ci: fix miri/fuzzing EXDEV by pinning RUSTUP_HOME/CARGO_HOME to /tmp #132

Merged: 27Bslash6 merged 1 commit into main from chore/ci-fix-miri-exdev-rustup-home on May 28, 2026

@27Bslash6 27Bslash6 commented May 28, 2026

Summary

  • security-medium's miri-subset job has been red on main for 12 days (since 2026-05-16, e.g. run 26572369632)
  • Root cause: rustup toolchain install nightly --component miri fails on the self-hosted cachekit ARC runner with Invalid cross-device link (os error 18) because ~/.rustup/tmp and ~/.rustup/toolchains/... land on different filesystem layers in the ephemeral pod (rust-lang/rustup#1239, "Invalid cross-device link (os error 18) when upgrading on a docker OverlayFS")
  • security-deep's miri-full and fuzzing jobs install nightly the same way and have the same latent bug (silently broken on the nightly cron)

Fix

Pin RUSTUP_HOME=/tmp/rustup and CARGO_HOME=/tmp/cargo for only the three affected jobs. This is the same workaround already used by fuzz-smoke.yml (lines 17-20) and acknowledged in a comment at security-deep.yml:27-28.

Scoping the env at job level (not workflow level) keeps cargo-geiger and kani-verification using the pre-shipped stable toolchain in the runner image — no wasted re-downloads.

Test plan

  • Security Medium workflow goes green on this branch
  • Confirm cargo-geiger / Unsafe Code Tracking still uses the cached stable toolchain (not regressed)
  • Next nightly Security Deep run picks up the fix and miri-full + fuzzing jobs pass install step

refs rust-lang/rustup#1239

Summary by CodeRabbit

  • Chores
    • Updated CI/security workflow configurations to improve build process reliability during toolchain setup.

The miri-subset job (security-medium) and the miri-full + fuzzing jobs
(security-deep) all install a nightly toolchain via bare
`rustup toolchain install nightly`. On the self-hosted `cachekit` ARC
runner the default `~/.rustup/{tmp,toolchains}` paths straddle the pod's
overlay and hostPath layers, so rustup's atomic rename during install
fails with `Invalid cross-device link (os error 18)` — rust-lang/rustup#1239.

security-medium has been red on main for 12 days as a result; the same
latent bug breaks the nightly security-deep run.

Fix: scope `RUSTUP_HOME=/tmp/rustup` and `CARGO_HOME=/tmp/cargo` to just
the three affected jobs. This is the same workaround already used by
fuzz-smoke.yml. The pre-shipped stable toolchain jobs (cargo-geiger,
kani-verification) are intentionally left untouched so they keep using
the runner image's cached toolchain.
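
The cross-mount condition described in this PR can be detected before `rustup toolchain install` runs. The following is an added example, not part of the PR or the cachekit workflows: a POSIX shell preflight that checks whether a hard link can be made between two directories, which fails with EXDEV under the same cross-mount condition as rustup's rename. The function names `exdev_probe` and `check_rustup_home` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR): preflight probe for the EXDEV condition.
# rustup stages a toolchain under $RUSTUP_HOME/tmp and renames it into
# $RUSTUP_HOME/toolchains. rename(2) and link(2) both fail with EXDEV when
# the two paths sit on different mounts. `mv` is not usable as the probe
# because it falls back to copy+delete across devices and hides the error.

# exdev_probe SRC_DIR DST_DIR
#   0 = a hard link between the directories works (same mount)
#   1 = the link failed (cross-device mount, or no hard-link support/permission)
#   2 = a directory or the probe file could not be created
exdev_probe() {
    src_dir=$1
    dst_dir=$2
    mkdir -p "$src_dir" "$dst_dir" 2>/dev/null || return 2
    probe=$(mktemp "$src_dir/.exdev-probe.XXXXXX" 2>/dev/null) || return 2
    target="$dst_dir/$(basename "$probe").lnk"
    if ln "$probe" "$target" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -f "$probe" "$target"
    return "$rc"
}

# check_rustup_home [HOME_DIR]
#   Probes the pair of directories rustup renames between. Defaults to
#   $RUSTUP_HOME, then ~/.rustup, matching rustup's own lookup order.
check_rustup_home() {
    home=${1:-${RUSTUP_HOME:-$HOME/.rustup}}
    exdev_probe "$home/tmp" "$home/toolchains"
}

# Usage in a workflow `run:` step, before installing nightly:
#   check_rustup_home || echo "::error::RUSTUP_HOME tmp/toolchains span mounts"
```

A passing probe only shows that the two directories share a mount; it does not cover the OverlayFS case where an existing lower-layer directory is renamed.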

coderabbitai Bot commented May 28, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between c201ab9 and f7657a3.

📒 Files selected for processing (2)
  • .github/workflows/security-deep.yml
  • .github/workflows/security-medium.yml

Walkthrough

This PR adds per-job environment variable overrides in three Rust-based GitHub Actions workflow jobs to prevent rustup EXDEV (cross-device link) errors. Both security-deep.yml and security-medium.yml workflows now set RUSTUP_HOME and CARGO_HOME to /tmp paths in their respective jobs.

Changes

Rustup EXDEV Fix Across Workflows

  • Layer: Environment overrides for rustup/cargo directories in security workflow jobs
  • File(s): .github/workflows/security-deep.yml, .github/workflows/security-medium.yml
  • Summary: The fuzzing and miri-full jobs in security-deep.yml, and the miri-subset job in security-medium.yml each receive RUSTUP_HOME: /tmp/rustup and CARGO_HOME: /tmp/cargo env overrides to ensure consistent temporary filesystem usage and prevent cross-device link failures during nightly toolchain staging.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • cachekit-io/cachekit-py#101: Both PRs modify .github/workflows/security-deep.yml to address rustup toolchain installation issues with environment overrides.
  • cachekit-io/cachekit-py#113: Both PRs update GitHub Actions workflows to set RUSTUP_HOME/CARGO_HOME to shared writable /tmp locations to prevent rustup EXDEV failures.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: ✅ Passed. The title accurately and concisely describes the main change: fixing EXDEV errors by pinning RUSTUP_HOME/CARGO_HOME to /tmp for miri and fuzzing jobs in CI workflows.
  • Description check: ✅ Passed. The PR description is comprehensive and addresses the template requirements well, including detailed motivation, root cause analysis, the fix approach, and a test plan; however, the Type of Change checkbox is not explicitly marked.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@27Bslash6 27Bslash6 enabled auto-merge (squash) May 28, 2026 11:54
@27Bslash6 27Bslash6 merged commit 89af841 into main May 28, 2026
12 of 13 checks passed
@27Bslash6 27Bslash6 deleted the chore/ci-fix-miri-exdev-rustup-home branch May 28, 2026 11:55

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0
