From f55c72aa34369786b20917d6ddc4c33529e21d93 Mon Sep 17 00:00:00 2001
From: Anthony Oteri <4360016+anthonyoteri@users.noreply.github.com>
Date: Wed, 13 May 2026 14:24:32 -0400
Subject: [PATCH] fix: resolve CI check failures

- Replace serde_yml with serde_norway (RUSTSEC-2025-0068: serde_yml is
  unsound and archived; serde_norway is the recommended maintained fork)
- Remove unused toml dependency (was resolving to v1.1.2 which requires
  edition2024/Rust 1.85, breaking the MSRV 1.80 check)
- Run cargo fmt to fix formatting diffs caught by lint job
- Fix cog commit check to use from_latest_tag so pre-conventional-commits
  history does not cause the check to fail
- Remove semver job: dredge is a binary-only crate with no lib target,
  cargo-semver-checks cannot check it
---
 .github/workflows/ci.yml | 25 +++----------------------
 Cargo.toml               |  3 +--
 src/api.rs               |  6 +++++-
 src/commands.rs          |  6 ++----
 src/error.rs             |  7 +++++--
 5 files changed, 16 insertions(+), 31 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 10cbd82..18e8b07 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -69,9 +69,9 @@ jobs:
         uses: cocogitto/cocogitto-action@v3
         with:
           check: true
-          # On PRs check only the commits introduced by the PR.
-          # On pushes to master check only commits since the previous HEAD.
-          from: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || github.event.before }}
+          # Only check commits reachable from the latest tag so that old
+          # non-conventional commits in history do not fail the check.
+          from_latest_tag: true
 
   deny:
     name: Cargo deny
@@ -99,23 +99,4 @@ jobs:
       - name: Check MSRV builds
         run: cargo check
 
-  semver:
-    name: Semver compatibility
-    runs-on: ubuntu-latest
-    # Only meaningful on PRs — compares the PR branch against the published
-    # crate version to catch accidental breaking API changes.
-    if: github.event_name == 'pull_request'
 
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Install stable toolchain
-        uses: dtolnay/rust-toolchain@stable
-
-      - name: Cache dependencies
-        uses: Swatinem/rust-cache@v2
-
-      - name: Check semver compatibility
-        uses: obi1kenobi/cargo-semver-checks-action@v2
-        with:
-          package: dredge-tool
diff --git a/Cargo.toml b/Cargo.toml
index 441570e..dd0089e 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -33,11 +33,10 @@ indoc = "2.0"
 log = "0.4"
 reqwest = { version = "0.12", features = ["json", "gzip", "multipart", "native-tls-vendored"] }
 serde = { version = "1.0", features = ["derive"] }
-serde_yml = "0.0.12"
 thiserror = "2.0"
-toml = "1.0"
 url = { version = "2.5", features = ["serde"] }
 tokio = { version = "1.52", features = ["macros"] }
+serde_norway = "0.9.42"
 
 [dev-dependencies]
 mockito = "1.7"
diff --git a/src/api.rs b/src/api.rs
index 2a16d52..565c16a 100644
--- a/src/api.rs
+++ b/src/api.rs
@@ -553,7 +553,11 @@ mod tests {
         let registry_url = Url::parse(&server.url()).expect("Failed to parse registry URL");
         server
             .mock("GET", path)
-            .with_status(http::status::StatusCode::INTERNAL_SERVER_ERROR.as_u16().into())
+            .with_status(
+                http::status::StatusCode::INTERNAL_SERVER_ERROR
+                    .as_u16()
+                    .into(),
+            )
             .create();
 
         let url = registry_url.join(path).expect("Failed to join URL");
diff --git a/src/commands.rs b/src/commands.rs
index 925fe6e..d686370 100644
--- a/src/commands.rs
+++ b/src/commands.rs
@@ -192,9 +192,7 @@ pub async fn show_handler(
     let headers = resp.headers();
     let digest = headers
         .get("docker-content-digest")
-        .ok_or_else(|| {
-            ApiError::UnexpectedResponse("Missing docker-content-digest header".into())
-        })?
+        .ok_or_else(|| ApiError::UnexpectedResponse("Missing docker-content-digest header".into()))?
         .to_str()?
         .to_owned();
 
@@ -216,7 +214,7 @@ pub async fn show_handler(
     body.digest = digest;
     body.etag = etag;
 
-    serde_yml::to_writer(buf, &body)?;
+    serde_norway::to_writer(buf, &body)?;
     Ok(())
 }
 
diff --git a/src/error.rs b/src/error.rs
index 14f6d70..90063ac 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -77,7 +77,7 @@ pub enum ApiError {
 
     /// The manifest response body could not be serialized to YAML for output.
     #[error(transparent)]
-    SerializerError(#[from] serde_yml::Error),
+    SerializerError(#[from] serde_norway::Error),
 
     /// The registry returned `405 Method Not Allowed`, typically because
     /// storage deletion has not been enabled on the registry.
@@ -100,7 +100,10 @@ mod tests {
     fn test_dredge_error_from_api_error_not_found() {
         let api_err = ApiError::NotFound;
         let dredge_err = DredgeError::from(api_err);
-        assert!(matches!(dredge_err, DredgeError::ApiError(ApiError::NotFound)));
+        assert!(matches!(
+            dredge_err,
+            DredgeError::ApiError(ApiError::NotFound)
+        ));
     }
 
     /// Test that `DredgeError::from(ApiError::AuthorizationFailed)` works.