diff --git a/Dockerfile b/Dockerfile
index 14afe8d..9435874 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -213,13 +213,24 @@ RUN curl -fsSL https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --p
 # at runtime). The /caches/cargo/bin/ dir IS volume-shadowed by the host bind
 # mount, so cargo install artifacts there disappear inside the live container.
 USER root
-RUN /home/crafter/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo install \
- --locked --root /usr/local cargo-deny \
- && chmod 755 /usr/local/bin/cargo-deny
-# cargo-audit was historically here but its `git2` C-binding dep needs
-# libgit2-sys which fails in this base. cargo-deny supersedes it for our
-# use: `cargo deny check advisories` does the same RustSec-DB scan that
-# cargo-audit does. The rust audit recipe uses cargo-deny accordingly.
+# Install cargo-deny via the prebuilt linux x86_64 binary from its GitHub
+# release — way more reliable than `cargo install` (which has flaked on
+# both cargo-audit's libgit2-sys dep AND on quote's build script under
+# the /caches/cargo volume contention). cargo-deny supersedes cargo-audit
+# for our purposes: `cargo deny check advisories` runs the same RustSec
+# advisory DB scan that cargo-audit does.
+RUN ARCH="$(dpkg --print-architecture)" \
+ && case "$ARCH" in \
+ amd64) DENY_TARGET=x86_64-unknown-linux-musl ;; \
+ arm64) DENY_TARGET=aarch64-unknown-linux-musl ;; \
+ *) echo "unsupported arch $ARCH for cargo-deny" && exit 1 ;; \
+ esac \
+ && DENY_VERSION=0.16.4 \
+ && curl -fsSL "https://github.com/EmbarkStudios/cargo-deny/releases/download/${DENY_VERSION}/cargo-deny-${DENY_VERSION}-${DENY_TARGET}.tar.gz" -o /tmp/cargo-deny.tgz \
+ && tar -xzf /tmp/cargo-deny.tgz -C /tmp \
+ && cp "/tmp/cargo-deny-${DENY_VERSION}-${DENY_TARGET}/cargo-deny" /usr/local/bin/cargo-deny \
+ && chmod 755 /usr/local/bin/cargo-deny \
+ && rm -rf /tmp/cargo-deny.tgz "/tmp/cargo-deny-${DENY_VERSION}-${DENY_TARGET}"
 USER crafter
 # ============================================================
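Review bot: The new RUN copies a binary downloaded from GitHub into /usr/local/bin with only a version pin and no integrity check on `/tmp/cargo-deny.tgz`, so a replaced or tampered release asset would be installed as an executable on the image's PATH with nothing in the build failing. Pin the expected digest alongside the target in the `case` and verify before `tar` runs: `amd64) DENY_TARGET=x86_64-unknown-linux-musl; DENY_SHA256=<sha256 of the amd64 tarball> ;; \`, `arm64) DENY_TARGET=aarch64-unknown-linux-musl; DENY_SHA256=<sha256 of the arm64 tarball> ;; \`, then after the curl `&& echo "${DENY_SHA256}  /tmp/cargo-deny.tgz" | sha256sum -c - \`. Take the digests from the checksums the release publishes (or compute them once from a download you trust) and bump them together with `DENY_VERSION`; a mismatch then stops the `&&` chain at `sha256sum -c` instead of silently installing. Lifting `DENY_VERSION` into an `ARG` above the RUN would keep version and digests in one visible place rather than mid-chain. The comment above the RUN still says "prebuilt linux x86_64 binary" although the `case` now also selects an aarch64 target, so it should read "prebuilt linux (x86_64/aarch64) musl binary".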