This should also help fixing these spurious "cannot package because some
excluded file is untracked" issues.
### Tasks
* [x] step-by-step conversion of `vcs.rs`
* [x] use proper feature toggle
* [x] ~~cleanup~~ final check by myself
* [ ] ~~move split & rename into its own commit. Probably squash all
changes except for the gix upgrade.~~
- I like to have the major stages of this PR conserved.
* [x] upgrade to a gix release including
https://github.com/GitoxideLabs/gitoxide/pull/2016
- This was done in `master` already.
* [x] fix tests by fixing `gix` - `submodules()` call isn't bare-repo
safe.
* [x] fix failure on Windows
- `gix status` seems to go through a symlink, arriving at the wrong
conclusion, on Windows.
* [x] fix performance regression on `aws-sdk-rust`.
### Notes for the Reviewer
* This implementation is both faster and more correct, thus affects
#15416 and #14955.
Related to https://github.com/GitoxideLabs/gitoxide/issues/106.
This is achieved by allowing `gix status` to only run in the
package root, while running it another time just on the few files
that are interesting outside of the package root.
This saves a lot of time compared to the previous implementation,
which ran the status on the entire repository.
This should also help fixing these spurious "cannot package because
some excluded file is untracked" issues.
Remove the respective `git2` implementation at the same time
as there seems to be no need for it.
### What does this PR try to resolve?
The type is
```c
typedef struct {
const gchar *name;
SecretSchemaFlags flags;
SecretSchemaAttribute attributes[32];
/* <private> */
gint reserved;
gpointer reserved1;
gpointer reserved2;
gpointer reserved3;
gpointer reserved4;
gpointer reserved5;
gpointer reserved6;
gpointer reserved7;
} SecretSchema;
```
so the current object we give it is 8 pointers too short
It's incredibly lucky that libsecret, at this time, only uses
`reserved`, and not in any of the functions we call
Also, some obvious cleanups while I was there and comparing with [my
implementation](https://github.com/nabijaczleweli/cargo-update/blob/v17.0.0/src/ops/mod.rs#L1443)
from [cargo-update
17.0.0](https://github.com/nabijaczleweli/cargo-update/releases/v17.0.0).
### How to test and review this PR?
Observe
https://sources.debian.org/src/libsecret/0.20.5-3/libsecret/secret-schema.h/#L43
I suppose?
The type is
typedef struct {
const gchar *name;
SecretSchemaFlags flags;
SecretSchemaAttribute attributes[32];
/* <private> */
gint reserved;
gpointer reserved1;
gpointer reserved2;
gpointer reserved3;
gpointer reserved4;
gpointer reserved5;
gpointer reserved6;
gpointer reserved7;
} SecretSchema;
so the current object we give it is 8 pointers too short
It's incredibly lucky that libsecret, at this time,
only uses reserved, and not in any of the functions we call
### What does this PR try to resolve?
This is not necessary, as 32 is the default, and actually of the wrong
type now since it's a number now.
When planning to make these type mismatches error in
https://github.com/rust-lang/rust/pull/144218, cargo would fail here, so
I just removed it.
This custom target test very much shows how Cargo should be a subtree,
in this case it was fine because there's a compatible fix that I can
push now, otherwise it would have been very annoying.
### How to test and review this PR?
If the test suite passes, it works
This is not necessary, as 32 is the default, and actually of the wrong
type now since it's a number now.
When planning to make these type mismatches error, cargo would fail
here, so I just removed it.
This custom target test very much shows how Cargo should be a subtree,
in this case it was fine because there's a compatible fix that I can
push now, otherwise it would have been very annoying.
### What does this PR try to resolve?
Information about artifact dependencies is already available through
`cargo metadata`, and therefore also through serializing and re-parsing
`dependency.serialized()` using `serde_json::to_value` +
`serde_json::from_value`. This PR makes the same information available
directly through the library API of `cargo::core::Dependency`.
I ran into these private methods while working on
https://github.com/rust-lang/cargo/issues/15751.
### How to test and review this PR?
`cargo check`
The `[hints]` table in a `Cargo.toml` manifest provides optional
information that Cargo can use for building the package, and will use
even when using the package as a dependency. All hints can be safely
ignored, and Cargo only warns about unknown hints, but does not error.
This allows packages to use hints without depending on new Cargo.
Add a `mostly-unused` hint, which allows a package to hint that most
users of the package will not use most of its items. This is useful for
improving the build performance of crates with large dependencies.
Crates can override this hint using `hint-mostly-unused = false` in
their profile for a dependency.
---
In the future, this same mechanism could be used for other hints, such
as
`min-opt-level`.
### How to test and review this PR?
This PR is built atop https://github.com/rust-lang/cargo/pull/15643 .
I'd
suggest reviewing that PR separately, then just reviewing the new
commits in
this PR.
The new "hints" testsuite module demonstrates the expected behavior of
hints.
Like https://github.com/rust-lang/cargo/pull/15643 , the nightly-only
tests
will only pass once https://github.com/rust-lang/rust/pull/135656 has
been
merged into Rust.
The `[hints]` table in a `Cargo.toml` manifest provides optional
information that Cargo can use for building the package, and will use
even when using the package as a dependency. All hints can be safely
ignored, and Cargo only warns about unknown hints, but does not error.
This allows packages to use hints without depending on new Cargo.
Add a `mostly-unused` hint, which allows a package to hint that most
users of the package will not use most of its items. This is useful for
improving the build performance of crates with large dependencies.
Crates can override this hint using `hint-mostly-unused = false` in
their profile for a dependency.
These tests show what prior versions of Cargo will do with hints.
The subsequent addition of support for hints will modify these tests to
reflect the corresponding changes to Cargo.
Hi Everyone!
This is PR for the implementation of the first milestone of [GSoC
Project : Build Script
Delegation](https://summerofcode.withgoogle.com/programs/2025/projects/nUt4PdAA)
This will provide actual implementation for #15630
### What does this PR try to resolve?
Now, multiple build scripts are parsed, this PR aims to implement the
functioning the feature. This PR will allow users to use multiple build
scripts, and is backward compatible with single script as well as
boolean values.
**Motivation :** This will help users to maintain separate smaller and
cleaner build scripts instead of one large build script. This is also
necessary for build script delegation.
Deferred
- Accessing each build script's `OUT_DIR`: This will be handled in a
follow up PR. For now, each build script writes to its own `OUT_DIR` and
`OUT_DIR` for the regular build targets is set to the build script with
the **lexicographically largest** name..
- User control over which build script wins in a conflict. This will be
handled in a follow up PR. If two build scripts write to the same env
variable, which gets applied to the binary? Currently, its the build
script with the **lexicographically largest** name. This makes it
deterministic. With some futzing, users can control this for now.
However, with build script delegation, users won't be able to control
this. We likely want it based off of the order the user assigns into the
build script array.
- Something about linking a C library is actually preferring
**lexicographically smallest** name. We should handle conflicts
consistently. We need to dig into what parts are doing it based on
smallest and make sure that whatever priority scheme we use for env
variables applies here as well.
### How to test and review this PR?
There is a feature gate `multiple-build-scripts` that can be passed via
`cargo-features` in `Cargo.toml`. So, you have to add
```toml
cargo-features = ["multiple-build-scripts"]
```
Preferably on the top of the `Cargo.toml` and use nightly toolchain to
use the feature
### What does this PR try to resolve?
For numbers, see https://epage.github.io/blog/2025/07/toml-09/
Further areas for improvement:
- Enable `fast_hash` (see #15649)
- Only track spans for local manifests, allowing us to skip the
`make_owned` call for most packages
### How to test and review this PR?
This PR marks several tests within cache_lock.rs as unsupported on the
AIX platform. The tests relies on flock() behaviour that is not
supported on AIX.
### What does this PR try to resolve?
A user will now be able to use flags like `--workspace` with `cargo
publish`.
`cargo package` will now also work with those flags without having to
pass `--no-verify --exclude-lockfile`.
Many release tools have come out that solve this problem. They will
still need a lot of the logic that went into that for other parts of the
release process.
However, a cargo-native solution allows for:
- Verification during dry-run
- Better strategies for waiting for the publish timeout
`cargo publish` is non-atomic at this time.
If there is a server side error, network error, or rate limit during the
publish, the workspace will be left in a partially published state.
Verification is done before any publishing so that won't affect things.
There are multiple strategies we can employ for improving this over
time, including
- atomic publish
- `--idempotent` (#13397)
- leave this to release tools to manage
This includes support for `--dry-run` verification. As release tools
didn't have a way to do this before, users may be surprised at how slow
this is because a `cargo build` is done instead of a `cargo check`. This
is being tracked in #14941.
This adds to `cargo package` the `--registry` and `--index` flags to
help with resolving dependencies when depending on a package being
packaged at that moment.
These flags are only needed when a `cargo package --workspace` operation
would have failed before due to inability to find a locally created
dependency.
Regarding the publish timeout, `cargo publish --workspace` publishes
packages in batches and we only timeout if nothing in the batch has
finished being published within the timeout, deferring the rest to the
next wait-for-publish. So for example, if you have packages `a`, `b`,
`c` then we'll wait up to 60 seconds and if only `a` and `b` were ready
in that time, we'll then wait another 60 seconds for `c`.
During testing, users ran into issues with `.crate` checksums:
- ~~#15647~~ Fixed for `cargo publish --dry-run` in #15711
- But `cargo package` still has the problem
- #14396 (not been able to reproduce)
- #15622 (reproducible with consecutive `cargo publish` calls)
Fixes#1169Fixes#10948
### How to test and review this PR?
By stabilizing this, Cargo's behavior becomes dependent on an overlay
registry.
When generating a lockfile or verifying a package, we overlay the
locally generated `.crate` files on top of the registry so the registry
appears as it would and everything works.
If there is a conflict with a version, the local version wins which is
important for the dry-run mode of release tools as they won't have
bumped the version yet.
Our concern for the overlay registry is dependency confusion attacks.
Considering this is not accessible for general user operations, this
should be fine.
