ci: silence cargo-deny toolchain-override stack trace (#81) #167
Merged
StefanSteiner merged 1 commit into Jun 29, 2026
The EmbarkStudios/cargo-deny-action@v2 image ships a pre-installed `stable` toolchain, but its `rustup show` step evaluates rust-toolchain.toml's override before that toolchain is registered, emitting a non-fatal but alarming 'override toolchain ... is not installed' stack trace on every CI run. Pinning RUSTUP_TOOLCHAIN=stable on the deny job bypasses the override probe so the log stays clean. Enforcement is unchanged: `cargo deny check --all-features --workspace` still runs against the full workspace (verified locally: advisories / bans / licenses / sources all ok). The bitflags duplicate-version warning (Finding 2) is left as-is — it's an upstream-blocked `warn`, not a failure.
Closes #81 (Finding 1).
Problem
The `cargo-deny` CI job emits an alarming — but non-fatal — stack trace on every run:
The `EmbarkStudios/cargo-deny-action@v2` image ships a pre-installed `stable` toolchain, but its `rustup show` step evaluates `rust-toolchain.toml`'s override before that toolchain is registered. `rustup show` exits non-zero with the trace; the action doesn't propagate the code, then installs `stable` and runs cleanly. The job is green — the trace is just ~20 lines of noise per run.
Fix
Pin `RUSTUP_TOOLCHAIN: stable` as a job-level env on the `deny` job (Option 1 from the issue — the smallest patch). This bypasses the `rust-toolchain.toml` override probe inside the action's container, so the log stays clean.
Enforcement unchanged
`cargo deny check --all-features --workspace` still runs against the full workspace. Verified locally with `RUSTUP_TOOLCHAIN=stable cargo deny check`:
Scope
Finding 1 only. Finding 2 (the `bitflags` 1.x/2.x duplicate-version `warn`) is left as-is — it's upstream-blocked (`plotters` → `core-graphics` still pins `bitflags 1.3.2`) and the issue marks it optional. No license/advisory enforcement change.
🤖 Generated with Claude Code