From fdbc95f686190bfef3131efde06b649e4127b5e5 Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Fri, 24 Apr 2026 18:29:07 +0200
Subject: [PATCH 01/12] build: Use cargo-auditable for rust build
---
 .github/workflows/build.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0728d82..fdb85c0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -57,13 +57,19 @@ jobs:
 environments: build
 - name: Set version
 run: pixi run -e build set-version
+ - name: Install cargo-auditable
+ if: ${{ !contains(matrix.os, 'ubuntu') }}
+ run: cargo install cargo-auditable
 - name: Build wheel
 uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
+ env:
+ RUSTC_WORKSPACE_WRAPPER: cargo-auditable
 with:
 command: build
 args: --out dist --release -i python3.10
 manylinux: auto
 sccache: true
+ before-script-linux: cargo install cargo-auditable
 - name: Check package
 run: pixi run -e build check-wheel
 - name: Upload package
From d5e2d2bd0bfccd2b78c30553c305cbb48c5d0baa Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Fri, 24 Apr 2026 21:19:09 +0200
Subject: [PATCH 02/12] Use cargo-auditable only on release
---
 .github/workflows/build.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fdb85c0..81436f8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -58,18 +58,20 @@ jobs:
 - name: Set version
 run: pixi run -e build set-version
 - name: Install cargo-auditable
- if: ${{ !contains(matrix.os, 'ubuntu') }}
+ if: ${{ github.event_name == 'release' && !contains(matrix.os, 'ubuntu') }}
 run: cargo install cargo-auditable
 - name: Build wheel
 uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
 env:
- RUSTC_WORKSPACE_WRAPPER: cargo-auditable
+ # cargo-auditable and sccache both wrap rustc and cannot be composed.
+ # Only embed audit metadata for release builds; use sccache otherwise.
+ RUSTC_WORKSPACE_WRAPPER: ${{ github.event_name == 'release' && 'cargo-auditable' || '' }}
 with:
 command: build
 args: --out dist --release -i python3.10
 manylinux: auto
- sccache: true
- before-script-linux: cargo install cargo-auditable
+ sccache: ${{ github.event_name != 'release' }}
+ before-script-linux: ${{ github.event_name == 'release' && 'cargo install cargo-auditable' || '' }}
 - name: Check package
 run: pixi run -e build check-wheel
 - name: Upload package
From e9eaf49483a76bcff11fe48956931bf03c9aa037 Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Mon, 27 Apr 2026 10:19:44 +0200
Subject: [PATCH 03/12] Test for pr as well
---
 .github/workflows/build.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 81436f8..2fb6fa9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -58,20 +58,19 @@ jobs:
 - name: Set version
 run: pixi run -e build set-version
 - name: Install cargo-auditable
- if: ${{ github.event_name == 'release' && !contains(matrix.os, 'ubuntu') }}
- run: cargo install cargo-auditable
+ if: ${{ !contains(matrix.os, 'ubuntu') }}
+ run: cargo install cargo-auditable@0.7.4 --locked
 - name: Build wheel
 uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
 env:
 # cargo-auditable and sccache both wrap rustc and cannot be composed.
- # Only embed audit metadata for release builds; use sccache otherwise.
- RUSTC_WORKSPACE_WRAPPER: ${{ github.event_name == 'release' && 'cargo-auditable' || '' }}
+ RUSTC_WORKSPACE_WRAPPER: cargo-auditable
 with:
 command: build
 args: --out dist --release -i python3.10
 manylinux: auto
- sccache: ${{ github.event_name != 'release' }}
- before-script-linux: ${{ github.event_name == 'release' && 'cargo install cargo-auditable' || '' }}
+ sccache: false
+ before-script-linux: cargo install cargo-auditable@0.7.4 --locked
 - name: Check package
 run: pixi run -e build check-wheel
 - name: Upload package
From f213d44f225896571ee0ee29774b411126d2fea4 Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Mon, 27 Apr 2026 11:18:46 +0200
Subject: [PATCH 04/12] Override CARGO instead
---
 .github/workflows/build.yml | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2fb6fa9..c0ca54e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -57,20 +57,32 @@ jobs:
 environments: build
 - name: Set version
 run: pixi run -e build set-version
- - name: Install cargo-auditable
- if: ${{ !contains(matrix.os, 'ubuntu') }}
- run: cargo install cargo-auditable@0.7.4 --locked
+ - name: Install cargo-auditable (macOS)
+ if: ${{ contains(matrix.os, 'macos') }}
+ run: |
+ cargo install cargo-auditable@0.7.4 --locked
+ printf '#!/bin/sh\nexec cargo auditable "$@"\n' > /usr/local/bin/cargo-auditable-wrapper
+ chmod +x /usr/local/bin/cargo-auditable-wrapper
+ - name: Install cargo-auditable (Windows)
+ if: ${{ contains(matrix.os, 'windows') }}
+ run: |
+ cargo install cargo-auditable@0.7.4 --locked
+ Set-Content -Path "C:\Windows\System32\cargo-auditable-wrapper.cmd" -Value "@cargo auditable %*"
 - name: Build wheel
 uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
 env:
- # cargo-auditable and sccache both wrap rustc and cannot be composed.
- RUSTC_WORKSPACE_WRAPPER: cargo-auditable
+ # cargo-auditable is a cargo subcommand wrapper, not a rustc shim.
+ # Set CARGO to a thin wrapper that prepends "auditable" to every invocation.
+ CARGO: cargo-auditable-wrapper
 with:
 command: build
 args: --out dist --release -i python3.10
 manylinux: auto
 sccache: false
- before-script-linux: cargo install cargo-auditable@0.7.4 --locked
+ before-script-linux: |
+ cargo install cargo-auditable@0.7.4 --locked
+ printf '#!/bin/sh\nexec cargo auditable "$@"\n' > /usr/local/bin/cargo-auditable-wrapper
+ chmod +x /usr/local/bin/cargo-auditable-wrapper
 - name: Check package
 run: pixi run -e build check-wheel
 - name: Upload package
From d168bdf4d1b77025a736c7f132683de62d64153a Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Mon, 27 Apr 2026 14:05:33 +0200
Subject: [PATCH 05/12] Fixes
---
 .github/workflows/build.yml | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c0ca54e..a6bed30 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -57,23 +57,19 @@ jobs:
 environments: build
 - name: Set version
 run: pixi run -e build set-version
- - name: Install cargo-auditable (macOS)
- if: ${{ contains(matrix.os, 'macos') }}
+ - name: Install cargo-auditable
+ shell: bash
 run: |
- cargo install cargo-auditable@0.7.4 --locked
- printf '#!/bin/sh\nexec cargo auditable "$@"\n' > /usr/local/bin/cargo-auditable-wrapper
- chmod +x /usr/local/bin/cargo-auditable-wrapper
- - name: Install cargo-auditable (Windows)
- if: ${{ contains(matrix.os, 'windows') }}
- run: |
- cargo install cargo-auditable@0.7.4 --locked
- Set-Content -Path "C:\Windows\System32\cargo-auditable-wrapper.cmd" -Value "@cargo auditable %*"
+ if [[ "$RUNNER_OS" == "Linux" ]]; then
+ # before-script-linux installs cargo-auditable inside the manylinux container.
+ # Set CARGO on the host here so maturin-action passes it into the container.
+ echo "CARGO=/usr/local/bin/cargo-auditable" >> "$GITHUB_ENV"
+ else
+ cargo install cargo-auditable@0.7.4 --locked
+ echo "CARGO=$(which cargo-auditable)" >> "$GITHUB_ENV"
+ fi
 - name: Build wheel
 uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
- env:
- # cargo-auditable is a cargo subcommand wrapper, not a rustc shim.
- # Set CARGO to a thin wrapper that prepends "auditable" to every invocation.
- CARGO: cargo-auditable-wrapper
 with:
 command: build
 args: --out dist --release -i python3.10
@@ -81,8 +77,7 @@ jobs:
 sccache: false
 before-script-linux: |
 cargo install cargo-auditable@0.7.4 --locked
- printf '#!/bin/sh\nexec cargo auditable "$@"\n' > /usr/local/bin/cargo-auditable-wrapper
- chmod +x /usr/local/bin/cargo-auditable-wrapper
+ cp ~/.cargo/bin/cargo-auditable /usr/local/bin/cargo-auditable
 - name: Check package
 run: pixi run -e build check-wheel
 - name: Upload package
From 85a26b2e6272b5bd29fb0c66d662f54df50d569c Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Mon, 27 Apr 2026 14:54:31 +0200
Subject: [PATCH 06/12] Try with wrapper
---
 .github/workflows/build.yml | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a6bed30..c1e985d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,13 +60,26 @@ jobs:
 - name: Install cargo-auditable
 shell: bash
 run: |
+ # cargo-auditable must be invoked as "cargo auditable " (subcommand form), not as a
+ # direct CARGO replacement — the latter does not support "cargo rustc --profile".
+ # A thin wrapper script bridges the gap by forwarding all args through the subcommand.
 if [[ "$RUNNER_OS" == "Linux" ]]; then
- # before-script-linux installs cargo-auditable inside the manylinux container.
- # Set CARGO on the host here so maturin-action passes it into the container.
- echo "CARGO=/usr/local/bin/cargo-auditable" >> "$GITHUB_ENV"
+ # before-script-linux handles installation inside the manylinux container.
+ # Set CARGO on the host so maturin-action passes it into the container.
+ echo "CARGO=/usr/local/bin/cargo-auditable-wrapper" >> "$GITHUB_ENV"
+ elif [[ "$RUNNER_OS" == "Windows" ]]; then
+ REAL_CARGO="$(cygpath -w "$(which cargo)")"
+ cargo install cargo-auditable@0.7.4 --locked
+ WRAPPER="C:/cargo-auditable-wrapper.cmd"
+ printf '@"%s" auditable %%*\n' "$REAL_CARGO" > "$WRAPPER"
+ echo "CARGO=$(cygpath -w "$WRAPPER")" >> "$GITHUB_ENV"
 else
 cargo install cargo-auditable@0.7.4 --locked
- echo "CARGO=$(which cargo-auditable)" >> "$GITHUB_ENV"
+ REAL_CARGO="$(which cargo)"
+ WRAPPER="/usr/local/bin/cargo-auditable-wrapper"
+ printf '#!/bin/sh\nREAL_CARGO="%s"\nexec "$REAL_CARGO" auditable "$@"\n' "$REAL_CARGO" > "$WRAPPER"
+ chmod +x "$WRAPPER"
+ echo "CARGO=$WRAPPER" >> "$GITHUB_ENV"
 fi
 - name: Build wheel
 uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
@@ -77,7 +90,9 @@ jobs:
 sccache: false
 before-script-linux: |
 cargo install cargo-auditable@0.7.4 --locked
- cp ~/.cargo/bin/cargo-auditable /usr/local/bin/cargo-auditable
+ REAL_CARGO="$(which cargo)"
+ printf '#!/bin/sh\nREAL_CARGO="%s"\nexec "$REAL_CARGO" auditable "$@"\n' "$REAL_CARGO" > /usr/local/bin/cargo-auditable-wrapper
+ chmod +x /usr/local/bin/cargo-auditable-wrapper
 - name: Check package
 run: pixi run -e build check-wheel
 - name: Upload package
From fe3fc99a590f8ede2e8069e0d00e3c17b317a505 Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Mon, 27 Apr 2026 18:17:45 +0200
Subject: [PATCH 07/12] Add cargo env to container env
---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c1e985d..70e3ae4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -88,6 +88,7 @@ jobs:
 args: --out dist --release -i python3.10
 manylinux: auto
 sccache: false
+ docker-options: "-e CARGO=${{ env.CARGO }}"
 before-script-linux: |
 cargo install cargo-auditable@0.7.4 --locked
 REAL_CARGO="$(which cargo)"
From a7f208a2ea95f5676022c042e784f37d0d6f81dd Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Tue, 28 Apr 2026 08:32:45 +0200
Subject: [PATCH 08/12] Try simplified
---
 .github/workflows/build.yml | 32 ++++++++++++-------------------
 1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 70e3ae4..1713509 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,26 +60,19 @@ jobs:
 - name: Install cargo-auditable
 shell: bash
 run: |
- # cargo-auditable must be invoked as "cargo auditable " (subcommand form), not as a
- # direct CARGO replacement — the latter does not support "cargo rustc --profile".
- # A thin wrapper script bridges the gap by forwarding all args through the subcommand.
- if [[ "$RUNNER_OS" == "Linux" ]]; then
- # before-script-linux handles installation inside the manylinux container.
- # Set CARGO on the host so maturin-action passes it into the container.
- echo "CARGO=/usr/local/bin/cargo-auditable-wrapper" >> "$GITHUB_ENV"
- elif [[ "$RUNNER_OS" == "Windows" ]]; then
- REAL_CARGO="$(cygpath -w "$(which cargo)")"
+ # cargo-auditable must be invoked as "cargo auditable ", not as a direct CARGO
+ # replacement — the latter does not support "cargo rustc --profile". A wrapper delegates
+ # to the real cargo via PATH (no recursion risk since CARGO is set via env, not PATH).
+ if [[ "$RUNNER_OS" != "Linux" ]]; then
 cargo install cargo-auditable@0.7.4 --locked
- WRAPPER="C:/cargo-auditable-wrapper.cmd"
- printf '@"%s" auditable %%*\n' "$REAL_CARGO" > "$WRAPPER"
- echo "CARGO=$(cygpath -w "$WRAPPER")" >> "$GITHUB_ENV"
+ fi
+ if [[ "$RUNNER_OS" == "Windows" ]]; then
+ printf '@cargo auditable %%*\n' > "C:/cargo-auditable-wrapper.cmd"
+ echo "CARGO=C:\\cargo-auditable-wrapper.cmd" >> "$GITHUB_ENV"
 else
- cargo install cargo-auditable@0.7.4 --locked
- REAL_CARGO="$(which cargo)"
- WRAPPER="/usr/local/bin/cargo-auditable-wrapper"
- printf '#!/bin/sh\nREAL_CARGO="%s"\nexec "$REAL_CARGO" auditable "$@"\n' "$REAL_CARGO" > "$WRAPPER"
- chmod +x "$WRAPPER"
- echo "CARGO=$WRAPPER" >> "$GITHUB_ENV"
+ printf '#!/bin/sh\nexec cargo auditable "$@"\n' > /usr/local/bin/cargo-auditable-wrapper
+ chmod +x /usr/local/bin/cargo-auditable-wrapper
+ echo "CARGO=/usr/local/bin/cargo-auditable-wrapper" >> "$GITHUB_ENV"
 fi
 - name: Build wheel
 uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
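Review bot: In the Linux branch of the `run` block the step appends `CARGO=/usr/local/bin/cargo-auditable-wrapper` to `$GITHUB_ENV`, but that file is only created inside the manylinux container by `before-script-linux`, so every later host step of the job inherits a `CARGO` that points at an executable which does not exist on the runner; cargo itself ignores `CARGO`, but tools that spawn cargo through that variable (maturin and cargo_metadata-based tools, as far as I can tell) would fail with a not-found error. A step-level `env:` on the build step, or passing the value only through `docker-options`, keeps it scoped to its single consumer. The macOS and Windows wrappers are written to `/usr/local/bin` and the root of `C:`, locations that may be unwritable or shared between jobs on self-hosted runners; `$RUNNER_TEMP` is the job-scoped alternative, e.g. `WRAPPER="$RUNNER_TEMP/cargo-auditable-wrapper"` followed by `echo "CARGO=$WRAPPER" >> "$GITHUB_ENV"`. The `- name: Build wheel` step this feeds continues outside the hunk.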
@@ -91,8 +84,7 @@ jobs:
 docker-options: "-e CARGO=${{ env.CARGO }}"
 before-script-linux: |
 cargo install cargo-auditable@0.7.4 --locked
- REAL_CARGO="$(which cargo)"
- printf '#!/bin/sh\nREAL_CARGO="%s"\nexec "$REAL_CARGO" auditable "$@"\n' "$REAL_CARGO" > /usr/local/bin/cargo-auditable-wrapper
+ printf '#!/bin/sh\nexec cargo auditable "$@"\n' > /usr/local/bin/cargo-auditable-wrapper
 chmod +x /usr/local/bin/cargo-auditable-wrapper
 - name: Check package
 run: pixi run -e build check-wheel
From 36b45694b98a10f4232979bf21414f27fcae35fd Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Tue, 28 Apr 2026 10:59:25 +0200
Subject: [PATCH 09/12] Apply suggestions from code review
Co-authored-by: Daniel Elsner
---
 .github/workflows/build.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1713509..6a15112 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,6 +59,7 @@ jobs:
 run: pixi run -e build set-version
 - name: Install cargo-auditable
 shell: bash
+ if: github.event_name == 'release'
 run: |
 # cargo-auditable must be invoked as "cargo auditable ", not as a direct CARGO
 # replacement — the latter does not support "cargo rustc --profile". A wrapper delegates
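Review bot: With `if: github.event_name == 'release'` on the `Install cargo-auditable` step (the patch 09 hunk on this line), the wrapper scripts, the `CARGO` hand-off through `$GITHUB_ENV` and the container-side install are no longer exercised by pull-request or push builds, so a regression in that path — the Windows `.cmd` wrapper being the most fragile part — would first be noticed during a release. If the workflow has a manual or tag trigger, widening the condition to it, e.g. `if: github.event_name == 'release' || github.event_name == 'workflow_dispatch'`, keeps a cheap way to dry-run the auditable build; the `sccache`, `docker-options` and `before-script-linux` inputs of the build step must then use the same condition, otherwise the host sets `CARGO` while the container never installs the wrapper. The step's `run` block continues outside the hunk.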
@@ -80,12 +81,12 @@ jobs:
 command: build
 args: --out dist --release -i python3.10
 manylinux: auto
- sccache: false
- docker-options: "-e CARGO=${{ env.CARGO }}"
+ sccache: github.event_name != 'release'
+ # NOTE: We also need to set up cargo-auditable inside the docker container
+ # where the linux build is performed.
+ docker-options: case(github.event_name == 'release', "-e CARGO=${{ env.CARGO }}", '')
 before-script-linux: |
- cargo install cargo-auditable@0.7.4 --locked
- printf '#!/bin/sh\nexec cargo auditable "$@"\n' > /usr/local/bin/cargo-auditable-wrapper
- chmod +x /usr/local/bin/cargo-auditable-wrapper
+ ${{ case(github.event_name == 'release', 'cargo install cargo-auditable@0.7.4 --locked && printf '#!/bin/sh\nexec cargo auditable "$@"\n' > /usr/local/bin/cargo-auditable-wrapper && chmod +x /usr/local/bin/cargo-auditable-wrapper', '') }}
 - name: Check package
 run: pixi run -e build check-wheel
 - name: Upload package
From d50313dd3d3a029617310a3c043a6a0f04fff084 Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Tue, 28 Apr 2026 11:02:11 +0200
Subject: [PATCH 10/12] Apply suggestion from @delsner
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6a15112..ddd9c29 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
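Review bot: `case(...)` is not a function of the GitHub Actions expression language — the built-ins are `contains`, `startsWith`, `endsWith`, `format`, `join`, `toJSON`, `fromJSON`, `hashFiles` and the status functions — so the `docker-options` and `before-script-linux` values here, and the same construct kept on the new side of patches 10, 11 and 12, will be rejected when the workflow is parsed. The conditional the series already used in patch 02, `<cond> && <value> || ''`, is the supported idiom and is unambiguous here because the true branch is never empty. For `before-script-linux` a shell-level guard on the boolean expression result avoids quoting the whole install script as an expression string and keeps the `printf` format readable; `${{ github.event_name == 'release' }}` expands to the literal `true`/`false`, so nothing attacker-controlled reaches the shell. The `- name: Build wheel` step these inputs belong to starts outside the hunk.
```yaml
          # … unchanged: command, args, manylinux, sccache inputs and the NOTE comment …
          docker-options: ${{ github.event_name == 'release' && format('-e CARGO={0}', env.CARGO) || '' }}
          before-script-linux: |
            if [ "${{ github.event_name == 'release' }}" = "true" ]; then
              cargo install cargo-auditable@0.7.4 --locked
              printf '#!/bin/sh\nexec cargo auditable "$@"\n' > /usr/local/bin/cargo-auditable-wrapper
              chmod +x /usr/local/bin/cargo-auditable-wrapper
            fi
```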
@@ -86,7 +86,7 @@ jobs:
 # where the linux build is performed.
 docker-options: case(github.event_name == 'release', "-e CARGO=${{ env.CARGO }}", '')
 before-script-linux: |
- ${{ case(github.event_name == 'release', 'cargo install cargo-auditable@0.7.4 --locked && printf '#!/bin/sh\nexec cargo auditable "$@"\n' > /usr/local/bin/cargo-auditable-wrapper && chmod +x /usr/local/bin/cargo-auditable-wrapper', '') }}
+ ${{ case(github.event_name == 'release', 'cargo install cargo-auditable@0.7.4 --locked && printf ''#!/bin/sh\nexec cargo auditable "$@"\n'' > /usr/local/bin/cargo-auditable-wrapper && chmod +x /usr/local/bin/cargo-auditable-wrapper', '') }}
 - name: Check package
 run: pixi run -e build check-wheel
 - name: Upload package
From 0f31f45f367c549c0f4493f46f5fe407ca3edbd0 Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Tue, 28 Apr 2026 11:04:07 +0200
Subject: [PATCH 11/12] Apply suggestions from code review
Co-authored-by: Daniel Elsner
---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ddd9c29..1806462 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -81,10 +81,10 @@ jobs:
 command: build
 args: --out dist --release -i python3.10
 manylinux: auto
- sccache: github.event_name != 'release'
+ sccache: ${{ github.event_name != 'release' }}
 # NOTE: We also need to set up cargo-auditable inside the docker container
 # where the linux build is performed.
- docker-options: case(github.event_name == 'release', "-e CARGO=${{ env.CARGO }}", '')
+ docker-options: ${{ case(github.event_name == 'release', "-e CARGO=${{ env.CARGO }}", '') }}
 before-script-linux: |
 ${{ case(github.event_name == 'release', 'cargo install cargo-auditable@0.7.4 --locked && printf ''#!/bin/sh\nexec cargo auditable "$@"\n'' > /usr/local/bin/cargo-auditable-wrapper && chmod +x /usr/local/bin/cargo-auditable-wrapper', '') }}
 - name: Check package
From e03e8bf5bb350650c0652f2cc7f7572e28da2e0d Mon Sep 17 00:00:00 2001
From: Daniel Elsner
Date: Tue, 28 Apr 2026 11:08:36 +0200
Subject: [PATCH 12/12] Apply suggestion from @delsner
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1806462..d14dcb5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -84,7 +84,7 @@ jobs:
 sccache: ${{ github.event_name != 'release' }}
 # NOTE: We also need to set up cargo-auditable inside the docker container
 # where the linux build is performed.
- docker-options: ${{ case(github.event_name == 'release', "-e CARGO=${{ env.CARGO }}", '') }}
+ docker-options: ${{ case(github.event_name == 'release', format('-e CARGO={0}', env.CARGO), '') }}
 before-script-linux: |
 ${{ case(github.event_name == 'release', 'cargo install cargo-auditable@0.7.4 --locked && printf ''#!/bin/sh\nexec cargo auditable "$@"\n'' > /usr/local/bin/cargo-auditable-wrapper && chmod +x /usr/local/bin/cargo-auditable-wrapper', '') }}
 - name: Check package