Merge branch 'main' into squad/1061-fix-flaky-gdb-test

Author: jsturtevant

.github/workflows/ValidatePullRequest.yml

@@ -15,6 +15,7 @@ concurrency:
 
 permissions:
   contents: write
+  pull-requests: read
 
 jobs:
   docs-pr:
@@ -40,9 +41,24 @@ jobs:
             return all_file_count === docs_file_count;
           result-encoding: string
 
+  # Update guest Cargo.lock files for Dependabot PRs.
+  # Dependabot only updates the root Cargo.lock, leaving the guest crate
+  # Cargo.lock files stale. This job updates them before code-checks runs
+  # `cargo fetch --locked` so that the first CI run succeeds.
+  update-guest-locks:
+    if: >-
+      github.event.pull_request.user.login == 'dependabot[bot]' &&
+      github.actor == 'dependabot[bot]'
+    uses: ./.github/workflows/dep_update_guest_locks.yml
+    secrets: inherit
+
   # Build guests once, upload as artifacts for other jobs to download
   build-guests:
-    needs: docs-pr
+    needs: [docs-pr, update-guest-locks]
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     strategy:
       fail-fast: true
       matrix:
@@ -55,7 +71,11 @@ jobs:
 
   # Code checks (fmt, clippy, MSRV) - runs in parallel with build-guests
   code-checks:
-    needs: docs-pr
+    needs: [docs-pr, update-guest-locks]
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     uses: ./.github/workflows/dep_code_checks.yml
     secrets: inherit
     with:
@@ -66,6 +86,10 @@ jobs:
     needs:
       - docs-pr
       - build-guests
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     strategy:
       fail-fast: true
       matrix:
@@ -85,6 +109,10 @@ jobs:
     needs:
       - docs-pr
       - build-guests
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     strategy:
       fail-fast: true
       matrix:
@@ -104,6 +132,10 @@ jobs:
     needs:
       - docs-pr
       - build-guests
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     strategy:
       fail-fast: true
       matrix:
@@ -120,6 +152,10 @@ jobs:
     needs:
       - docs-pr
       - build-guests
+    # Required because update-guest-locks is skipped on non-dependabot PRs,
+    # and a skipped dependency transitively skips all downstream jobs.
+    # See: https://github.com/actions/runner/issues/2205
+    if: ${{ !cancelled() && !failure() }}
     uses: ./.github/workflows/dep_fuzzing.yml
     with:
       targets: '["fuzz_host_print", "fuzz_guest_call", "fuzz_host_call", "fuzz_guest_estimate_trace_event", "fuzz_guest_trace"]' # Pass as a JSON array
@@ -148,6 +184,7 @@ jobs:
   report-ci-status:
     needs:
       - docs-pr
+      - update-guest-locks
       - build-guests
       - code-checks
       - build-test

.github/workflows/dep_code_checks.yml

@@ -64,7 +64,11 @@ jobs:
             src/tests/rust_guests/witguest -> target
 
       - name: Ensure up-to-date Cargo.lock
-        run: cargo fetch --locked
+        run: |
+          cargo fetch --locked
+          cargo fetch --manifest-path src/tests/rust_guests/simpleguest/Cargo.toml --locked
+          cargo fetch --manifest-path src/tests/rust_guests/dummyguest/Cargo.toml --locked
+          cargo fetch --manifest-path src/tests/rust_guests/witguest/Cargo.toml --locked
 
       - name: fmt
         run: just fmt-check
@@ -128,7 +132,11 @@ jobs:
             src/tests/rust_guests/witguest -> target
 
       - name: Ensure up-to-date Cargo.lock
-        run: cargo fetch --locked
+        run: |
+          cargo fetch --locked
+          cargo fetch --manifest-path src/tests/rust_guests/simpleguest/Cargo.toml --locked
+          cargo fetch --manifest-path src/tests/rust_guests/dummyguest/Cargo.toml --locked
+          cargo fetch --manifest-path src/tests/rust_guests/witguest/Cargo.toml --locked
 
       - name: fmt
         run: just fmt-check

.github/workflows/dep_update_guest_locks.yml

@@ -0,0 +1,177 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+# This reusable workflow updates the Cargo.lock files in guest crates when
+# Dependabot updates dependencies. Without this, Dependabot PRs only update the
+# root Cargo.lock, leaving the guest crate Cargo.lock files stale.
+#
+# See: https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions
+
+name: Update Guest Cargo.lock for Dependabot PRs
+
+on:
+  workflow_call:
+
+env:
+  CARGO_TERM_COLOR: always
+
+permissions:
+  contents: read
+  pull-requests: read
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  update-guest-locks:
+    runs-on: [self-hosted, Linux, X64, "1ES.Pool=hld-kvm-amd"]
+    timeout-minutes: 15
+    steps:
+      # Fetch metadata about the Dependabot PR
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      # Only proceed for cargo ecosystem updates
+      - name: Check if cargo update
+        id: check-ecosystem
+        run: |
+          if [ "${{ steps.metadata.outputs.package-ecosystem }}" = "cargo" ]; then
+            echo "is_cargo=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "is_cargo=false" >> "$GITHUB_OUTPUT"
+            echo "Skipping non-cargo dependency update"
+          fi
+
+      # Get GitHub App token for pushing commits back to the PR
+      # Uses the same app as auto-merge-dependabot.yml
+      - name: Get GitHub App token
+        if: steps.check-ecosystem.outputs.is_cargo == 'true'
+        uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          app-id: ${{ secrets.DEPENDABOT_APP_ID }}
+          private-key: ${{ secrets.DEPENDABOT_APP_KEY }}
+          permission-contents: write
+
+      - name: Checkout PR branch
+        if: steps.check-ecosystem.outputs.is_cargo == 'true'
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.get-app-token.outputs.token }}
+          ref: ${{ github.head_ref }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup Rust toolchain
+        if: steps.check-ecosystem.outputs.is_cargo == 'true'
+        uses: hyperlight-dev/ci-setup-workflow@v1.8.0
+        with:
+          rust-toolchain: "1.89"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Fix cargo home permissions
+        if: steps.check-ecosystem.outputs.is_cargo == 'true'
+        run: |
+          sudo chown -R $(id -u):$(id -g) /opt/cargo || true
+
+      - name: Update simpleguest Cargo.lock
+        if: steps.check-ecosystem.outputs.is_cargo == 'true'
+        working-directory: src/tests/rust_guests/simpleguest
+        run: cargo fetch
+
+      - name: Update dummyguest Cargo.lock
+        if: steps.check-ecosystem.outputs.is_cargo == 'true'
+        working-directory: src/tests/rust_guests/dummyguest
+        run: cargo fetch
+
+      - name: Update witguest Cargo.lock
+        if: steps.check-ecosystem.outputs.is_cargo == 'true'
+        working-directory: src/tests/rust_guests/witguest
+        run: cargo fetch
+
+      # Commits created via the Git Data API are automatically signed/verified
+      # by GitHub when authenticated as a GitHub App and no custom author or
+      # committer info is provided.
+      #
+      # References:
+      # - Signature verification for bots:
+      #   https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-bots
+      # - How to Use Commit Signing with GitHub Apps:
+      #   https://github.com/orgs/community/discussions/50055
+      # - Git Data API (Create a commit):
+      #   https://docs.github.com/en/rest/git/commits#create-a-commit
+      - name: Commit and push changes via API
+        if: steps.check-ecosystem.outputs.is_cargo == 'true'
+        env:
+          GH_TOKEN: ${{ steps.get-app-token.outputs.token }}
+          APP_SLUG: ${{ steps.get-app-token.outputs.app-slug }}
+          DEPENDENCY_NAMES: ${{ steps.metadata.outputs.dependency-names }}
+          BRANCH: ${{ github.head_ref }}
+          REPO: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+
+          # Check if there are any changes to the guest Cargo.lock files
+          if git diff --quiet -- src/tests/rust_guests/*/Cargo.lock; then
+            echo "No changes to guest Cargo.lock files"
+            exit 0
+          fi
+
+          echo "Guest Cargo.lock files have changed, committing via API..."
+
+          # Get app identity for DCO sign-off trailer
+          # Use the app-slug output from create-github-app-token (the /app API
+          # endpoint requires JWT auth, not an installation token).
+          app_slug="${APP_SLUG}"
+          app_user_id=$(gh api "/users/${app_slug}[bot]" --jq .id)
+
+          # Get current branch HEAD and its tree
+          HEAD_SHA=$(gh api "/repos/${REPO}/git/ref/heads/${BRANCH}" --jq .object.sha)
+          BASE_TREE=$(gh api "/repos/${REPO}/git/commits/${HEAD_SHA}" --jq .tree.sha)
+
+          # Build tree entries with file content for each changed Cargo.lock.
+          # The tree API accepts "content" directly and creates blobs for us,
+          # avoiding the need for separate blob creation API calls.
+          TREE_JSON="[]"
+          for file in $(git diff --name-only -- src/tests/rust_guests/*/Cargo.lock); do
+            TREE_JSON=$(jq \
+              --arg path "$file" \
+              --arg content "$(cat "$file")" \
+              '. + [{"path": $path, "mode": "100644", "type": "blob", "content": $content}]' \
+              <<< "$TREE_JSON")
+          done
+
+          # Create a new tree with the updated files
+          NEW_TREE=$(jq -n \
+            --arg base "$BASE_TREE" \
+            --argjson tree "$TREE_JSON" \
+            '{"base_tree": $base, "tree": $tree}' | \
+            gh api "/repos/${REPO}/git/trees" --input - --jq .sha)
+
+          # Build commit message with DCO sign-off
+          SIGNOFF="${app_slug}[bot] <${app_user_id}+${app_slug}[bot]@users.noreply.github.com>"
+          COMMIT_MSG=$(printf '%s\n\n%s\n%s\n\n%s' \
+            "chore: update guest Cargo.lock files" \
+            "Automatically updated by dependabot-update-guest-locks workflow." \
+            "Triggered by: ${DEPENDENCY_NAMES}" \
+            "Signed-off-by: ${SIGNOFF}")
+
+          # Create commit via API — GitHub signs it automatically since we
+          # authenticate as the App and omit custom author/committer info.
+          NEW_COMMIT=$(jq -n \
+            --arg msg "$COMMIT_MSG" \
+            --arg tree "$NEW_TREE" \
+            --arg parent "$HEAD_SHA" \
+            '{"message": $msg, "tree": $tree, "parents": [$parent]}' | \
+            gh api "/repos/${REPO}/git/commits" --input - --jq .sha)
+
+          # Update branch ref to point to the new commit
+          gh api "/repos/${REPO}/git/refs/heads/${BRANCH}" \
+            -X PATCH \
+            -f sha="${NEW_COMMIT}"
+
+          echo "Successfully committed and pushed changes"

Cargo.lock

@@ -102,6 +102,9 @@ test-like-ci config=default-target hypervisor="kvm":
 code-checks-like-ci config=default-target hypervisor="kvm":
     @# Ensure up-to-date Cargo.lock
     cargo fetch --locked
+    cargo fetch --manifest-path src/tests/rust_guests/simpleguest/Cargo.toml --locked
+    cargo fetch --manifest-path src/tests/rust_guests/dummyguest/Cargo.toml --locked
+    cargo fetch --manifest-path src/tests/rust_guests/witguest/Cargo.toml --locked
 
     @# fmt
     just fmt-check

Justfile

@@ -16,7 +16,7 @@ workspace = true
 
 [dependencies]
 flatbuffers = { version = "25.12.19", default-features = false }
-anyhow = { version = "1.0.101", default-features = false }
+anyhow = { version = "1.0.102", default-features = false }
 log = "0.4.29"
 tracing = { version = "0.1.44", optional = true }
 arbitrary = {version = "1.4.2", optional = true, features = ["derive"]}

src/hyperlight_common/Cargo.toml

@@ -19,7 +19,7 @@ proc-macro = true
 wasmparser = { version = "0.244.0" }
 quote = { version = "1.0.44" }
 proc-macro2 = { version = "1.0.106" }
-syn = { version = "2.0.114" }
+syn = { version = "2.0.117" }
 itertools = { version = "0.14.0" }
 prettyplease = { version = "0.2.37" }
 hyperlight-component-util = { workspace = true }

src/hyperlight_component_macro/Cargo.toml

@@ -18,7 +18,7 @@ name = "hyperlight_component_util"
 wasmparser = { version = "0.244.0" }
 quote = { version = "1.0.44" }
 proc-macro2 = { version = "1.0.106" }
-syn = { version = "2.0.114" }
+syn = { version = "2.0.117" }
 itertools = { version = "0.14.0" }
 prettyplease = { version = "0.2.37" }
-log = { version = "0.4" }
+tracing = { version = "0.1.44", features = ["log"]}