[zizmor] ignore superfluous-actions

[ShaharNaveh]

Summary by CodeRabbit

• Chores
  • Updated CI provisioning to install and manage Rust toolchains and components explicitly for more consistent, reproducible builds.
  • Improved CI coverage and testing for WASM targets and adjusted nightly testing configuration for improved reliability.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 1a3c5014-0b14-4de8-a4e7-25274ceb73f1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Replaced the dtolnay/rust-toolchain GitHub Action with explicit rustup commands across CI jobs (stable, lint, miri, wasm, wasm-wasi). Adjusted component installs to use rustup component add and renamed the miri job environment variable from NIGHTLY_CHANNEL to RUSTUP_TOOLCHAIN.

Changes

Cohort / File(s)	Summary
CI Workflow Configuration .github/workflows/ci.yaml	Replaced dtolnay/rust-toolchain action usage with explicit rustup toolchain install and rustup component add commands across stable, lint, miri, wasm, and wasm-wasi jobs. For miri job, renamed env var NIGHTLY_CHANNEL → RUSTUP_TOOLCHAIN and switched component installation to rustup component add miri. Added --target wasm32-wasip1 where required for wasm-wasi steps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Pin rust-toolchain action to a commit hash - part 1 #7500: Adjusts dtolnay/rust-toolchain action usage in the same CI workflow.
• Unpin Rust nightly in CI #6022: Modifies miri job toolchain handling and nightly environment variable in the CI workflow.
• fix miri ci #7093: Updates the miri job in .github/workflows/ci.yaml, touching related env/config steps.

Suggested reviewers

• youknowone

Poem

🐰 I hopped through CI with a tap and a grin,

Swapped actions for rustup — let installs begin,
Components now added with crisp, tidy flair,
Miri renamed its channel with gentle care,
CI hums along — carrots for all who dare. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title '[zizmor] ignore superfluous-actions' does not match the actual changes, which involve replacing dtolnay/rust-toolchain actions with direct rustup commands in the CI workflow.	Update the title to accurately reflect the main change, such as 'Use rustup in ci.yaml' or 'Replace dtolnay/rust-toolchain action with direct rustup commands' to match the actual modifications.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

.github/workflows/ci.yaml (2)

414-427: ⚠️ Potential issue | 🔴 Critical

Update the miri command to use the correct toolchain variable.

Line 414 defines the job environment variable RUSTUP_TOOLCHAIN: nightly, but Line 427 references the non-existent env.NIGHTLY_CHANNEL. Since RUSTUP_TOOLCHAIN is already set at the job level, the +${{ env.NIGHTLY_CHANNEL }} prefix should be removed entirely—cargo will automatically use the nightly toolchain without it.

🛠️ Proposed fix

       - name: Run tests under miri
-        run: cargo +${{ env.NIGHTLY_CHANNEL }} miri test -p rustpython-vm -- miri_test
+        run: cargo miri test -p rustpython-vm -- miri_test

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yaml around lines 414 - 427, The workflow uses
RUSTUP_TOOLCHAIN: nightly but the "Run tests under miri" step calls cargo with a
non-existent toolchain variable (+${{ env.NIGHTLY_CHANNEL }}); remove the +${{
env.NIGHTLY_CHANNEL }} prefix from the "cargo +... miri test -p rustpython-vm --
miri_test" command so it simply runs "cargo miri test -p rustpython-vm --
miri_test" and relies on the job-level RUSTUP_TOOLCHAIN setting.

---

360-364: ⚠️ Potential issue | 🔴 Critical

Split the rustfmt install into its own step.

This step has both uses and run, which violates GitHub Actions workflow syntax. A single step cannot define both keys. Move rustup component add rustfmt --toolchain=stable into a separate step.

🛠️ Proposed fix

       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}

-        run: rustup component add rustfmt --toolchain=stable
+      - name: Install rustfmt
+        run: rustup component add rustfmt --toolchain=stable

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yaml around lines 360 - 364, The workflow step
currently mixes an action usage and a run command (the step with uses:
actions/setup-python@a309ff8b426b58ec0e45f0f869d46889d02405 and the run: rustup
component add rustfmt --toolchain=stable), which is invalid; fix it by removing
the run from that step and creating a new standalone step that only runs the
command "rustup component add rustfmt --toolchain=stable" (ensure the new step
appears after the setup-python step and uses only the run key), referencing the
existing actions/setup-python step to keep ordering.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/ci.yaml:
- Around line 414-427: The workflow uses RUSTUP_TOOLCHAIN: nightly but the "Run
tests under miri" step calls cargo with a non-existent toolchain variable (+${{
env.NIGHTLY_CHANNEL }}); remove the +${{ env.NIGHTLY_CHANNEL }} prefix from the
"cargo +... miri test -p rustpython-vm -- miri_test" command so it simply runs
"cargo miri test -p rustpython-vm -- miri_test" and relies on the job-level
RUSTUP_TOOLCHAIN setting.
- Around line 360-364: The workflow step currently mixes an action usage and a
run command (the step with uses:
actions/setup-python@a309ff8b426b58ec0e45f0f869d46889d02405 and the run: rustup
component add rustfmt --toolchain=stable), which is invalid; fix it by removing
the run from that step and creating a new standalone step that only runs the
command "rustup component add rustfmt --toolchain=stable" (ensure the new step
appears after the setup-python step and uses only the run key), referencing the
existing actions/setup-python step to keep ordering.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: b9692e1e-c0cf-422a-9d2f-06acfe2af859

📥 Commits

Reviewing files that changed from the base of the PR and between b275a90 and a49d7e5.

📒 Files selected for processing (1)

• .github/workflows/ci.yaml

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/ci.yaml (1)

414-427: ⚠️ Potential issue | 🔴 Critical

Update the Miri command to reference the correct environment variable.

Line 427 references env.NIGHTLY_CHANNEL, which is undefined. The job defines RUSTUP_TOOLCHAIN: nightly at line 414. The cargo command will fail when expanded to cargo + (with empty toolchain). Update to use the defined variable:

Suggested fix

-        run: cargo +${{ env.NIGHTLY_CHANNEL }} miri test -p rustpython-vm -- miri_test
+        run: cargo +${{ env.RUSTUP_TOOLCHAIN }} miri test -p rustpython-vm -- miri_test

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yaml around lines 414 - 427, The Miri test step uses an
undefined env var NIGHTLY_CHANNEL; update the "Run tests under miri" step to use
the defined RUSTUP_TOOLCHAIN variable (or the literal "nightly") so the cargo
+<toolchain> invocation expands correctly — change the cargo command that
references env.NIGHTLY_CHANNEL to reference env.RUSTUP_TOOLCHAIN (or hardcode
"nightly") in that step.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 50-53: The Miri job is using an undefined env var `${{
env.NIGHTLY_CHANNEL }}` and several "stable" jobs install stable but don't force
it for subsequent cargo commands; update the Miri step that runs `cargo +${{
env.NIGHTLY_CHANNEL }} miri test` to use a concrete toolchain (either `cargo
+nightly miri test` or `cargo +${{ env.RUSTUP_TOOLCHAIN }} miri test`) and
ensure the MUST-FIX env is `RUSTUP_TOOLCHAIN: nightly` where that job sets it;
for each job that installs `stable` (where `rustup toolchain install stable` is
run) either add `RUSTUP_TOOLCHAIN: stable` at the job-level env or change
subsequent invocations like `cargo clippy`, `cargo shear`, and other `cargo ...`
steps to explicitly run `cargo +stable ...` so they deterministically use the
stable toolchain.

---

Outside diff comments:
In @.github/workflows/ci.yaml:
- Around line 414-427: The Miri test step uses an undefined env var
NIGHTLY_CHANNEL; update the "Run tests under miri" step to use the defined
RUSTUP_TOOLCHAIN variable (or the literal "nightly") so the cargo +<toolchain>
invocation expands correctly — change the cargo command that references
env.NIGHTLY_CHANNEL to reference env.RUSTUP_TOOLCHAIN (or hardcode "nightly") in
that step.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 5bda2a95-4ca3-4b4f-9a59-1eb46e269f5e

📥 Commits

Reviewing files that changed from the base of the PR and between a49d7e5 and 211f6e7.

📒 Files selected for processing (1)

• .github/workflows/ci.yaml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Stable provisioning:"
rg -n 'rustup toolchain install stable|rustup component add .*--toolchain=stable' .github/workflows/ci.yaml

echo
echo "Explicit toolchain selection:"
rg -n 'RUSTUP_TOOLCHAIN:|cargo \+stable|rustup (default|override set) stable' .github/workflows/ci.yaml

Repository: RustPython/RustPython

Length of output: 594

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Lines with stable provisioning and surrounding context (10 lines after) ==="
for line in 50 170 251 364 444 519; do
  echo "--- Line $line ---"
  sed -n "${line},$((line+10))p" .github/workflows/ci.yaml
  echo
done

echo "=== Checking for NIGHTLY_CHANNEL definition ==="
rg -n 'NIGHTLY_CHANNEL' .github/workflows/ci.yaml

echo "=== Line 414 context and following 15 lines ==="
sed -n '414,429p' .github/workflows/ci.yaml

Repository: RustPython/RustPython

Length of output: 3382

---

Fix undefined environment variable and explicitly select stable toolchain.

Two related issues:

1. Critical bug at line 427: The Miri job references ${{ env.NIGHTLY_CHANNEL }}, which is never defined. The job sets RUSTUP_TOOLCHAIN: nightly (line 414) but uses the wrong environment variable name. Replace cargo +${{ env.NIGHTLY_CHANNEL }} miri test with either cargo +nightly miri test or cargo +${{ env.RUSTUP_TOOLCHAIN }} miri test.

2. Stable jobs don't deterministically select stable: Lines 50, 170, 251, 364, 444, and 519 provision stable, but the subsequent cargo invocations in those jobs (e.g., cargo clippy, cargo shear) don't explicitly specify the toolchain. These steps will use whatever toolchain is default on the runner image, not the newly installed stable. Add RUSTUP_TOOLCHAIN: stable at the job level, or use cargo +stable ... in subsequent build commands.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yaml around lines 50 - 53, The Miri job is using an
undefined env var `${{ env.NIGHTLY_CHANNEL }}` and several "stable" jobs install
stable but don't force it for subsequent cargo commands; update the Miri step
that runs `cargo +${{ env.NIGHTLY_CHANNEL }} miri test` to use a concrete
toolchain (either `cargo +nightly miri test` or `cargo +${{ env.RUSTUP_TOOLCHAIN
}} miri test`) and ensure the MUST-FIX env is `RUSTUP_TOOLCHAIN: nightly` where
that job sets it; for each job that installs `stable` (where `rustup toolchain
install stable` is run) either add `RUSTUP_TOOLCHAIN: stable` at the job-level
env or change subsequent invocations like `cargo clippy`, `cargo shear`, and
other `cargo ...` steps to explicitly run `cargo +stable ...` so they
deterministically use the stable toolchain.

[youknowone]

any reason to change? dtolnay/rust-toolchain is very well established workflow for many rust projects. it is even more useful when we are targetting (stable - 2) versions unlike now.

[ShaharNaveh]

any reason to change? dtolnay/rust-toolchain is very well established workflow for many rust projects. it is even more useful when we are targetting (stable - 2) versions unlike now.

The initial motivation of this PR was to resolve "note" level warnings from zizmor, as the functionality of dtolnay/rust-toolchain is already present in the runner (by running rustup). but after thinking about it I realized that it reduces our risk of compromise (one less attack surface, in case that action gets compromised somehow), but I'm not sure how worth it tbh. either way, if this is not the way to go, then I'd rather config zizmor to ignore this action as superfluous-actions

[ShaharNaveh]

After reading zizmorcore/zizmor#1817 I've changed my mind. I'll make zizmor to ignore this, and shift this PR to ignore this rule instead