Problem
Multiple CI workflows independently install the Rust toolchain and cargo binaries (cargo-deny, cargo-nextest, etc.). Each install adds 30-60s of wall time per job. With matrix strategies, this compounds — a single PR can spend 5+ minutes just on toolchain/binary installs across jobs.
The cargo-deny workflow recently exposed a version skew issue: the Docker-based EmbarkStudios/cargo-deny-action@v2 bundles its own cargo-deny version, which disagreed with the local developer version. This caused CI-only failures that couldn't be reproduced locally.
Proposed changes
-
Pin cargo-deny version in CI to match local. Either use the action (accept its bundled version and upgrade local to match) or install a specific version with caching. The key invariant: cargo deny check must produce the same result locally and in CI.
-
Cache ~/.cargo/bin across jobs. Use actions/cache keyed on a hash of the required binary versions. First run installs; subsequent runs restore from cache. Applicable to: cargo-deny, cargo-nextest, cargo-audit, and any future cargo install invocations.
-
Consider a shared "setup" composite action. A local .github/actions/setup-rust/action.yml that installs the toolchain + caches binaries, called from every workflow. Single source of truth for toolchain version and binary versions.
Current state
cargo-deny.yml uses EmbarkStudios/cargo-deny-action@v2 (Docker image with bundled binary)ci.yml uses dtolnay/rust-toolchain@master with toolchain: "1.93"rust-toolchain.toml pins 1.93 at the repo root- Local cargo-deny:
0.19.4
- No binary caching anywhere
Acceptance criteria
Priority
Low — this is developer experience / CI speed, not correctness. But it prevents version-skew debugging sessions like the one that prompted this issue.
Problem
Multiple CI workflows independently install the Rust toolchain and cargo binaries (cargo-deny, cargo-nextest, etc.). Each install adds 30-60s of wall time per job. With matrix strategies, this compounds — a single PR can spend 5+ minutes just on toolchain/binary installs across jobs.
The
cargo-denyworkflow recently exposed a version skew issue: the Docker-basedEmbarkStudios/cargo-deny-action@v2bundles its own cargo-deny version, which disagreed with the local developer version. This caused CI-only failures that couldn't be reproduced locally.Proposed changes
Pin cargo-deny version in CI to match local. Either use the action (accept its bundled version and upgrade local to match) or install a specific version with caching. The key invariant:
cargo deny checkmust produce the same result locally and in CI.Cache
~/.cargo/binacross jobs. Useactions/cachekeyed on a hash of the required binary versions. First run installs; subsequent runs restore from cache. Applicable to:cargo-deny,cargo-nextest,cargo-audit, and any futurecargo installinvocations.Consider a shared "setup" composite action. A local
.github/actions/setup-rust/action.ymlthat installs the toolchain + caches binaries, called from every workflow. Single source of truth for toolchain version and binary versions.Current state
cargo-deny.ymlusesEmbarkStudios/cargo-deny-action@v2(Docker image with bundled binary)ci.ymlusesdtolnay/rust-toolchain@masterwithtoolchain: "1.93"rust-toolchain.tomlpins1.93at the repo root0.19.4Acceptance criteria
cargo deny checkproduces identical results locally and in CIrust-toolchain.toml) and respected everywherePriority
Low — this is developer experience / CI speed, not correctness. But it prevents version-skew debugging sessions like the one that prompted this issue.