build(deps): update all Rust dependencies and fix lockfile refresh workflow #704
Bulk-update all Cargo.lock files across the workspace and bindings to their latest compatible versions. This supersedes the individual per-directory dependabot PRs (microsoft#678-microsoft#682) that fail CI due to version skew when only one lockfile is updated. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Updates Rust dependency lockfiles across the repo and adjusts the dependabot lockfile refresh workflow to avoid dependency version skew across multiple Cargo.lock files.
Changes:
- Refreshed `Cargo.lock` in the root workspace and in each bindings workspace (ffi/java/python/ruby/wasm).
- Updated the `dependabot-refresh-cargo-lockfiles` workflow to refresh all lockfiles whenever any Cargo manifest/lockfile changes are detected (plus `tests/ensure_no_std`).
Reviewed changes
Copilot reviewed 1 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Cargo.lock | Root workspace lockfile refreshed to latest compatible dependency versions. |
| bindings/ffi/Cargo.lock | FFI bindings workspace lockfile refreshed. |
| bindings/java/Cargo.lock | Java bindings workspace lockfile refreshed. |
| bindings/python/Cargo.lock | Python bindings workspace lockfile refreshed. |
| bindings/ruby/Cargo.lock | Ruby bindings workspace lockfile refreshed. |
| bindings/wasm/Cargo.lock | WASM bindings workspace lockfile refreshed. |
| .github/workflows/dependabot-refresh-cargo-lockfiles.yml | Workflow updated to refresh all lockfiles rather than only those in touched directories. |
Pull request overview
Bulk refresh of Rust dependency lockfiles across the workspace and language bindings, plus an update to the Dependabot lockfile-refresh workflow to avoid version skew across multiple Cargo.lock files on Dependabot PRs.
Changes:
- Updated Rust dependencies across the root workspace and binding lockfiles (`cargo update`-style refresh).
- Changed the Dependabot refresh workflow to refresh all lockfiles whenever any Cargo manifest/lockfile changes are detected.
- Added a fetch step intended to ensure the PR base commit is available locally for diffing in `pull_request_target`.
Reviewed changes
Copilot reviewed 1 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Cargo.lock | Root workspace lockfile refreshed to latest compatible dependency versions. |
| bindings/ffi/Cargo.lock | Binding lockfile refreshed to keep in sync with workspace dependency updates. |
| bindings/java/Cargo.lock | Binding lockfile refreshed to keep in sync with workspace dependency updates. |
| bindings/python/Cargo.lock | Binding lockfile refreshed to keep in sync with workspace dependency updates. |
| bindings/ruby/Cargo.lock | Binding lockfile refreshed to keep in sync with workspace dependency updates. |
| bindings/wasm/Cargo.lock | Binding lockfile refreshed to keep in sync with workspace dependency updates. |
| .github/workflows/dependabot-refresh-cargo-lockfiles.yml | Workflow adjusted to always refresh all lockfiles and to fetch the PR base commit for diffing. |
Pull request overview
Updates Rust dependencies across the workspace and all binding crates, and fixes the dependabot-refresh-cargo-lockfiles workflow so Dependabot PRs don’t end up with skewed Cargo.lock versions across directories (while also hardening the workflow against expression injection).
Changes:
- Bulk refresh `Cargo.lock` in the root workspace and each binding crate (ffi/java/python/ruby/wasm).
- Update the Dependabot lockfile-refresh workflow to refresh all lockfiles whenever any Cargo manifest/lockfile changes are detected (including `tests/ensure_no_std`).
- Add defense-in-depth validation and clearer security boundary documentation in the workflow.
Reviewed changes
Copilot reviewed 1 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Cargo.lock | Refresh root workspace lockfile to latest compatible dependency graph. |
| bindings/ffi/Cargo.lock | Refresh FFI binding lockfile to match updated dependency graph. |
| bindings/java/Cargo.lock | Refresh Java binding lockfile to match updated dependency graph. |
| bindings/python/Cargo.lock | Refresh Python binding lockfile to match updated dependency graph. |
| bindings/ruby/Cargo.lock | Refresh Ruby binding lockfile (notably includes bindgen/rb-sys updates). |
| bindings/wasm/Cargo.lock | Refresh WASM binding lockfile (incl. wasm-bindgen/wit-bindgen updates). |
| .github/workflows/dependabot-refresh-cargo-lockfiles.yml | Refresh all lockfiles unconditionally on Cargo changes; add SHA/ref validation and security commentary. |
Addressed the two unresolved review comments:
(branch force-pushed from a3f0231 to 3123c04)
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Bulk-updates Rust dependencies while fixing the dependabot-refresh-cargo-lockfiles workflow so dependabot PRs don’t fail due to lockfile skew, and adds defense-in-depth hardening against expression injection in the workflow.
Changes:
- Refreshed `Cargo.lock` files across the workspace/bindings to align dependency versions.
- Updated the refresh workflow to regenerate all Cargo lockfiles upon any Cargo manifest/lockfile change (including `tests/ensure_no_std`).
- Hardened workflow handling of PR refs/SHAs (validation + safer fetch/diff/push patterns).
Comments suppressed due to low confidence (1)

.github/workflows/dependabot-refresh-cargo-lockfiles.yml:128

- If the refresh step produces no lockfile changes (e.g., everything is already up to date), `lockfiles` will be empty and `git commit` will fail with “nothing to commit” (due to `set -e`), breaking the workflow. Add an explicit guard to exit successfully when `${#lockfiles[@]}` is `0` (or conditionally run commit/push only when `git diff --cached --quiet` is false after staging).

```bash
mapfile -t lockfiles < <(git ls-files -m -o --exclude-standard -- ':(glob)**/Cargo.lock')
for lockfile in "${lockfiles[@]}"; do
  git add "$lockfile"
done
```
(branch force-pushed from 912c86c to 8877788)
Pull request overview
Copilot reviewed 1 out of 7 changed files in this pull request and generated 1 comment.
Re: cargo metadata doesn't propagate version bumps

Good catch. Switched from
Also removed the separate
Pull request overview
Copilot reviewed 1 out of 7 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 1 out of 7 changed files in this pull request and generated 3 comments.
Dependabot security updates bypass the grouped-updates config and
create per-directory PRs (one per Cargo.lock). This causes version
skew — e.g. rand gets bumped in bindings/ruby but stays old elsewhere,
breaking the build.
Fix by unconditionally refreshing all lockfiles whenever any Cargo
manifest or lockfile changes, rather than only the affected directory.
Also harden the workflow against expression injection:
- Move head.ref and base_ref to env vars (not inline ${{ }})
- Validate refs via git check-ref-format --branch
- Validate SHA format (hex, 40 chars) before use
- Fetch base branch by ref (not bare SHA) for reliable diffing
- Add security boundary comment on untrusted code checkout
- Add version comment on pinned checkout action SHA
Ref: dependabot/dependabot-core#7547
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
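The ref/SHA validation listed in the commit message above and the empty-`lockfiles` guard raised in the earlier suppressed review comment, written out as an added bash example that is not the repository's workflow file (function names are hypothetical; it assumes bash 4+ and git on PATH):

```shell
#!/usr/bin/env bash
# Added example, not the repository's workflow file: the checks the PR
# describes as reusable functions. Function and variable names are
# hypothetical; in the real workflow the inputs arrive via `env:` entries.
set -euo pipefail

# Accept only a branch name git itself considers well formed. This rejects
# "..", control characters, a leading "-" and similar, so a crafted head.ref
# cannot be read as an option or point outside the expected namespace.
validate_ref() {
  git check-ref-format --branch "$1" >/dev/null 2>&1
}

# Accept only a full 40-character lowercase hex commit id before it is used
# in fetch/diff commands.
validate_sha() {
  [[ "$1" =~ ^[0-9a-f]{40}$ ]]
}

# Stage every modified or untracked Cargo.lock and print how many were staged.
# Callers skip commit/push when the count is 0; committing an empty index
# under `set -e` is the "nothing to commit" failure noted in review.
stage_changed_lockfiles() {
  local -a lockfiles
  mapfile -t lockfiles < <(git ls-files -m -o --exclude-standard -- ':(glob)**/Cargo.lock')
  if [ "${#lockfiles[@]}" -gt 0 ]; then
    git add -- "${lockfiles[@]}"
  fi
  printf '%s\n' "${#lockfiles[@]}"
}

# Entry point mirroring the workflow's commit step. HEAD_REF and HEAD_SHA are
# constructed defaults standing in for the PR's head.ref / head.sha. The
# rejected values are deliberately not echoed, to keep job logs clean.
refresh_and_commit() {
  local head_ref="${HEAD_REF:-dependabot/cargo/rand-0.9.1}"
  local head_sha="${HEAD_SHA:-0123456789abcdef0123456789abcdef01234567}"
  validate_ref "$head_ref" || { echo "refusing malformed ref" >&2; return 1; }
  validate_sha "$head_sha" || { echo "refusing malformed sha" >&2; return 1; }
  local staged
  staged=$(stage_changed_lockfiles)
  if [ "$staged" -eq 0 ]; then
    echo "no lockfile changes; skipping commit and push"
    return 0
  fi
  git commit -qm "build(deps): refresh ${staged} Cargo.lock file(s)"
  echo "committed ${staged} lockfile(s) on ${head_ref}"
}
```

Run `refresh_and_commit` from the repository root after the `cargo update` step; it returns non-zero on a malformed ref or SHA and zero when there is nothing to commit.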
Pull request overview
Copilot reviewed 1 out of 7 changed files in this pull request and generated 3 comments.
Pull request overview
Copilot reviewed 1 out of 7 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)

.github/workflows/dependabot-refresh-cargo-lockfiles.yml:1

- With `persist-credentials: false`, the checkout step will not configure credentials for `origin`, and the later `git push` does not set up authentication. Also, `GH_TOKEN` is an environment variable for GitHub CLI, but `git push` will not automatically use it. As written, the push step is likely to fail with an authentication error. Recommendation: explicitly configure git credentials for the push (e.g., set the `origin` HTTPS URL to include the token / configure `http.*.extraheader`), or enable persisted credentials in `actions/checkout` for this job if that matches the intended security posture.

```yaml
# Copyright (c) Microsoft Corporation. All rights reserved.
```
Summary

Bulk-update all Rust dependencies to their latest compatible versions and fix the `dependabot-refresh-cargo-lockfiles` workflow to prevent build failures on dependabot PRs. Also hardens the workflow against expression injection vulnerabilities.

Problem

Dependabot security updates bypass the `groups`/`directories` configuration and create one PR per Cargo.lock (e.g. PRs #678–#682 each bump `rand` in a single binding directory). The existing refresh workflow only updated lockfiles for directories already changed in the PR, so the other lockfiles remained at the old version — causing version skew and build failures.

Ref: dependabot/dependabot-core#7547

Changes

1. Dependency update (`Cargo.lock` × 6)

   `cargo update` across root workspace and all bindings (ffi, java, python, ruby, wasm). Supersedes individual dependabot PRs #678–#682.

2. Workflow fix: refresh ALL lockfiles

   When any Cargo manifest or lockfile change is detected, refresh all lockfiles unconditionally (including `tests/ensure_no_std`), rather than only the affected directory.

3. Workflow security hardening

   - Move `head.ref` from inline `${{ }}` interpolation to an `env:` variable with `git check-ref-format --branch` validation before use in `git push`
   - `base_ref` to `env:` with `git check-ref-format` validation
   - `head.sha` to `env:` with hex-40 regex validation
   - Fetch base branch by ref (`refs/heads/${BASE_REF}`) instead of bare SHA for reliable diffing
   - Security boundary comment on the untrusted-code `pull_request_target` checkout step
   - Version comment on the pinned `actions/checkout` SHA

Testing

`cargo check` passes for root workspace and all bindings (ruby expected to fail locally without a Ruby installation)