dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Update rust-toolchain #1702

Open 1tgr opened 4 years ago

1tgr commented 4 years ago

Can Dependabot update the rust-toolchain file, if it exists?

It should at least update stable to latest stable, and ideally update nightly to latest nightly and beta to latest beta. Updating nightly to stable (e.g. an unstable feature got stabilised) should probably be a manual change.

jbreitbart commented 3 years ago

rustup now supports rust-toolchain files that look like

[toolchain]
channel = "nightly-2020-11-25"
components = [ "rustfmt", "rust-src", "llvm-tools-preview"]
targets = [ "x86_64-unknown-hermit" ]

taken from https://github.com/hermitcore/rusty-hermit/blob/master/rust-toolchain

The project uses features only available in the nightly version of the rust compiler, but if we set the channel directly to 'nightly' the CI will download the latest version, which means it uses a different compiler/format checker/... every day. Just a few days ago there was a change in rustfmt, which resulted in every pull request failing, as the latest version of rustfmt wanted to format parts of the code differently.

If we could use dependabot to update the rust-toolchain file once a week that would be great :smile:

// CC @stlankes

stlankes commented 3 years ago

Yes, the usage of dependabot will be great. Can you do that? You are the dependabot expert...

jurre commented 3 years ago

I think technically it'll be possible, but it will require adding support at all levels of dependabot. I don't think we'll be able to prioritize it in the near future unfortunately.

Having said that, what would be some good resources to read up on rust-toolchain, what it does and how we could check for new versions etc?

jbreitbart commented 3 years ago

rust-toolchain is used by rustup. See [0] if you are looking for information on what rustup does. [1] is the link directly to the rust-toolchain file section. I am not aware of any exact specification on the file, but I think @ebroto added support for the TOML syntax to rustup, maybe he can provide some further details.

[0] https://rust-lang.github.io/rustup/index.html
[1] https://rust-lang.github.io/rustup/overrides.html#the-toolchain-file

davepacheco commented 2 years ago

This would be very useful!

haraldreingruber-dedalus commented 2 years ago

I also think this would be very interesting. Right now we use the latest stable toolchain, which every once in a while causes us to fix new clippy warnings when they are added.... It would be nice to have a fixed version configured, and dependabot letting us know if a new version can be updated without any issues or not.

JamieMagee commented 2 months ago

I'm going to share some of the research I was able to find on datasources for updating rust-toolchain.toml:

Dependabot would need to update the channel property in rust-toolchain.toml. channel is formatted as^1:

<channel>[-<date>][-<host>]

<channel>       = stable|beta|nightly|<major.minor>|<major.minor.patch>
<date>          = YYYY-MM-DD
<host>          = <target-triple>

Semver versions can be found from the git tags in https://github.com/rust-lang/rust ^2. Full information on dated channels can be found at the following URLs:

However, we only likely need the date itself, which can be found at:

Another potential avenue for both semver and channel version data is the Rust manifest list^3. It's a single source for all of this information.
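An added example, not part of the comment above and not Dependabot code: a Ruby parser for the `channel` grammar quoted in that comment, plus an update rule that stays within the pinned channel, as the original request asks. The names `parse_channel` and `propose_update`, the `latest` hash, and the rule that a host triple starts with a letter are assumptions of this example.

```ruby
require "date"
require "rubygems" # Gem::Version, used only for version ordering

# Grammar from the thread: <channel>[-<date>][-<host>]
# Assumption: a host triple starts with a letter (x86_64-unknown-linux-gnu).
CHANNEL_RE = /\A(?:(?<name>stable|beta|nightly)|(?<version>\d+\.\d+(?:\.\d+)?))
              (?:-(?<date>\d{4}-\d{2}-\d{2}))?
              (?:-(?<host>[a-z][a-z0-9_]*(?:-[a-z0-9_.]+)+))?\z/x

Channel = Struct.new(:name, :version, :date, :host)

# Parse a channel string strictly; anything outside the grammar is rejected.
def parse_channel(raw)
  m = CHANNEL_RE.match(raw) or raise ArgumentError, "invalid channel: #{raw.inspect}"
  # strptime rejects well-formed but impossible dates such as 2020-13-45
  date = m[:date] && Date.strptime(m[:date], "%Y-%m-%d")
  Channel.new(m[:name], m[:version], date, m[:host])
end

# Return the replacement channel string, or nil when nothing should change.
# `latest` stands in for datasource output (constructed sample data), e.g.
#   { "stable" => "1.75.0", "beta" => "2024-01-08", "nightly" => "2024-01-10" }
def propose_update(raw, latest)
  c = parse_channel(raw)
  if c.version
    return nil if c.date                    # dated version pin: leave for manual review
    segments = c.version.count(".") + 1     # keep the pin's precision (1.70 vs 1.70.0)
    newest = latest.fetch("stable").split(".").first(segments).join(".")
    return nil unless Gem::Version.new(newest) > Gem::Version.new(c.version)
    [newest, c.host].compact.join("-")
  elsif c.date && %w[beta nightly].include?(c.name)
    # Stay on the same channel: nightly -> newer nightly, never nightly -> stable.
    newest = Date.strptime(latest.fetch(c.name), "%Y-%m-%d")
    return nil unless newest > c.date
    [c.name, newest.iso8601, c.host].compact.join("-")
  end                                       # bare stable/beta/nightly float: no pin to bump
end

if __FILE__ == $PROGRAM_NAME
  latest = { "stable" => "1.75.0", "beta" => "2024-01-08", "nightly" => "2024-01-10" }
  %w[nightly-2020-11-25 1.70 stable].each do |pin|
    puts "#{pin} -> #{propose_update(pin, latest).inspect}"
  end
end
```

Rejecting anything outside the grammar before rewriting the file keeps a malformed or unexpected `channel` value from being passed along to the toolchain installer.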

RobJellinghaus commented 2 months ago

Note that for internal consumption in Azure DevOps, we will need to be able to configure Dependabot to be able to use our internal msrustup toolchain installer (which supports Azure authentication), and to install the internal Microsoft toolchain which we require for production Rust binaries.

So Dependabot will need some configuration mechanism to allow the information sources you mention to be configured appropriately, such that public Dependabot would use the public rust-lang channels as you suggest, whereas Azure DevOps Dependabot would be configured to use internal channels to get the same information.

In general, "support configuration for using internal Microsoft Rust toolchain and toolchain installer" is its own feature, which overlaps with the general feature for installing toolchains dynamically within Dependabot. @abdulapopoola is going to connect me with that ongoing work.

abdulapopoola commented 2 months ago

Tagging @jakecoffman and @jurre , I suspect this will need proxy changes?