refactor: kind of everything

.cargo/config.toml

@@ -0,0 +1,2 @@
+[alias]
+xtask = "run -p xtask --"

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -10,7 +10,6 @@ body:
         Before submitting, please search existing issues to avoid duplicates. If a similar issue exists, comment there instead of opening a new one.
 
         To help us resolve the issue efficiently, please provide the necessary details below.
-
   - type: textarea
     id: bug-description
     attributes:
@@ -19,7 +18,6 @@ body:
       placeholder: Provide a clear and concise description of the problem, including what you expected to happen and what actually occurred.
     validations:
       required: true
-
   - type: textarea
     id: environment
     attributes:

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -9,15 +9,13 @@ body:
         A clear and concise description of what the problem is.
     validations:
       required: true
-
   - type: textarea
     attributes:
       label: Describe the solution you'd like
       description: |
         A clear and concise description of what you'd like to happen.
     validations:
       required: true
-
   - type: textarea
     attributes:
       label: Additional context

.github/actions/rust-toolchain-yq/action.yml

@@ -0,0 +1,82 @@
+name: "Rust toolchain (from rust-toolchain.toml)"
+description: "Installs yq, reads rust-toolchain.toml, and installs that Rust toolchain via dtolnay/rust-toolchain."
+inputs:
+  targets:
+    description: "Comma-separated Rust target triples to install"
+    required: false
+    default: ""
+  components:
+    description: "Comma-separated Rust components to install"
+    required: false
+    default: ""
+outputs:
+  toolchain:
+    description: "Resolved toolchain channel"
+    value: ${{ steps.get_toolchain.outputs.toolchain }}
+runs:
+  using: "composite"
+  steps:
+    - name: Install yq (mikefarah)
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        version="v4.50.1"
+
+        os="${RUNNER_OS}"     # Linux|macOS|Windows
+        arch="${RUNNER_ARCH}" # X64|ARM64
+
+        case "${os}" in
+          Linux) platform="linux"; ext="" ;;
+          macOS) platform="darwin"; ext="" ;;
+          Windows) platform="windows"; ext=".exe" ;;
+          *) echo "Unsupported runner OS: ${os}" >&2; exit 1 ;;
+        esac
+
+        case "${arch}" in
+          X64) cpu="amd64" ;;
+          ARM64) cpu="arm64" ;;
+          *) echo "Unsupported runner arch: ${arch}" >&2; exit 1 ;;
+        esac
+
+        url="https://github.com/mikefarah/yq/releases/download/${version}/yq_${platform}_${cpu}${ext}"
+
+        install_dir="${RUNNER_TEMP}/yq"
+        mkdir -p "${install_dir}"
+        bin="${install_dir}/yq${ext}"
+
+        echo "Downloading ${url}" >&2
+
+        if [[ "${os}" == "Windows" ]]; then
+          powershell -NoProfile -Command "Invoke-WebRequest -Uri '${url}' -OutFile '${bin}'"
+        else
+          curl -fsSL "${url}" -o "${bin}"
+        fi
+
+        if [[ "${os}" != "Windows" ]]; then
+          chmod +x "${bin}"
+        fi
+
+        echo "${install_dir}" >> "${GITHUB_PATH}"
+
+        "${bin}" --version
+    - name: Get toolchain from rust-toolchain.toml
+      id: get_toolchain
+      shell: bash
+      run: |
+        ext=""
+        if [[ "${RUNNER_OS}" == "Windows" ]]; then
+          ext=".exe"
+        fi
+        toolchain="$(${RUNNER_TEMP}/yq/yq${ext} -r '.toolchain.channel' rust-toolchain.toml)"
+        if [[ -z "${toolchain}" || "${toolchain}" == "null" ]]; then
+          echo "Could not determine toolchain from rust-toolchain.toml" >&2
+          exit 1
+        fi
+        echo "toolchain=${toolchain}" >> "${GITHUB_OUTPUT}"
+    - name: Install Rust toolchain
+      uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561
+      with:
+        toolchain: ${{ steps.get_toolchain.outputs.toolchain }}
+        targets: ${{ inputs.targets }}
+        components: ${{ inputs.components }}

.github/dependabot.yml

@@ -10,24 +10,22 @@ updates:
         update-types:
           - patch
           - minor
+    cooldown:
+      default-days: 7
   - package-ecosystem: github-actions
     directory: "/"
     schedule:
       interval: weekly
-  - package-ecosystem: npm
-    directory: "/vscode"
-    schedule:
-      interval: weekly
     groups:
       version:
         applies-to: version-updates
         update-types:
           - patch
           - minor
-    ignore:
-      - dependency-name: "@types/vscode"
-  - package-ecosystem: docker
-    directory: "/"
+    cooldown:
+      default-days: 7
+  - package-ecosystem: npm
+    directory: "/vscode"
     schedule:
       interval: weekly
     groups:
@@ -36,8 +34,10 @@ updates:
         update-types:
           - patch
           - minor
-  - package-ecosystem: npm
-    directory: "/scripts"
+    cooldown:
+      default-days: 7
+  - package-ecosystem: docker
+    directory: "/"
     schedule:
       interval: weekly
     groups:
@@ -46,4 +46,5 @@ updates:
         update-types:
           - patch
           - minor
-          - major
+    cooldown:
+      default-days: 7

.github/workflows/build.yaml → .github/workflows/build.yml

@@ -1,41 +1,41 @@
 name: Build RustOwl
-
 on:
   push:
     branches: ["main"]
-  pull_request:
-    types: ["labeled"]
   workflow_dispatch:
   workflow_call:
     outputs:
       run_id:
         description: Run ID of this workflow
         value: ${{ github.run_id }}
-
 jobs:
   rustowl:
-    if: github.event.action != 'labeled' || github.event.label.name == 'do-build-check'
     strategy:
       matrix:
-        os:
-          - ubuntu-24.04
-          - ubuntu-24.04-arm
-          - macos-15
-          - macos-13
-          - windows-2022
-          - windows-11-arm
-
+        include:
+          - os: ubuntu-24.04
+            target: x86_64-unknown-linux-gnu
+          - os: ubuntu-24.04-arm
+            target: aarch64-unknown-linux-gnu
+          - os: macos-15
+            target: aarch64-apple-darwin
+          - os: macos-15-intel
+            target: x86_64-apple-darwin
+          - os: windows-2022
+            target: x86_64-pc-windows-msvc
+          - os: windows-11-arm
+            target: aarch64-pc-windows-msvc
     runs-on: ${{ matrix.os }}
     permissions:
       contents: write
     defaults:
       run:
         shell: bash
-
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
-
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       # Using fat LTO causes failure to link on Windows ARM
       - name: Set build profile
         run: |
@@ -44,56 +44,47 @@ jobs:
           else
             echo "build_profile=release" >> $GITHUB_ENV
           fi
-
       # uname on Windows on ARM returns "x86_64"
       - name: Set ARCH flag for Windows on ARM
         if: matrix.os == 'windows-11-arm'
         run: echo "TOOLCHAIN_ARCH=aarch64" >> $GITHUB_ENV
-
       - name: setup env
         run: |
-          host_tuple="$(./scripts/build/toolchain eval 'echo $HOST_TUPLE')"
-          echo "host_tuple=$host_tuple" >> $GITHUB_ENV
-          toolchain="$(./scripts/build/toolchain eval 'echo $RUSTOWL_TOOLCHAIN')"
+          toolchain="$(cargo xtask toolchain sh -lc 'echo $RUSTOWL_TOOLCHAIN')"
           echo "toolchain=$toolchain" >> $GITHUB_ENV
 
-          ([[ "$host_tuple" == *msvc* ]] && echo "exec_ext=.exe" || echo "exec_ext=") >> $GITHUB_ENV
-          ([[ "$host_tuple" == *windows* ]] && echo "is_windows=true" || echo "is_windows=false") >> $GITHUB_ENV
-          ([[ "$host_tuple" == *linux* ]] && echo "is_linux=true" || echo "is_linux=false") >> $GITHUB_ENV
-
+          ([[ "${{ matrix.target }}" == *msvc* ]] && echo "exec_ext=.exe" || echo "exec_ext=") >> $GITHUB_ENV
+          ([[ "${{ matrix.target }}" == *windows* ]] && echo "is_windows=true" || echo "is_windows=false") >> $GITHUB_ENV
+          ([[ "${{ matrix.target }}" == *linux* ]] && echo "is_linux=true" || echo "is_linux=false") >> $GITHUB_ENV
       - name: Install zig
         if: ${{ env.is_linux == 'true' }}
-        uses: mlugg/setup-zig@v2
+        uses: mlugg/setup-zig@e7d1537c378b83b8049f65dda471d87a2f7b2df2 # v2.2.0
         with:
           version: 0.13.0
-
       - name: Build
         run: |
           if [[ "${{ env.is_linux }}" == "true" ]]; then
-            ./scripts/build/toolchain cargo install --locked cargo-zigbuild
-            ./scripts/build/toolchain cargo zigbuild --target ${{ env.host_tuple }}.2.17 --profile=${{ env.build_profile }}
+            cargo xtask toolchain cargo install --locked cargo-zigbuild
+            cargo xtask toolchain cargo zigbuild --target ${{ matrix.target }}.2.17 --profile=${{ env.build_profile }}
           else
-            ./scripts/build/toolchain cargo build --target ${{ env.host_tuple }} --profile=${{ env.build_profile }}
+            cargo xtask toolchain cargo build --target ${{ matrix.target }} --profile=${{ env.build_profile }}
           fi
-
       - name: Check the functionality
         run: |
-          ./target/${{ env.host_tuple }}/${{ env.build_profile }}/rustowl${{ env.exec_ext }} check ./perf-tests/dummy-package
-
+          ./target/${{ matrix.target }}/${{ env.build_profile }}/rustowl${{ env.exec_ext }} check ./perf-tests/dummy-package
       - name: Set archive name
         run: |
           if [[ "${{ env.is_windows }}" == "true" ]]; then
-            echo "archive_name=rustowl-${{ env.host_tuple }}.zip" >> $GITHUB_ENV
+            echo "archive_name=rustowl-${{ matrix.target }}.zip" >> $GITHUB_ENV
           else
-            echo "archive_name=rustowl-${{ env.host_tuple }}.tar.gz" >> $GITHUB_ENV
+            echo "archive_name=rustowl-${{ matrix.target }}.tar.gz" >> $GITHUB_ENV
           fi
-
       - name: Setup archive artifacts
         run: |
           rm -rf rustowl && mkdir -p rustowl/sysroot/${{ env.toolchain }}/bin
 
-          cp target/${{ env.host_tuple }}/${{ env.build_profile }}/rustowl${{ env.exec_ext }} ./rustowl/
-          cp target/${{ env.host_tuple }}/${{ env.build_profile }}/rustowlc${{ env.exec_ext }} ./rustowl/sysroot/${{ env.toolchain }}/bin
+          cp target/${{ matrix.target }}/${{ env.build_profile }}/rustowl${{ env.exec_ext }} ./rustowl/
+          cp target/${{ matrix.target }}/${{ env.build_profile }}/rustowlc${{ env.exec_ext }} ./rustowl/sysroot/${{ env.toolchain }}/bin
 
           cp README.md ./rustowl
           cp LICENSE ./rustowl
@@ -112,44 +103,38 @@ jobs:
             cd ..
           fi
 
-          cp ./rustowl/rustowl${{ env.exec_ext }} ./rustowl-${{ env.host_tuple }}${{ env.exec_ext }}
-
+          cp ./rustowl/rustowl${{ env.exec_ext }} ./rustowl-${{ matrix.target }}${{ env.exec_ext }}
       - name: Upload
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
-          name: rustowl-runtime-${{ env.host_tuple }}
+          name: rustowl-runtime-${{ matrix.target }}
           path: |
-            rustowl-${{ env.host_tuple }}${{ env.exec_ext }}
+            rustowl-${{ matrix.target }}${{ env.exec_ext }}
             ${{ env.archive_name }}
-
   vscode:
-    if: github.event.action != 'labeled' || github.event.label.name == 'do-build-check'
     runs-on: ubuntu-latest
     permissions:
       contents: write
-
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
-
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: 20
-
       - name: Setup PNPM And Install dependencies
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           package_json_file: ./vscode/package.json
           run_install: |
             - cwd: ./vscode
-
       - name: Create VSIX
         run: pnpm build
         working-directory: ./vscode
-
       - name: Upload
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: rustowl-vscode
           path: vscode/**/*.vsix

.github/workflows/changelog.yml

@@ -1,25 +1,22 @@
 name: Generate Changelog
-
 on:
   workflow_dispatch:
-
 jobs:
   changelogen:
     runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
-
+          persist-credentials: false
       - run: |
           docker pull quay.io/git-chglog/git-chglog:latest
           docker run -v "$PWD":/workdir quay.io/git-chglog/git-chglog --tag-filter-pattern '^v\d+\.\d+\.\d+$' -o CHANGELOG.md
-
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
         with:
           add-paths: |
             CHANGELOG.md