Release 2.34.2

.cspell.json

@@ -44,7 +44,7 @@
   "languageSettings": [
     {
       "languageId": ["*"],
-      "dictionaries": ["rust"]
+      "dictionaries": ["bash", "rust"]
     }
   ],
   "ignorePaths": []

.github/.cspell/project-dictionary.txt

@@ -22,7 +22,6 @@ pwsh
 quickinstall
 rdme
 sccache
-shfmt
 syft
 udeps
 wasmtime

.github/workflows/ci.yml

@@ -66,10 +66,10 @@ jobs:
           tool: ${{ steps.tool-list.outputs.tool }}
       # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell
       - name: Test bash
-        run: just --version; shfmt --version; protoc --version
+        run: just --version && shfmt --version && protoc --version
         shell: bash
       - name: Test sh
-        run: just --version; shfmt --version; protoc --version
+        run: just --version && shfmt --version && protoc --version
         shell: sh
         if: startsWith(matrix.os, 'ubuntu') || startsWith(matrix.os, 'macos')
       - name: Test pwsh
@@ -118,29 +118,8 @@ jobs:
     timeout-minutes: 60
     container: ${{ matrix.container }}
     steps:
-      - name: Install requirements (ubuntu/debian)
-        run: |
-          set -eEuxo pipefail
-          apt-get -o Acquire::Retries=10 -qq update
-          apt-get -o Acquire::Retries=10 -o Dpkg::Use-Pty=0 install -y --no-install-recommends cargo
-        if: startsWith(matrix.container, 'ubuntu') || startsWith(matrix.container, 'debian')
-      - name: Install requirements (fedora/almalinux/centos)
-        run: |
-          set -eEuxo pipefail
-          curl --proto '=https' --tlsv1.2 -fsSL --retry 10 https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain stable --no-modify-path
-          echo "$HOME/.cargo/bin" >>"${GITHUB_PATH}"
-        if: startsWith(matrix.container, 'fedora') || startsWith(matrix.container, 'almalinux') ||  startsWith(matrix.container, 'centos')
-      - name: Install requirements (opensuse)
-        run: |
-          set -eEuxo pipefail
-          zypper install -y rustup
-          rustup toolchain add stable --profile minimal
-        if: startsWith(matrix.container, 'opensuse')
-      - name: Install requirements (archlinux)
-        run: pacman -Sy --noconfirm rust
-        if: startsWith(matrix.container, 'archlinux')
       - name: Install requirements (alpine)
-        run: apk --no-cache add bash cargo
+        run: apk --no-cache add bash
         shell: sh
         if: startsWith(matrix.container, 'alpine')
       - uses: taiki-e/checkout-action@v1
@@ -153,19 +132,6 @@ jobs:
         with:
           tool: ${{ steps.tool-list.outputs.tool }}
 
-  test-no-cargo:
-    runs-on: ubuntu-latest
-    timeout-minutes: 60
-    container: ubuntu
-    steps:
-      - uses: taiki-e/checkout-action@v1
-      - name: Generate tool list
-        id: tool-list
-        run: tools/ci/tool-list.sh >>"${GITHUB_OUTPUT}"
-      - uses: ./
-        with:
-          tool: ${{ steps.tool-list.outputs.tool }}
-
   manifest:
     runs-on: ubuntu-latest
     timeout-minutes: 60

CHANGELOG.md

@@ -10,6 +10,30 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
 
 ## [Unreleased]
 
+## [2.34.2] - 2024-06-03
+
+- Update `typos@latest` to 1.22.0.
+
+## [2.34.1] - 2024-06-03
+
+- Update `git-cliff@latest` to 2.3.0.
+
+## [2.34.0] - 2024-06-01
+
+- Support cargo-binstall fallback without cargo.
+
+## [2.33.36] - 2024-06-01
+
+- Update `cargo-llvm-cov@latest` to 0.6.10.
+
+## [2.33.35] - 2024-05-28
+
+- Update `syft@latest` to 1.5.0.
+
+## [2.33.34] - 2024-05-26
+
+- Update `dprint@latest` to 0.46.1.
+
 ## [2.33.33] - 2024-05-25
 
 - Update `dprint@latest` to 0.46.0.
@@ -2215,7 +2239,13 @@ Note: This release is considered a breaking change because installing on version
 
 Initial release
 
-[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.33.33...HEAD
+[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.34.2...HEAD
+[2.34.2]: https://github.com/taiki-e/install-action/compare/v2.34.1...v2.34.2
+[2.34.1]: https://github.com/taiki-e/install-action/compare/v2.34.0...v2.34.1
+[2.34.0]: https://github.com/taiki-e/install-action/compare/v2.33.36...v2.34.0
+[2.33.36]: https://github.com/taiki-e/install-action/compare/v2.33.35...v2.33.36
+[2.33.35]: https://github.com/taiki-e/install-action/compare/v2.33.34...v2.33.35
+[2.33.34]: https://github.com/taiki-e/install-action/compare/v2.33.33...v2.33.34
 [2.33.33]: https://github.com/taiki-e/install-action/compare/v2.33.32...v2.33.33
 [2.33.32]: https://github.com/taiki-e/install-action/compare/v2.33.31...v2.33.32
 [2.33.31]: https://github.com/taiki-e/install-action/compare/v2.33.30...v2.33.31

Cargo.toml

@@ -10,6 +10,8 @@ improper_ctypes_definitions = "warn"
 non_ascii_idents = "warn"
 rust_2018_idioms = "warn"
 single_use_lifetimes = "warn"
+unexpected_cfgs = { level = "warn", check-cfg = [
+] }
 unreachable_pub = "warn"
 unsafe_op_in_unsafe_fn = "warn"
 [workspace.lints.clippy]
@@ -27,12 +29,13 @@ borrow_as_ptr = { level = "allow", priority = 1 } # https://github.com/rust-lang
 declare_interior_mutable_const = { level = "allow", priority = 1 } # https://github.com/rust-lang/rust-clippy/issues/7665
 doc_markdown = { level = "allow", priority = 1 }
 float_cmp = { level = "allow", priority = 1 } # https://github.com/rust-lang/rust-clippy/issues/7725
-lint_groups_priority = { level = "allow", priority = 1 } # clippy bug: https://github.com/rust-lang/rust-clippy/issues/12270
+incompatible_msrv = { level = "allow", priority = 1 } # buggy: doesn't consider cfg, https://github.com/rust-lang/rust-clippy/issues/12280, https://github.com/rust-lang/rust-clippy/issues/12257#issuecomment-2093667187
+lint_groups_priority = { level = "allow", priority = 1 } # https://github.com/rust-lang/rust-clippy/issues/12270
 manual_assert = { level = "allow", priority = 1 }
 manual_range_contains = { level = "allow", priority = 1 } # https://github.com/rust-lang/rust-clippy/issues/6455#issuecomment-1225966395
 missing_errors_doc = { level = "allow", priority = 1 }
 module_name_repetitions = { level = "allow", priority = 1 }
-nonminimal_bool = { level = "allow", priority = 1 } # buggy https://github.com/rust-lang/rust-clippy/issues?q=is%3Aissue+is%3Aopen+nonminimal_bool
+nonminimal_bool = { level = "allow", priority = 1 } # buggy: https://github.com/rust-lang/rust-clippy/issues?q=is%3Aissue+is%3Aopen+nonminimal_bool
 similar_names = { level = "allow", priority = 1 }
 single_match = { level = "allow", priority = 1 }
 single_match_else = { level = "allow", priority = 1 }

README.md

@@ -152,7 +152,6 @@ This action has been tested for GitHub-hosted runners (Ubuntu, macOS, Windows) a
 To use this action in self-hosted runners or in containers, at least the following tools are required:
 
 - bash
-- cargo (if you use cargo-binstall fallback)
 
 ## Related Projects
 

main.sh

@@ -748,5 +748,11 @@ if [[ ${#unsupported_tools[@]} -gt 0 ]]; then
     # By default, cargo-binstall enforce downloads over secure transports only.
     # As a result, http will be disabled, and it will also set
     # min tls version to be 1.2
-    cargo binstall --force --no-confirm --locked "${unsupported_tools[@]}"
+    cargo-binstall binstall --force --no-confirm --locked "${unsupported_tools[@]}"
+    if ! type -P cargo >/dev/null; then
+        _bin_dir=$(canonicalize_windows_path "${HOME}/.cargo/bin")
+        # TODO: avoid this when already added
+        info "adding '${_bin_dir}' to PATH"
+        echo "${_bin_dir}" >>"${GITHUB_PATH}"
+    fi
 fi

manifests/cargo-llvm-cov.json

@@ -18,10 +18,27 @@
     }
   },
   "latest": {
-    "version": "0.6.9"
+    "version": "0.6.10"
   },
   "0.6": {
-    "version": "0.6.9"
+    "version": "0.6.10"
+  },
+  "0.6.10": {
+    "x86_64_linux_musl": {
+      "checksum": "2350d7d6586c8b1ac828ad5578225fafb6a43fa9c35fe835c28a5ed63499df60"
+    },
+    "x86_64_macos": {
+      "checksum": "6355b4536798ba0cea459729cc531f7bbf252d51c86b02683c0b4a4033d8cb96"
+    },
+    "x86_64_windows": {
+      "checksum": "3090e71ba2c0e16e593d338f4ed696f3829544f53dea63bdd966398f4379259c"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "7921682e7bd925b69bbecaf9bf42f99a6404ef60049b1a9f87fe97dc697265f4"
+    },
+    "aarch64_macos": {
+      "checksum": "46fe1d529755ca1a39dc7995374eef4482a20f0f632dd113430641c06fc4b466"
+    }
   },
   "0.6.9": {
     "x86_64_linux_musl": {

manifests/dprint.json

@@ -24,10 +24,27 @@
     }
   },
   "latest": {
-    "version": "0.46.0"
+    "version": "0.46.1"
   },
   "0.46": {
-    "version": "0.46.0"
+    "version": "0.46.1"
+  },
+  "0.46.1": {
+    "x86_64_linux_musl": {
+      "checksum": "4a7d6fa6b920ab150f580965556086cdd7992e07078e627ab9a9d1c3bd30ba85"
+    },
+    "x86_64_macos": {
+      "checksum": "cdea84bce1d84c26e8eced2265d246b79a849ec2e7d1377d98dd7bdb21c7ce83"
+    },
+    "x86_64_windows": {
+      "checksum": "74e5ab38c744d5903862c2b5174d0fef9759b5506da775e1fb93b6a68c63101d"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "e2b6d87167d21f1f01571790e79526ef9caff3b8b75f5cac348c4f06f60a8c16"
+    },
+    "aarch64_macos": {
+      "checksum": "f3ff4faef83d14c3b4ae262e79a40d4e0fc3fa1903d0b6e9b82f0b25b00e9499"
+    }
   },
   "0.46.0": {
     "x86_64_linux_musl": {

manifests/git-cliff.json

@@ -27,10 +27,33 @@
     }
   },
   "latest": {
-    "version": "2.2.2"
+    "version": "2.3.0"
   },
   "2": {
-    "version": "2.2.2"
+    "version": "2.3.0"
+  },
+  "2.3": {
+    "version": "2.3.0"
+  },
+  "2.3.0": {
+    "x86_64_linux_musl": {
+      "checksum": "0371c0c2fd948a711d05198f719a2ec8ccb2a43ae5e4760394916d5cf6b45c6c"
+    },
+    "x86_64_macos": {
+      "checksum": "73ce46c671a593fe1acef725e7816c793968e3c315fd72107280e830eaa55820"
+    },
+    "x86_64_windows": {
+      "checksum": "90bc9c60b5db44a62fae51fb09e9565e2d460e107df3404ac5384a2f0bdd96d1"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "aed0a6fba4d5b309be98ef71db75928c84c57495d46843791e95870582f0d1a6"
+    },
+    "aarch64_macos": {
+      "checksum": "1fd8e277212db52c791a20b6ecdb993ce47884a1aca3ee3d31066fd29acea6bb"
+    },
+    "aarch64_windows": {
+      "checksum": "059a29642ffe16ad720cb383290564df35bddd329fa34f6d1d1a4f633d6dad48"
+    }
   },
   "2.2": {
     "version": "2.2.2"

manifests/syft.json

@@ -23,10 +23,30 @@
     }
   },
   "latest": {
-    "version": "1.4.1"
+    "version": "1.5.0"
   },
   "1": {
-    "version": "1.4.1"
+    "version": "1.5.0"
+  },
+  "1.5": {
+    "version": "1.5.0"
+  },
+  "1.5.0": {
+    "x86_64_linux_musl": {
+      "checksum": "3d10023d46dfaf0fe75288df207b478b43597f7d2fff553f58430817166bd478"
+    },
+    "x86_64_macos": {
+      "checksum": "605322e3e7043a4f2f3d6e37f75a71389d38f6f290bff2e54bb2aaebbbf4829b"
+    },
+    "x86_64_windows": {
+      "checksum": "5079c6a88e130f8677d0701cb2689f9eae2088022ecf5fa2b9f341b96d9983d2"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "ee2b1289a1e4b0de9409c3a78867949ca42788a5f50072b8a6e6e04e6a269f9c"
+    },
+    "aarch64_macos": {
+      "checksum": "fe02d072e7ec9a8eb4ac866ba973396a8beae79829ee870acaadd4d862e5e65a"
+    }
   },
   "1.4": {
     "version": "1.4.1"

manifests/typos.json

@@ -15,10 +15,27 @@
     }
   },
   "latest": {
-    "version": "1.21.0"
+    "version": "1.22.0"
   },
   "1": {
-    "version": "1.21.0"
+    "version": "1.22.0"
+  },
+  "1.22": {
+    "version": "1.22.0"
+  },
+  "1.22.0": {
+    "x86_64_linux_musl": {
+      "checksum": "bfa037cb884797da229768751642191128a8096f34a77c2c2aab81f4ea4add5e"
+    },
+    "x86_64_macos": {
+      "checksum": "5cede24a0c7e7fa826372346ae8a1eb7264741412cf830acb7bd6ba9d261e610"
+    },
+    "x86_64_windows": {
+      "checksum": "cded62aca581b5610a8a8ac88d26c84bbbf02cd988fca64be50da6beb7d6ad85"
+    },
+    "aarch64_macos": {
+      "checksum": "e747252644b76cca8b7c4bf3a36835186773500a2d1964ffe7341bd33ffdfbe2"
+    }
   },
   "1.21": {
     "version": "1.21.0"

tools/ci/tool-list.sh

@@ -128,17 +128,14 @@ case "${host_os}" in
         fi
         ;;
 esac
-# cargo-binstall requires cargo
-if type -P cargo &>/dev/null; then
-    # cargo-watch/watchexec-cli is supported by cargo-binstall (through quickinstall)
-    case "${version}" in
-        latest) tools+=(cargo-watch watchexec-cli nextest) ;;
-        major.minor.patch) tools+=(cargo-watch@8.1.1 watchexec-cli@1.20.5 nextest@0.9.57) ;;
-        major.minor) tools+=(cargo-watch@8.1 watchexec-cli@1.20 nextest@0.9) ;;
-        major) tools+=(cargo-watch@8 watchexec-cli@1) ;;
-        *) exit 1 ;;
-    esac
-fi
+# cargo-watch/watchexec-cli is supported by cargo-binstall (through quickinstall)
+case "${version}" in
+    latest) tools+=(cargo-watch watchexec-cli nextest) ;;
+    major.minor.patch) tools+=(cargo-watch@8.1.1 watchexec-cli@1.20.5 nextest@0.9.57) ;;
+    major.minor) tools+=(cargo-watch@8.1 watchexec-cli@1.20 nextest@0.9) ;;
+    major) tools+=(cargo-watch@8 watchexec-cli@1) ;;
+    *) exit 1 ;;
+esac
 
 # sort and dedup
 IFS=$'\n'

tools/tidy.sh

@@ -16,7 +16,7 @@ trap 's=$?; echo >&2 "$0: error on line "${LINENO}": ${BASH_COMMAND}"; exit ${s}
 # - shellcheck
 # - npm
 # - jq
-# - python
+# - python 3
 # - rustup (if Rust code exists)
 # - clang-format (if C/C++ code exists)
 #
@@ -40,6 +40,19 @@ check_config() {
         error "could not found $1 in the repository root"
     fi
 }
+check_install() {
+    for tool in "$@"; do
+        if ! type -P "${tool}" &>/dev/null; then
+            if [[ "${tool}" == "python3" ]]; then
+                if type -P python &>/dev/null; then
+                    continue
+                fi
+            fi
+            error "'${tool}' is required to run this check"
+            return 1
+        fi
+    done
+}
 info() {
     echo >&2 "info: $*"
 }
@@ -56,6 +69,27 @@ venv() {
     shift
     "${venv_bin}/${bin}${exe}" "$@"
 }
+venv_install_yq() {
+    local py_suffix=''
+    if type -P python3 &>/dev/null; then
+        py_suffix='3'
+    fi
+    exe=''
+    venv_bin='.venv/bin'
+    case "$(uname -s)" in
+        MINGW* | MSYS* | CYGWIN* | Windows_NT)
+            exe='.exe'
+            venv_bin='.venv/Scripts'
+            ;;
+    esac
+    if [[ ! -d .venv ]]; then
+        "python${py_suffix}" -m venv .venv
+    fi
+    if [[ ! -e "${venv_bin}/yq${exe}" ]]; then
+        info "installing yq to ./.venv using pip"
+        venv "pip${py_suffix}" install yq
+    fi
+}
 
 if [[ $# -gt 0 ]]; then
     cat <<EOF
@@ -68,24 +102,23 @@ fi
 # Rust (if exists)
 if [[ -n "$(git ls-files '*.rs')" ]]; then
     info "checking Rust code style"
+    check_install cargo jq python3
     check_config .rustfmt.toml
-    if type -P rustup &>/dev/null; then
+    if check_install rustup; then
         # `cargo fmt` cannot recognize files not included in the current workspace and modules
         # defined inside macros, so run rustfmt directly.
         # We need to use nightly rustfmt because we use the unstable formatting options of rustfmt.
         rustc_version=$(rustc -vV | grep '^release:' | cut -d' ' -f2)
         if [[ "${rustc_version}" == *"nightly"* ]] || [[ "${rustc_version}" == *"dev"* ]]; then
             rustup component add rustfmt &>/dev/null
-            echo "+ rustfmt \$(git ls-files '*.rs')"
+            info "running \`rustfmt \$(git ls-files '*.rs')\`"
             rustfmt $(git ls-files '*.rs')
         else
             rustup component add rustfmt --toolchain nightly &>/dev/null
-            echo "+ rustfmt +nightly \$(git ls-files '*.rs')"
+            info "running \`rustfmt +nightly \$(git ls-files '*.rs')\`"
             rustfmt +nightly $(git ls-files '*.rs')
         fi
         check_diff $(git ls-files '*.rs')
-    else
-        error "'rustup' is not installed; skipped Rust code style check"
     fi
     cast_without_turbofish=$(grep -n -E '\.cast\(\)' $(git ls-files '*.rs') || true)
     if [[ -n "${cast_without_turbofish}" ]]; then
@@ -122,11 +155,12 @@ if [[ -n "$(git ls-files '*.rs')" ]]; then
     binaries=''
     metadata=$(cargo metadata --format-version=1 --no-deps)
     has_public_crate=''
+    venv_install_yq
     for id in $(jq <<<"${metadata}" '.workspace_members[]'); do
         pkg=$(jq <<<"${metadata}" ".packages[] | select(.id == ${id})")
         publish=$(jq <<<"${pkg}" -r '.publish')
         manifest_path=$(jq <<<"${pkg}" -r '.manifest_path')
-        if ! grep -q '^\[lints\]' "${manifest_path}" && ! grep -q '^\[lints\.rust\]' "${manifest_path}"; then
+        if [[ "$(venv tomlq -c '.lints' "${manifest_path}")" == "null" ]]; then
             error "no [lints] table in ${manifest_path} please add '[lints]' with 'workspace = true'"
         fi
         # Publishing is unrestricted if null, and forbidden if an empty array.
@@ -144,13 +178,14 @@ if [[ -n "$(git ls-files '*.rs')" ]]; then
                 publish=$(jq <<<"${root_pkg}" -r '.publish')
                 # Publishing is unrestricted if null, and forbidden if an empty array.
                 if [[ "${publish}" != "[]" ]]; then
-                    if ! grep -Eq '^exclude = \[.*"/\.\*".*\]' Cargo.toml; then
+                    exclude=$(venv tomlq -r '.package.exclude[]' Cargo.toml)
+                    if ! grep <<<"${exclude}" -Eq '^/\.\*$'; then
                         error "top-level Cargo.toml of non-virtual workspace should have 'exclude' field with \"/.*\""
                     fi
-                    if [[ -e tools ]] && ! grep -Eq '^exclude = \[.*"/tools".*\]' Cargo.toml; then
+                    if [[ -e tools ]] && ! grep <<<"${exclude}" -Eq '^/tools$'; then
                         error "top-level Cargo.toml of non-virtual workspace should have 'exclude' field with \"/tools\" if it exists"
                     fi
-                    if [[ -e target-specs ]] && ! grep -Eq '^exclude = \[.*"/target-specs".*\]' Cargo.toml; then
+                    if [[ -e target-specs ]] && ! grep <<<"${exclude}" -Eq '^/target-specs$'; then
                         error "top-level Cargo.toml of non-virtual workspace should have 'exclude' field with \"/target-specs\" if it exists"
                     fi
                 fi
@@ -196,12 +231,10 @@ fi
 if [[ -n "$(git ls-files '*.c' '*.h' '*.cpp' '*.hpp')" ]]; then
     info "checking C/C++ code style"
     check_config .clang-format
-    if type -P clang-format &>/dev/null; then
-        echo "+ clang-format -i \$(git ls-files '*.c' '*.h' '*.cpp' '*.hpp')"
+    if check_install clang-format; then
+        info "running \`clang-format -i \$(git ls-files '*.c' '*.h' '*.cpp' '*.hpp')\`"
         clang-format -i $(git ls-files '*.c' '*.h' '*.cpp' '*.hpp')
         check_diff $(git ls-files '*.c' '*.h' '*.cpp' '*.hpp')
-    else
-        error "'clang-format' is not installed; skipped C/C++ code style check"
     fi
 elif [[ -e .clang-format ]]; then
     error ".clang-format is unused"
@@ -211,64 +244,39 @@ fi
 if [[ -n "$(git ls-files '*.yml' '*.yaml' '*.js' '*.json')" ]]; then
     info "checking YAML/JavaScript/JSON code style"
     check_config .editorconfig
-    if type -P npm &>/dev/null; then
-        echo "+ npx -y prettier -l -w \$(git ls-files '*.yml' '*.yaml' '*.js' '*.json')"
+    if check_install npm; then
+        info "running \`npx -y prettier -l -w \$(git ls-files '*.yml' '*.yaml' '*.js' '*.json')\`"
         npx -y prettier -l -w $(git ls-files '*.yml' '*.yaml' '*.js' '*.json')
         check_diff $(git ls-files '*.yml' '*.yaml' '*.js' '*.json')
-    else
-        error "'npm' is not installed; skipped YAML/JavaScript/JSON code style check"
     fi
     # Check GitHub workflows.
     if [[ -d .github/workflows ]]; then
         info "checking GitHub workflows"
-        if type -P jq &>/dev/null; then
-            if type -P python3 &>/dev/null || type -P python &>/dev/null; then
-                py_suffix=''
-                if type -P python3 &>/dev/null; then
-                    py_suffix='3'
-                fi
-                exe=''
-                venv_bin='.venv/bin'
-                case "$(uname -s)" in
-                    MINGW* | MSYS* | CYGWIN* | Windows_NT)
-                        exe='.exe'
-                        venv_bin='.venv/Scripts'
-                        ;;
+        if check_install jq python3; then
+            venv_install_yq
+            for workflow in .github/workflows/*.yml; do
+                # The top-level permissions must be weak as they are referenced by all jobs.
+                permissions=$(venv yq -c '.permissions' "${workflow}")
+                case "${permissions}" in
+                    '{"contents":"read"}' | '{"contents":"none"}') ;;
+                    null) error "${workflow}: top level permissions not found; it must be 'contents: read' or weaker permissions" ;;
+                    *) error "${workflow}: only 'contents: read' and weaker permissions are allowed at top level; if you want to use stronger permissions, please set job-level permissions" ;;
                 esac
-                if [[ ! -d .venv ]]; then
-                    "python${py_suffix}" -m venv .venv
-                fi
-                if [[ ! -e "${venv_bin}/yq${exe}" ]]; then
-                    venv "pip${py_suffix}" install yq
-                fi
-                for workflow in .github/workflows/*.yml; do
-                    # The top-level permissions must be weak as they are referenced by all jobs.
-                    permissions=$(venv yq -c '.permissions' "${workflow}")
-                    case "${permissions}" in
-                        '{"contents":"read"}' | '{"contents":"none"}') ;;
-                        null) error "${workflow}: top level permissions not found; it must be 'contents: read' or weaker permissions" ;;
-                        *) error "${workflow}: only 'contents: read' and weaker permissions are allowed at top level; if you want to use stronger permissions, please set job-level permissions" ;;
-                    esac
-                    # Make sure the 'needs' section is not out of date.
-                    if grep -q '# tidy:needs' "${workflow}" && ! grep -Eq '# *needs: \[' "${workflow}"; then
-                        # shellcheck disable=SC2207
-                        jobs_actual=($(venv yq '.jobs' "${workflow}" | jq -r 'keys_unsorted[]'))
-                        unset 'jobs_actual[${#jobs_actual[@]}-1]'
-                        # shellcheck disable=SC2207
-                        jobs_expected=($(venv yq -r '.jobs."ci-success".needs[]' "${workflow}"))
-                        if [[ "${jobs_actual[*]}" != "${jobs_expected[*]+"${jobs_expected[*]}"}" ]]; then
-                            printf -v jobs '%s, ' "${jobs_actual[@]}"
-                            sed -i "s/needs: \[.*\] # tidy:needs/needs: [${jobs%, }] # tidy:needs/" "${workflow}"
-                            check_diff "${workflow}"
-                            error "${workflow}: please update 'needs' section in 'ci-success' job"
-                        fi
+                # Make sure the 'needs' section is not out of date.
+                if grep -q '# tidy:needs' "${workflow}" && ! grep -Eq '# *needs: \[' "${workflow}"; then
+                    # shellcheck disable=SC2207
+                    jobs_actual=($(venv yq '.jobs' "${workflow}" | jq -r 'keys_unsorted[]'))
+                    unset 'jobs_actual[${#jobs_actual[@]}-1]'
+                    # shellcheck disable=SC2207
+                    jobs_expected=($(venv yq -r '.jobs."ci-success".needs[]' "${workflow}"))
+                    if [[ "${jobs_actual[*]}" != "${jobs_expected[*]+"${jobs_expected[*]}"}" ]]; then
+                        printf -v jobs '%s, ' "${jobs_actual[@]}"
+                        sed -i "s/needs: \[.*\] # tidy:needs/needs: [${jobs%, }] # tidy:needs/" "${workflow}"
+                        check_diff "${workflow}"
+                        error "${workflow}: please update 'needs' section in 'ci-success' job"
                     fi
-                done
-            else
-                error "'python3' is not installed; skipped GitHub workflow check"
-            fi
-        else
-            error "'jq' is not installed; skipped GitHub workflow check"
+                fi
+            done
         fi
     fi
 fi
@@ -281,12 +289,10 @@ fi
 if [[ -n "$(git ls-files '*.toml' | (grep -v .taplo.toml || true))" ]]; then
     info "checking TOML style"
     check_config .taplo.toml
-    if type -P npm &>/dev/null; then
-        echo "+ npx -y @taplo/cli fmt \$(git ls-files '*.toml')"
+    if check_install npm; then
+        info "running \`npx -y @taplo/cli fmt \$(git ls-files '*.toml')\`"
         RUST_LOG=warn npx -y @taplo/cli fmt $(git ls-files '*.toml')
         check_diff $(git ls-files '*.toml')
-    else
-        error "'npm' is not installed; skipped TOML style check"
     fi
 elif [[ -e .taplo.toml ]]; then
     error ".taplo.toml is unused"
@@ -296,11 +302,9 @@ fi
 if [[ -n "$(git ls-files '*.md')" ]]; then
     info "checking Markdown style"
     check_config .markdownlint-cli2.yaml
-    if type -P npm &>/dev/null; then
-        echo "+ npx -y markdownlint-cli2 \$(git ls-files '*.md')"
+    if check_install npm; then
+        info "running \`npx -y markdownlint-cli2 \$(git ls-files '*.md')\`"
         npx -y markdownlint-cli2 $(git ls-files '*.md')
-    else
-        error "'npm' is not installed; skipped Markdown style check"
     fi
 elif [[ -e .markdownlint-cli2.yaml ]]; then
     error ".markdownlint-cli2.yaml is unused"
@@ -312,29 +316,25 @@ fi
 
 # Shell scripts
 info "checking Shell scripts"
-if type -P shfmt &>/dev/null; then
+if check_install shfmt; then
     check_config .editorconfig
-    echo "+ shfmt -l -w \$(git ls-files '*.sh')"
+    info "running \`shfmt -l -w \$(git ls-files '*.sh')\`"
     shfmt -l -w $(git ls-files '*.sh')
     check_diff $(git ls-files '*.sh')
-else
-    error "'shfmt' is not installed; skipped Shell scripts style check"
 fi
-if type -P shellcheck &>/dev/null; then
+if check_install shellcheck; then
     check_config .shellcheckrc
-    echo "+ shellcheck \$(git ls-files '*.sh')"
+    info "running \`shellcheck \$(git ls-files '*.sh')\`"
     if ! shellcheck $(git ls-files '*.sh'); then
         should_fail=1
     fi
     if [[ -n "$(git ls-files '*Dockerfile')" ]]; then
         # SC2154 doesn't seem to work on dockerfile.
-        echo "+ shellcheck -e SC2148,SC2154,SC2250 \$(git ls-files '*Dockerfile')"
+        info "running \`shellcheck -e SC2148,SC2154,SC2250 \$(git ls-files '*Dockerfile')\`"
         if ! shellcheck -e SC2148,SC2154,SC2250 $(git ls-files '*Dockerfile'); then
             should_fail=1
         fi
     fi
-else
-    error "'shellcheck' is not installed; skipped Shell scripts style check"
 fi
 
 # License check
@@ -383,13 +383,14 @@ fi
 if [[ -f .cspell.json ]]; then
     info "spell checking"
     project_dictionary=.github/.cspell/project-dictionary.txt
-    if type -P npm &>/dev/null; then
+    if check_install npm jq python3; then
         has_rust=''
         if [[ -n "$(git ls-files '*Cargo.toml')" ]]; then
+            venv_install_yq
             has_rust='1'
             dependencies=''
             for manifest_path in $(git ls-files '*Cargo.toml'); do
-                if [[ "${manifest_path}" != "Cargo.toml" ]] && ! grep -Eq '\[workspace\]' "${manifest_path}"; then
+                if [[ "${manifest_path}" != "Cargo.toml" ]] && [[ "$(venv tomlq -c '.workspace' "${manifest_path}")" == "null" ]]; then
                     continue
                 fi
                 metadata=$(cargo metadata --format-version=1 --no-deps --manifest-path "${manifest_path}")
@@ -422,7 +423,7 @@ EOF
             error "you may want to mark .github/.cspell/rust-dependencies.txt linguist-generated"
         fi
 
-        echo "+ npx -y cspell --no-progress --no-summary \$(git ls-files)"
+        info "running \`npx -y cspell --no-progress --no-summary \$(git ls-files)\`"
         if ! npx -y cspell --no-progress --no-summary $(git ls-files); then
             error "spellcheck failed: please fix uses of above words or add to ${project_dictionary} if correct"
         fi
@@ -454,8 +455,6 @@ EOF
             echo -n "${unused}"
             echo "======================================="
         fi
-    else
-        error "'npm' is not installed; skipped spell check"
     fi
 fi