[Solved] Run crater/cargobomb on GitHub projects not published on crates.io?


I saw a quote on another thread:

Note: even if you could prove that this didn’t break any crates on crates.io through a crater run, it could still break code not on crates.io.

And it made me think of a possible idea to widen the net of crater/cargobomb. What if something indexed the Rust projects on GitHub (and GitLab/Bitbucket?) that weren’t published on crates.io? Seems you could do something like look for the precence of Cargo.toml in the root and/or a .travis.yml containing language: rust. You’d want to prune out the duplicates that are published on crates.io, perhaps filtering out those that match any “Repository” listing in crates.io.

The advantage of this is you might have more coverage of “applications” rather than only libraries. I have a toy 2D game application on GitHub that would be such an example.

I’m not sure how you would do versioning of GitHub Rust projects unless they are doing tagging. You could use commits as pseudo releases.

It’s likely, however, that the complexity of this is not worth the cost, but just thought I’d throw out the idea.


cargobomb knows how to discover rust projects from GitHub and it tests them!

Here’s the discovery code fwiw. It’s quite heinous.

#[no_mangle] vs modules and pub

If you open a cargobomb report, click ‘test-pass’, then scroll to the bottom, you’ll see a bunch of GitHub results.