ci(security): verify cargo-deny and enforce strict toolchain pin

This commit is contained in:
xj
2026-03-01 17:05:06 -08:00
parent dbd04574db
commit 0cc3144db5
3 changed files with 67 additions and 4 deletions
+40
View File
@@ -3,6 +3,16 @@ set -euo pipefail
requested_toolchain="${1:-1.92.0}"
fallback_toolchain="${2:-stable}"
strict_mode_raw="${3:-${ENSURE_CARGO_COMPONENT_STRICT:-false}}"
strict_mode="$(printf '%s' "${strict_mode_raw}" | tr '[:upper:]' '[:lower:]')"
is_truthy() {
local value="${1:-}"
case "${value}" in
1 | true | yes | on) return 0 ;;
*) return 1 ;;
esac
}
probe_cargo() {
local toolchain="$1"
@@ -33,6 +43,22 @@ export_toolchain_for_next_steps() {
} >>"${GITHUB_ENV}"
}
assert_rustc_version_matches() {
local toolchain="$1"
local expected_version="$2"
local actual_version
if [[ ! "${expected_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
return 0
fi
actual_version="$(rustup run "${toolchain}" rustc --version | awk '{print $2}')"
if [ "${actual_version}" != "${expected_version}" ]; then
echo "rustc version mismatch for ${toolchain}: expected ${expected_version}, got ${actual_version}" >&2
exit 1
fi
}
selected_toolchain="${requested_toolchain}"
echo "Ensuring cargo component is available for toolchain: ${requested_toolchain}"
@@ -49,6 +75,11 @@ if ! probe_cargo "${requested_toolchain}"; then
fi
if ! probe_cargo "${requested_toolchain}"; then
if is_truthy "${strict_mode}"; then
echo "::error::Strict mode enabled; cargo is unavailable for requested toolchain ${requested_toolchain}." >&2
rustup toolchain list || true
exit 1
fi
echo "::warning::Falling back to ${fallback_toolchain} because ${requested_toolchain} cargo remains unavailable."
rustup toolchain install "${fallback_toolchain}" --profile default
rustup component add cargo --toolchain "${fallback_toolchain}" || true
@@ -60,6 +91,15 @@ if ! probe_cargo "${requested_toolchain}"; then
selected_toolchain="${fallback_toolchain}"
fi
if is_truthy "${strict_mode}" && [ "${selected_toolchain}" != "${requested_toolchain}" ]; then
echo "::error::Strict mode enabled; refusing fallback toolchain ${selected_toolchain} (requested ${requested_toolchain})." >&2
exit 1
fi
if is_truthy "${strict_mode}"; then
assert_rustc_version_matches "${selected_toolchain}" "${requested_toolchain}"
fi
export_toolchain_for_next_steps "${selected_toolchain}"
echo "Using Rust toolchain: ${selected_toolchain}"