ci: enforce Pinned-Dependencies check in CI for PRs

.github/actions/cache/action.yml

@@ -8,12 +8,19 @@
 
 name: Cache
 description: 'Caches cargo dependencies'
+outputs:
+  cache-hit:
+    description: "Cache Hit"
+    value: ${{ steps.cache.outputs.cache-hit }}
 runs:
   using: composite
   steps:
     - uses: actions/cache@v4
+      id: cache
       with:
         path: |
           ~/.cargo/
         key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }}
+        restore-keys: |
+          ${{ runner.os }}-cargo-
 

.github/workflows/ci.yml

@@ -10,16 +10,13 @@ name: Build & Tests
 
 on:
   pull_request:
-  push:
-    branches:
-      - main
-      - v0.6.x
   merge_group:
 
 permissions: read-all
 
 env:
   CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
   RUSTFLAGS: -Dwarnings
   RUSTDOCFLAGS: -Dwarnings
   # `ZC_NIGHTLY_XXX` are flags that we add to `XXX` only on the nightly
@@ -56,10 +53,6 @@ jobs:
           # which a particular feature is supported.
           "zerocopy-core-error",
           "zerocopy-diagnostic-on-unimplemented",
-          "zerocopy-generic-bounds-in-const-fn",
-          "zerocopy-target-has-atomics",
-          "zerocopy-aarch64-simd",
-          "zerocopy-panic-in-const-and-vec-try-reserve"
         ]
         target: [
           "i686-unknown-linux-gnu",
@@ -93,14 +86,6 @@ jobs:
             features: "--all-features"
           - toolchain: "zerocopy-diagnostic-on-unimplemented"
             features: "--all-features"
-          - toolchain: "zerocopy-generic-bounds-in-const-fn"
-            features: "--all-features"
-          - toolchain: "zerocopy-target-has-atomics"
-            features: "--all-features"
-          - toolchain: "zerocopy-aarch64-simd"
-            features: "--all-features"
-          - toolchain: "zerocopy-panic-in-const-and-vec-try-reserve"
-            features: "--all-features"
           # Exclude any combination for the zerocopy-derive crate which
           # uses zerocopy features.
           - crate: "zerocopy-derive"
@@ -117,36 +102,6 @@ jobs:
             toolchain: "zerocopy-core-error"
           - crate: "zerocopy-derive"
             toolchain: "zerocopy-diagnostic-on-unimplemented"
-          - crate: "zerocopy-derive"
-            toolchain: "zerocopy-generic-bounds-in-const-fn"
-          - crate: "zerocopy-derive"
-            toolchain: "zerocopy-target-has-atomics"
-          - crate: "zerocopy-derive"
-            toolchain: "zerocopy-aarch64-simd"
-          - crate: "zerocopy-derive"
-            toolchain: "zerocopy-panic-in-const-and-vec-try-reserve"
-          # Exclude non-aarch64 targets from the `zerocopy-aarch64-simd`
-          # toolchain.
-          - toolchain: "zerocopy-aarch64-simd"
-            target: "i686-unknown-linux-gnu"
-          - toolchain: "zerocopy-aarch64-simd"
-            target: "x86_64-unknown-linux-gnu"
-          - toolchain: "zerocopy-aarch64-simd"
-            target: "arm-unknown-linux-gnueabi"
-          - toolchain: "zerocopy-aarch64-simd"
-            target: "powerpc-unknown-linux-gnu"
-          - toolchain: "zerocopy-aarch64-simd"
-            target: "powerpc64-unknown-linux-gnu"
-          - toolchain: "zerocopy-aarch64-simd"
-            target: "riscv64gc-unknown-linux-gnu"
-          - toolchain: "zerocopy-aarch64-simd"
-            target: "s390x-unknown-linux-gnu"
-          - toolchain: "zerocopy-aarch64-simd"
-            target: "x86_64-pc-windows-msvc"
-          - toolchain: "zerocopy-aarch64-simd"
-            target: "thumbv6m-none-eabi"
-          - toolchain: "zerocopy-aarch64-simd"
-            target: "wasm32-wasi"
           # Exclude most targets targets from the `zerocopy-core-error`
           # toolchain since the `zerocopy-core-error` feature is unrelated to
           # compilation target. This only leaves i686 and x86_64 targets.
@@ -190,28 +145,6 @@ jobs:
             target: "thumbv6m-none-eabi"
           - toolchain: "zerocopy-diagnostic-on-unimplemented"
             target: "wasm32-wasi"
-          # Exclude most targets targets from the
-          # `zerocopy-generic-bounds-in-const-fn` toolchain since the
-          # `zerocopy-generic-bounds-in-const-fn` feature is unrelated to
-          # compilation target. This only leaves i686 and x86_64 targets.
-          - toolchain: "zerocopy-generic-bounds-in-const-fn"
-            target: "arm-unknown-linux-gnueabi"
-          - toolchain: "zerocopy-generic-bounds-in-const-fn"
-            target: "aarch64-unknown-linux-gnu"
-          - toolchain: "zerocopy-generic-bounds-in-const-fn"
-            target: "powerpc-unknown-linux-gnu"
-          - toolchain: "zerocopy-generic-bounds-in-const-fn"
-            target: "powerpc64-unknown-linux-gnu"
-          - toolchain: "zerocopy-generic-bounds-in-const-fn"
-            target: "riscv64gc-unknown-linux-gnu"
-          - toolchain: "zerocopy-generic-bounds-in-const-fn"
-            target: "s390x-unknown-linux-gnu"
-          - toolchain: "zerocopy-generic-bounds-in-const-fn"
-            target: "x86_64-pc-windows-msvc"
-          - toolchain: "zerocopy-generic-bounds-in-const-fn"
-            target: "thumbv6m-none-eabi"
-          - toolchain: "zerocopy-generic-bounds-in-const-fn"
-            target: "wasm32-wasi"
           # Exclude `thumbv6m-none-eabi` combined with any feature that implies
           # the `std` feature since `thumbv6m-none-eabi` does not include a
           # pre-compiled std.
@@ -243,7 +176,7 @@ jobs:
     name: Build & Test (${{ matrix.crate }} / ${{ matrix.toolchain }} / ${{ matrix.features }} / ${{ matrix.target }})
 
     steps:
-    - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Populate cache
       uses: ./.github/actions/cache
@@ -259,7 +192,7 @@ jobs:
         set -eo pipefail
         # Override the exising `syn` dependency with one which requires an exact
         # version.
-        cargo add -p zerocopy-derive 'syn@=2.0.46'
+        cargo add -p zerocopy-derive 'syn@=2.0.79'
 
     - name: Configure environment variables
       run: |
@@ -321,7 +254,7 @@ jobs:
           components: clippy, rust-src ${{ matrix.toolchain == 'nightly' && ', miri' || '' }}
 
     - name: Rust Cache
-      uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
+      uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
       with:
         key: "${{ matrix.target }}"
 
@@ -557,7 +490,7 @@ jobs:
     runs-on: ubuntu-latest        
     name: 'Run tests under Kani'
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: model-checking/kani-github-action@f838096619a707b0f6b2118cf435eaccfa33e51f # v1.1
         with:
           # Use `--features __internal_use_only_features_that_work_on_stable`
@@ -575,6 +508,77 @@ jobs:
           # `roll-pinned-toolchain-versions.yml`.
           kani-version: 0.55.0
 
+  unsafe_fields:
+    runs-on: ubuntu-latest
+    needs: generate_cache
+    strategy:
+      # By default, this is set to `true`, which means that a single CI job
+      # failure will cause all outstanding jobs to be canceled. This slows down
+      # development because it means that errors need to be encountered and
+      # fixed one at a time.
+      fail-fast: false
+      matrix:
+        toolchain: [
+          "msrv",
+          "stable",
+          "nightly",
+        ]
+        features: [
+          "",
+          "--features zerocopy_0_8",
+        ]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Configure environment variables
+        run: |
+          set -eo pipefail
+          ZC_TOOLCHAIN="$(./cargo.sh --version ${{ matrix.toolchain }})"
+          echo "ZC_TOOLCHAIN=$ZC_TOOLCHAIN" >> $GITHUB_ENV
+      - name: Install stable Rust for use in 'cargo.sh'
+        uses: dtolnay/rust-toolchain@00b49be78f40fba4e87296b2ead62868750bdd83 # stable
+        with:
+          toolchain: stable
+      - name: Install Rust with nightly toolchain (${{ env.ZC_TOOLCHAIN }}) and target aarch64_be-unknown-linux-gnu
+        uses: dtolnay/rust-toolchain@00b49be78f40fba4e87296b2ead62868750bdd83 # stable
+        with:
+          toolchain: ${{ env.ZC_TOOLCHAIN }}
+          components: clippy, rust-src
+      - name: Check
+        run: ./cargo.sh +${{ matrix.toolchain }} check --package unsafe-fields ${{ matrix.features }} --verbose
+      - name: Check tests
+        run: ./cargo.sh +${{ matrix.toolchain }} check --tests --package unsafe-fields ${{ matrix.features }} --verbose
+      - name: Build
+        run: ./cargo.sh +${{ matrix.toolchain }} build --package unsafe-fields ${{ matrix.features }} --verbose
+      - name: Run tests
+        run: ./cargo.sh +${{ matrix.toolchain }} test --package unsafe-fields ${{ matrix.features }} --verbose
+      - name: Clippy
+        run: ./cargo.sh +${{ matrix.toolchain }} clippy --package unsafe-fields ${{ matrix.features }} --verbose
+        # See comment in next step for why we only run on nightly.
+        if: matrix.toolchain == 'nightly'
+      - name: Clippy tests
+        run: ./cargo.sh +${{ matrix.toolchain }} clippy --package unsafe-fields --tests ${{ matrix.features }} --verbose
+        # Clippy improves the accuracy of lints over time, and fixes bugs. Only
+        # running Clippy on nightly allows us to avoid having to write code
+        # which is compatible with older versions of Clippy, which sometimes
+        # requires hacks to work around limitations that are fixed in more
+        # recent versions.
+        if: matrix.toolchain == 'nightly'
+      - name: Cargo doc
+        # We pass --document-private-items and --document-hidden items to ensure
+        # that documentation always builds even for these items. This makes
+        # future changes to make those items public/non-hidden more painless.
+        # Note that --document-hidden-items is unstable; if a future release
+        # breaks or removes it, we can just update CI to no longer pass that
+        # flag.
+        run: |
+          # Include arguments passed during docs.rs deployments to make sure those
+          # work properly.
+          set -eo pipefail
+          METADATA_DOCS_RS_RUSTDOC_ARGS="$(cargo metadata --format-version 1 | \
+            jq -r ".packages[] | select(.name == \"unsafe-fields\").metadata.docs.rs.\"rustdoc-args\"[]" | tr '\n' ' ')"
+          export RUSTDOCFLAGS="${{ matrix.toolchain == 'nightly' && '-Z unstable-options --document-hidden-items $METADATA_DOCS_RS_RUSTDOC_ARGS'|| '' }} $RUSTDOCFLAGS"
+          ./cargo.sh +${{ matrix.toolchain }} doc --document-private-items --package unsafe-fields --all-features
+
   # NEON intrinsics are currently broken on big-endian platforms. [1] This test ensures
   # that we don't accidentally attempt to compile these intrinsics on such platforms. We
   # can't use this as part of the build matrix because rustup doesn't support the
@@ -585,7 +589,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Build (zerocopy / nightly / --simd / aarch64_be-unknown-linux-gnu)
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Configure environment variables
         run: |
           set -eo pipefail
@@ -594,7 +598,7 @@ jobs:
           echo "RUSTFLAGS=$RUSTFLAGS" >> $GITHUB_ENV
           echo "ZC_TOOLCHAIN=$ZC_TOOLCHAIN" >> $GITHUB_ENV
       - name: Rust Cache
-        uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
+        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5
         with:
           key: aarch64_be-unknown-linux-gnu
       - name: Install stable Rust for use in 'cargo.sh'
@@ -613,7 +617,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Check Rust formatting
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Check Rust formatting
         run: ./ci/check_fmt.sh
 
@@ -622,7 +626,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Check README.md
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Populate cache
         uses: ./.github/actions/cache
@@ -635,7 +639,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Check crate versions match
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Populate cache
         uses: ./.github/actions/cache
@@ -650,12 +654,13 @@ jobs:
     runs-on: ubuntu-latest
     name: Generate cache
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Populate cache
+      - id: populate-cache
         uses: ./.github/actions/cache
 
       - name: Download dependencies
+        if: steps.populate-cache.outputs.cache-hit != 'true'
         run: |
           # Ensure all dependencies are downloaded - both for our crates and for
           # tools we use in CI. We don't care about these tools succeeding for
@@ -681,7 +686,7 @@ jobs:
           #
           # TODO(#1595): Debug why this step is still necessary after #1564 and
           # maybe remove it.
-          cargo add -p zerocopy-derive 'syn@=2.0.46' &> /dev/null
+          cargo add -p zerocopy-derive 'syn@=2.0.79' &> /dev/null
 
           cargo check --workspace --tests            &> /dev/null &
           cargo metadata                             &> /dev/null &
@@ -698,7 +703,7 @@ jobs:
     steps:
       - name: Install yq (for YAML parsing)
         run: go install github.com/mikefarah/yq/v4@latest
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run check
         run: ./ci/check_all_toolchains_tested.sh
 
@@ -708,7 +713,7 @@ jobs:
     steps:
       - name: Install yq (for YAML parsing)
         run: go install github.com/mikefarah/yq/v4@latest
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run dependency check
         run: ./ci/check_job_dependencies.sh
 
@@ -718,7 +723,7 @@ jobs:
     steps:
       - name: Install yq (for YAML parsing)
         run: go install github.com/mikefarah/yq/v4@latest
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run dependency check
         # Ensure that Git hooks execute successfully.
         #
@@ -738,7 +743,7 @@ jobs:
       # https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/troubleshooting-required-status-checks#handling-skipped-but-required-checks
       if: failure()
       runs-on: ubuntu-latest
-      needs: [build_test, kani,check_be_aarch64 , check_fmt, check_readme, check_versions, generate_cache, check-all-toolchains-tested, check-job-dependencies, run-git-hooks]
+      needs: [build_test, kani,check_be_aarch64, check_fmt, check_readme, check_versions, generate_cache, check-all-toolchains-tested, check-job-dependencies, run-git-hooks, unsafe_fields]
       steps:
         - name: Mark the job as failed
           run: exit 1

.github/workflows/dependency-review.yml

@@ -30,6 +30,6 @@ jobs:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0

.github/workflows/docs.yml

@@ -27,7 +27,7 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Configure environment variables
         run: |
           set -eo pipefail

.github/workflows/release-crate-version.yml

@@ -26,7 +26,7 @@ jobs:
     name: Release new crate versions
     steps:
       - name: Checkout code
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.inputs.branch }}
           persist-credentials: false

.github/workflows/roll-pinned-toolchain-versions.yml

@@ -35,11 +35,11 @@ jobs:
       fail-fast: false
       matrix:
         toolchain: ["stable", "nightly"]
-        branch: ["main"]
+        branch: ["main", "v0.8.x"]
     name: Roll pinned toolchain ${{ matrix.toolchain }} version on ${{ matrix.branch }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ matrix.branch }}
           persist-credentials: false
@@ -148,7 +148,7 @@ jobs:
     name: Roll pinned Kani version
     steps:
       - name: Checkout code
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ matrix.branch }}
           persist-credentials: false