CI: add Rust SDK checks

[dreveman]

Only FYI and don't prevent CI from being green.

Fixes: #3497

[LalitMaganti]

LGTM from my side but since this is a new Action, would ask Primiano also to comment on this just to double check I haven't missed anything from the security perspective.

[dreveman]

LGTM from my side but since this is a new Action, would ask Primiano also to comment on this just to double check I haven't missed anything from the security perspective.

Will do. No rush do merge this. But I uploaded #3513 in case you want to get a release out and have crates published before. As I've unfortunately not been able to claim the names without the -sdk suffix at this time.

[LalitMaganti]

Not particularly in a rush to get the release out. I think we can wait a few more days. Honestly renaming the crates sounds like a good idea anyway though given the situation. I'll LGTM that but let's wait a few more days to hear back.

[primiano]

Security-wise it seems alright

My only question is: how long does this take? Would it be possible / worth using caching for the installation of the toolchain like we do for our other prebuilts?

A bit lukewarm on the nightly format-check. That bot is doomed to become red and get ignored. Maybe it's better if for now this is only done locally.

You could (ask AI to) update our tools/format-sources, and create a tools/code_format_rust.py which runs only if the toolchain is installed.

Also separately we should probably have a --rust option to tools/install-build-deps which installs the relevant binaries to build rust (can do in a separate PR)

[dreveman]

Security-wise it seems alright

My only question is: how long does this take? Would it be possible / worth using caching for the installation of the toolchain like we do for our other prebuilts?

I don't know about installation of the toolchain but building and running it only takes a couple of minutes locally. I'll look at caching things once I know how long it takes in CI. Having trouble just testing it right now. Do I need the change to be approved before it runs more CI jobs?

A bit lukewarm on the nightly format-check. That bot is doomed to become red and get ignored. Maybe it's better if for now this is only done locally.

It uses a pinned version of nightly to ensure that the correct format doesn't change over time. I added some comments about this but can also remove the test for now if you prefer that?

You could (ask AI to) update our tools/format-sources, and create a tools/code_format_rust.py which runs only if the toolchain is installed.

Also separately we should probably have a --rust option to tools/install-build-deps which installs the relevant binaries to build rust (can do in a separate PR)

Yes, didn't know if you'd be OK with that but I think it would be a good idea to have install-build-deps be able to pull down the specific rust toolchains needed to build and test the rust SDK. Updating format-sources makes sense too. I'll work on both of these tasks as follow up changes.

[dreveman]

hm, looks like I'm getting this error: https://github.com/google/perfetto/actions/runs/19079295703

[Invalid workflow file: .github/workflows/analyze.yml#L121](https://github.com/google/perfetto/actions/runs/19079295703/workflow)
The workflow is not valid. .github/workflows/analyze.yml (Line: 121, Col: 3): Error calling workflow 'google/perfetto/.github/workflows/rust-sdk-tests.yml@6de8b6d108f4610b5ff74c2d050ab87a0b472dd9'. The workflow is requesting 'contents: read', but is only allowed 'contents: none'.

[primiano]

hm, looks like I'm getting this error: https://github.com/google/perfetto/actions/runs/19079295703

[Invalid workflow file: .github/workflows/analyze.yml#L121](https://github.com/google/perfetto/actions/runs/19079295703/workflow)
The workflow is not valid. .github/workflows/analyze.yml (Line: 121, Col: 3): Error calling workflow 'google/perfetto/.github/workflows/rust-sdk-tests.yml@6de8b6d108f4610b5ff74c2d050ab87a0b472dd9'. The workflow is requesting 'contents: read', but is only allowed 'contents: none'.

Hmm

1. Any idea why do you need contents: read? what happens if you remove it altogether?
2. If you end up needing it, my theory is that needs to be granted also to the "caller" workflow (analyze.yml). I guess github is preventing that a called workflow can end up acquiring extra privileges that the caller didn't want to grant

[primiano]

I kicked off a rerun of the jobs to see if it works.
The comment from the security bot is interesting, it suggests we should use contents:read... but than it's what broke.

Out of curiosity did you try adding contents:read to both analyze.yml and the rust workflow?

[dreveman]

pull-requests: read seems to be working but this is running into some other confusing bindgen issues that I've never seen before and I need to figure out how to reproduce locally. I'm going to rebase this on https://github.com/google/perfetto/pull/3644 first and then investigate it more.