From 643c27f719bc9b8b688b902dd4248f8cd7c1ec6b Mon Sep 17 00:00:00 2001
From: Pierre Warnier
Date: Wed, 10 Jun 2026 15:00:14 +0200
Subject: [PATCH] docker: install cargo-deny as a pinned prebuilt binary
The dev images built cargo-deny from source via `cargo install cargo-deny`. That compiled cargo-deny on every image build (multi-minute) and surfaced cargo-deny's own `profile.dev.package.{insta,similar}` warnings, which look like our config but are not. Install the pinned (0.19.8), checksum-verified prebuilt binary instead. The static musl build runs on glibc too, so all three images share one asset. Result: no source compile, no spurious warnings, and a reproducible, sha256-verified install (vs the previous unpinned `cargo install`). Each build self-checks with `cargo-deny --version`. Version/checksum are ARGs so they can be bumped (and tracked by Renovate).
---
 docker/Dockerfile.alpine | 13 ++++++++++++-
 docker/Dockerfile.debian | 13 ++++++++++++-
 docker/Dockerfile.fedora | 15 +++++++++++++--
 3 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/docker/Dockerfile.alpine b/docker/Dockerfile.alpine
index edf6f26..5008311 100644
--- a/docker/Dockerfile.alpine
+++ b/docker/Dockerfile.alpine
@@ -19,9 +19,20 @@ RUN apk add --no-cache \
 curl
 RUN rustup component add clippy rustfmt \
- && cargo install cargo-deny \
 && curl -LsSf https://get.nexte.st/latest/linux-musl | tar zxf - -C /usr/local/cargo/bin
+# cargo-deny: pinned, checksum-verified prebuilt binary. The static musl build
+# runs on glibc too, so every image shares one asset. Installing the binary
+# (instead of `cargo install cargo-deny`) skips a multi-minute source compile.
+ARG CARGO_DENY_VERSION=0.19.8
+ARG CARGO_DENY_SHA256=70e769ae3872e34d45132b17040859175e11401dc12dddb0303e0b8c7d088f3f
+RUN curl -LsSf "https://github.com/EmbarkStudios/cargo-deny/releases/download/${CARGO_DENY_VERSION}/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl.tar.gz" -o /tmp/cargo-deny.tar.gz \
+ && echo "${CARGO_DENY_SHA256} /tmp/cargo-deny.tar.gz" | sha256sum -c - \
+ && tar zxf /tmp/cargo-deny.tar.gz -C /tmp \
+ && install -m 0755 "/tmp/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl/cargo-deny" /usr/local/cargo/bin/cargo-deny \
+ && rm -rf /tmp/cargo-deny.tar.gz "/tmp/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl" \
+ && cargo-deny --version
+
 RUN adduser -D -s /bin/bash testuser \
 && adduser -D -s /bin/sh testuser2 \
 && addgroup testgroup \
diff --git a/docker/Dockerfile.debian b/docker/Dockerfile.debian
index 385d0d7..474f69b 100644
--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
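Review bot: The new `RUN curl … cargo-deny …` line hardcodes the `x86_64-unknown-linux-musl` asset and a single checksum, so a build on an aarch64 host without emulation would download the wrong binary, pass the checksum (it is the same file) and only fail at the trailing `cargo-deny --version` self-check; the identical block appears in the `Dockerfile.debian` and `Dockerfile.fedora` hunks. If these dev images are x86_64-only by design, record that next to the ARGs, e.g. `# x86_64 only: a second checksum keyed on TARGETARCH is needed before building for aarch64`; otherwise the asset name needs a `TARGETARCH` mapping with one checksum per architecture. The target triple is also spelled out three times inside the `RUN`; hoisting it to `ARG CARGO_DENY_TARGET=x86_64-unknown-linux-musl` and referencing `${CARGO_DENY_TARGET}` in the download URL, the `install` source path and the `rm -rf` path keeps the three from drifting on the next bump. The `RUN apk add` instruction named in the hunk header starts outside the hunk.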
@@ -16,9 +16,20 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 && rm -rf /var/lib/apt/lists/*
 RUN rustup component add clippy rustfmt \
- && cargo install cargo-deny \
 && curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C /usr/local/cargo/bin
+# cargo-deny: pinned, checksum-verified prebuilt binary. The static musl build
+# runs on glibc too, so every image shares one asset. Installing the binary
+# (instead of `cargo install cargo-deny`) skips a multi-minute source compile.
+ARG CARGO_DENY_VERSION=0.19.8
+ARG CARGO_DENY_SHA256=70e769ae3872e34d45132b17040859175e11401dc12dddb0303e0b8c7d088f3f
+RUN curl -LsSf "https://github.com/EmbarkStudios/cargo-deny/releases/download/${CARGO_DENY_VERSION}/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl.tar.gz" -o /tmp/cargo-deny.tar.gz \
+ && echo "${CARGO_DENY_SHA256} /tmp/cargo-deny.tar.gz" | sha256sum -c - \
+ && tar zxf /tmp/cargo-deny.tar.gz -C /tmp \
+ && install -m 0755 "/tmp/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl/cargo-deny" /usr/local/cargo/bin/cargo-deny \
+ && rm -rf /tmp/cargo-deny.tar.gz "/tmp/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl" \
+ && cargo-deny --version
+
 RUN useradd -m -s /bin/bash testuser \
 && useradd -m -s /bin/sh testuser2 \
 && groupadd testgroup \
diff --git a/docker/Dockerfile.fedora b/docker/Dockerfile.fedora
index 0156100..66be5c9 100644
--- a/docker/Dockerfile.fedora
+++ b/docker/Dockerfile.fedora
@@ -24,8 +24,19 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
 --component clippy,rustfmt
 ENV PATH="/root/.cargo/bin:${PATH}"
-RUN cargo install cargo-deny \
- && curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C /root/.cargo/bin
+RUN curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C /root/.cargo/bin
+
+# cargo-deny: pinned, checksum-verified prebuilt binary. The static musl build
+# runs on glibc too, so every image shares one asset. Installing the binary
+# (instead of `cargo install cargo-deny`) skips a multi-minute source compile.
+ARG CARGO_DENY_VERSION=0.19.8
+ARG CARGO_DENY_SHA256=70e769ae3872e34d45132b17040859175e11401dc12dddb0303e0b8c7d088f3f
+RUN curl -LsSf "https://github.com/EmbarkStudios/cargo-deny/releases/download/${CARGO_DENY_VERSION}/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl.tar.gz" -o /tmp/cargo-deny.tar.gz \
+ && echo "${CARGO_DENY_SHA256} /tmp/cargo-deny.tar.gz" | sha256sum -c - \
+ && tar zxf /tmp/cargo-deny.tar.gz -C /tmp \
+ && install -m 0755 "/tmp/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl/cargo-deny" /root/.cargo/bin/cargo-deny \
+ && rm -rf /tmp/cargo-deny.tar.gz "/tmp/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl" \
+ && cargo-deny --version
 RUN useradd -m -s /bin/bash testuser \
 && useradd -m -s /bin/sh testuser2 \
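Review bot: The rewritten `RUN curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C /root/.cargo/bin` line still fetches an unpinned `latest` archive with no checksum, while the cargo-deny install added directly below it pins both version and sha256, so this layer stays non-reproducible and the commit's "reproducible, sha256-verified install" holds for one of the two tools. Piping straight into `tar` also discards curl's exit status under the default shell (no `pipefail`); a truncated or failed download most likely still errors inside `tar`, but the diagnostic then points at gzip/tar rather than at the fetch. If pinning nextest is out of scope for this commit, a `# TODO: nextest is still fetched as latest without a checksum; pin it like cargo-deny below.` comment on this line records the gap for the next bump. `Dockerfile.alpine` and `Dockerfile.debian` keep the same nextest line as unchanged context, so this applies there as well.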