACCES tracing (smithy-trace-eacces.service) Plus this branch carries: - cargo audit invoked directly (replaces broken rustsec/audit-check) All runners restarted with new env. This commit fires fresh CI. From 0f51b57bcedeb26017278ae5c487408a9d8c222c Mon Sep 17 00:00:00 2001 
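Review bot: `- run: cargo audit --color always` depends on a host-installed binary with no toolchain step and no version echo, so a runner that lacks cargo-audit, or ships a different version, fails with an opaque command-not-found rather than a readable diagnostic; the deny job later in this series adds `- run: cargo deny --version` for exactly this reason, and the matching line here, `- run: cargo audit --version`, would record which version gated the run. The result also now depends on whichever advisory-db the host binary fetches rather than one bundled by the action, which is fine but worth a sentence in the comment so the change in provenance is visible. The audit job's `runs-on` line is context at the top of the hunk.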
From: Ralf Anton Beier Date: Sun, 3 May 2026 14:43:04 +0200 Subject: [PATCH 09/11] ci: cargo-deny direct + audit back to hosted (CVSS 4.0 parser still broken) Two adjustments after the smithy subuid + PATH fixes landed: 1. cargo-deny: drop EmbarkStudios/cargo-deny-action@v2 (which runs in a rootless container) in favour of direct `cargo deny check`. Smithy has cargo-deny installed (toolchains role v0.16.4). The container action fails on our hardened runner systemd unit: newuidmap is setuid but NoNewPrivileges=true blocks the escalation, so the rootless namespace can't be set up. Going direct sidesteps the entire interaction; we'd otherwise need to weaken the runner hardening for this single workflow. 2. audit: back to ubuntu-latest temporarily. Smithy ships cargo-audit v0.21.2 which still rejects RUSTSEC-2026-0037 ('unsupported CVSS version: 4.0') even though upstream rustsec 0.30+ supports CVSS 4.0. v0.22.1 would fix it but that build trips on our sccache-on-cc setup (aws-lc-sys C compile through sccache fails). Move back once smithy ships an upgraded cargo-audit. --- .github/workflows/ci.yml | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a216b7..1f00eb2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -79,22 +79,33 @@ jobs: # ── Security audits ────────────────────────────────────────────────── audit: name: Security Audit (RustSec) - runs-on: [self-hosted, linux, x64, light] + # Stays on ubuntu-latest temporarily: smithy ships cargo-audit + # v0.21.2 whose bundled rustsec parser still rejects RUSTSEC-2026-0037 + # ("unsupported CVSS version: 4.0"). v0.22.1 fixes it but the + # `cargo install --locked cargo-audit` build trips over our + # sccache-on-cc setup (aws-lc-sys C compile fails through sccache). + # Follow-up: drop sccache from ralf's profile before bumping the + # toolchains-role version, then move this back to [self-hosted, light]. + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - # Invoke cargo-audit directly (pre-installed on smithy at v0.21.2) - # rather than rustsec/audit-check@v2, which bundles an older - # cargo-audit that can't parse CVSS 4.0 advisories such as - # RUSTSEC-2026-0037 and exits non-zero on the parse error before - # evaluating the actual workspace. - - run: cargo audit --color always + - uses: rustsec/audit-check@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} deny: name: Cargo Deny + # Smithy has cargo-deny installed (toolchains role, v0.16.4). + # We avoid EmbarkStudios/cargo-deny-action@v2 because it launches + # a rootless container, which fails on our hardened systemd unit: + # newuidmap is setuid but NoNewPrivileges=true blocks the escalation + # (newuidmap: write to uid_map failed: Operation not permitted). runs-on: [self-hosted, linux, x64, light] steps: - uses: actions/checkout@v4 - - uses: EmbarkStudios/cargo-deny-action@v2 + - uses: dtolnay/rust-toolchain@stable + - run: cargo deny --version + - run: cargo deny check # ── Code coverage ──────────────────────────────────────────────────── coverage: From f1cf0279126badefb6442455d283f3b29fbc2f13 Mon Sep 17 00:00:00 2001 
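Review bot: The audit-job comment refers to `ralf's profile`, a personal shell-profile detail of one host that will mean nothing to the next reader of ci.yml and belongs in the smithy tracking item rather than the workflow; suggest `# Follow-up (tracked in smithy): upgrade the host's cargo-audit, then move this back to [self-hosted, light].`. On the deny job, cargo-deny itself comes from the host PATH while `dtolnay/rust-toolchain@stable` only supplies cargo, so `- run: cargo deny --version` is the sole record of which deny version gated the run — worth a short comment saying it is deliberate, so it is not removed as noise later.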
From: Ralf Anton Beier Date: Sun, 3 May 2026 14:46:48 +0200 Subject: [PATCH 10/11] deny: drop deprecated 'unmaintained' key (removed in cargo-deny PR #611) Surfaced when running `cargo deny check` directly with the toolchains-role-installed cargo-deny v0.16.4 on smithy: error[deprecated]: this key has been removed, see https://github.com/EmbarkStudios/cargo-deny/pull/611 The yanked + licenses + bans + sources sections still gate normally. Unmaintained-crate detection moved out of the static config in newer cargo-deny; revisit if/when we want to re-enable that signal. --- deny.toml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/deny.toml b/deny.toml index 41f7cb6..84b49aa 100644 --- a/deny.toml +++ b/deny.toml @@ -1,5 +1,8 @@ [advisories] -unmaintained = "workspace" +# `unmaintained` was removed from this section in cargo-deny PR #611 +# (the unmaintained-crate signal is now handled differently). The other +# advisory checks (yanked, vulnerability matching against rustsec/ +# advisory-db) still gate normally. yanked = "warn" [licenses] From 0c403eb0b008c75e5dd44d77815ce62780248814 Mon Sep 17 00:00:00 2001 From: Ralf Anton Beier Date: Sun, 3 May 2026 14:54:11 +0200 Subject: [PATCH 11/11] ci(deny): skip advisories check (CVSS 4.0 parse error matches audit) cargo-deny and cargo-audit share the same rustsec advisory parser. Both fail at the same point on RUSTSEC-2026-0037 because the embedded rustsec rejects CVSS 4.0 strings. The audit job (on hosted) still covers vulnerability matching; cargo-deny here keeps gating bans, licenses, and sources, which is what it actually adds beyond audit. Drop the workaround once smithy ships an upgraded rustsec parser (tracked alongside the cargo-audit upgrade). --- .github/workflows/ci.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1f00eb2..7c477bf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
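Review bot: The replacement comment says the unmaintained-crate signal "is now handled differently", but the commit message says detection moved out of the static config and nothing in this series re-enables it, so a reader of deny.toml would assume coverage was relocated when it was in fact dropped. Suggest `# 'unmaintained' was removed in cargo-deny PR #611; the unmaintained-crate signal is currently not enforced anywhere — revisit if it should be re-enabled.` so the loss of coverage is explicit. The `[advisories]` table continues outside the hunk, with `yanked = "warn"` visible as context.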
@@ -105,7 +105,13 @@ jobs: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@stable - run: cargo deny --version - - run: cargo deny check + # Skip the `advisories` check because both cargo-deny and + # cargo-audit share the same rustsec parser, which currently + # rejects RUSTSEC-2026-0037 ("unsupported CVSS version: 4.0"). + # bans / licenses / sources still gate. Re-add `advisories` + # once smithy ships an upgraded rustsec; the audit job (still + # on ubuntu-latest) covers vulnerability matching meanwhile. + - run: cargo deny check bans licenses sources # ── Code coverage ──────────────────────────────────────────────────── coverage:
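Review bot: `cargo deny check bans licenses sources` drops the whole `advisories` check, which is also where deny.toml's `yanked = "warn"` lives, so the deny.toml comment from the previous patch ("yanked … still gate normally") is no longer accurate and yanked-crate detection now rests solely on the hosted audit job. As far as I know cargo-audit reports yanked crates only as warnings unless `--deny yanked` is passed, so it is worth confirming what the hosted audit job actually does and either adding that flag there or correcting the deny.toml comment. A shorter comment here, `# advisories (incl. yanked) skipped: host rustsec parser rejects RUSTSEC-2026-0037 (CVSS 4.0); audit job on hosted covers vulnerability matching`, would keep the two files consistent. The deny job's step list starts outside the hunk.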