Tooling: workflows-rustup check forbids rustup target/component add in workflows

`rust-toolchain.toml` at the workspace root is the single source of truth for which rustup targets and components the project needs. A workflow that also runs `rustup target add X` duplicates that source — and the duplicate gets out of sync silently. This is the bug class we just hit in the v0.20.0 release: `apps/desktop/rust-toolchain.toml` was out of scope when the release workflow ran `rustup target add x86_64-apple-darwin` from the repo root, so the target landed on a different toolchain than `pnpm tauri build` actually used.

The structural fix (rust-toolchain.toml at workspace root, `targets = [...]` declared there) landed in commit `41e999ab`. This check is the regression guard: any new `rustup target add` or `rustup component add` line in any workflow fails the check with a hint to declare it in rust-toolchain.toml instead.

Allowed by design:

- `rustup install`, `rustup update`, `rustup toolchain install`, `rustup show`: install / sync whole channels, not orthogonal to the toolchain file.
- `# allowed-rustup-add: <reason>` end-of-line opt-out with a non-empty reason. The reason renders in `--verbose` so future readers see the justification.
- Full-line YAML comments mentioning the phrase in prose. The scanner skips lines whose first non-whitespace char is `#`.

Tests:

- 10 table-driven cases pin the rules: target-add flagged, component-add flagged, chained-command flagged, install / update / toolchain-install / show all accepted, opt-out with reason accepted, empty opt-out reason still flagged, prose-only comment not flagged.

Wired in as `workflows-rustup` (nickname `rustup-add`), `IsFast: true`, no deps. Passes today (cmdr has no `rustup target add` left in any workflow).

Author: vdavid

scripts/check/CLAUDE.md

@@ -226,7 +226,7 @@ before tests.
 | Website    | Docker   | docker-build                                                                                                                                                                                                              |
 | API server | TS       | oxfmt, eslint, typecheck, tests                                                                                                                                                                                           |
 | Scripts    | Go       | gofmt, go-vet, staticcheck, ineffassign, misspell, gocyclo, nilaway, deadcode, go-tests, govulncheck                                                                                                                      |
-| Other      | Metrics  | file-length (warn-only), CLAUDE.md-reminder (warn-only), changelog-commit-links                                                                                                                                           |
+| Other      | Metrics  | file-length (warn-only), CLAUDE.md-reminder (warn-only), changelog-commit-links, workflows-rustup (forbids `rustup target/component add` in workflows)                                                                    |
 | Other      | Security | workflows-hardening (SHA-pinning, no `pull_request_target`, job-scoped `id-token: write`)                                                                                                                                 |
 
 ## Output format

scripts/check/checks/desktop-workflows-rustup.go

@@ -0,0 +1,129 @@
+package checks
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"sort"
+	"strings"
+)
+
+// RunWorkflowsRustup ensures `rust-toolchain.toml` stays the single source of
+// truth for which rustup targets / components the project needs. Workflows that
+// also `rustup target add X` (or `rustup component add X`) duplicate that
+// source — and the duplicate gets out of sync silently.
+//
+// The bug this guards against (May 2026, v0.20.0 release): the release workflow
+// ran `rustup target add x86_64-apple-darwin` from the repo root, but
+// `rust-toolchain.toml` was at `apps/desktop/`. So `rustup target add` touched
+// the runner's default toolchain instead of the pinned channel
+// `pnpm tauri build` used inside `apps/desktop/`. Result: every non-aarch64
+// release build failed at "Target x86_64-apple-darwin is not installed".
+//
+// The structural fix is to move `rust-toolchain.toml` to the workspace root
+// (done in commit `41e999ab`) AND declare `targets = [...]` there. This check
+// adds the regression guard: any new `rustup target add` / `rustup component
+// add` in a workflow re-introduces the divergence risk, so the check fails.
+//
+// `rustup install`, `rustup update`, `rustup toolchain install`, `rustup show`
+// stay allowed — they don't add anything orthogonal to the toolchain file.
+//
+// Opt-out: append `# allowed-rustup-add: <reason>` to the line. Empty reasons
+// are rejected.
+func RunWorkflowsRustup(ctx *CheckContext) (CheckResult, error) {
+	wfDir := filepath.Join(ctx.RootDir, ".github", "workflows")
+	entries, err := os.ReadDir(wfDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return Skipped("no .github/workflows/"), nil
+		}
+		return CheckResult{}, fmt.Errorf("failed to read workflows dir: %w", err)
+	}
+
+	var files []string
+	for _, e := range entries {
+		if e.IsDir() {
+			continue
+		}
+		name := e.Name()
+		if strings.HasSuffix(name, ".yml") || strings.HasSuffix(name, ".yaml") {
+			files = append(files, filepath.Join(wfDir, name))
+		}
+	}
+	sort.Strings(files)
+
+	var violations []string
+	scanned := 0
+	for _, f := range files {
+		v, err := scanWorkflowForRustup(f, ctx.RootDir)
+		if err != nil {
+			return CheckResult{}, err
+		}
+		violations = append(violations, v...)
+		scanned++
+	}
+
+	if len(violations) > 0 {
+		return CheckResult{}, fmt.Errorf(
+			"`rustup target add` / `rustup component add` found in workflows; declare in rust-toolchain.toml instead\n%s",
+			indentOutput(strings.Join(violations, "\n")))
+	}
+
+	result := Success(fmt.Sprintf("%d %s, no `rustup target/component add` lines",
+		scanned, Pluralize(scanned, "workflow", "workflows")))
+	result.Total = scanned
+	return result, nil
+}
+
+// Matches `rustup target add` or `rustup component add` anywhere on a line,
+// catching both `run: rustup target add X` and shell continuations / `&&`
+// chains. Whitespace between tokens is forgiving. The `#` lookahead is not
+// strict — we strip trailing comments before the match in the scanner.
+var rustupAddRE = regexp.MustCompile(`\brustup\s+(target|component)\s+add\b`)
+
+// Opt-out marker. Must include a non-empty reason after the colon.
+var rustupAddAllowedRE = regexp.MustCompile(`#\s*allowed-rustup-add:\s*(\S.*)`)
+
+func scanWorkflowForRustup(path, repoRoot string) ([]string, error) {
+	rel, _ := filepath.Rel(repoRoot, path)
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, fmt.Errorf("open %s: %w", rel, err)
+	}
+	defer f.Close()
+
+	var violations []string
+	scanner := bufio.NewScanner(f)
+	// Workflow yaml lines can be long (compose-style chained runs); raise the
+	// buffer above bufio's 64 KB default to cover the worst case.
+	scanner.Buffer(make([]byte, 0, 64*1024), 1024*1024)
+	lineNo := 0
+	for scanner.Scan() {
+		lineNo++
+		line := scanner.Text()
+		// Skip whole-line YAML comments. A line whose first non-whitespace
+		// character is `#` is a comment and can mention `rustup target add` in
+		// prose without being a command (for example, "the previous rustup
+		// target add step was removed; see rust-toolchain.toml").
+		trimmed := strings.TrimLeft(line, " \t")
+		if strings.HasPrefix(trimmed, "#") {
+			continue
+		}
+		if !rustupAddRE.MatchString(line) {
+			continue
+		}
+		// Opt-out: line ends with `# allowed-rustup-add: <reason>`.
+		if m := rustupAddAllowedRE.FindStringSubmatch(line); m != nil && strings.TrimSpace(m[1]) != "" {
+			continue
+		}
+		violations = append(violations, fmt.Sprintf(
+			"%s:%d: %s\n    declare the target/component in rust-toolchain.toml instead, OR add `# allowed-rustup-add: <reason>`",
+			rel, lineNo, strings.TrimSpace(line)))
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, fmt.Errorf("scan %s: %w", rel, err)
+	}
+	return violations, nil
+}

scripts/check/checks/desktop-workflows-rustup_test.go

@@ -0,0 +1,140 @@
+package checks
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestScanWorkflowForRustup(t *testing.T) {
+	tmp := t.TempDir()
+	wfDir := filepath.Join(tmp, ".github", "workflows")
+
+	cases := []struct {
+		name    string
+		content string
+		want    []string // substrings expected in each violation
+	}{
+		{
+			name: "rustup target add flagged",
+			content: `name: x
+jobs:
+  build:
+    steps:
+      - run: rustup target add x86_64-apple-darwin
+`,
+			want: []string{"rustup target add x86_64-apple-darwin"},
+		},
+		{
+			name: "rustup component add flagged",
+			content: `name: x
+jobs:
+  build:
+    steps:
+      - run: rustup component add clippy
+`,
+			want: []string{"rustup component add clippy"},
+		},
+		{
+			name: "rustup target add inside chained command flagged",
+			content: `name: x
+jobs:
+  build:
+    steps:
+      - run: |
+          rustup update stable && rustup target add x86_64-unknown-linux-gnu
+`,
+			want: []string{"rustup target add x86_64-unknown-linux-gnu"},
+		},
+		{
+			name: "rustup install accepted (whole toolchains, not redundant with toml)",
+			content: `name: x
+jobs:
+  build:
+    steps:
+      - run: rustup install 1.95.0
+`,
+			want: nil,
+		},
+		{
+			name: "rustup update accepted",
+			content: `name: x
+jobs:
+  build:
+    steps:
+      - run: rustup update stable
+`,
+			want: nil,
+		},
+		{
+			name: "rustup toolchain install accepted",
+			content: `name: x
+jobs:
+  build:
+    steps:
+      - run: rustup toolchain install nightly
+`,
+			want: nil,
+		},
+		{
+			name: "rustup show accepted",
+			content: `name: x
+jobs:
+  build:
+    steps:
+      - run: rustup show
+`,
+			want: nil,
+		},
+		{
+			name: "opt-out with reason accepted",
+			content: `name: x
+jobs:
+  build:
+    steps:
+      - run: rustup target add wasm32-unknown-unknown # allowed-rustup-add: wasm builds only happen here, separate from main toolchain
+`,
+			want: nil,
+		},
+		{
+			name: "opt-out with empty reason still flagged",
+			content: `name: x
+jobs:
+  build:
+    steps:
+      - run: rustup target add wasm32-unknown-unknown # allowed-rustup-add:
+`,
+			want: []string{"rustup target add wasm32-unknown-unknown"},
+		},
+		{
+			name: "comment mentioning rustup target add (not an actual command) not flagged",
+			content: `name: x
+jobs:
+  build:
+    steps:
+      # The previous rustup target add step was removed; see rust-toolchain.toml
+      - run: echo ok
+`,
+			want: nil,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			writeWorkflow(t, wfDir, "test.yml", tc.content)
+			got, err := scanWorkflowForRustup(filepath.Join(wfDir, "test.yml"), tmp)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if len(got) != len(tc.want) {
+				t.Fatalf("got %d violations, want %d:\n  got: %v\n  want: %v",
+					len(got), len(tc.want), got, tc.want)
+			}
+			for i, expected := range tc.want {
+				if !strings.Contains(got[i], expected) {
+					t.Errorf("violation %d does not contain %q:\n  %s", i, expected, got[i])
+				}
+			}
+		})
+	}
+}

scripts/check/checks/registry.go

@@ -559,6 +559,16 @@ var AllChecks = []CheckDefinition{
 		IsFast:      true,
 		Run:         RunWorkflowsHardening,
 	},
+	{
+		ID:          "workflows-rustup",
+		Nickname:    "rustup-add",
+		DisplayName: "workflows / rustup add",
+		App:         AppOther,
+		Tech:        "📏 Metrics",
+		DependsOn:   nil,
+		IsFast:      true,
+		Run:         RunWorkflowsRustup,
+	},
 }
 
 // GetCheckByID returns a check definition by its ID or nickname.