feat(cargo): support sparse registry indices #20375
Conversation
tofay
force-pushed
the
sparse-registry-cargo
branch
from
83edcee
to
09dfe93
Compare
| Renovate can update dependencies hosted on a private sparse crate registry (<https://doc.rust-lang.org/beta/cargo/reference/registry-index.html#sparse-protocol>). | ||
| Since sparse registries are HTTP based, authentication for Renovate can be configured via additional hostRules. | ||
|
|
||
| Renovate can only update Cargo lockfiles for projects using dependencies from sparse registries if the local Rust toolchain has the sparse-registry feature enabled (i.e beta/nightly/or 1.68 or later - 1.68 is due for release on March 9th 2023). |
There was a problem hiding this comment.
| Renovate can only update Cargo lockfiles for projects using dependencies from sparse registries if the local Rust toolchain has the sparse-registry feature enabled (i.e beta/nightly/or 1.68 or later - 1.68 is due for release on March 9th 2023). | |
| Before Renovate can update Cargo lockfiles for projects using dependencies from sparse registries you must: | |
| - Use Rust `1.68` or later | |
| - Enable the `sparse-registry` feature in your local Rust toolchain |
How about something like this?
The current sentence is too long, and has too much information in one go. So we should split things up into smaller parts. 😉
There was a problem hiding this comment.
Perhaps omit all mention of the sparse-registry feature, which is actually a compilation flag so unlikely something most users can control?
So:
"Before Renovate can update Cargo lockfiles for projects using dependencies from sparse registries you must use Rust 1.68 or later"
The only oddity with that is that Rust 1.68 isn't out yet, but anyone using sparse registries before then is likely using a beta/nightly toolchain, or a self-built with sparse-registry built in (I fall into this camp :)), and can figure out how to get it working.
There was a problem hiding this comment.
Perhaps omit all mention of the sparse-registry feature, which is actually a compilation flag so unlikely something most users can control?
It sounds we have two groups of people here:
- General public who uses Renovate to update Rust dependencies
- Maintainers of Rust repositories who want Renovate to work properly for their published packages
Sounds like the compilation flag sparse-registry is aimed at number 2 then?
I'll let the Renovate maintainers decide what to keep in the docs and what to drop. 😉
The only oddity with that is that Rust 1.68 isn't out yet, but anyone using sparse registries before then is likely using a beta/nightly toolchain, or a self-built with sparse-registry built in (I fall into this camp :)), and can figure out how to get it working.
I'm okay with mentioning the Rust version 1.68 ahead of time. Are you sure that the sparse-registry feature will be included in version 1.68?
There was a problem hiding this comment.
Are you sure that the sparse-registry feature will be included in version 1.68?
Yes, at least that's still the current plan: https://blog.rust-lang.org/inside-rust/2023/01/30/cargo-sparse-protocol.html
Co-authored-by: HonkingGoose <[email protected]>
|
@Turbo87 could you please review? |
|
related discussion |
|
closing as #21187 has landed |
Changes
Allow Renovate to update dependencies from private sparse Rust crate registries.
Context
Sparse registries, documented at https://doc.rust-lang.org/nightly/cargo/reference/registry-index.html#sparse-protocol, use a HTTP file based index rather than git. Per https://blog.rust-lang.org/inside-rust/2023/01/30/cargo-sparse-protocol.html they will stabilize in the next Rust release (1.68). I use them at work, and have started using renovate to keep Rust dependencies up to date.
The directory structure of sparse registries (in particular the index suffixing e.g
fo/ob/foobar) is identical to existing registries. Given that renovate already uses HTTP file based access to the crates.io index on github, this PR mainly consists of detecting thesparse+` prefix of index URLs and reusing the crates-io code path.(I've not touched on authentication here as sparse registries aren't necessarily authenticated. I am running renovate self hosted and have this code working against authenticated sparse registries by:
)
I found #18941 when looking for related issues, though the changes in that draft PR looked specific to JFrog artifactory.
Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via:
I've been running this self-hosted against a few dozen private Azure DevOps repositories that use dependencies from a sparse registry for a couple of weeks, and had PRs raised succesfully.