fix(docker): pin builder to bookworm to avoid glibc runtime mismatch

* fix(docker): pin builder to bookworm for glibc compatibility * ci: skip rust lint on non-Rust PRs and allow 0BSD * ci: pin actionlint action to existing release tag * ci: make docs-only matcher shellcheck-clean --------- Co-authored-by: chumyin <chumyin@users.noreply.github.com>
2026-02-16 04:03:29 +08:00 · 2026-02-16 04:03:29 +08:00 · c80b118963
commit c80b118963
parent 3b7a140aad
4 changed files with 43 additions and 10 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -53,14 +53,18 @@ jobs:
          docs_only=true
          while IFS= read -r file; do
            [ -z "$file" ] && continue
-            case "$file" in
-              docs/*|*.md|*.mdx|LICENSE|.github/ISSUE_TEMPLATE/*|.github/pull_request_template.md)
-                ;;
-              *)
-                docs_only=false
-                break
-                ;;
-            esac
+
+            if [[ "$file" == docs/* ]] \
+              || [[ "$file" == *.md ]] \
+              || [[ "$file" == *.mdx ]] \
+              || [[ "$file" == "LICENSE" ]] \
+              || [[ "$file" == .github/ISSUE_TEMPLATE/* ]] \
+              || [[ "$file" == .github/pull_request_template.md ]]; then
+              continue
+            fi
+
+            docs_only=false
+            break
          done <<< "$CHANGED"

          echo "docs_only=$docs_only" >> "$GITHUB_OUTPUT"
@ -73,12 +77,38 @@ jobs:
    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
+      - name: Detect Rust source changes
+        id: rust_changes
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            BASE="${{ github.event.pull_request.base.sha }}"
+            CHANGED="$(git diff --name-only "$BASE" HEAD -- '*.rs' || true)"
+          else
+            CHANGED="$(git diff --name-only "${{ github.event.before }}" HEAD -- '*.rs' || true)"
+          fi
+
+          if [ -z "$CHANGED" ]; then
+            echo "has_rust_changes=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          echo "has_rust_changes=true" >> "$GITHUB_OUTPUT"
      - name: Run rustfmt
+        if: steps.rust_changes.outputs.has_rust_changes == 'true'
        run: cargo fmt --all -- --check
      - name: Run clippy
+        if: steps.rust_changes.outputs.has_rust_changes == 'true'
        run: cargo clippy --all-targets -- -D warnings
+      - name: Skip rust lint (no Rust changes)
+        if: steps.rust_changes.outputs.has_rust_changes != 'true'
+        run: echo "No Rust source changes detected; skipping rustfmt and clippy."

  test:
    name: Test
--- a/.github/workflows/workflow-sanity.yml
+++ b/.github/workflows/workflow-sanity.yml
@ -60,4 +60,4 @@ jobs:
        uses: actions/checkout@v4

      - name: Lint GitHub workflows
-        uses: rhysd/actionlint@v1
+        uses: rhysd/actionlint@v1.7.11
--- a/4
+++ b/4
@ -1,7 +1,9 @@
 # syntax=docker/dockerfile:1

 # ── Stage 1: Build ────────────────────────────────────────────
-FROM rust:1.93-slim AS builder
+# Keep builder and release on Debian 12 to avoid GLIBC ABI drift
+# (`rust:1.93-slim` now tracks Debian 13 and can require newer glibc than distroless Debian 12).
+FROM rust:1.93-slim-bookworm AS builder

 WORKDIR /app

--- a/deny.toml
+++ b/deny.toml
@ -19,6 +19,7 @@ allow = [
    "Zlib",
    "MPL-2.0",
    "CDLA-Permissive-2.0",
+    "0BSD",
 ]
 unused-allowed-license = "allow"