2 Commits

Author SHA1 Message Date
Pierre Warnier 04427511e1 docker: install cargo-deny as a pinned prebuilt binary (#175)
The dev images built cargo-deny from source via `cargo install cargo-deny`.
That compiled cargo-deny on every image build (multi-minute) and surfaced
cargo-deny's own `profile.dev.package.{insta,similar}` warnings, which look
like our config but are not.

Install the pinned (0.19.8), checksum-verified prebuilt binary instead. The
static musl build runs on glibc too, so all three images share one asset.
Result: no source compile, no spurious warnings, and a reproducible,
sha256-verified install (vs the previous unpinned `cargo install`). Each
build self-checks with `cargo-deny --version`.

Version/checksum are ARGs so they can be bumped (and tracked by Renovate).
2026-06-10 15:06:33 +02:00
Pierre Warnier 97130fea20 scaffold: workspace, shadow-core, passwd tool, Docker test matrix
Cargo workspace with three-layer architecture mirroring uutils conventions:
- shadow-core: /etc/passwd and /etc/shadow parsers, atomic file writes,
  username validation, error types, feature-gated module stubs (PAM,
  SELinux, group, gshadow, login.defs, subid, nscd, lock, uid_alloc)
- uu_passwd: tool skeleton with clap CLI, uumain/uu_app pattern
- multicall binary: argv[0] dispatch with --list support

Docker test matrix (Debian Trixie, Alpine musl, Fedora SELinux):
all three pass clippy -D warnings, 21 tests, and cargo fmt --check.

21 unit tests covering:
- passwd/shadow file parsing and roundtrip serialization
- atomic file write with fsync + rename + failure rollback
- username validation rules (length, charset, edge cases)
- clap command definition
2026-03-23 11:57:10 +01:00