Conversation
The code snippets are written with bash newer than 2014 in mind. This works fine on Linux and Windows, but not macOS.
EliahKagan added a commit to EliahKagan/gitoxide that referenced this pull request on Jan 4, 2026
Previously, we used manual `rustup` commands in some CI jobs, but the `dtolnay/rust-toolchain` action in most. That action handles various conditions nicely, and is also very convenient. One of the conditions it handles, on some operating systems, is even to install `rustup` itself, if absent.

However, we don't seem to need any of its additional functionality now or in the immediately foreseeable future. Furthermore, as tracked at dtolnay/rust-toolchain#160, it doesn't have any specific version tags for its own versions, nor any tags at all for Rust versions (instead, Rust versions are specified either in `with` keys, or by specifying a *branch* of the action named as the version). This makes it so that it can't be pinned to a version in such a way that Dependabot (or similar tools like Renovatebot) can update it. That means if we want recent toolchains, we would either have to manually (or through some ad-hoc automated method) update it regularly, or continue to specify `@master` and `@stable` as we had been doing. The latter is incompatible with the Dependabot `cooldown` period set up recently to provide partial defense against supply chain attacks.

`dtolnay/rust-toolchain` is overall high quality, and replacing it with a less used action would not necessarily confer a net gain in security. At least one other action is also actively maintained and may be mostly suitable, `actions-rust-lang/setup-rust-toolchain`, though it is less widely used. However, it wouldn't be easy to use that action correctly here, because on macOS it installs a newer version of `bash` via `brew`, placing it ahead of the very old `bash` 3 that ships with macOS. (Per actions-rust-lang/setup-rust-toolchain#10, it does this because its own script steps rely on some newer `bash` features.) It's important that the shell scripts in this repository, such as the fixture scripts run via `gix-testtools`, be run in `bash` 3 on macOS. Otherwise, we might break compatibility with most macOS systems, where often no newer `bash` has been installed. Thus, `actions-rust-lang/setup-rust-toolchain` won't work here as a drop-in replacement.

Fortunately, because all the jobs using `dtolnay/rust-toolchain` run in environments that have a working `rustup` command, which is able to install the desired versions, it's enough to replace each use of that action with a small number of `rustup` commands (and adjust how data used to parameterize it is passed around, in a few cases). This makes that change. Because `dtolnay/rust-toolchain` is now no longer used, this change should resolve all non-suppressed Zizmor alerts, as well as most CodeQL alerts.
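The commit message above turns on one supply-chain point: an action referenced by a mutable ref such as `@master` or `@stable` can neither be bumped by Dependabot nor protected by its `cooldown` period, whereas a full commit SHA can. The following is an added example, not gitoxide's own code and not part of this PR: a plain POSIX `sh` checker (so it also runs under the `bash` 3 that ships with macOS) that reports every `uses:` reference in a workflow file that is not pinned to a 40-character commit SHA. The workflow it scans is constructed here for the demonstration; its `rustup` steps and the placeholder SHA on the checkout step are assumptions, not the repository's actual CI.

```shell
#!/bin/sh
# Added example (not gitoxide's code): flag GitHub Actions `uses:` references that
# are not pinned to a full commit SHA. A ref like @master, @stable or @v4 is mutable,
# so Dependabot cannot bump it and a cooldown period has nothing to apply to.

# Print one "<lineno>:<action>@<ref>" line per reference that is not pinned to a
# 40-hex commit SHA. Returns 1 if any such reference was found, 0 otherwise.
find_unpinned_uses() {
  file="$1"
  found=0
  # Extract "<lineno>:<owner/repo[/path]@ref>" from each `uses:` line. Local
  # actions (./...) have no ref, so the grep pattern already skips them;
  # docker:// references are skipped below for the same reason.
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    case "$entry" in *:docker://*) continue ;; esac
    ref="${entry##*@}"
    case "$ref" in
      *[!0-9a-f]*|"") found=1; printf '%s\n' "$entry" ;;  # not purely hex, or no ref
      *) if [ "${#ref}" -ne 40 ]; then found=1; printf '%s\n' "$entry"; fi ;;
    esac
  done <<EOF
$(grep -nE '^[[:space:]-]*uses:[[:space:]]*[^./[:space:]]' "$file" \
    | sed -E "s/^([0-9]+):[[:space:]-]*uses:[[:space:]]*[\"']?([^\"' #]+).*/\1:\2/" \
    || true)
EOF
  return $found
}

# Constructed sample workflow (assumption, not gitoxide's CI). The `old` job uses
# the action with the mutable refs the commit message describes; the `new` job
# uses plain `rustup` commands, which leave no action ref for Dependabot to track.
make_sample_workflow() {
  cat > "$1" <<'EOF'
name: ci
on: [push]
jobs:
  old:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: nightly
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo test
  new:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/local-setup
      - run: rustup toolchain install stable --profile minimal --no-self-update
      - run: rustup default stable
      - run: cargo test
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
make_sample_workflow "$sample"
if find_unpinned_uses "$sample"; then
  echo "all uses: references are pinned to commit SHAs"
else
  echo "the references above are mutable; pin them to a commit SHA so Dependabot can bump them"
fi
rm -f "$sample"
```

Run it against `.github/workflows/*.yml` in place of the constructed sample; a non-zero exit makes it usable as a CI gate. Reusable-workflow references (`jobs.<id>.uses: org/repo/.github/workflows/x.yml@main`) are caught by the same pattern, since they are also mutable refs.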
Fixes #9