rustyhorde / vergen

Generate cargo instructions at compile time in build scripts for use with the env! or option_env! macros
Apache License 2.0
378 stars 56 forks

Cargo instructions should be validated when read from git messages #249

Closed roharvey closed 8 months ago

roharvey commented 1 year ago

I found this problem via a dependabot PR message, copied into the third line of the commit message.

With:

    // build.rs: the fragment as posted, completed with the import and
    // main() wrapper a build script needs
    use vergen::EmitBuilder;

    fn main() -> Result<(), Box<dyn std::error::Error>> {
        EmitBuilder::builder()
            .quiet()
            .all_git()
            .emit()?;
        Ok(())
    }

and a commit message generated from dependabot groups like:

    Merge pull request #123 from myorg/dependabot/cargo/deps-5f40290522

    cargo: bump the deps group with 6 updates

we had a build failure:

    error: invalid output in build script of `server v0.1.0 (/usr/src/crates/server)`: `cargo: bump the deps group with 6 updates`
    Expected a line with `cargo:key=value` with an `=` character, but none was found.

I don't think this should cause an error since it comes from git. At least a simple check could be done to ensure it fits a regex before creating an error, but ultimately it would be safer to compare to cargo options.

The best workaround for us was to change all_git() to git_sha(false), but only because we weren't using other git features.

    vergen = { version = "8.2.4", features = ["build", "git", "git2"] }

Imberflur commented 10 months ago

With the way cargo parses cargo:rustc-env=KEY=VALUE only the part of the value before the first newline will be included in the env var anyway. So a potential solution would be to just preemptively truncate at the first newline.

Alternatively, or as a future enhancement, newlines could be encoded and then later decoded when reading the env var. Or ideally cargo could provide support for build scripts emitting env var values that contain newlines.
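The failure roharvey reports and the two fixes Imberflur sketches, as an added example that is not vergen's or cargo's own code. The commit messages are constructed (the first mirrors the dependabot merge commit quoted above; the second, with a well-formed `cargo:` line, is hypothetical and shows what the same parser would accept without complaint), `parse_build_script_output` is a deliberately simplified model of cargo's `cargo:key=value` line handling rather than cargo's parser, and the `\n`/`\\` escape scheme used by `encode_newlines`/`decode_newlines` is this example's assumption, not something vergen or cargo defines:

```rust
// Added example, not vergen's or cargo's code: a model of why a multi-line
// git commit message breaks `cargo:rustc-env=KEY=VALUE`, and two ways to
// emit such a value safely (truncate, or encode and decode newlines).

/// Constructed commit message shaped like the dependabot merge commit in the
/// issue; the `cargo:` prefix on its third line is what triggers the error.
pub const COMMIT_MESSAGE: &str =
    "Merge pull request #123 from myorg/dependabot/cargo/deps-5f40290522\n\n\
     cargo: bump the deps group with 6 updates\n";

/// Constructed (hypothetical) message whose third line is a well-formed cargo
/// instruction. Nothing in the issue says this was seen in the wild; it shows
/// that the same parsing path accepts it silently.
pub const INJECTED_MESSAGE: &str =
    "Fix typo\n\ncargo:rustc-cfg=smuggled_from_commit_message\n";

/// Emit the value verbatim, as a build script printing one instruction would.
/// Every newline inside the value starts a new line of build-script output.
pub fn emit_raw(key: &str, value: &str) -> String {
    format!("cargo:rustc-env={key}={value}\n")
}

/// Imberflur's first suggestion: keep only the part before the first newline,
/// which is all cargo would keep anyway.
pub fn emit_truncated(key: &str, value: &str) -> String {
    let first_line = value.split('\n').next().unwrap_or("");
    format!("cargo:rustc-env={key}={first_line}\n")
}

/// Imberflur's second suggestion: encode newlines so the whole message fits on
/// one line, and decode when the env var is read. The escape scheme (`\\` for
/// a backslash, `\n` for a newline) is this example's assumption.
pub fn encode_newlines(value: &str) -> String {
    value.replace('\\', "\\\\").replace('\n', "\\n")
}

pub fn decode_newlines(encoded: &str) -> String {
    let mut out = String::with_capacity(encoded.len());
    let mut chars = encoded.chars();
    while let Some(c) = chars.next() {
        if c != '\\' {
            out.push(c);
            continue;
        }
        match chars.next() {
            Some('n') => out.push('\n'),
            Some('\\') => out.push('\\'),
            Some(other) => {
                out.push('\\');
                out.push(other);
            }
            None => out.push('\\'),
        }
    }
    out
}

pub fn emit_encoded(key: &str, value: &str) -> String {
    format!("cargo:rustc-env={key}={}\n", encode_newlines(value))
}

/// Simplified model of how cargo reads build-script stdout: a line starting
/// with `cargo:` must be `cargo:key=value`; anything else is rejected with the
/// error quoted in the issue. Real cargo also accepts the `cargo::` form and
/// validates known keys; that is left out here.
pub fn parse_build_script_output(output: &str) -> Result<Vec<(String, String)>, String> {
    let mut instructions = Vec::new();
    for line in output.lines() {
        if let Some(rest) = line.strip_prefix("cargo:") {
            match rest.split_once('=') {
                Some((k, v)) => instructions.push((k.to_string(), v.to_string())),
                None => return Err(format!("invalid output in build script: `{line}`")),
            }
        }
    }
    Ok(instructions)
}

fn main() {
    // Key name follows vergen's VERGEN_GIT_* naming for the commit message.
    let key = "VERGEN_GIT_COMMIT_MESSAGE";
    let cases = [
        ("raw", emit_raw(key, COMMIT_MESSAGE)),
        ("truncated", emit_truncated(key, COMMIT_MESSAGE)),
        ("encoded", emit_encoded(key, COMMIT_MESSAGE)),
        ("raw, injected", emit_raw(key, INJECTED_MESSAGE)),
    ];
    for (label, out) in &cases {
        match parse_build_script_output(out) {
            Ok(i) => println!("{label}: {} instruction(s): {i:?}", i.len()),
            Err(e) => println!("{label}: {e}"),
        }
    }
}
```

Under this model the raw emission fails exactly as in the report, truncation yields a single instruction carrying the first line, and the encoded form round-trips the whole message once the consumer decodes it. The fourth case is the reason the issue title asks for validation rather than just error avoidance: a commit-message line that happens to be a well-formed `cargo:key=value` is not an error at all, it is accepted as a second instruction, and commit messages are authored by whoever can push to the repository. Truncating at the first newline closes both the build failure and that path; encoding keeps the full message but moves the cost to a decode step in every consumer of the env var.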