Skip to content

deps(v4): consolidate Cargo bumps + API migrations + ubuntu 26.04 docs#306

Merged
pacphi merged 11 commits into
v4from
chore/bulk-deps-update-v4
May 14, 2026
Merged

deps(v4): consolidate Cargo bumps + API migrations + ubuntu 26.04 docs#306
pacphi merged 11 commits into
v4from
chore/bulk-deps-update-v4

Conversation

@pacphi

@pacphi pacphi commented May 13, 2026

Copy link
Copy Markdown
Owner

Summary

Consolidates PRs #266, #269, #294, #295, #296 with API migrations for breaking changes.

Cargo bumps applied:

API migrations:

  • keyless.rs: pkcs8::der::{Decode,Encode}x509_cert::der::{Decode,Encode} — fixes der 0.7/0.8 version split (pkcs8 0.11 uses der 0.8; x509-cert 0.2.5 uses der 0.7)
  • file.rs: removed rand::RngCore import (no longer re-exported in rand 0.10); replaced rng().fill_bytes() with rand::random::<[u8;12]>()

rand_core note: sindri-registry/Cargo.toml kept at rand_core = "0.6" because p256 0.13 / ecdsa 0.16 still use rand_core::OsRng from 0.6 in test helpers. A full rand_core 0.9 migration requires coordinating p256 0.14+ / ecdsa 0.17+ upgrades.

Ubuntu 26.04 consistency (docs):

  • TARGETS.md: ubuntu:24.04ubuntu:26.04 in example docker target config
  • ADR-009: ubuntu-24.04-armubuntu-26.04-arm in CI matrix table

Test plan

  • cargo fmt --all --check — passes
  • cargo clippy --workspace --all-targets -- -D warnings — passes (0 errors)
  • cargo test --workspace — all tests pass
  • cargo run -p schema-gen -- --check — all 5 schemas up to date
  • cargo run -p target-doc-gen -- --check — docs up to date

Closes: #266, #294, #295, #296
Partially closes: #269 (rand_core 0.9 in registry requires p256/ecdsa upgrade)

🤖 Generated with Claude Code

dependabot Bot and others added 11 commits May 13, 2026 16:03
Bumps [pkcs8](https://github.com/RustCrypto/formats) from 0.10.2 to 0.11.0.
- [Commits](RustCrypto/formats@pkcs8/v0.10.2...pkcs8/v0.11.0)

---
updated-dependencies:
- dependency-name: pkcs8
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [rand_core](https://github.com/rust-random/rand_core) from 0.6.4 to 0.9.5.
- [Release notes](https://github.com/rust-random/rand_core/releases)
- [Changelog](https://github.com/rust-random/rand_core/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rust-random/rand_core/commits)

---
updated-dependencies:
- dependency-name: rand_core
  dependency-version: 0.9.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the tokio-ecosystem group in /v4 with 1 update: [tokio](https://github.com/tokio-rs/tokio).


Updates `tokio` from 1.52.1 to 1.52.2
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](tokio-rs/tokio@tokio-1.52.1...tokio-1.52.2)

---
updated-dependencies:
- dependency-name: tokio
  dependency-version: 1.52.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tokio-ecosystem
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [jsonschema](https://github.com/Stranger6667/jsonschema) from 0.46.3 to 0.46.4.
- [Release notes](https://github.com/Stranger6667/jsonschema/releases)
- [Changelog](https://github.com/Stranger6667/jsonschema/blob/master/CHANGELOG.md)
- [Commits](Stranger6667/jsonschema@ruby-v0.46.3...ruby-v0.46.4)

---
updated-dependencies:
- dependency-name: jsonschema
  dependency-version: 0.46.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [rand](https://github.com/rust-random/rand) from 0.9.4 to 0.10.1.
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md)
- [Commits](rust-random/rand@0.9.4...0.10.1)

---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…ntu docs

pkcs8 0.11 / der 0.8 migration:
- keyless.rs: replace pkcs8::der::{Decode,Encode} with x509_cert::der::{Decode,Encode}
  to resolve der 0.7/0.8 version split (x509-cert uses der 0.7, pkcs8 0.11 uses der 0.8)

rand 0.10 migration:
- file.rs: remove rand::RngCore import (no longer re-exported); replace
  rng().fill_bytes() with rand::random::<[u8;12]>() (idiomatic rand 0.10)

rand_core compatibility:
- sindri-registry/Cargo.toml: keep rand_core at "0.6" (p256/ecdsa 0.16/0.13
  still require rand_core 0.6 OsRng; coordinated upgrade requires p256 bump)

ubuntu consistency (docs):
- TARGETS.md: ubuntu:24.04 → ubuntu:26.04 in example target config
- ADR-009: ubuntu-24.04-arm → ubuntu-26.04-arm in CI matrix table

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
paths.rs:
- Add ENV_LOCK mutex to home_dir_* tests that mutate SINDRI_HOME; prevents
  concurrent test runs from racing on the global env var (flaky on ubuntu-latest)

registry/mod.rs:
- detect_source_kind: replace starts_with('/') with Path::is_absolute() so
  Windows drive-letter paths (C:\...) are accepted as absolute paths
  (was failing detect_source_kind_absolute_path_* on windows-latest CI)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
HOME env var is ignored by dirs_next on Windows (uses Win32 API instead).
SINDRI_HOME is the portable override designed for exactly this: tests that
redirect the binary's home dir to a tempdir.

Fixes: init_policy_with_global_flag_writes_to_home,
       policy_use_global_flag_writes_to_home on windows-latest CI

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
On Windows, pick_variant falls back to the .sh file when no .ps1 exists.
Previously build_command keyed on OS alone and would invoke such a .sh
script with pwsh, which is wrong — .sh files must run under bash.

Switch to extension-based dispatch:
- .ps1 → pwsh -NonInteractive -File
- .sh (or anything else) → bash

Bash is available on all GitHub-hosted Windows runners via Git for Windows.

Fixes: hooks::tests::install_phase_invokes_bash_with_argv on windows-latest

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Background: Windows CI runs intermittently fail with env-var race tests
(platform::current_env_override_*, home_dir_honours_sindri_home_env,
etc.). The race is between concurrent test threads mutating the global
environ table — std::env::set_var is not thread-safe.

Pattern: per-crate `pub(crate) static ENV_LOCK: Mutex<()>` shared across
all tests in that crate's test binary. Any test calling env::set_var or
env::remove_var first acquires the lock. Mirrors the existing convention
in sindri-targets::well_known::ENV_LOCK.

Changes:
- sindri-core: ENV_LOCK promoted from paths.rs::tests-local to file-level
  pub(crate). platform.rs now uses it across all three env-override tests
  (fixes flaky `current_env_override_macos_aarch64`).
- sindri-extensions: new ENV_LOCK in lib.rs; applied to 5 env-mutating
  tests in redeemer.rs.
- sindri-secrets: new ENV_LOCK in lib.rs; applied to 2 async env tests in
  backends/env.rs with #[allow(clippy::await_holding_lock)] since the
  serialisation is intentional.
- sindri (binary): new ENV_LOCK in commands/mod.rs; applied to 1 test in
  rollback.rs and 3 tests in commands/secrets.rs.

Also picks up rustfmt's normalisation of build_command in
sindri-extensions/src/hooks.rs.

These fixes are pure test infrastructure — no runtime user impact.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The earlier ENV_LOCK consolidation covered the home_dir_* tests but
missed the three sindri_subpath_* tests in the same module, which
mutate SINDRI_HOME_ENV the same way. Under concurrent test execution,
those unlocked mutations race with the locked home_dir_* tests and
intermittently fail (observed on windows-latest CI).

Add the lock acquisition to all three sindri_subpath_* tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pacphi pacphi merged commit 8533a90 into v4 May 14, 2026
6 checks passed
@pacphi pacphi deleted the chore/bulk-deps-update-v4 branch May 14, 2026 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant