Use cargo auditable to include SBOM in uv builds

.github/workflows/build-release-binaries.yml

@@ -97,6 +97,9 @@ jobs:
           architecture: x64
       - name: "Prep README.md"
         run: python scripts/transform_readme.py --target pypi
+      - name: "Install cargo extensions"
+        shell: bash
+        run: scripts/install-cargo-extensions.sh
 
       # uv
       - name: "Build wheels - x86_64"
@@ -105,6 +108,8 @@ jobs:
           maturin-version: v1.12.4
           target: x86_64
           args: --release --locked --out dist --features self-update --compatibility pypi
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - name: "Upload wheels"
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -136,6 +141,8 @@ jobs:
           maturin-version: v1.12.4
           target: x86_64
           args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml --compatibility pypi
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - name: "Upload wheels uv-build"
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -156,6 +163,9 @@ jobs:
           architecture: arm64
       - name: "Prep README.md"
         run: python scripts/transform_readme.py --target pypi
+      - name: "Install cargo extensions"
+        shell: bash
+        run: scripts/install-cargo-extensions.sh
 
       # uv
       - name: "Build wheels - aarch64"
@@ -165,6 +175,8 @@ jobs:
           target: aarch64
           manylinux: 2_17
           args: --release --locked --out dist --features self-update --compatibility pypi
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - name: "Test wheel - aarch64"
         run: |
           pip install ${PACKAGE_NAME} --no-index --find-links dist/ --force-reinstall
@@ -202,6 +214,8 @@ jobs:
           maturin-version: v1.12.4
           target: aarch64
           args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml --compatibility pypi
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - name: "Test wheel - aarch64"
         run: |
           pip install ${PACKAGE_NAME}_build --no-index --find-links crates/uv-build/dist --force-reinstall
@@ -239,6 +253,9 @@ jobs:
           architecture: ${{ matrix.platform.arch }}
       - name: "Prep README.md"
         run: python scripts/transform_readme.py --target pypi
+      - name: "Install cargo extensions"
+        shell: bash
+        run: scripts/install-cargo-extensions.sh
 
       # uv
       - name: "Build wheels"
@@ -247,6 +264,8 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.platform.target }}
           args: --release --locked --out dist --features self-update,windows-gui-bin --compatibility pypi
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.cmd
       - name: "Test wheel"
         shell: bash
         run: |
@@ -285,6 +304,8 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.platform.target }}
           args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml --compatibility pypi
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.cmd
       - name: "Test wheel uv-build"
         shell: bash
         run: |
@@ -328,6 +349,7 @@ jobs:
           # from 64-bit version of the container, breaking the pattern from other builds.
           container: quay.io/pypa/manylinux2014
           manylinux: 2_17
+          docker-options: -e CARGO
           args: --release --locked --out dist --features self-update --compatibility pypi
           # See: https://github.com/sfackler/rust-openssl/issues/2036#issuecomment-1724324145
           before-script-linux: |
@@ -349,8 +371,11 @@ jobs:
                 # If we're running on debian-based system.
                 apt update -y && apt-get install -y libssl-dev openssl pkg-config
             fi
+            # Install cargo extensions as a static musl binary so it runs in any container.
+            scripts/install-cargo-extensions.sh
         env:
           CC: ${{ matrix.cc }}
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - name: "Test wheel"
         if: ${{ startsWith(matrix.target, 'x86_64') }}
         run: |
@@ -391,7 +416,12 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.target }}
           manylinux: 2_17
+          docker-options: -e CARGO
           args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml --compatibility pypi
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - name: "Test wheel uv-build"
         if: ${{ startsWith(matrix.target, 'x86_64') }}
         run: |
@@ -445,8 +475,12 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.platform.target }}
           manylinux: ${{ matrix.platform.manylinux }}
-          docker-options: ${{ matrix.platform.maturin_docker_options }}
+          docker-options: -e CARGO ${{ matrix.platform.maturin_docker_options }}
           args: --release --locked --out dist --features self-update --compatibility pypi
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
         name: "Test wheel"
         with:
@@ -498,8 +532,12 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.platform.target }}
           manylinux: ${{ matrix.platform.manylinux }}
-          docker-options: ${{ matrix.platform.maturin_docker_options }}
+          docker-options: -e CARGO ${{ matrix.platform.maturin_docker_options }}
           args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml --compatibility pypi
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
         name: "Test wheel uv-build"
         with:
@@ -552,9 +590,13 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.platform.target }}
           manylinux: 2_17
-          docker-options: ${{ matrix.platform.maturin_docker_options }}
+          docker-options: -e CARGO ${{ matrix.platform.maturin_docker_options }}
           args: --release --locked --out dist --features self-update --compatibility pypi
           rust-toolchain: ${{ matrix.platform.toolchain || null }}
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
         name: "Test wheel"
         with:
@@ -606,8 +648,12 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.platform.target }}
           manylinux: 2_17
-          docker-options: ${{ matrix.platform.maturin_docker_options }}
+          docker-options: -e CARGO ${{ matrix.platform.maturin_docker_options }}
           args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml --compatibility pypi
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
         name: "Test wheel uv-build"
         with:
@@ -661,7 +707,7 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.platform.target }}
           manylinux: 2_17
-          docker-options: ${{ matrix.platform.maturin_docker_options }}
+          docker-options: -e CARGO ${{ matrix.platform.maturin_docker_options }}
           args: --release --locked --out dist --features self-update --compatibility pypi
           before-script-linux: |
             if command -v yum &> /dev/null; then
@@ -670,6 +716,9 @@ jobs:
                 yum repolist
                 yum install -y gcc-powerpc64-linux-gnu
             fi
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       # TODO(charlie): Re-enable testing for PPC wheels.
       # - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
       #   name: "Test wheel"
@@ -719,7 +768,7 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.platform.target }}
           manylinux: 2_17
-          docker-options: ${{ matrix.platform.maturin_docker_options }}
+          docker-options: -e CARGO ${{ matrix.platform.maturin_docker_options }}
           args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml --compatibility pypi
           before-script-linux: |
             if command -v yum &> /dev/null; then
@@ -728,6 +777,9 @@ jobs:
                 yum repolist
                 yum install -y gcc-powerpc64-linux-gnu
             fi
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       # TODO(charlie): Re-enable testing for PPC wheels.
       - name: "Upload wheels uv-build"
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -764,8 +816,12 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.platform.target }}
           manylinux: 2_31
-          docker-options: ${{ matrix.platform.maturin_docker_options }}
+          docker-options: -e CARGO ${{ matrix.platform.maturin_docker_options }}
           args: --release --locked --out dist --features self-update --compatibility pypi
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
         name: "Test wheel"
         with:
@@ -818,8 +874,12 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.platform.target }}
           manylinux: 2_31
-          docker-options: ${{ matrix.platform.maturin_docker_options }}
+          docker-options: -e CARGO ${{ matrix.platform.maturin_docker_options }}
           args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml --compatibility pypi
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
         name: "Test wheel uv-build"
         with:
@@ -871,7 +931,12 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.target }}
           manylinux: musllinux_1_1
+          docker-options: -e CARGO
           args: --release --locked --out dist --features self-update --compatibility pypi
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - name: "Test wheel"
         if: matrix.target == 'x86_64-unknown-linux-musl'
         run: |
@@ -918,7 +983,12 @@ jobs:
           maturin-version: v1.12.4
           target: ${{ matrix.target }}
           manylinux: musllinux_1_1
+          docker-options: -e CARGO
           args: --profile minimal-size --locked --out crates/uv-build/dist -m crates/uv-build/Cargo.toml --compatibility pypi
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - name: "Test wheel uv-build"
         if: matrix.target == 'x86_64-unknown-linux-musl'
         run: |
@@ -970,8 +1040,12 @@ jobs:
           manylinux: musllinux_1_1
           # Tag the musl builds as manylinux 2_17 fallback cause the aarch64 build only support 2_28
           args: --release --locked --out dist --features self-update --compatibility 2_17 --compatibility pypi
-          docker-options: ${{ matrix.platform.maturin_docker_options }}
+          docker-options: -e CARGO ${{ matrix.platform.maturin_docker_options }}
           rust-toolchain: ${{ matrix.platform.toolchain || null }}
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
         name: "Test wheel"
         with:
@@ -1043,8 +1117,12 @@ jobs:
           target: ${{ matrix.platform.target }}
           manylinux: musllinux_1_1
           args: --profile minimal-size --locked ${{ matrix.platform.arch == 'aarch64' && '--compatibility 2_17' || ''}} --out crates/uv-build/dist -m crates/uv-build/Cargo.toml --compatibility pypi
-          docker-options: ${{ matrix.platform.maturin_docker_options }}
+          docker-options: -e CARGO ${{ matrix.platform.maturin_docker_options }}
           rust-toolchain: ${{ matrix.platform.toolchain || null }}
+          before-script-linux: |
+            scripts/install-cargo-extensions.sh
+        env:
+          CARGO: ${{ github.workspace }}/scripts/cargo.sh
       - uses: uraimo/run-on-arch-action@d94c13912ea685de38fccc1109385b83fd79427d # v3.0.1
         name: "Test wheel"
         with:

Dockerfile

@@ -45,11 +45,10 @@ COPY crates crates
 COPY ./Cargo.toml Cargo.toml
 COPY ./Cargo.lock Cargo.lock
 
-# Install patched cargo-auditable with Zig linker support
+# Install cargo-auditable
 RUN cargo install \
-  --git https://github.com/rust-secure-code/cargo-auditable.git \
-  --rev caa964b714d8da6b1139b8e7a0a2ba5979235f22 \
   --locked \
+  --version 0.7.4 \
   cargo-auditable
 
 RUN case "${TARGETPLATFORM}" in \

scripts/cargo.cmd

@@ -0,0 +1,15 @@
+@echo off
+REM Wrapper script that invokes `cargo auditable` instead of plain `cargo`.
+REM
+REM Use `scripts/install-cargo-extensions.sh` to install the dependencies.
+REM
+REM Usage:
+REM
+REM   set CARGO=%CD%\scripts\cargo.cmd
+REM   cargo build --release
+
+if defined REAL_CARGO (
+    "%REAL_CARGO%" auditable %*
+) else (
+    cargo.exe auditable %*
+)

scripts/cargo.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+## Wrapper script that invokes `cargo auditable` instead of plain `cargo`.
+##
+## Use `scripts/install-cargo-extensions.sh` to install the dependencies.
+##
+## Usage:
+##
+##   CARGO="$PWD/scripts/cargo.sh" cargo build --release
+
+set -eu
+
+if [ -n "${REAL_CARGO:-}" ]; then
+    exec "$REAL_CARGO" auditable "$@"
+else
+    exec cargo auditable "$@"
+fi