Harden cross command construction

.github/actions/rust-build-release/src/main.py

@@ -501,19 +501,30 @@ def _normalize_features(features: str) -> str:
     return ",".join(normalized)
 
 
+def _assert_cross_command_has_no_toolchain_override(cmd: cabc.Sequence[object]) -> None:
+    # Cross must not be given a +<toolchain>; rely on rust-toolchain.toml /
+    # rustup override.
+    if any(isinstance(arg, str) and arg.startswith("+") for arg in cmd[1:3]):
+        message = "cross command must not include a +<toolchain> override"
+        raise ValueError(message)
+
+
 def _build_cross_command(
     decision: _CrossDecision, target_to_build: str, manifest_path: Path, features: str
 ) -> SupportsFormulate:
     cross_executable = decision.cross_path or "cross"
     executor = local[cross_executable]
-    build_cmd = executor[
+    cmd: list[object] = [
+        cross_executable,
         "build",
         "--manifest-path",
         str(manifest_path),
         "--release",
         "--target",
         target_to_build,
     ]
+    _assert_cross_command_has_no_toolchain_override(cmd)
+    build_cmd = executor[cmd[1:]]
     normalized_features = _normalize_features(features)
     if normalized_features:
         build_cmd = build_cmd["--features", normalized_features]
@@ -667,6 +678,7 @@ def main(
             build_cmd = typ.cast("_SupportsEnvFormulate", build_cmd).with_env(
                 RUSTUP_TOOLCHAIN=toolchain_name
             )
+        typer.echo(f"::debug:: cross argv: {build_cmd}")
     else:
         build_cmd = _build_cargo_command(
             decision.cargo_toolchain_spec, target_to_build, manifest_argument, features

.github/actions/rust-build-release/tests/test_commands.py

@@ -0,0 +1,145 @@
+"""Regression tests for rust-build-release command construction."""
+
+from __future__ import annotations
+
+import importlib.util
+import os
+import typing as typ
+from pathlib import Path
+
+import pytest
+from plumbum.commands.processes import ProcessExecutionError
+from rust_build_release_test_helpers import assert_no_toolchain_override
+
+SRC_DIR = Path(__file__).resolve().parents[1] / "src"
+REPO_ROOT = Path(__file__).resolve().parents[4]
+
+if typ.TYPE_CHECKING:
+    from types import ModuleType
+
+
+def _make_cross_executable(tmp_path: Path) -> Path:
+    cross_path = tmp_path / "cross"
+    cross_path.write_text("#!/bin/sh\n", encoding="utf-8")
+    cross_path.chmod(cross_path.stat().st_mode | os.X_OK)
+    return cross_path
+
+
+def _load_main_module(monkeypatch: pytest.MonkeyPatch) -> ModuleType:
+    monkeypatch.setenv("GITHUB_ACTION_PATH", str(REPO_ROOT))
+    monkeypatch.syspath_prepend(str(SRC_DIR))
+
+    import packaging
+    import packaging.version as packaging_version
+
+    spec = importlib.util.spec_from_file_location(
+        "rbr_main_commands", SRC_DIR / "main.py"
+    )
+    if spec is None or spec.loader is None:
+        msg = f"failed to load main.py from {SRC_DIR}"
+        raise RuntimeError(msg)
+
+    module = importlib.util.module_from_spec(spec)
+    try:
+        spec.loader.exec_module(module)
+    finally:
+        if getattr(packaging, "version", None) is packaging_version:
+            delattr(packaging, "version")
+    return module
+
+
+def test_build_cross_command_never_injects_toolchain_override(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    """Cross commands start with cross build and omit +toolchain arguments."""
+    main_module = _load_main_module(monkeypatch)
+    cross_path = _make_cross_executable(tmp_path)
+    decision = main_module._CrossDecision(
+        cross_path=str(cross_path),
+        cross_version="0.2.5",
+        use_cross=True,
+        cargo_toolchain_spec="+bogus-nightly",
+        use_cross_local_backend=False,
+        docker_present=True,
+        podman_present=False,
+        has_container=True,
+        container_engine="docker",
+        requires_cross_container=False,
+    )
+
+    cmd = main_module._build_cross_command(
+        decision,
+        "aarch64-unknown-linux-gnu",
+        tmp_path / "Cargo.toml",
+        "",
+    )
+
+    parts = list(cmd.formulate())
+    assert parts[0] == "cross"
+    assert_no_toolchain_override(parts)
+
+
+def test_cross_container_fallback_keeps_cargo_toolchain_override(
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    """The container-error fallback remains cargo-only and keeps +toolchain."""
+    main_module = _load_main_module(monkeypatch)
+    calls: list[list[str]] = []
+
+    def fake_run_cmd(cmd: object) -> None:
+        formulated = list(cmd.formulate())
+        if formulated:
+            formulated[0] = Path(formulated[0]).name
+        calls.append(formulated)
+
+    monkeypatch.setattr(main_module, "run_cmd", fake_run_cmd)
+    decision = main_module._CrossDecision(
+        cross_path="/usr/bin/cross",
+        cross_version="0.2.5",
+        use_cross=True,
+        cargo_toolchain_spec="+bogus-nightly",
+        use_cross_local_backend=False,
+        docker_present=True,
+        podman_present=False,
+        has_container=True,
+        container_engine="docker",
+        requires_cross_container=False,
+    )
+    exc = ProcessExecutionError(["cross", "build"], 125, "", "")
+
+    main_module._handle_cross_container_error(
+        exc,
+        decision,
+        "aarch64-unknown-linux-gnu",
+        tmp_path / "Cargo.toml",
+        "",
+    )
+
+    assert calls == [
+        [
+            "cargo",
+            "+bogus-nightly",
+            "build",
+            "--manifest-path",
+            str(tmp_path / "Cargo.toml"),
+            "--release",
+            "--target",
+            "aarch64-unknown-linux-gnu",
+        ]
+    ]
+
+
+def test_cross_command_guard_rejects_toolchain_override(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """The cross argv guard catches accidental +toolchain injection."""
+    main_module = _load_main_module(monkeypatch)
+    with pytest.raises(
+        ValueError,
+        match=r"cross command must not include a \+<toolchain> override",
+    ):
+        main_module._assert_cross_command_has_no_toolchain_override(
+            ["cross", "+bogus-nightly", "build"]
+        )

Makefile

@@ -16,6 +16,10 @@ clean: ## Remove transient artefacts
 BUILD_JOBS ?=
 MDLINT ?= markdownlint
 NIXIE ?= nixie
+ACTION_VALIDATOR_CANDIDATES := $(wildcard $(HOME)/.cargo/bin/action-validator /usr/local/bin/action-validator /usr/bin/action-validator)
+ACTION_VALIDATOR ?= $(if $(ACTION_VALIDATOR_CANDIDATES),$(firstword $(ACTION_VALIDATOR_CANDIDATES)),action-validator)
+RUFF_CANDIDATES := $(wildcard $(CURDIR)/.venv/bin/ruff $(HOME)/.local/bin/ruff /usr/local/bin/ruff /usr/bin/ruff)
+RUFF ?= $(if $(RUFF_CANDIDATES),$(firstword $(RUFF_CANDIDATES)),uv tool run ruff)
 RUFF_FIX_RULES ?= D202,I001
 
 test: .venv ## Run tests
@@ -30,9 +34,9 @@ endif
 	uv sync --group dev
 
 lint: ## Check test scripts and actions
-	uvx ruff check
+	$(RUFF) check
 	find .github/actions -type f \( -name 'action.yml' -o -name 'action.yaml' \) -print0 \
-	| xargs -r -0 -n1 action-validator
+	| xargs -r -0 -n1 $(ACTION_VALIDATOR)
 
 typecheck: .venv ## Run static type checking with Ty
 	./.venv/bin/ty check \
@@ -58,12 +62,12 @@ typecheck: .venv ## Run static type checking with Ty
 		--extra-search-path .github/actions/macos-package/scripts \
 		.github/actions/macos-package/scripts
 fmt: ## Format Python files and auto-fix selected lint rules
-	uvx ruff format
-	uvx ruff check --select $(RUFF_FIX_RULES) --fix
+	$(RUFF) format
+	$(RUFF) check --select $(RUFF_FIX_RULES) --fix
 
 check-fmt: ## Check Python formatting without modifying files
-	uvx ruff format --check
-	uvx ruff check --select $(RUFF_FIX_RULES)
+	$(RUFF) format --check
+	$(RUFF) check --select $(RUFF_FIX_RULES)
 
 markdownlint: ## Lint Markdown files
 	find . -type f -name '*.md' -not -path './target/*' -print0 | xargs -0 -- $(MDLINT)