Skip to content

chore: update dependencies #92

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

chore: update dependencies #92

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d6d328f
chore: update dependencies
reneleonhardt Oct 13, 2025
db10bdd
ci: simplify env
reneleonhardt Oct 13, 2025
798e77c
review: update github-actions and pip only once per month
reneleonhardt Oct 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
version: 2
updates:
- package-ecosystem: cargo
directory: /
schedule:
interval: weekly
Comment on lines +3 to +6
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will presumably make Cargo manage the dependencies for all crates. This is not desirable, as most are generated from templates that Dependabot can't update.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure what you mean, dependabot can't manage external crates outside of this repository by creating pull requests inside your repository 😄

directory: / will update all workspace members.
As they are not submodules, they are managed and committed in this repository.

For example, when you bump pqcrypto-traits to 0.3.6, one week later dependabot will create a pull request to update all dependent crates you forgot to update.

But of course it would be much easier if no versions would be declared anyway as all dependencies are using path = already, without version = every crate would always use the latest version of all other crates.

I can't see any reason, but if you really want to exclude some workspace members from being updated, then instead of directory: / (which updates all members) you could explicitly list the members to be updated:

  directories:
  - pqcrypto
  - pqcrypto-classicmceliece
  - pqcrypto-falcon
  - pqcrypto-hqc
  - pqcrypto-internals
  - pqcrypto-mldsa
  - pqcrypto-mlkem
  - pqcrypto-sphincsplus
  - pqcrypto-traits

Copy link
Member

@thomwiggers thomwiggers Oct 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

none of those folders (excepting -traits and -internals) can be managed by Dependabot, because they'd be overwriten by the code in Cargo.toml.j2 from the pqcrypto-template folders.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe there is your answer 😄
Remove version from the template and only let dependabot "manage" non-templated crates?
Or maybe don't let dependabot update any crates because no external dependencies are being used anywhere?

- package-ecosystem: github-actions
directory: /
schedule:
interval: monthly
- package-ecosystem: gitsubmodule
directory: /
schedule:
interval: weekly
- package-ecosystem: pip
directory: /
schedule:
interval: monthly
46 changes: 16 additions & 30 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,13 @@ on:

name: Continuous integration

env:
CARGO_INCREMENTAL: 0
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
# 20 MiB stack
RUST_MIN_STACK: 20971520

jobs:
ci:
runs-on: ubuntu-latest
Expand All @@ -13,24 +20,16 @@ jobs:
- stable
- beta
- nightly
env:
CARGO_TERM_COLOR: always
# 20 MiB stack
RUST_MIN_STACK: 20971520

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
submodules: true

- name: Install Rust
- name: Install Rust ${{ matrix.rust }}
run: |
rustup set auto-self-update disable
rustup toolchain install ${{ matrix.rust }} --profile minimal --component rustfmt,clippy
rustup default ${{ matrix.rust }}
echo CARGO_TERM_COLOR=always >> $GITHUB_ENV
echo CARGO_INCREMENTAL=0 >> $GITHUB_ENV
echo RUST_BACKTRACE=1 >> $GITHUB_ENV

- name: build with cryptographically-insecure turned on (if available)
run: cargo build --features cryptographically-insecure
Expand All @@ -55,13 +54,9 @@ jobs:
- stable
- beta
- nightly
env:
CARGO_TERM_COLOR: always
# 20 MiB stack
RUST_MIN_STACK: 20971520

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
submodules: true

Expand All @@ -70,15 +65,12 @@ jobs:
rustup set auto-self-update disable
rustup toolchain install ${{ matrix.rust }} --profile minimal --component rustfmt,clippy
rustup target add aarch64-linux-android
echo CARGO_TERM_COLOR=always >> $GITHUB_ENV
echo CARGO_INCREMENTAL=0 >> $GITHUB_ENV
echo RUST_BACKTRACE=1 >> $GITHUB_ENV

- name: Setup Android SDK
uses: android-actions/setup-android@07976c6290703d34c16d382cb36445f98bb43b1f #3.2.0
uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 #3.2.2

- name: Setup Android NDK
run: sdkmanager "ndk;26.1.10909125"
run: sdkmanager "ndk;29.0.14206865"

- name: Compile for Android
run: |
Expand All @@ -94,11 +86,8 @@ jobs:
# - stable
# - beta
# - nightly
# env:
# # 20 MiB stack
# RUST_MIN_STACK: 20971520
# steps:
# - uses: actions/checkout@v4
# - uses: actions/checkout@v5
# with:
# submodules: true

Expand All @@ -107,19 +96,16 @@ jobs:
# rustup set auto-self-update disable
# rustup toolchain install ${{ matrix.rust }} --profile minimal --component rustfmt clippy
# rustup default ${{ matrix.rust }}
# echo CARGO_TERM_COLOR=always >> $GITHUB_ENV
# echo CARGO_INCREMENTAL=0 >> $GITHUB_ENV
# echo RUST_BACKTRACE=1 >> $GITHUB_ENV

# - name: Install WASI
# run: cargo install cargo-wasi
# - name: Install wasmtime
# run: curl https://wasmtime.dev/install.sh -sSf | bash
# - name: Install WASI SDK
# run: |
# wget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-12/wasi-sysroot-12.0.tar.gz
# tar -xvzf wasi-sysroot-12.0.tar.gz
# rm wasi-sysroot-12.0.tar.gz
# wget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-27/wasi-sysroot-27.0.tar.gz
# tar -xvzf wasi-sysroot-27.0.tar.gz
# rm wasi-sysroot-27.0.tar.gz
# - name: Run tests
# run: |
# export WASI_SDK_DIR="$(pwd)/wasi-sysroot"
Expand Down
Loading