Public-release hardening: drop neocache, reproducibility & CI fixes

.cargo/audit.toml

@@ -0,0 +1,29 @@
+# cargo-audit configuration.
+#
+# CI runs `cargo audit --deny warnings` so any *new* advisory (vulnerability,
+# unsoundness, or unmaintained crate) fails the build. The entries below are
+# the explicitly-accepted exceptions: each one must have a tracking note and
+# should be revisited on every cargo bump.
+#
+# When adding an entry: include the advisory ID, a one-line reason, and the
+# date it was accepted. When removing: confirm the upstream fix shipped and
+# `cargo audit` returns clean without the ignore.
+
+[advisories]
+ignore = [
+    # RUSTSEC-2024-0436 — `paste` 1.0.15 is unmaintained.
+    # Pulled in transitively via foyer 0.22 -> foyer-memory -> paste. No direct
+    # use; only its proc-macro is invoked at build time. No exposed API surface
+    # at runtime. Re-evaluate when foyer drops paste or migrates to pastey.
+    # Accepted: 2026-05.
+    "RUSTSEC-2024-0436",
+
+    # RUSTSEC-2026-0097 — `rand` is unsound when a custom global logger calls
+    # `rand::rng()` from inside its log handler. We affect three rand versions
+    # (0.8.5 via stretto/caches, 0.9.2 via foyer/twox-hash, 0.10.0 direct).
+    # This benchmark does not install a custom `log` handler and does not call
+    # `rand::rng()` from any logger path, so the unsoundness condition cannot
+    # be triggered here. Re-evaluate when transitive deps move to a fixed rand.
+    # Accepted: 2026-05.
+    "RUSTSEC-2026-0097",
+]

.github/CODEOWNERS

@@ -0,0 +1,27 @@
+# CODEOWNERS for rust-cache-benchmarks
+#
+# GitHub auto-assigns the listed teams as reviewers on every PR (including
+# Dependabot bumps). Order matters: the *last* matching pattern wins.
+#
+# All paths below are owned by @Shopify/rust-cache-benchmarks-maintainers.
+# If that team is renamed, retired, or split, update every line in this file
+# in the same commit — GitHub silently no-ops entries that point at unknown
+# teams, which would leave PRs without a required reviewer.
+
+# Default owner for everything in the repo.
+*                               @Shopify/rust-cache-benchmarks-maintainers
+
+# Benchmark methodology and statistical reporting are the highest-trust
+# surface in this repo. Any change here affects the public comparison and
+# should get an extra reviewer who has context on the published numbers.
+/src/main.rs                    @Shopify/rust-cache-benchmarks-maintainers
+/src/caches/mod.rs              @Shopify/rust-cache-benchmarks-maintainers
+/README.md                      @Shopify/rust-cache-benchmarks-maintainers
+/CONTRIBUTING.md                @Shopify/rust-cache-benchmarks-maintainers
+
+# Security-sensitive files: anyone changing the audit allowlist or the CI
+# pipeline should get a security-aware review.
+/SECURITY.md                    @Shopify/rust-cache-benchmarks-maintainers
+/.cargo/audit.toml              @Shopify/rust-cache-benchmarks-maintainers
+/.github/workflows/             @Shopify/rust-cache-benchmarks-maintainers
+/.github/CODEOWNERS             @Shopify/rust-cache-benchmarks-maintainers

.github/workflows/ci.yml

@@ -15,28 +15,44 @@ env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
 
+# All third-party actions are pinned to a 40-char commit SHA. The trailing
+# comment is the human-readable version Dependabot uses to keep the SHA up to
+# date (see .github/dependabot.yml — ecosystem `github-actions`). Never
+# downgrade these to floating tags or branches such as `@v4` or `@master`: a
+# compromise of the upstream action repo would otherwise execute attacker code
+# inside this workflow with the GITHUB_TOKEN scope.
 jobs:
   check:
-    name: Check
-    runs-on: ubuntu-latest
+    name: Check (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      # Don't let a flake on one OS hide a real bug on the other.
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@master
+        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master @ 2026-05
         with:
           toolchain: "1.94"
           components: rustfmt, clippy
 
       - name: Cache cargo registry
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.cargo/registry
             ~/.cargo/git
             target
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: ${{ runner.os }}-cargo-
+          # Keys are scoped by OS, toolchain, and Cargo.lock. The fallback
+          # restore-key is also scoped by toolchain so a cache from a
+          # different Rust version is never partially mounted on top of
+          # this build (which has historically caused mysterious link
+          # errors on macOS runners).
+          key: ${{ runner.os }}-rust-1.94-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-rust-1.94-cargo-
 
       - name: Check formatting
         run: cargo fmt --check
@@ -57,18 +73,20 @@ jobs:
     name: Audit
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@master
+        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master @ 2026-05
         with:
           toolchain: "1.94"
 
       - name: Cache cargo-audit binary
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/.cargo/bin/cargo-audit
-          key: ${{ runner.os }}-cargo-audit-bin-v1
+          # Cache key includes toolchain so audit binaries built against
+          # an older Rust never silently land in a newer pipeline.
+          key: ${{ runner.os }}-rust-1.94-cargo-audit-bin-v1
 
       - name: Install cargo-audit
         run: |
@@ -77,6 +95,8 @@ jobs:
           fi
 
       - name: Audit dependencies
-        # cargo audit fails on vulnerabilities by default. Warnings (unmaintained
-        # crates, soundness advisories) are reported but do not fail the job.
-        run: cargo audit
+        # `--deny warnings` makes any *new* unmaintained or unsoundness
+        # advisory fail the build. Currently-accepted advisories are listed
+        # explicitly in .cargo/audit.toml with rationale and review dates;
+        # adding a new ignore there is a deliberate, reviewable code change.
+        run: cargo audit --deny warnings

CONTRIBUTING.md

@@ -33,14 +33,21 @@ Thanks for your interest in contributing! `rust-cache-benchmarks` is a benchmark
 
 ## Local checks
 
-CI runs against Rust `1.94`. All of these must pass:
+CI runs against Rust `1.94` (the project's MSRV — see `rust-toolchain.toml`
+and `Cargo.toml`'s `rust-version`). All of these must pass:
 
 ```sh
 cargo fmt --check
 cargo clippy --all-targets --locked -- -D warnings
 cargo build --locked
 cargo build --release --locked
 cargo test --locked
+
+# Supply-chain audit. CI runs this with `--deny warnings`, so any *new*
+# unmaintained or unsoundness advisory will fail the pipeline. Currently
+# accepted advisories are listed in .cargo/audit.toml with rationale.
+# `cargo install --locked cargo-audit` if you don't have it locally.
+cargo audit --deny warnings
 ```
 
 ## Running benchmarks

Cargo.toml

@@ -2,11 +2,22 @@
 name = "cache-bench"
 version = "0.1.0"
 edition = "2021"
+# MSRV. Kept in sync with `rust-toolchain.toml` and the toolchain pinned in
+# `.github/workflows/ci.yml`. Bumping any of the three requires bumping the
+# other two.
+rust-version = "1.94"
 description = "Concurrent in-memory cache benchmarks for Rust"
 license = "MIT"
+readme = "README.md"
 repository = "https://github.com/Shopify/rust-cache-benchmarks"
 homepage = "https://github.com/Shopify/rust-cache-benchmarks"
 authors = ["Shopify Inc."]
+keywords = ["cache", "benchmark", "lru", "concurrent", "performance"]
+categories = ["caching", "development-tools::profiling"]
+# This is a benchmark harness, not a library. Block accidental `cargo publish`
+# from a maintainer's machine or a future release CI — the `cache-bench` name
+# is currently free on crates.io and we do not intend to claim it.
+publish = false
 
 [dependencies]
 schnellru = "0.2.4"
@@ -27,13 +38,17 @@ clru = "0.6.3"
 lru-mem = "0.3.0"
 sieve-cache = "1.1.6"
 caches = "0.3.0"
-# Pinned to a commit SHA so `cargo update` cannot silently roll the
-# benchmark forward to a future neocache release with different
-# performance characteristics. Bump deliberately when re-baselining.
-neocache = { git = "https://github.com/Shopify/neocache", rev = "3c87b8fde4fab6eb3e9285c05df5ab8ae0cf498c" }
 rand_distr = "0.6"
 parking_lot = "0.12"
 
+# `neocache` is intentionally not a dependency of this public repository.
+# The upstream crate lives in a private Shopify repo, so any reference to
+# it (even an `optional = true` git dependency) is recorded in `Cargo.lock`
+# and forces `cargo` to fetch the source on every build — which fails with
+# `failed to authenticate when downloading repository` on any clone
+# without Shopify git credentials, including public CI runners. See the
+# `Per-cache configuration deviations` section of `README.md`.
+
 [profile.release]
 opt-level = 3
 lto = "fat"