Release 2.19.2

* Update `cargo-deny@latest` to 0.14.3

* Update `cargo-dinghy@latest` to 0.6.8

* Update `parse-changelog@latest` to 0.6.3

.github/.cspell/organization-dictionary.txt

@@ -160,6 +160,7 @@ esac
 euxo
 gsub
 libc
+markdownlint
 moreutils
 msys
 noninteractive

.github/.cspell/project-dictionary.txt

@@ -14,6 +14,7 @@ mdbook
 microdnf
 nextest
 protoc
+pubkey
 pwsh
 quickinstall
 shellcheck

.github/.cspell/rust-dependencies.txt

@@ -1,4 +1,6 @@
 // This file is @generated by tidy.sh.
 // It is not intended for manual editing.
 
+flate
+minisign
 ureq

.github/workflows/ci.yml

@@ -118,13 +118,13 @@ jobs:
     steps:
       - name: Install requirements (ubuntu/debian)
         run: |
-          set -euxo pipefail
+          set -eEuxo pipefail
           apt-get -o Acquire::Retries=10 -qq update
           apt-get -o Acquire::Retries=10 -o Dpkg::Use-Pty=0 install -y --no-install-recommends cargo
         if: startsWith(matrix.container, 'ubuntu') || startsWith(matrix.container, 'debian')
       - name: Install requirements (fedora/almalinux/centos)
         run: |
-          set -euxo pipefail
+          set -eEuxo pipefail
           if ! type -P dnf &>/dev/null && type -P microdnf &>/dev/null; then
             # tar and gzip are required for actions/checkout on *-minimal images
             microdnf install -y tar gzip
@@ -133,9 +133,7 @@ jobs:
           echo "$HOME/.cargo/bin" >>"${GITHUB_PATH}"
         if: startsWith(matrix.container, 'fedora') || startsWith(matrix.container, 'almalinux') ||  startsWith(matrix.container, 'centos')
       - name: Install requirements (alpine)
-        run: |
+        run: apk --no-cache add bash cargo
-          set -eux
-          apk --no-cache add bash cargo
         shell: sh
         if: startsWith(matrix.container, 'alpine')
       - uses: actions/checkout@v3 # TODO: actions/checkout@v4 requires glibc 2.28+
@@ -183,12 +181,28 @@ jobs:
       - id: diff
         run: tools/ci/manifest.sh
         if: github.repository_owner == 'taiki-e' && (github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main')
-      - uses: peter-evans/create-pull-request@v5
+      - name: Create PR
+        id: create-pull-request
+        uses: peter-evans/create-pull-request@v5
         with:
           title: Update manifest
           body: |
-            Auto-generated by [create-pull-request](https://github.com/peter-evans/create-pull-request)
+            Auto-generated by [create-pull-request](https://github.com/peter-evans/create-pull-request).
+
+            This will be auto-merged when CI has passed because this is an auto-generated PR in a defined format and is usually considered no additional review is required.
           branch: update-manifest
           token: ${{ secrets.CREATE_PR_TOKEN }}
         if: github.repository_owner == 'taiki-e' && (github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main') && steps.diff.outputs.success == 'false'
+      - name: Enable auto-merge for auto-generated PR
+        run: gh pr merge --rebase --auto "${PR_NUMBER:?}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.CREATE_PR_TOKEN }}
+          PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
+        if: github.repository_owner == 'taiki-e' && (github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main') && steps.diff.outputs.success == 'false' && steps.create-pull-request.outputs.pull-request-operation == 'created'
+      - name: Auto approve for auto-generated PR
+        run: gh pr review --approve "${PR_NUMBER:?}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
+        if: github.repository_owner == 'taiki-e' && (github.event_name == 'schedule' || github.event_name == 'push' && github.ref == 'refs/heads/main') && steps.diff.outputs.success == 'false' && steps.create-pull-request.outputs.pull-request-operation == 'created'
       - run: git add -N . && git diff --exit-code

.markdownlint.yml

@@ -0,0 +1,6 @@
+# https://github.com/DavidAnson/markdownlint#rules--aliases
+
+MD013: false # line-length
+MD024: false # no-duplicate-heading/no-duplicate-header
+MD033: false # no-inline-html
+MD036: false # no-emphasis-as-heading/no-emphasis-as-header

.rustfmt.toml

@@ -1 +1,32 @@
-edition = "2021"
+# Rustfmt configuration
+# https://github.com/rust-lang/rustfmt/blob/HEAD/Configurations.md
+
+# Rustfmt cannot format long lines inside macros, but this option detects this.
+# This is unstable (tracking issue: https://github.com/rust-lang/rustfmt/issues/3391)
+error_on_line_overflow = true
+
+# Override the default formatting style.
+# See https://internals.rust-lang.org/t/running-rustfmt-on-rust-lang-rust-and-other-rust-lang-repositories/8732/81.
+use_small_heuristics = "Max"
+# See https://github.com/rust-dev-tools/fmt-rfcs/issues/149.
+# This is unstable (tracking issue: https://github.com/rust-lang/rustfmt/issues/3370)
+overflow_delimited_expr = true
+# This is unstable (tracking issue: none).
+imports_granularity = "Crate"
+# This is unstable (tracking issue: none).
+group_imports = "StdExternalCrate"
+
+# Apply rustfmt to more places.
+# This is unstable (tracking issue: https://github.com/rust-lang/rustfmt/issues/3348).
+format_code_in_doc_comments = true
+
+# Automatically fix deprecated style.
+use_field_init_shorthand = true
+use_try_shorthand = true
+
+# Set the default settings again to always apply the proper formatting without
+# being affected by the editor settings.
+edition = "2018"
+hard_tabs = false
+newline_style = "Unix"
+tab_spaces = 4

CHANGELOG.md

@@ -10,6 +10,58 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
 
 ## [Unreleased]
 
+## [2.19.2] - 2023-09-30
+
+- Update `mdbook@latest` to 0.4.35.
+
+- Update `parse-changelog@latest` to 0.6.3.
+
+- Update `cargo-dinghy@latest` to 0.6.8.
+
+- Update `cargo-deny@latest` to 0.14.3.
+
+## [2.19.1] - 2023-09-28
+
+- Update `cargo-binstall@latest` to 1.4.2.
+
+## [2.19.0] - 2023-09-28
+
+- Support signature verification. ([#237](https://github.com/taiki-e/install-action/pull/237))
+
+- Update `cargo-binstall@latest` to 1.4.1. This includes support for signature verification.
+
+- Update `syft@latest` to 0.92.0.
+
+- Update `cargo-make@latest` to 0.37.2.
+
+## [2.18.17] - 2023-09-26
+
+- Update `cargo-llvm-cov@latest` to 0.5.33.
+
+## [2.18.16] - 2023-09-23
+
+- Update `cargo-machete@latest` to 0.6.0.
+
+- Update `cargo-llvm-cov@latest` to 0.5.32.
+
+## [2.18.15] - 2023-09-22
+
+- Update `cargo-careful@latest` to 0.4.0.
+
+## [2.18.14] - 2023-09-21
+
+- Update `syft@latest` to 0.91.0.
+
+- Update `wasmtime@latest` to 13.0.0.
+
+## [2.18.13] - 2023-09-17
+
+- Update `cargo-tarpaulin@latest` to 0.27.0.
+
+- Update `cargo-make@latest` to 0.37.1.
+
+- Update `cargo-binstall@latest` to 1.3.1.
+
 ## [2.18.12] - 2023-09-16
 
 - Fix some bugs on Windows.
@@ -1225,7 +1277,15 @@ Note: This release is considered a breaking change because installing on version
 
 Initial release
 
-[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.18.12...HEAD
+[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.19.2...HEAD
+[2.19.2]: https://github.com/taiki-e/install-action/compare/v2.19.1...v2.19.2
+[2.19.1]: https://github.com/taiki-e/install-action/compare/v2.19.0...v2.19.1
+[2.19.0]: https://github.com/taiki-e/install-action/compare/v2.18.17...v2.19.0
+[2.18.17]: https://github.com/taiki-e/install-action/compare/v2.18.16...v2.18.17
+[2.18.16]: https://github.com/taiki-e/install-action/compare/v2.18.15...v2.18.16
+[2.18.15]: https://github.com/taiki-e/install-action/compare/v2.18.14...v2.18.15
+[2.18.14]: https://github.com/taiki-e/install-action/compare/v2.18.13...v2.18.14
+[2.18.13]: https://github.com/taiki-e/install-action/compare/v2.18.12...v2.18.13
 [2.18.12]: https://github.com/taiki-e/install-action/compare/v2.18.11...v2.18.12
 [2.18.11]: https://github.com/taiki-e/install-action/compare/v2.18.10...v2.18.11
 [2.18.10]: https://github.com/taiki-e/install-action/compare/v2.18.9...v2.18.10

README.md

@@ -88,7 +88,7 @@ https://spdx.org/licenses
 | [**cargo-hack**](https://github.com/taiki-e/cargo-hack) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/taiki-e/cargo-hack/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/taiki-e/cargo-hack/blob/HEAD/LICENSE-APACHE) OR [MIT](https://github.com/taiki-e/cargo-hack/blob/HEAD/LICENSE-MIT) |
 | [**cargo-llvm-cov**](https://github.com/taiki-e/cargo-llvm-cov) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/taiki-e/cargo-llvm-cov/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/taiki-e/cargo-llvm-cov/blob/HEAD/LICENSE-APACHE) OR [MIT](https://github.com/taiki-e/cargo-llvm-cov/blob/HEAD/LICENSE-MIT) |
 | [**cargo-machete**](https://github.com/bnjbvr/cargo-machete) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/bnjbvr/cargo-machete/releases) | Linux, macOS, Windows | [MIT](https://github.com/bnjbvr/cargo-machete/blob/HEAD/LICENSE.md) |
-| [**cargo-make**](https://github.com/sagiegurari/cargo-make) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/sagiegurari/cargo-make/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/sagiegurari/cargo-make/blob/master/LICENSE) |
+| [**cargo-make**](https://github.com/sagiegurari/cargo-make) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/sagiegurari/cargo-make/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/sagiegurari/cargo-make/blob/HEAD/LICENSE) |
 | [**cargo-minimal-versions**](https://github.com/taiki-e/cargo-minimal-versions) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/taiki-e/cargo-minimal-versions/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/taiki-e/cargo-minimal-versions/blob/HEAD/LICENSE-APACHE) OR [MIT](https://github.com/taiki-e/cargo-minimal-versions/blob/HEAD/LICENSE-MIT) |
 | [**cargo-no-dev-deps**](https://github.com/taiki-e/cargo-no-dev-deps) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/taiki-e/cargo-no-dev-deps/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/taiki-e/cargo-no-dev-deps/blob/HEAD/LICENSE-APACHE) OR [MIT](https://github.com/taiki-e/cargo-no-dev-deps/blob/HEAD/LICENSE-MIT) |
 | [**cargo-tarpaulin**](https://github.com/xd009642/tarpaulin) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/xd009642/tarpaulin/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/xd009642/tarpaulin/blob/develop/LICENSE-APACHE) OR [MIT](https://github.com/xd009642/tarpaulin/blob/develop/LICENSE-MIT) |
@@ -128,6 +128,8 @@ When installing the tool from GitHub Releases, this action will download the too
 
 Additionally, this action will also verify SHA256 checksums for downloaded files in all tools installed from GitHub Releases. This is enabled by default and can be disabled by setting the `checksum` input option to `false`.
 
+Additionally, we also verify signature if the tool distributes signed archives. Signature verification is done at the stage of getting the checksum, so disabling the checksum will also disable signature verification.
+
 See the linked documentation for information on security when installed using [snap](https://snapcraft.io/docs) or [cargo-binstall](https://github.com/cargo-bins/cargo-binstall#faq).
 
 ## Compatibility

main.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # SPDX-License-Identifier: Apache-2.0 OR MIT
-set -euo pipefail
+set -eEuo pipefail
 IFS=$'\n\t'
 
 rx() {

manifests/cargo-binstall.json

@@ -21,26 +21,26 @@
     }
   },
   "latest": {
-    "version": "1.3.0"
+    "version": "1.4.2"
   },
-  "1.3.0": {
+  "1.4.2": {
     "x86_64_linux_musl": {
-      "checksum": "c6b61f091191e0444f1a503ac8fa8ce53ae7cf77c9472d9e725e9bae099f36d6"
+      "checksum": "d791f2000d934951003c483c2b147f32f09cd7def0e02a06fec51ffda9b9d8f6"
     },
     "x86_64_macos": {
-      "checksum": "fb4feeb108fb1133efa402677d202dffcd9dff7956ebae645a442fce0dfd923a"
+      "checksum": "59f9d03d9028ea3c46a2fef5d72e6f2a1fa337669f7e0f5a4b4aec90043f2355"
     },
     "x86_64_windows": {
-      "checksum": "14fac83eb6f03159c4b495a0dc8bb338d88b0b3139d45a2fe1be1b0cc5259186"
+      "checksum": "81af3737320412d87a40b7ffa5e2087af3f5f47eae76572370d36e985e14c1eb"
     },
     "aarch64_linux_musl": {
-      "checksum": "59183aae6e296cbaef4bae4e74ef0ddbced3cb52cadff236b8b729d1492cde05"
+      "checksum": "e8bdd620ae8a2d97c516354d7df7ffc9eca893f4f840ef309ded90b633df29f3"
     },
     "aarch64_macos": {
-      "checksum": "fbfeab286b70b4874563dbaa3630379ee5f4020562d00f67b116baee0ebc83eb"
+      "checksum": "71cbdee21425a2b77769f6a4ec4af6a00b0a62102c8d2931ed7d9dff43b1c900"
     },
     "aarch64_windows": {
-      "checksum": "30e325fa2da8e47d350237c5bc231f6eb916a3c7202f4b6fc22eeba848a331f1"
+      "checksum": "6d8cdc54dd9a37348418a389f3357f30c605c37abe4d36caa6cd6c1ba433a6d7"
     }
   }
 }

manifests/cargo-careful.json

@@ -12,7 +12,21 @@
     }
   },
   "latest": {
-    "version": "0.3.4"
+    "version": "0.4.0"
+  },
+  "0.4": {
+    "version": "0.4.0"
+  },
+  "0.4.0": {
+    "x86_64_linux_musl": {
+      "checksum": "54cd7e1972e9faf085e3d0798c02054d064bc72de051a2636ece6f5b0ce0176d"
+    },
+    "x86_64_macos": {
+      "checksum": "70d92ad8adf84192caa2066ba981780df926c8aa6cbd398fe489f87af336fe61"
+    },
+    "x86_64_windows": {
+      "checksum": "01ebcae79d9ba0cbb56e5c6bb5757d9cd074a3635704d15b0ef62a000c5d03a8"
+    }
   },
   "0.3": {
     "version": "0.3.4"

manifests/cargo-deny.json

@@ -19,10 +19,24 @@
     }
   },
   "latest": {
-    "version": "0.14.2"
+    "version": "0.14.3"
   },
   "0.14": {
-    "version": "0.14.2"
+    "version": "0.14.3"
+  },
+  "0.14.3": {
+    "x86_64_linux_musl": {
+      "checksum": "7a8b4ccaa6cadda7feea6c125a08f4b63f644fc4e42b09f0e4cdffc42f33f1c3"
+    },
+    "x86_64_macos": {
+      "checksum": "68543cdbb1b33cc42ca744e7914d33bde7eb117a26645e09ef3959992396a4c1"
+    },
+    "x86_64_windows": {
+      "checksum": "92c27d586f1929598e3adc09f8737011b0072817bc18e64c6d612627805aa93a"
+    },
+    "aarch64_macos": {
+      "checksum": "1890410b05c898233cc0025109d383dad412efe2d80ab05f7476e0db5fe721de"
+    }
   },
   "0.14.2": {
     "x86_64_linux_musl": {

manifests/cargo-dinghy.json

@@ -11,10 +11,18 @@
     }
   },
   "latest": {
-    "version": "0.6.7"
+    "version": "0.6.8"
   },
   "0.6": {
-    "version": "0.6.7"
+    "version": "0.6.8"
+  },
+  "0.6.8": {
+    "x86_64_linux_musl": {
+      "checksum": "732752302dbd31dda85c93fd639d72122d138e913e3e7163b57b739c32832dc5"
+    },
+    "x86_64_macos": {
+      "checksum": "245d9ec0e0fe95f07c112375146edb6f559f7846f0b347f6632d49775e7b1fc3"
+    }
   },
   "0.6.7": {
     "x86_64_linux_musl": {

manifests/cargo-llvm-cov.json

@@ -18,10 +18,44 @@
     }
   },
   "latest": {
-    "version": "0.5.31"
+    "version": "0.5.33"
   },
   "0.5": {
-    "version": "0.5.31"
+    "version": "0.5.33"
+  },
+  "0.5.33": {
+    "x86_64_linux_musl": {
+      "checksum": "3274fb95c5d7ab7dd37db6b75e77b666c6fc06b0bd0172e7923af95fe77711da"
+    },
+    "x86_64_macos": {
+      "checksum": "e890a29534e8a10439bd8c8fccd39867d2cb016f82d7b51e615c60caf67491b7"
+    },
+    "x86_64_windows": {
+      "checksum": "332004d47ad0259fbc077c3dde2fe7f7b51dadcea859ccc33759bc149a38b777"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "dd6deacc791de61dc31e45537bf2e7c9c8c652f51e06357d4a700ec7e81188c9"
+    },
+    "aarch64_macos": {
+      "checksum": "8bc5722370884500381eae586910b633f2a215cd5b5feed31d67682e90bd8412"
+    }
+  },
+  "0.5.32": {
+    "x86_64_linux_musl": {
+      "checksum": "2709f1c132eac8c3e1e98f658e2f8fd79f71f0a72b373491aad9e92df3b6684c"
+    },
+    "x86_64_macos": {
+      "checksum": "d56c7b8d5ea02196b8682d242440a400566583f724dee9c9832a99ed9734fa0e"
+    },
+    "x86_64_windows": {
+      "checksum": "194ec6f3657edab3c5f9a4d7a5bb2ab614084d7484f69274d02798fcd2dbea0c"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "2274d691284e4de55fa0a0fd4e7b5003db21f7c62d72986586a81a169cafd7ee"
+    },
+    "aarch64_macos": {
+      "checksum": "7893b26db568ce0c606c0b07cad52659abf2ee488d385581e166fa20924168e5"
+    }
   },
   "0.5.31": {
     "x86_64_linux_musl": {

manifests/cargo-machete.json

@@ -2,7 +2,32 @@
   "rust_crate": "cargo-machete",
   "template": null,
   "latest": {
-    "version": "0.5.0"
+    "version": "0.6.0"
+  },
+  "0.6": {
+    "version": "0.6.0"
+  },
+  "0.6.0": {
+    "x86_64_linux_musl": {
+      "url": "https://github.com/bnjbvr/cargo-machete/releases/download/v0.6.0/cargo-machete-v0.6.0-x86_64-unknown-linux-musl.tar.gz",
+      "checksum": "8f7f67f87c80d8ee331857e61c03762b71f9e68266a9193f4934cef1c8ccb449",
+      "bin": "cargo-machete-v0.6.0-x86_64-unknown-linux-musl/cargo-machete"
+    },
+    "x86_64_macos": {
+      "url": "https://github.com/bnjbvr/cargo-machete/releases/download/v0.6.0/cargo-machete-v0.6.0-x86_64-apple-darwin.tar.gz",
+      "checksum": "dab6a9127166b8889a1933864014664288e16a211a2e3de65585d69b18b84bbf",
+      "bin": "cargo-machete-v0.6.0-x86_64-apple-darwin/cargo-machete"
+    },
+    "x86_64_windows": {
+      "url": "https://github.com/bnjbvr/cargo-machete/releases/download/v0.6.0/cargo-machete-v0.6.0-x86_64-pc-windows-msvc.tar.gz",
+      "checksum": "4e3369fea5e87bdab2d4219dd07b69fa562a7b0081433464ead82dced36f3af1",
+      "bin": "cargo-machete-v0.6.0-x86_64-pc-windows-msvc/cargo-machete.exe"
+    },
+    "aarch64_macos": {
+      "url": "https://github.com/bnjbvr/cargo-machete/releases/download/v0.6.0/cargo-machete-v0.6.0-aarch64-apple-darwin.tar.gz",
+      "checksum": "c4957bade3109f147ebe1598fa8f0b555713bbe83310cd99c927fa25398ae847",
+      "bin": "cargo-machete-v0.6.0-aarch64-apple-darwin/cargo-machete"
+    }
   },
   "0.5": {
     "version": "0.5.0"

manifests/cargo-make.json

@@ -19,10 +19,38 @@
     }
   },
   "latest": {
-    "version": "0.37.0"
+    "version": "0.37.2"
   },
   "0.37": {
-    "version": "0.37.0"
+    "version": "0.37.2"
+  },
+  "0.37.2": {
+    "x86_64_linux_musl": {
+      "checksum": "6413e92bbeab0e43aa933a2843cb7abfc087dee7a076f3b367d2b7a0054f1c88"
+    },
+    "x86_64_macos": {
+      "checksum": "265125172bf82d985bb71974b576a763c7da34ed7f6889ea324ca4910f728b54"
+    },
+    "x86_64_windows": {
+      "checksum": "5f20ef9b30620113d2b8c4c0663f4ba219afd8e01868774702889abe4ac75843"
+    },
+    "aarch64_macos": {
+      "checksum": "0cb0ad856383162cf2e3634e6264f096b420694bf78c224afc999d8033186eb1"
+    }
+  },
+  "0.37.1": {
+    "x86_64_linux_musl": {
+      "checksum": "6a4fbad3d519e6189772dd0b0d16aa137c8208e7492576ff11497645588459c0"
+    },
+    "x86_64_macos": {
+      "checksum": "a8dea1a7f8bc1e7e35bc14dc1cde15a2e122db1ee2ed8dbb787b5d4e33a19f12"
+    },
+    "x86_64_windows": {
+      "checksum": "531677bf6322139e694da4f37c5df722566675b32a020b7e0f37d4ec5d456052"
+    },
+    "aarch64_macos": {
+      "checksum": "b074fedfb6282b846e047a6336920d2d1bb65c6aa25ce03aa4465615e83a407d"
+    }
   },
   "0.37.0": {
     "x86_64_linux_musl": {

manifests/cargo-tarpaulin.json

@@ -18,7 +18,27 @@
     }
   },
   "latest": {
-    "version": "0.26.1"
+    "version": "0.27.0"
+  },
+  "0.27": {
+    "version": "0.27.0"
+  },
+  "0.27.0": {
+    "x86_64_linux_musl": {
+      "checksum": "b0cfcb086131773fb8a6a2cf8090c9416a8f233c2ae4bb887500f4e17d39fe7b"
+    },
+    "x86_64_macos": {
+      "checksum": "84c77137ca762c0cda3d4e8330ef3312efe72220da6470e8d657e5e545a11d2b"
+    },
+    "x86_64_windows": {
+      "checksum": "0114eef8cdb3c8466861dd64d7e16fd430cc0380406f230e16aa9e9c32af45e4"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "6e4f5bc5adafd1730c82ec816b89279d5cdb8255180488fc560e646bef624687"
+    },
+    "aarch64_macos": {
+      "checksum": "375e7969d10faf76ec2ec29d11cbfa266e268357514cd05ed2a24554df7a8183"
+    }
   },
   "0.26": {
     "version": "0.26.1"

manifests/mdbook.json

@@ -18,10 +18,24 @@
     }
   },
   "latest": {
-    "version": "0.4.34"
+    "version": "0.4.35"
   },
   "0.4": {
-    "version": "0.4.34"
+    "version": "0.4.35"
+  },
+  "0.4.35": {
+    "x86_64_linux_musl": {
+      "checksum": "574c2a4e03ee656999da506c4288084a690f234c589812e29825a7687af5942c"
+    },
+    "x86_64_macos": {
+      "checksum": "ca3281c2b5437a1ccd9079ed8121b3dd97c49be74dae32ea803b540a38c334bb"
+    },
+    "x86_64_windows": {
+      "checksum": "d306a09e552616c1d27f10cebe85848b96970881674ad28d9414cd259a949c39"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "359af01b77fbd6bf6243a3f2b2491a37b5480bbb2674eb2d94f91354253b34f4"
+    }
   },
   "0.4.34": {
     "x86_64_linux_musl": {

manifests/parse-changelog.json

@@ -24,10 +24,30 @@
     }
   },
   "latest": {
-    "version": "0.6.2"
+    "version": "0.6.3"
   },
   "0.6": {
-    "version": "0.6.2"
+    "version": "0.6.3"
+  },
+  "0.6.3": {
+    "x86_64_linux_musl": {
+      "checksum": "b01992d759aad7e861363e1d4bbb808b28d530844da1efbc9f8f0f54bad2f813"
+    },
+    "x86_64_macos": {
+      "checksum": "5d0fa26aa6e742b96d1ef8c7aeccdf63469512a706961921242bde2de7640d89"
+    },
+    "x86_64_windows": {
+      "checksum": "71f9367dd33b6ea754a71bdc59524470c955e78d9cf02ad2c09ec98a3ef44b81"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "6aa06d96c2a7c89786f9925e6c54472c77fda0c813c335566f870ecb4ca34d8e"
+    },
+    "aarch64_macos": {
+      "checksum": "963e1b4614cd42a28090365522efc9d7a4f1220ffe9d7bc0b1da8ae29fa6fba9"
+    },
+    "aarch64_windows": {
+      "checksum": "67fb1af8515d0b531bcea8686570d600fbe80c95994cb0c4cf7216b21a48aac4"
+    }
   },
   "0.6.2": {
     "x86_64_linux_musl": {

manifests/syft.json

@@ -23,7 +23,47 @@
     }
   },
   "latest": {
-    "version": "0.90.0"
+    "version": "0.92.0"
+  },
+  "0.92": {
+    "version": "0.92.0"
+  },
+  "0.92.0": {
+    "x86_64_linux_musl": {
+      "checksum": "42159b11660fba22a12f8acad87022987337c0725b99d9cf645b690163d5bfce"
+    },
+    "x86_64_macos": {
+      "checksum": "ac6097010cbba3e0300672868d54670ff514458c6784683172680c47ba1696de"
+    },
+    "x86_64_windows": {
+      "checksum": "071135f3ddff00edd7c21663a08d8c8e1a9d199f55bb0f3cd36aaeb1e186875d"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "33f6636e54eb1731b137c43257d8de8025282ca3570f307f3249ba7d5757ce10"
+    },
+    "aarch64_macos": {
+      "checksum": "8518d8682b5fe287caaabf3584331074220ab3f588ed3d47badf8428af87c320"
+    }
+  },
+  "0.91": {
+    "version": "0.91.0"
+  },
+  "0.91.0": {
+    "x86_64_linux_musl": {
+      "checksum": "51188401eb2a2425db1155ba18cb64db8275491a1e1049690fe6e8a371ff222a"
+    },
+    "x86_64_macos": {
+      "checksum": "724e6864a356834d8f3a40a3db2216884fc2c4cf69b67baa03cd08466e80fca9"
+    },
+    "x86_64_windows": {
+      "checksum": "9189e2246b5b649f8f09eb6d7500ee5f698253e94ebb34fab06ea6910489bcdc"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "e9d3eb8120438325b79a8bf2a994692a111e5a47c63bbdf7762f7e9fb5a12f4a"
+    },
+    "aarch64_macos": {
+      "checksum": "d53362e44322e81015c9fa17f2254f2fa3d55dc04f18c1e0bc8891705aaf4696"
+    }
   },
   "0.90": {
     "version": "0.90.0"

manifests/wasmtime.json

@@ -2,7 +2,40 @@
   "rust_crate": "wasmtime-cli",
   "template": null,
   "latest": {
-    "version": "12.0.2"
+    "version": "13.0.0"
+  },
+  "13": {
+    "version": "13.0.0"
+  },
+  "13.0": {
+    "version": "13.0.0"
+  },
+  "13.0.0": {
+    "x86_64_linux_gnu": {
+      "url": "https://github.com/bytecodealliance/wasmtime/releases/download/v13.0.0/wasmtime-v13.0.0-x86_64-linux.tar.xz",
+      "checksum": "af14e310a27d28e07675bb5d5254adee1cfddfeab0d9541e68b074f6263f4c2d",
+      "bin": "wasmtime-v13.0.0-x86_64-linux/wasmtime"
+    },
+    "x86_64_macos": {
+      "url": "https://github.com/bytecodealliance/wasmtime/releases/download/v13.0.0/wasmtime-v13.0.0-x86_64-macos.tar.xz",
+      "checksum": "a68023cd806de4432a102f24b07b204c8f83f8ce626c5ac4f248faa0807d0f49",
+      "bin": "wasmtime-v13.0.0-x86_64-macos/wasmtime"
+    },
+    "x86_64_windows": {
+      "url": "https://github.com/bytecodealliance/wasmtime/releases/download/v13.0.0/wasmtime-v13.0.0-x86_64-windows.zip",
+      "checksum": "ad1dea7c069eeda2432d4344221b05c46d146aaa7f5b16cbd468932e9fdaac76",
+      "bin": "wasmtime-v13.0.0-x86_64-windows/wasmtime.exe"
+    },
+    "aarch64_linux_gnu": {
+      "url": "https://github.com/bytecodealliance/wasmtime/releases/download/v13.0.0/wasmtime-v13.0.0-aarch64-linux.tar.xz",
+      "checksum": "2422b7c6c0d60bcfbab7d098ead0e120e24971525521a7758ea1a1db5ce57395",
+      "bin": "wasmtime-v13.0.0-aarch64-linux/wasmtime"
+    },
+    "aarch64_macos": {
+      "url": "https://github.com/bytecodealliance/wasmtime/releases/download/v13.0.0/wasmtime-v13.0.0-aarch64-macos.tar.xz",
+      "checksum": "12b32b91e07f53ea363505530b6fb3312a7ac1e71ae38957bb545011f10dbaab",
+      "bin": "wasmtime-v13.0.0-aarch64-macos/wasmtime"
+    }
   },
   "12": {
     "version": "12.0.2"

tools/ci/manifest.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # SPDX-License-Identifier: Apache-2.0 OR MIT
-set -euo pipefail
+set -eEuo pipefail
 IFS=$'\n\t'
 cd "$(dirname "$0")"/../..
 

tools/ci/tool-list.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # SPDX-License-Identifier: Apache-2.0 OR MIT
-set -euo pipefail
+set -eEuo pipefail
 IFS=$'\n\t'
 cd "$(dirname "$0")"/../..
 

tools/codegen/Cargo.toml

@@ -6,9 +6,13 @@ publish = false
 
 [dependencies]
 anyhow = "1"
+flate2 = "1"
 fs-err = "2"
+minisign-verify = "0.2"
 semver = { version = "1", features = ["serde"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 sha2 = "0.10"
+tar = "0.4"
+toml = "0.8"
 ureq = { version = "2", features = ["json"] }

tools/codegen/base/cargo-binstall.json

@@ -4,6 +4,9 @@
   "rust_crate": "${package}",
   "asset_name": "${package}-${rust_target}.tgz",
   "version_range": "latest",
+  "signing": {
+    "kind": "minisign-binstall"
+  },
   "platform": {
     "x86_64_linux_musl": {},
     "x86_64_macos": {

tools/codegen/src/main.rs

@@ -1,13 +1,13 @@
 // SPDX-License-Identifier: Apache-2.0 OR MIT
 
-use anyhow::{bail, Context as _, Result};
+#![allow(clippy::single_match)]
-use fs_err as fs;
+
-use serde::{Deserialize, Serialize};
-use sha2::{Digest, Sha256};
 use std::{
     cmp::Reverse,
     collections::{BTreeMap, BTreeSet},
-    env, fmt,
+    env,
+    ffi::OsStr,
+    fmt,
     io::Read,
     path::{Path, PathBuf},
     slice,
@@ -15,6 +15,11 @@ use std::{
     time::Duration,
 };
 
+use anyhow::{bail, Context as _, Result};
+use fs_err as fs;
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+
 fn main() -> Result<()> {
     let args: Vec<_> = env::args().skip(1).collect();
     if args.is_empty() || args.iter().any(|arg| arg.starts_with('-')) {
@@ -26,17 +31,13 @@ fn main() -> Result<()> {
     let package = &args[0];
 
     let workspace_root = &workspace_root();
-    let manifest_path = &workspace_root
+    let manifest_path = &workspace_root.join("manifests").join(format!("{package}.json"));
-        .join("manifests")
-        .join(format!("{package}.json"));
     let download_cache_dir = &workspace_root.join("tools/codegen/tmp/cache").join(package);
     fs::create_dir_all(manifest_path.parent().unwrap())?;
     fs::create_dir_all(download_cache_dir)?;
 
     let mut base_info: BaseManifest = serde_json::from_slice(&fs::read(
-        workspace_root
+        workspace_root.join("tools/codegen/base").join(format!("{package}.json")),
-            .join("tools/codegen/base")
-            .join(format!("{package}.json")),
     )?)?;
     let repo = base_info
         .repository
@@ -77,11 +78,8 @@ fn main() -> Result<()> {
         .collect();
 
     let mut crates_io_info = None;
-    base_info.rust_crate = base_info
+    base_info.rust_crate =
-        .rust_crate
+        base_info.rust_crate.as_ref().map(|s| replace_vars(s, package, None, None)).transpose()?;
-        .as_ref()
-        .map(|s| replace_vars(s, package, None, None))
-        .transpose()?;
     if let Some(crate_name) = &base_info.rust_crate {
         eprintln!("downloading crate info from https://crates.io/api/v1/crates/{crate_name}");
         crates_io_info = Some(
@@ -113,10 +111,7 @@ fn main() -> Result<()> {
                         for (platform, d) in &mut manifest.download_info {
                             let template = &template.download_info[platform];
                             d.url = Some(template.url.replace("${version}", version));
-                            d.bin = template
+                            d.bin = template.bin.as_ref().map(|s| s.replace("${version}", version));
-                                .bin
-                                .as_ref()
-                                .map(|s| s.replace("${version}", version));
                         }
                     }
                 }
@@ -127,19 +122,6 @@ fn main() -> Result<()> {
     }
     let version_req: Option<semver::VersionReq> = match args.get(1) {
         _ if latest_only => {
-            if args.get(1).map(String::as_str) == Some("latest") {
-                if let Some(m) = manifests.map.first_key_value() {
-                    let version = match m.1 {
-                        ManifestRef::Ref { version } => version,
-                        ManifestRef::Real(_) => &m.0 .0,
-                    };
-                    if !manifests.map.is_empty()
-                        && *version >= releases.first_key_value().unwrap().0 .0.clone().into()
-                    {
-                        return Ok(());
-                    }
-                }
-            }
             let req = format!("={}", releases.first_key_value().unwrap().0 .0).parse()?;
             eprintln!("update manifest for versions '{req}'");
             Some(req)
@@ -163,7 +145,7 @@ fn main() -> Result<()> {
                 if manifests.map.is_empty() {
                     format!("={}", releases.first_key_value().unwrap().0 .0).parse()?
                 } else {
-                    format!(">{}", semver_versions.last().unwrap()).parse()?
+                    format!(">={}", semver_versions.last().unwrap()).parse()?
                 }
             } else {
                 version_req.parse()?
@@ -174,6 +156,7 @@ fn main() -> Result<()> {
     };
 
     let mut buf = vec![];
+    let mut buf2 = vec![];
     for (Reverse(semver_version), (version, release)) in &releases {
         if let Some(version_req) = &version_req {
             if !version_req.matches(semver_version) {
@@ -187,6 +170,7 @@ fn main() -> Result<()> {
         }
 
         let mut download_info = BTreeMap::new();
+        let mut pubkey = None;
         for (&platform, base_download_info) in &base_info.platform {
             let asset_names = base_download_info
                 .asset_name
@@ -213,8 +197,8 @@ fn main() -> Result<()> {
                 }
             };
 
-            eprintln!("downloading {url} for checksum...");
+            eprint!("downloading {url} for checksum ... ");
-            let download_cache = download_cache_dir.join(format!(
+            let download_cache = &download_cache_dir.join(format!(
                 "{version}-{platform:?}-{}",
                 Path::new(&url).file_name().unwrap().to_str().unwrap()
             ));
@@ -230,10 +214,86 @@ fn main() -> Result<()> {
             let hash = Sha256::digest(&buf);
             let hash = format!("{hash:x}");
             eprintln!("{hash} *{asset_name}");
+            let bin_url = &url;
 
-            download_info.insert(
+            match base_info.signing {
-                platform,
+                Some(Signing { kind: SigningKind::MinisignBinstall }) => {
-                ManifestDownloadInfo {
+                    let url = url.clone() + ".sig";
+                    let sig_download_cache = &download_cache.with_extension(format!(
+                        "{}.sig",
+                        download_cache.extension().unwrap_or_default().to_str().unwrap()
+                    ));
+                    eprint!("downloading {url} for signature validation ... ");
+                    let sig = if sig_download_cache.is_file() {
+                        eprintln!("already downloaded");
+                        minisign_verify::Signature::from_file(sig_download_cache)?
+                    } else {
+                        let buf = download(&url)?.into_string()?;
+                        eprintln!("download complete");
+                        fs::write(sig_download_cache, &buf)?;
+                        minisign_verify::Signature::decode(&buf)?
+                    };
+
+                    let Some(crates_io_info) = &crates_io_info else {
+                        bail!("signing kind minisign-binstall is supported only for rust crate");
+                    };
+                    let v =
+                        crates_io_info.versions.iter().find(|v| v.num == *semver_version).unwrap();
+                    let url = format!("https://crates.io{}", v.dl_path);
+                    let crate_download_cache =
+                        &download_cache_dir.join(format!("{version}-Cargo.toml"));
+                    eprint!("downloading {url} for signature verification ... ");
+                    if crate_download_cache.is_file() {
+                        eprintln!("already downloaded");
+                    } else {
+                        download(&url)?.into_reader().read_to_end(&mut buf2)?;
+                        let hash = Sha256::digest(&buf2);
+                        if format!("{hash:x}") != v.checksum {
+                            bail!("checksum mismatch for {url}");
+                        }
+                        let decoder = flate2::read::GzDecoder::new(&*buf2);
+                        let mut archive = tar::Archive::new(decoder);
+                        for entry in archive.entries()? {
+                            let mut entry = entry?;
+                            let path = entry.path()?;
+                            if path.file_name() == Some(OsStr::new("Cargo.toml")) {
+                                entry.unpack(crate_download_cache)?;
+                                break;
+                            }
+                        }
+                        buf2.clear();
+                        eprintln!("download complete");
+                    }
+                    if pubkey.is_none() {
+                        let cargo_manifest = toml::from_str::<cargo_manifest::Manifest>(
+                            &fs::read_to_string(crate_download_cache)?,
+                        )?;
+                        eprintln!(
+                            "algorithm: {}",
+                            cargo_manifest.package.metadata.binstall.signing.algorithm
+                        );
+                        eprintln!(
+                            "pubkey: {}",
+                            cargo_manifest.package.metadata.binstall.signing.pubkey
+                        );
+                        assert_eq!(
+                            cargo_manifest.package.metadata.binstall.signing.algorithm,
+                            "minisign"
+                        );
+                        pubkey = Some(minisign_verify::PublicKey::from_base64(
+                            &cargo_manifest.package.metadata.binstall.signing.pubkey,
+                        )?);
+                    }
+                    let pubkey = pubkey.as_ref().unwrap();
+                    eprint!("verifying signature for {bin_url} ... ");
+                    let allow_legacy = false;
+                    pubkey.verify(&buf, &sig, allow_legacy)?;
+                    eprintln!("done");
+                }
+                None => {}
+            }
+
+            download_info.insert(platform, ManifestDownloadInfo {
                 url: Some(url),
                 checksum: hash,
                 bin: base_download_info
@@ -242,8 +302,7 @@ fn main() -> Result<()> {
                     .or(base_info.bin.as_ref())
                     .map(|s| replace_vars(s, package, Some(version), Some(platform)))
                     .transpose()?,
-                },
+            });
-            );
             buf.clear();
         }
         if download_info.is_empty() {
@@ -295,39 +354,30 @@ fn main() -> Result<()> {
             if !(version.major == 0 && version.minor == 0) {
                 manifests.map.insert(
                     Reverse(Version::omitted(version.major, Some(version.minor))),
-                    ManifestRef::Ref {
+                    ManifestRef::Ref { version: version.clone().into() },
-                        version: version.clone().into(),
-                    },
                 );
             }
             if version.major != 0 {
-                manifests.map.insert(
+                manifests
-                    Reverse(Version::omitted(version.major, None)),
+                    .map
-                    ManifestRef::Ref {
+                    .insert(Reverse(Version::omitted(version.major, None)), ManifestRef::Ref {
                         version: version.clone().into(),
-                    },
+                    });
-                );
             }
             prev_version = version;
         }
-        manifests.map.insert(
+        manifests.map.insert(Reverse(Version::latest()), ManifestRef::Ref {
-            Reverse(Version::latest()),
-            ManifestRef::Ref {
             version: prev_version.clone().into(),
-            },
+        });
-        );
     }
 
-    let ManifestRef::Ref {
+    let ManifestRef::Ref { version: latest_version } =
-        version: latest_version,
+        manifests.map.first_key_value().unwrap().1.clone()
-    } = manifests.map.first_key_value().unwrap().1.clone()
     else {
         unreachable!()
     };
     if latest_only {
-        manifests
+        manifests.map.retain(|k, _| k.0 == Version::latest() || k.0 == latest_version);
-            .map
-            .retain(|k, _| k.0 == Version::latest() || k.0 == latest_version);
     }
     let ManifestRef::Real(latest_manifest) = &manifests.map[&Reverse(latest_version.clone())]
     else {
@@ -338,16 +388,12 @@ fn main() -> Result<()> {
             continue;
         }
         if p == HostPlatform::x86_64_linux_gnu
-            && latest_manifest
+            && latest_manifest.download_info.contains_key(&HostPlatform::x86_64_linux_musl)
-                .download_info
-                .contains_key(&HostPlatform::x86_64_linux_musl)
         {
             continue;
         }
         if p == HostPlatform::aarch64_linux_gnu
-            && latest_manifest
+            && latest_manifest.download_info.contains_key(&HostPlatform::aarch64_linux_musl)
-                .download_info
-                .contains_key(&HostPlatform::aarch64_linux_musl)
         {
             continue;
         }
@@ -358,9 +404,7 @@ fn main() -> Result<()> {
     }
 
     let original_manifests = manifests.clone();
-    let mut template = Some(ManifestTemplate {
+    let mut template = Some(ManifestTemplate { download_info: BTreeMap::new() });
-        download_info: BTreeMap::new(),
-    });
     'outer: for (version, manifest) in &mut manifests.map {
         let ManifestRef::Real(manifest) = manifest else {
             continue;
@@ -376,13 +420,10 @@ fn main() -> Result<()> {
                     break 'outer;
                 }
             } else {
-                t.download_info.insert(
+                t.download_info.insert(*platform, ManifestTemplateDownloadInfo {
-                    *platform,
-                    ManifestTemplateDownloadInfo {
                     url: template_url,
                     bin: template_bin,
-                    },
+                });
-                );
             }
         }
     }
@@ -587,9 +628,7 @@ impl<'de> Deserialize<'de> for Version {
         D: serde::Deserializer<'de>,
     {
         use serde::de::Error as _;
-        String::deserialize(deserializer)?
+        String::deserialize(deserializer)?.parse().map_err(D::Error::custom)
-            .parse()
-            .map_err(D::Error::custom)
     }
 }
 
@@ -652,10 +691,27 @@ struct BaseManifest {
     asset_name: Option<StringOrArray>,
     /// Path to binary in archive. Default to `${tool}${exe}`.
     bin: Option<String>,
+    signing: Option<Signing>,
     platform: BTreeMap<HostPlatform, BaseManifestPlatformInfo>,
     version_range: Option<String>,
 }
 
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+struct Signing {
+    kind: SigningKind,
+}
+
+#[derive(Debug, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "kebab-case")]
+#[serde(deny_unknown_fields)]
+enum SigningKind {
+    /// algorithm: minisign
+    /// public key: package.metadata.binstall.signing.pubkey at Cargo.toml
+    /// <https://github.com/cargo-bins/cargo-binstall/blob/HEAD/SIGNING.md>
+    MinisignBinstall,
+}
+
 #[derive(Debug, Deserialize)]
 #[serde(deny_unknown_fields)]
 struct BaseManifestPlatformInfo {
@@ -775,7 +831,39 @@ mod crates_io {
 
     #[derive(Debug, Deserialize)]
     pub struct Version {
+        pub checksum: String,
+        pub dl_path: String,
         pub num: semver::Version,
         pub yanked: bool,
     }
 }
+
+mod cargo_manifest {
+    use serde::Deserialize;
+
+    #[derive(Debug, Deserialize)]
+    pub struct Manifest {
+        pub package: Package,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct Package {
+        pub metadata: Metadata,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct Metadata {
+        pub binstall: Binstall,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct Binstall {
+        pub signing: BinstallSigning,
+    }
+
+    #[derive(Debug, Deserialize)]
+    pub struct BinstallSigning {
+        pub algorithm: String,
+        pub pubkey: String,
+    }
+}

tools/manifest.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # SPDX-License-Identifier: Apache-2.0 OR MIT
-set -euo pipefail
+set -eEuo pipefail
 IFS=$'\n\t'
 cd "$(dirname "$0")"/..
 

tools/publish.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # SPDX-License-Identifier: Apache-2.0 OR MIT
-set -euo pipefail
+set -eEuo pipefail
 IFS=$'\n\t'
 cd "$(dirname "$0")"/..
 

tools/tidy.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # SPDX-License-Identifier: Apache-2.0 OR MIT
 # shellcheck disable=SC2046
-set -euo pipefail
+set -eEuo pipefail
 IFS=$'\n\t'
 cd "$(dirname "$0")"/..
 
@@ -81,7 +81,7 @@ if [[ -n "$(git ls-files '*.rs')" ]]; then
         fi
         check_diff $(git ls-files '*.rs')
     else
-        warn "'rustup' is not installed"
+        warn "'rustup' is not installed; skipped Rust code style check"
     fi
     cast_without_turbofish=$(grep -n -E '\.cast\(\)' $(git ls-files '*.rs') || true)
     if [[ -n "${cast_without_turbofish}" ]]; then
@@ -168,7 +168,7 @@ if [[ -n "$(git ls-files '*.c')$(git ls-files '*.cpp')" ]]; then
         clang-format -i $(git ls-files '*.c') $(git ls-files '*.cpp')
         check_diff $(git ls-files '*.c') $(git ls-files '*.cpp')
     else
-        warn "'clang-format' is not installed"
+        warn "'clang-format' is not installed; skipped C/C++ code style check"
     fi
 fi
 
@@ -176,11 +176,11 @@ fi
 if [[ -n "$(git ls-files '*.yml')$(git ls-files '*.js')$(git ls-files '*.json')" ]]; then
     info "checking YAML/JavaScript/JSON code style"
     if type -P npm &>/dev/null; then
-        echo "+ npx prettier -l -w \$(git ls-files '*.yml') \$(git ls-files '*.js') \$(git ls-files '*.json')"
+        echo "+ npx -y prettier -l -w \$(git ls-files '*.yml') \$(git ls-files '*.js') \$(git ls-files '*.json')"
-        npx prettier -l -w $(git ls-files '*.yml') $(git ls-files '*.js') $(git ls-files '*.json')
+        npx -y prettier -l -w $(git ls-files '*.yml') $(git ls-files '*.js') $(git ls-files '*.json')
         check_diff $(git ls-files '*.yml') $(git ls-files '*.js') $(git ls-files '*.json')
     else
-        warn "'npm' is not installed"
+        warn "'npm' is not installed; skipped YAML/JavaScript/JSON code style check"
     fi
     # Check GitHub workflows.
     if [[ -d .github/workflows ]]; then
@@ -190,7 +190,7 @@ if [[ -n "$(git ls-files '*.yml')$(git ls-files '*.js')$(git ls-files '*.json')"
                 # The top-level permissions must be weak as they are referenced by all jobs.
                 permissions=$(yq '.permissions' "${workflow}" | jq -c)
                 case "${permissions}" in
-                    '{"contents":"read"}' | '{"contents":"none"}' | '{}') ;;
+                    '{"contents":"read"}' | '{"contents":"none"}') ;;
                     null) error "${workflow}: top level permissions not found; it must be 'contents: read' or weaker permissions" ;;
                     *) error "${workflow}: only 'contents: read' and weaker permissions are allowed at top level; if you want to use stronger permissions, please set job-level permissions" ;;
                 esac
@@ -210,7 +210,7 @@ if [[ -n "$(git ls-files '*.yml')$(git ls-files '*.js')$(git ls-files '*.json')"
                 fi
             done
         else
-            warn "'jq' or 'yq' is not installed"
+            warn "'jq' or 'yq' is not installed; skipped GitHub workflow check"
         fi
     fi
 fi
@@ -219,6 +219,21 @@ if [[ -n "$(git ls-files '*.yaml')" ]]; then
     git ls-files '*.yaml'
 fi
 
+# Markdown (if exists)
+if [[ -n "$(git ls-files '*.md')" ]]; then
+    info "checking Markdown style"
+    if type -P npm &>/dev/null; then
+        echo "+ npx -y markdownlint-cli2 \$(git ls-files '*.md')"
+        npx -y markdownlint-cli2 $(git ls-files '*.md')
+    else
+        warn "'npm' is not installed; skipped Markdown style check"
+    fi
+fi
+if [[ -n "$(git ls-files '*.markdown')" ]]; then
+    error "please use '.md' instead of '.markdown' for consistency"
+    git ls-files '*.markdown'
+fi
+
 # Shell scripts
 info "checking Shell scripts"
 if type -P shfmt &>/dev/null; then
@@ -226,7 +241,7 @@ if type -P shfmt &>/dev/null; then
     shfmt -l -w $(git ls-files '*.sh')
     check_diff $(git ls-files '*.sh')
 else
-    warn "'shfmt' is not installed"
+    warn "'shfmt' is not installed; skipped Shell scripts style check"
 fi
 if type -P shellcheck &>/dev/null; then
     echo "+ shellcheck \$(git ls-files '*.sh')"
@@ -241,7 +256,7 @@ if type -P shellcheck &>/dev/null; then
         fi
     fi
 else
-    warn "'shellcheck' is not installed"
+    warn "'shellcheck' is not installed; skipped Shell scripts style check"
 fi
 
 # License check
@@ -268,9 +283,10 @@ if [[ -f tools/.tidy-check-license-headers ]]; then
         fi
         header_found=''
         for pre in "${prefix[@]}"; do
+            # TODO: check that the license is valid as SPDX and is allowed in this project.
             if [[ "$(grep -E -n "${pre}SPDX-License-Identifier: " "${p}")" == "${line}:${pre}SPDX-License-Identifier: "* ]]; then
                 header_found='1'
-                continue
+                break
             fi
         done
         if [[ -z "${header_found}" ]]; then
@@ -308,13 +324,14 @@ if [[ -f .cspell.json ]]; then
         fi
         config_old=$(<.cspell.json)
         config_new=$(grep <<<"${config_old}" -v ' *//' | jq 'del(.dictionaries[] | select(index("organization-dictionary") | not))' | jq 'del(.dictionaryDefinitions[] | select(.name == "organization-dictionary" | not))')
+        trap -- 'echo "${config_old}" >.cspell.json; echo >&2 "$0: trapped SIGINT"; exit 1' SIGINT
         echo "${config_new}" >.cspell.json
         if [[ -n "${has_rust}" ]]; then
-            dependencies_words=$(npx <<<"${dependencies}" cspell stdin --no-progress --no-summary --words-only --unique || true)
+            dependencies_words=$(npx <<<"${dependencies}" -y cspell stdin --no-progress --no-summary --words-only --unique || true)
         fi
-        all_words=$(npx cspell --no-progress --no-summary --words-only --unique $(git ls-files | (grep -v "${project_dictionary//\./\\.}" || true)) || true)
+        all_words=$(npx -y cspell --no-progress --no-summary --words-only --unique $(git ls-files | (grep -v "${project_dictionary//\./\\.}" || true)) || true)
-        # TODO: handle SIGINT
         echo "${config_old}" >.cspell.json
+        trap - SIGINT
         cat >.github/.cspell/rust-dependencies.txt <<EOF
 // This file is @generated by $(basename "$0").
 // It is not intended for manual editing.
@@ -327,8 +344,8 @@ EOF
             echo "warning: you may want to mark .github/.cspell/rust-dependencies.txt linguist-generated"
         fi
 
-        echo "+ npx cspell --no-progress --no-summary \$(git ls-files)"
+        echo "+ npx -y cspell --no-progress --no-summary \$(git ls-files)"
-        if ! npx cspell --no-progress --no-summary $(git ls-files); then
+        if ! npx -y cspell --no-progress --no-summary $(git ls-files); then
             error "spellcheck failed: please fix uses of above words or add to ${project_dictionary} if correct"
         fi
 
@@ -360,7 +377,7 @@ EOF
             echo "======================================="
         fi
     else
-        warn "'npm' is not installed"
+        warn "'npm' is not installed; skipped spell check"
     fi
 fi