chore: build hygiene — MSRV job, cache scoping, dep dedup#73
Merged
pratyush618 merged 4 commits intomainfrom Apr 24, 2026
Merged
chore: build hygiene — MSRV job, cache scoping, dep dedup#73pratyush618 merged 4 commits intomainfrom
pratyush618 merged 4 commits intomainfrom
Conversation
Aligns with the rest of the crypto stack (digest / block-buffer / sha2 / sha1 / rsa / p256 / ecdsa), removing duplicate compilations. Also drops an unused `Sha2Digest` import surfaced by the rebuild.
New job verifies the declared rust-version = "1.75" actually compiles. Matrix and MSRV caches now save only on main (PRs read-only) with a shared key across Python versions — the old setup was writing ~6 GB of per-PR caches and nearing the 10 GB repo quota.
CI verified that a transitive dep (ravif 0.13 via the image crate) needs edition2024, which stabilised in 1.85. The 1.75 claim was inherited from earlier in the project and never verified.
Without a committed lockfile the MSRV job resolves fresh deps on every run and drifts with upstream crate releases. Committing Cargo.lock plus `cargo check --locked` makes the MSRV stable until a deliberate `cargo update`. 1.88 is the current floor across the resolved tree (image 0.25.10, darling 0.23, time 0.3.47, libloading 0.9 all require it).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three small build-hygiene wins bundled together — all pure config / deps, zero runtime behaviour change.
Cache quota
Cache storage on this repo was at 9.33 GB of 10 GB before this PR. The test matrix was writing 6 fresh caches per commit (3 OSes × 2 Python versions) because every combination had its own key and every run saved.
Fix:
Swatinem/rust-cachegets ashared-keyacross Python versions (pyo3 / abi3 builds don't vary by Python minor) plussave-if: ${{ github.ref == 'refs/heads/main' }}so PRs read the main-branch cache but don't write new ones. New MSRV job uses the same scoping.Expected steady-state: one authoritative cache per OS, refreshed on each main commit.
MSRV verification
We declare
rust-version = "1.75"in[workspace.package]but nothing verified it. Newmsrvjob installs 1.75 viadtolnay/rust-toolchainand runscargo check --workspace. UsesRUSTUP_TOOLCHAIN=1.75env override sorust-toolchain.toml(which pins contributors to stable) doesn't take precedence in CI.RustCrypto dedup
paperjam-corehadmd-5 = "0.11"while the rest of the crypto stack (digest / block-buffer / sha2 / sha1 / rsa / p256 / ecdsa) sat on 0.10. Result: duplicateblock-buffer 0.10 + 0.12,digest 0.10 + 0.11,md-5 0.10 + 0.11in the dep tree. Pinningmd-5 = "0.10"collapses all three duplicates. The md-5 0.10 → 0.11 API change is a no-op for how we use it.Also drops an unused
sha2::digest::Digest as Sha2Digestimport that the rebuild flagged.Test plan
cargo tree --workspace --duplicates | grep md-5— no duplicatescargo test --workspace— 16 Rust tests pass (4 xlsx + 5 mcp + 7 zip_safety)pre-commit run --all-files— every hook passes