fix(ci): unblock main + tighten rust-cache keying

lingcoder · lingcoder · commit 034179aa8a08 · 2026-04-17T15:29:30.000+08:00
- crab-fs glob: use sort_by_key to satisfy clippy::unnecessary_sort_by
- crab-common ca_certs: inject env sources in tests so ubuntu runner's
  SSL_CERT_FILE (system bundle) doesn't pollute assertions
- deny.toml: allow MIT-0 (borrow-or-share via fluent-uri, OSI approved,
  strictly more permissive than MIT)
- ci.yml: share cache key between check + test-ubuntu jobs, disable
  CARGO_INCREMENTAL, trim debuginfo, prefer git CLI for fetches
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,6 +8,14 @@ on:
 env:
   CARGO_TERM_COLOR: always
   RUSTFLAGS: -Dwarnings
+  # Disable incremental compilation on CI: unused by fresh builds and
+  # wastes cache space. See https://matklad.github.io/2021/09/04/fast-rust-builds.html
+  CARGO_INCREMENTAL: 0
+  # Use git CLI for cargo fetches — more reliable on Windows than libgit2.
+  CARGO_NET_GIT_FETCH_WITH_CLI: true
+  # Shrink debuginfo to speed compile + cache. Tests still run fine.
+  CARGO_PROFILE_DEV_DEBUG: "line-tables-only"
+  CARGO_PROFILE_TEST_DEBUG: "line-tables-only"
 
 jobs:
   check:
@@ -20,6 +28,14 @@ jobs:
           toolchain: stable
           components: rustfmt, clippy
       - uses: Swatinem/rust-cache@v2
+        with:
+          # Share cache between check & test on ubuntu — same toolchain
+          # + Cargo.lock → same dependency graph, so this is safe and
+          # roughly halves cold-start time for the test-ubuntu job.
+          shared-key: "ubuntu-stable"
+          # Save cache even if a step fails. Keeps warm cache primed so
+          # the next run (after fix) can benefit.
+          save-if: ${{ github.ref == 'refs/heads/main' }}
       - run: cargo fmt --all --check
       - run: cargo clippy --workspace -- -D warnings
       - run: cargo check --workspace
@@ -39,6 +55,11 @@ jobs:
         with:
           toolchain: stable
       - uses: Swatinem/rust-cache@v2
+        with:
+          # Ubuntu shares the check job's cache (same shared-key); win/mac
+          # get their own per-OS cache (rust-cache keys on OS automatically).
+          shared-key: ${{ matrix.os == 'ubuntu-latest' && 'ubuntu-stable' || '' }}
+          save-if: ${{ github.ref == 'refs/heads/main' }}
       - uses: taiki-e/install-action@nextest
         continue-on-error: true
         id: nextest
diff --git a/crates/common/src/utils/ca_certs.rs b/crates/common/src/utils/ca_certs.rs
@@ -80,19 +80,40 @@ impl CaBundle {
 /// Returns `Err` only on invalid PEM data in a file that was otherwise
 /// readable. Missing files / missing env vars are not errors.
 pub fn load_ca_bundle(extra_paths: &[PathBuf]) -> crate::Result<CaBundle> {
+    let env = EnvSources {
+        crab_bundle: std::env::var(CRAB_CA_BUNDLE_ENV).ok(),
+        ssl_cert_file: std::env::var(SSL_CERT_FILE_ENV).ok(),
+        ssl_cert_dir: std::env::var(SSL_CERT_DIR_ENV).ok(),
+    };
+    load_ca_bundle_with_env(&env, extra_paths)
+}
+
+/// Env-var inputs to the CA loader.
+///
+/// Split out from [`load_ca_bundle`] so tests can inject a hermetic
+/// environment instead of reading the process's real env (which on CI
+/// runners includes system-wide cert bundles that pollute assertions).
+#[derive(Debug, Default, Clone)]
+struct EnvSources {
+    crab_bundle: Option<String>,
+    ssl_cert_file: Option<String>,
+    ssl_cert_dir: Option<String>,
+}
+
+fn load_ca_bundle_with_env(env: &EnvSources, extra_paths: &[PathBuf]) -> crate::Result<CaBundle> {
     let mut bundle = CaBundle::default();
 
     // 1. CRAB_CA_BUNDLE (single file, takes priority)
-    if let Ok(path) = std::env::var(CRAB_CA_BUNDLE_ENV) {
-        try_load_file(&mut bundle, Path::new(&path));
+    if let Some(path) = env.crab_bundle.as_deref() {
+        try_load_file(&mut bundle, Path::new(path));
     }
     // 2. SSL_CERT_FILE
-    if let Ok(path) = std::env::var(SSL_CERT_FILE_ENV) {
-        try_load_file(&mut bundle, Path::new(&path));
+    if let Some(path) = env.ssl_cert_file.as_deref() {
+        try_load_file(&mut bundle, Path::new(path));
     }
     // 3. SSL_CERT_DIR
-    if let Ok(dir) = std::env::var(SSL_CERT_DIR_ENV) {
-        try_load_dir(&mut bundle, Path::new(&dir));
+    if let Some(dir) = env.ssl_cert_dir.as_deref() {
+        try_load_dir(&mut bundle, Path::new(dir));
     }
     // 4. Caller extras
     for path in extra_paths {
@@ -256,13 +277,19 @@ mod tests {
         );
     }
 
+    /// Hermetic load: no env vars, only explicit paths. Used by tests to
+    /// avoid picking up the CI runner's system cert bundle (e.g. Ubuntu
+    /// sets `SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt`, which
+    /// would add hundreds of certs and break `assert_eq!(b.len(), N)`).
+    fn load_hermetic(extra_paths: &[PathBuf]) -> CaBundle {
+        load_ca_bundle_with_env(&EnvSources::default(), extra_paths).unwrap()
+    }
+
     #[test]
     fn load_missing_env_returns_empty_bundle() {
-        // None of the env vars are set in this test; nothing loaded.
-        let b = load_ca_bundle(&[]).unwrap();
-        // May not be empty if the user's env already has SSL_CERT_FILE set,
-        // so check the weaker property: no-extra-paths load succeeds.
-        let _ = b;
+        let b = load_hermetic(&[]);
+        assert!(b.is_empty());
+        assert_eq!(b.len(), 0);
     }
 
     #[test]
@@ -272,7 +299,7 @@ mod tests {
         let mut f = fs::File::create(&path).unwrap();
         f.write_all(CERT_A.as_bytes()).unwrap();
 
-        let b = load_ca_bundle(std::slice::from_ref(&path)).unwrap();
+        let b = load_hermetic(std::slice::from_ref(&path));
         assert_eq!(b.len(), 1);
         assert_eq!(b.sources, vec![path]);
     }
@@ -284,15 +311,15 @@ mod tests {
         fs::write(tmp.path().join("b.crt"), CERT_B).unwrap();
         fs::write(tmp.path().join("readme.txt"), "ignored").unwrap();
 
-        let b = load_ca_bundle(std::slice::from_ref(&tmp.path().to_path_buf())).unwrap();
+        let b = load_hermetic(std::slice::from_ref(&tmp.path().to_path_buf()));
         assert_eq!(b.len(), 2);
         assert_eq!(b.sources.len(), 2);
     }
 
     #[test]
     fn load_extra_path_nonexistent_is_silent() {
-        let b = load_ca_bundle(&[PathBuf::from("/definitely/does/not/exist/bundle.pem")]).unwrap();
-        let _ = b;
+        let b = load_hermetic(&[PathBuf::from("/definitely/does/not/exist/bundle.pem")]);
+        assert!(b.is_empty());
     }
 
     #[test]
@@ -301,7 +328,7 @@ mod tests {
         let path = tmp.path().join("empty.pem");
         fs::write(&path, "just some text, no BEGIN CERTIFICATE").unwrap();
 
-        let b = load_ca_bundle(std::slice::from_ref(&path)).unwrap();
+        let b = load_hermetic(std::slice::from_ref(&path));
         // The file was readable but had no valid blocks; bundle stays empty.
         assert_eq!(b.len(), 0);
     }
diff --git a/crates/fs/src/glob.rs b/crates/fs/src/glob.rs
@@ -111,7 +111,7 @@ pub fn find_files(opts: &GlobOptions<'_>) -> crab_common::Result<GlobResult> {
     }
 
     // 4. Sort by mtime descending (most recent first)
-    entries.sort_by(|a, b| b.1.cmp(&a.1));
+    entries.sort_by_key(|e| std::cmp::Reverse(e.1));
 
     // 5. Truncate at limit
     let truncated = opts.limit > 0 && entries.len() > opts.limit;
diff --git a/deny.toml b/deny.toml
@@ -10,6 +10,7 @@ allow = [
     "Apache-2.0",
     "Apache-2.0 WITH LLVM-exception",
     "MIT",
+    "MIT-0",
     "BSD-2-Clause",
     "BSD-3-Clause",
     "ISC",

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ pub fn find_files(opts: &GlobOptions<'_>) -> crab_common::Result<GlobResult> {`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`// 4. Sort by mtime descending (most recent first)`
`114`		`- entries.sort_by(\|a, b\| b.1.cmp(&a.1));`
	`114`	`+ entries.sort_by_key(\|e\| std::cmp::Reverse(e.1));`
`115`	`115`
`116`	`116`	`// 5. Truncate at limit`
`117`	`117`	`let truncated = opts.limit > 0 && entries.len() > opts.limit;`