The `github.sha` is a merge commit with the parents of latest master
and the head of the pr. Trying to diff the changes from that merge
SHA to base will show all changes that have been made in-between.
And that doesn't seem about right.
We switch to `github.event.pull_request.head.sha` if there is a pr.
See: https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/version-bump.20CI.20failing
I've been having some repos not updated lately. RenovateBot project's theory is
that its because RenovateBot is scheduled to run once every 3 hours and
checks the schedule at that point while the schedules I use only offers
an exact 3 hour window, making this a race condition. The schedule
originally came from RenovateBot but they changed their polling
schedule.
See https://github.com/renovatebot/renovate/discussions/23642#discussioncomment-6618560
This will update `Cargo.toml` and `Cargo.lock` at the same time. By
default, all dependencies will be updated, so we pull out the compatible
dependencies into a consolidated PR.
This starts off with the dependency dashboard and automerging being
disabled but explicitly specified to call attention to the potential for
this. We can evaluate these later.
chore: make credential dependencies platform-specific
### What does this PR try to resolve?
Starting from #11993, we made `cargo-credential-macos-keychain` and `cargo-credential-wincred` able to build on all platforms. However, some of their dependencies are not. This PR turns them into platform specific dependencies to circumvent the situation.
### How should we test and review this PR?
Run the following commands on all platforms Cargo supports.
```
cargo check --workspace --exclude cargo-credential-gnome-secret
```
chore(ci): Enforce cargo-deny in CI
With #11448, we are pulling in a wide and deep dependency tree which makes it harder for us to track what we are pulling in over time.
I've been trying out [`cargo-deny`](https://github.com/EmbarkStudios/cargo-deny) on my projects and wanted to explore how useful it might be for cargo. atm I only have it configured to fail for unexpected licenses. We can also use its warnings to hunt down and remove duplicated dependencies to speed up our builds.
I did also enable advisories. We ignore the failure in a way to not block PRs or even show up as failure in PRs as PR authors are not responsible for dealing with these (unless its a new dep) and it can be intimidating as a contributor to see a failure and have no idea how to resolve it (as authors generally assume CI is green and failures are there fault)
I did not go too much further into what all `cargo-deny` can do; there might be more we can leverage.
This allows to use `gitoxide` for all fetch operations, boosting performance
for fetching the `crates.io` index by a factor of 2.2x, while being consistent
on all platforms.
For trying it, nightly builds of `cargo` can specify `-Zgitoxide=fetch`.
It's also possible to set the `__CARGO_USE_GITOXIDE_INSTEAD_OF_GIT2=1` environment
variable (value matters), which is when `-Zgitoxide=none` can be used
to use `git2` instead.
Limitations
-----------
Note that what follows are current shortcomings that will be addressed in future PRs.
- it's likely that authentication around the `ssh` protocol will work differently in practice
as it uses the `ssh` program.
- clones from `file://` based crates indices will need the `git` binary to serve the locatl repository.
- the progress bar shown when fetching doesn't work like the orgiinal, but should already feel 'faster'.
We skip failure for advisories on the step, rather than the job, to not
distract contributors in thinking they broke something as that bubbles
up into the PR job summary.
Previously mdbook was bumped in #11646 for contrib.yml worflow
but main.yaml workflow. This makes the two in sync and also
upgrades to the latest 0.4.27. (Though there is nothing really
changed for application users as us)
