chore[ci]: pin all nightly toolchain ci runs

joseph-isaacs · joseph-isaacs · commit 1342e9b58354 · 2026-02-12T12:56:02.000Z
Signed-off-by: Joe Isaacs &lt;joe.isaacs@live.co.uk&gt;
diff --git a/.github/AGENTS.md b/.github/AGENTS.md
@@ -0,0 +1,5 @@
+Nightly Rust toolchain is pinned via `NIGHTLY_TOOLCHAIN` env var in each workflow file — update all instances when changing the version.
+For action inputs: `toolchain: ${{ env.NIGHTLY_TOOLCHAIN }}`
+For shell commands: `cargo +$NIGHTLY_TOOLCHAIN ...`
+
+All files under `.github/` are linted by `yamllint --strict -c .yamllint.yaml`.
diff --git a/.github/CLAUDE.md b/.github/CLAUDE.md
@@ -0,0 +1 @@
+AGENTS.md
diff --git a/.github/workflows/close-fixed-fuzzer-issues.yml b/.github/workflows/close-fixed-fuzzer-issues.yml
@@ -15,6 +15,9 @@ permissions:
   contents: read
   actions: read
 
+env:
+  NIGHTLY_TOOLCHAIN: nightly-2026-02-05
+
 jobs:
   close-fixed:
     name: "Retest ${{ matrix.target }}"
@@ -40,7 +43,7 @@ jobs:
       - uses: ./.github/actions/setup-rust
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          toolchain: nightly
+          toolchain: ${{ env.NIGHTLY_TOOLCHAIN }}
 
       - name: Install llvm
         uses: aminya/setup-cpp@v1
diff --git a/.github/workflows/fuzz-coverage.yml b/.github/workflows/fuzz-coverage.yml
@@ -5,6 +5,9 @@ on:
     - cron: "0 6 * * *"  # daily at 6am UTC
   workflow_dispatch: { }
 
+env:
+  NIGHTLY_TOOLCHAIN: nightly-2026-02-05
+
 jobs:
   coverage:
     name: "Coverage: ${{ matrix.fuzz_target }}"
@@ -29,16 +32,16 @@ jobs:
       - uses: ./.github/actions/setup-rust
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          toolchain: nightly
+          toolchain: ${{ env.NIGHTLY_TOOLCHAIN }}
           components: clippy, rustfmt, llvm-tools
 
       - name: Ensure llvm-tools are installed
         run: |
-          rustup component add llvm-tools --toolchain nightly || \
-            rustup component add llvm-tools-preview --toolchain nightly
+          rustup component add llvm-tools --toolchain $NIGHTLY_TOOLCHAIN || \
+            rustup component add llvm-tools-preview --toolchain $NIGHTLY_TOOLCHAIN
 
           # Verify llvm-profdata is accessible (cargo-fuzz needs it for coverage merging)
-          LLVM_PROFDATA="$(rustc +nightly --print sysroot)/lib/rustlib/$(rustc +nightly -vV | sed -n 's|host: ||p')/bin/llvm-profdata"
+          LLVM_PROFDATA="$(rustc +$NIGHTLY_TOOLCHAIN --print sysroot)/lib/rustlib/$(rustc +$NIGHTLY_TOOLCHAIN -vV | sed -n 's|host: ||p')/bin/llvm-profdata"
           if [ ! -f "$LLVM_PROFDATA" ]; then
             echo "ERROR: llvm-profdata not found at $LLVM_PROFDATA"
             echo "Listing bin directory:"
@@ -72,7 +75,7 @@ jobs:
       - name: Generate coverage data
         run: |
           RUSTFLAGS="--cfg vortex_nightly" \
-            cargo +nightly fuzz coverage --release --debug-assertions \
+            cargo +$NIGHTLY_TOOLCHAIN fuzz coverage --release --debug-assertions \
             ${{ matrix.fuzz_target }} \
             -- -rss_limit_mb=4096
 
@@ -81,9 +84,9 @@ jobs:
           COVERAGE_DIR="fuzz/coverage/${{ matrix.fuzz_target }}"
 
           # llvm tools are installed via rustup's llvm-tools component
-          LLVM_TOOLS_BIN="$(rustc +nightly --print sysroot)/lib/rustlib/$(rustc +nightly -vV | sed -n 's|host: ||p')/bin"
+          LLVM_TOOLS_BIN="$(rustc +$NIGHTLY_TOOLCHAIN --print sysroot)/lib/rustlib/$(rustc +$NIGHTLY_TOOLCHAIN -vV | sed -n 's|host: ||p')/bin"
 
-          TARGET_TRIPLE=$(rustc +nightly -vV | sed -n 's|host: ||p')
+          TARGET_TRIPLE=$(rustc +$NIGHTLY_TOOLCHAIN -vV | sed -n 's|host: ||p')
 
           # cargo-fuzz coverage places the binary at:
           #   target/<triple>/coverage/<triple>/release/<fuzz_target>
diff --git a/.github/workflows/fuzzer-fix-automation.yml b/.github/workflows/fuzzer-fix-automation.yml
@@ -18,6 +18,9 @@ on:
         required: true
         type: number
 
+env:
+  NIGHTLY_TOOLCHAIN: nightly-2026-02-05
+
 jobs:
   attempt-fix:
     name: "Attempt to Fix Fuzzer Crash"
@@ -57,7 +60,7 @@ jobs:
         uses: ./.github/actions/setup-rust
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          toolchain: nightly
+          toolchain: ${{ env.NIGHTLY_TOOLCHAIN }}
           enable-sccache: "false"
 
       - name: Install llvm
@@ -158,7 +161,7 @@ jobs:
           echo "Building fuzzer target: ${{ steps.extract.outputs.target }} (debug mode for faster build)"
 
           # Build the fuzzer target in debug mode (faster than release)
-          if RUSTFLAGS="--cfg vortex_nightly" cargo +nightly fuzz build --dev --sanitizer=none "${{ steps.extract.outputs.target }}" 2>&1 | tee fuzzer_build.log; then
+          if RUSTFLAGS="--cfg vortex_nightly" cargo +$NIGHTLY_TOOLCHAIN fuzz build --dev --sanitizer=none "${{ steps.extract.outputs.target }}" 2>&1 | tee fuzzer_build.log; then
             echo "✅ Fuzzer target built successfully"
             echo "build_success=true" >> $GITHUB_OUTPUT
           else
@@ -178,7 +181,7 @@ jobs:
           echo "Attempting to reproduce crash with fuzzer (debug mode)..."
 
           # Run fuzzer with crash file (debug mode, no sanitizer, full backtrace)
-          RUSTFLAGS="--cfg vortex_nightly" RUST_BACKTRACE=full timeout 30s cargo +nightly fuzz run --dev --sanitizer=none "${{ steps.extract.outputs.target }}" "${{ steps.download.outputs.crash_file_path }}" -- -runs=1 -rss_limit_mb=0 2>&1 | tee crash_reproduction.log
+          RUSTFLAGS="--cfg vortex_nightly" RUST_BACKTRACE=full timeout 30s cargo +$NIGHTLY_TOOLCHAIN fuzz run --dev --sanitizer=none "${{ steps.extract.outputs.target }}" "${{ steps.download.outputs.crash_file_path }}" -- -runs=1 -rss_limit_mb=0 2>&1 | tee crash_reproduction.log
 
           FUZZ_EXIT_CODE=${PIPESTATUS[0]}
 
diff --git a/.github/workflows/minimize_fuzz_corpus_workflow.yml b/.github/workflows/minimize_fuzz_corpus_workflow.yml
@@ -28,6 +28,9 @@ on:
       R2_FUZZ_SECRET_ACCESS_KEY:
         required: true
 
+env:
+  NIGHTLY_TOOLCHAIN: nightly-2026-02-05
+
 jobs:
   minimize:
     name: "Minimize ${{ inputs.fuzz_target }}"
@@ -54,7 +57,7 @@ jobs:
       - uses: ./.github/actions/setup-rust
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          toolchain: nightly
+          toolchain: ${{ env.NIGHTLY_TOOLCHAIN }}
 
       - name: Install cargo fuzz
         run: cargo install --locked cargo-fuzz
@@ -89,7 +92,7 @@ jobs:
           MINIMIZED_DIR="${CORPUS_DIR}_minimized"
           mkdir -p "$MINIMIZED_DIR"
           RUSTFLAGS="--cfg vortex_nightly" \
-            cargo +nightly fuzz cmin $FEATURES_FLAG \
+            cargo +$NIGHTLY_TOOLCHAIN fuzz cmin $FEATURES_FLAG \
             ${{ inputs.fuzz_target }} "$CORPUS_DIR" -- "$MINIMIZED_DIR"
           rm -rf "$CORPUS_DIR"
           mv "$MINIMIZED_DIR" "$CORPUS_DIR"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -8,6 +8,9 @@ on:
   release:
     types: [published]
 
+env:
+  NIGHTLY_TOOLCHAIN: nightly-2026-02-05
+
 jobs:
   package:
     uses: ./.github/workflows/package.yml
@@ -36,7 +39,7 @@ jobs:
 
       - name: Release
         run: |
-          cargo +nightly publish -Zpublish-timeout --no-verify --allow-dirty --workspace
+          cargo +$NIGHTLY_TOOLCHAIN publish -Zpublish-timeout --no-verify --allow-dirty --workspace
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
diff --git a/.github/workflows/run-fuzzer.yml b/.github/workflows/run-fuzzer.yml
@@ -43,6 +43,9 @@ on:
       R2_FUZZ_SECRET_ACCESS_KEY:
         required: true
 
+env:
+  NIGHTLY_TOOLCHAIN: nightly-2026-02-05
+
 jobs:
   fuzz:
     name: "Run ${{ inputs.fuzz_target }}"
@@ -68,7 +71,7 @@ jobs:
       - uses: ./.github/actions/setup-rust
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          toolchain: nightly
+          toolchain: ${{ env.NIGHTLY_TOOLCHAIN }}
 
       - name: Install llvm
         uses: aminya/setup-cpp@v1
@@ -119,7 +122,7 @@ jobs:
             FEATURES_FLAG="--features ${{ inputs.extra_features }}"
           fi
           RUSTFLAGS="--cfg vortex_nightly" RUST_BACKTRACE=1 \
-            cargo +nightly fuzz run --release --debug-assertions \
+            cargo +$NIGHTLY_TOOLCHAIN fuzz run --release --debug-assertions \
             $FEATURES_FLAG \
             ${{ inputs.fuzz_target }} -- \
             -max_total_time=${{ inputs.max_time }} -rss_limit_mb=0 \
diff --git a/.github/workflows/wasm-fuzz.yml b/.github/workflows/wasm-fuzz.yml
@@ -17,6 +17,7 @@ permissions:
 
 env:
   CARGO_TERM_COLOR: always
+  NIGHTLY_TOOLCHAIN: nightly-2026-02-05
 
 jobs:
   wasm-fuzz:
@@ -29,14 +30,14 @@ jobs:
       - uses: ./.github/actions/setup-rust
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          toolchain: nightly
+          toolchain: ${{ env.NIGHTLY_TOOLCHAIN }}
           targets: "wasm32-wasip1"
           components: "rust-src"
           enable-sccache: "false"
 
       - name: Build WASM fuzz target
         run: |
-          cargo +nightly build \
+          cargo +$NIGHTLY_TOOLCHAIN build \
             --manifest-path fuzz/Cargo.toml \
             --target wasm32-wasip1 \
             --no-default-features \
