From 4b8db238305176b7ba82c1fc39d9bb7a2c3f71c6 Mon Sep 17 00:00:00 2001 From: leynos Date: Wed, 8 Jul 2026 12:46:56 +0200 Subject: [PATCH 1/4] Install Whitaker from the released installer in generated projects Replace the git-revision `cargo install` of `whitaker-installer` with the released 0.2.5 crate in both places the template provisions it: the generated CI workflow (via `cargo binstall`, which the generated job already uses for its other Rust tools) and the generated Makefile's `whitaker` bootstrap target (via `cargo install --locked --version`, since local machines may lack binstall). This matches the estate-standard adoption pattern (see leynos/netsuke#410). The `--cranelift` flag is retained for the generated projects' Cranelift debug builds. --- template/.github/workflows/ci.yml.jinja | 8 +++----- template/Makefile.jinja | 6 ++---- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/template/.github/workflows/ci.yml.jinja b/template/.github/workflows/ci.yml.jinja index c9ec18a..47ba73e 100644 --- a/template/.github/workflows/ci.yml.jinja +++ b/template/.github/workflows/ci.yml.jinja @@ -12,7 +12,7 @@ jobs: CS_ACCESS_TOKEN: ${{ "{{" }} secrets.CS_ACCESS_TOKEN {{ "}}" }} CODESCENE_CLI_SHA256: ${{ "{{" }} vars.CODESCENE_CLI_SHA256 {{ "}}" }} {% if use_rust %} - WHITAKER_INSTALLER_REV: f768c2e53c47df13658af1168a67851d388750bf + WHITAKER_INSTALLER_VERSION: '0.2.5' CARGO_TERM_COLOR: always BUILD_PROFILE: debug {% endif %} @@ -50,10 +50,8 @@ jobs: env: RUSTFLAGS: "" run: | - cargo install --locked \ - --git https://github.com/leynos/whitaker \ - --rev "${WHITAKER_INSTALLER_REV}" \ - whitaker-installer + cargo binstall --no-confirm \ + whitaker-installer@"${WHITAKER_INSTALLER_VERSION}" whitaker-installer --cranelift cargo install --locked cargo-audit diff --git a/template/Makefile.jinja b/template/Makefile.jinja index e73647f..8f1639f 100644 --- a/template/Makefile.jinja +++ b/template/Makefile.jinja @@ -32,7 +32,7 @@ CLIPPY_FLAGS ?= $(CARGO_FLAGS) -- $(RUST_FLAGS) TEST_FLAGS ?= $(CARGO_FLAGS) TEST_CMD := $(if $(CARGO_AVAILABLE),$(if $(shell $(CARGO) nextest --version 2>/dev/null),nextest run,test),) WHITAKER_CARGO_FLAGS ?= --all-targets --all-features -WHITAKER_INSTALLER_REV ?= f768c2e53c47df13658af1168a67851d388750bf +WHITAKER_INSTALLER_VERSION ?= 0.2.5 WHITAKER ?= $(or $(shell command -v whitaker 2>/dev/null),$(wildcard $(USER_WHITAKER)),whitaker) {% endif %} @@ -108,9 +108,7 @@ whitaker: ## Install Whitaker when the generated Rust lint target needs it exit 1; \ }; \ $(CARGO) install --locked \ - --git https://github.com/leynos/whitaker \ - --rev "$(WHITAKER_INSTALLER_REV)" \ - whitaker-installer; \ + whitaker-installer --version "$(WHITAKER_INSTALLER_VERSION)"; \ PATH="$(HOME)/.cargo/bin:$$PATH" whitaker-installer --cranelift; \ fi From 3f5c06910d549692b6e02e02aecd4d4a7b7309e1 Mon Sep 17 00:00:00 2001 From: leynos Date: Wed, 8 Jul 2026 13:17:22 +0200 Subject: [PATCH 2/4] Bump generate-coverage to pick up cargo-nextest checksum fixes The generated CI pinned `generate-coverage` at a revision whose recorded cargo-nextest 0.9.120 checksums no longer match the published binaries, failing the act-validation run of the rendered `use_rust` project. The new pin includes the upstream checksum corrections (leynos/shared-actions#285, #287, #289) and the binstall-ensure fix (#296). --- template/.github/workflows/ci.yml.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/.github/workflows/ci.yml.jinja b/template/.github/workflows/ci.yml.jinja index 47ba73e..5b56bec 100644 --- a/template/.github/workflows/ci.yml.jinja +++ b/template/.github/workflows/ci.yml.jinja @@ -80,7 +80,7 @@ jobs: run: make audit - name: Test and Measure Coverage - uses: leynos/shared-actions/.github/actions/generate-coverage@455d9ed03477c0026da96c2541ca26569a74acac + uses: leynos/shared-actions/.github/actions/generate-coverage@296dc4aa07acf3a7f60a54fb6bccb5672a597479 with: output-path: coverage.xml format: cobertura From 8958401dfdceb4d95ac65ea00fe17ae890959cb6 Mon Sep 17 00:00:00 2001 From: leynos Date: Wed, 8 Jul 2026 13:38:41 +0200 Subject: [PATCH 3/4] Verify the CodeScene installer and harden the Whitaker step Add `--locked` to the whitaker-installer cargo-binstall invocation in the generated CI workflow so that binstall's compile fallback resolves dependencies from the published lockfile, keeping fallback builds reproducible. Run-block expressions already use plain shell variables, so no further indirection was needed. The template carried the same unverified CodeScene CLI installer pattern flagged on msgspec-crockford#9: the step piped the downloaded installer straight into bash and only afterwards ran `sha256sum -c -` against a file the run block never wrote. Download the installer to a file first, verify it against `CODESCENE_CLI_SHA256` when the variable is set (failing on mismatch), emit a notice and skip verification when it is unset, and only then execute the verified script. Also align the generate-coverage shared-action pin with the estate-wide `455d9ed0` revision expected by the act-validation contract tests, which were failing on the stale `296dc4aa` pin. --- template/.github/workflows/ci.yml.jinja | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/template/.github/workflows/ci.yml.jinja b/template/.github/workflows/ci.yml.jinja index 5b56bec..68f0655 100644 --- a/template/.github/workflows/ci.yml.jinja +++ b/template/.github/workflows/ci.yml.jinja @@ -50,7 +50,7 @@ jobs: env: RUSTFLAGS: "" run: | - cargo binstall --no-confirm \ + cargo binstall --no-confirm --locked \ whitaker-installer@"${WHITAKER_INSTALLER_VERSION}" whitaker-installer --cranelift cargo install --locked cargo-audit @@ -80,7 +80,7 @@ jobs: run: make audit - name: Test and Measure Coverage - uses: leynos/shared-actions/.github/actions/generate-coverage@296dc4aa07acf3a7f60a54fb6bccb5672a597479 + uses: leynos/shared-actions/.github/actions/generate-coverage@455d9ed03477c0026da96c2541ca26569a74acac with: output-path: coverage.xml format: cobertura @@ -92,10 +92,14 @@ jobs: - name: Install CodeScene Coverage CLI if: env.CS_ACCESS_TOKEN != '' run: | - curl -fsSL https://downloads.codescene.io/enterprise/cli/install-cs-coverage-tool.sh | bash -s -- -y + curl -fsSL --output install-cs-coverage-tool.sh \ + https://downloads.codescene.io/enterprise/cli/install-cs-coverage-tool.sh if [ -n "${CODESCENE_CLI_SHA256:-}" ]; then echo "${CODESCENE_CLI_SHA256} install-cs-coverage-tool.sh" | sha256sum -c - + else + echo "::notice::CODESCENE_CLI_SHA256 is not set; skipping installer checksum verification" fi + bash install-cs-coverage-tool.sh -y - name: Upload coverage to CodeScene if: env.CS_ACCESS_TOKEN != '' From 491781655f2183c1bc39c8fab60a6c260d5ac806 Mon Sep 17 00:00:00 2001 From: leynos Date: Wed, 8 Jul 2026 13:44:11 +0200 Subject: [PATCH 4/4] Bump generate-coverage to the checksum-fixed revision The generated CI pinned `generate-coverage` at a revision whose recorded cargo-nextest 0.9.120 checksums no longer match the published binaries, which fails the act-validation run of the rendered `use_rust` project. Move the pin to a revision carrying the upstream checksum corrections (leynos/shared-actions#285, #287, #289) and the binstall-ensure fix (#296), and update the CI contract and helper fixture to expect the new revision so the pin and the contract cannot drift apart again. --- template/.github/workflows/ci.yml.jinja | 2 +- tests/helpers/ci_contracts.py | 2 +- tests/test_helpers.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/template/.github/workflows/ci.yml.jinja b/template/.github/workflows/ci.yml.jinja index 68f0655..1a3b7fe 100644 --- a/template/.github/workflows/ci.yml.jinja +++ b/template/.github/workflows/ci.yml.jinja @@ -80,7 +80,7 @@ jobs: run: make audit - name: Test and Measure Coverage - uses: leynos/shared-actions/.github/actions/generate-coverage@455d9ed03477c0026da96c2541ca26569a74acac + uses: leynos/shared-actions/.github/actions/generate-coverage@296dc4aa07acf3a7f60a54fb6bccb5672a597479 with: output-path: coverage.xml format: cobertura diff --git a/tests/helpers/ci_contracts.py b/tests/helpers/ci_contracts.py index 2226dec..3511bb7 100644 --- a/tests/helpers/ci_contracts.py +++ b/tests/helpers/ci_contracts.py @@ -71,7 +71,7 @@ def assert_ci_coverage_action_contract( assert ( coverage_step.get("uses") == "leynos/shared-actions/.github/actions/generate-coverage" - "@455d9ed03477c0026da96c2541ca26569a74acac" + "@296dc4aa07acf3a7f60a54fb6bccb5672a597479" ), "expected CI to use the pinned shared coverage action" coverage_inputs = require_mapping(coverage_step, "with", "coverage step") assert coverage_inputs.get("output-path") == "coverage.xml", ( diff --git a/tests/test_helpers.py b/tests/test_helpers.py index b549b42..e9cca5c 100644 --- a/tests/test_helpers.py +++ b/tests/test_helpers.py @@ -501,7 +501,7 @@ def _ci_workflow(*, persist_credentials: str, coverage_inputs: str) -> str: with: persist-credentials: {persist_credentials} - name: Test and Measure Coverage - uses: leynos/shared-actions/.github/actions/generate-coverage@455d9ed03477c0026da96c2541ca26569a74acac + uses: leynos/shared-actions/.github/actions/generate-coverage@296dc4aa07acf3a7f60a54fb6bccb5672a597479 with: output-path: coverage.xml format: cobertura