7848: ci: fix ambiguity issue during tokio releases

[martin-augment]

7848: To review by AI

[coderabbitai]

Walkthrough

This pull request implements a structured approach to managing local development dependencies in a multi-crate workspace. Changes include: adding a [patch.crates-io] section in the root Cargo.toml to override tokio with a local path; converting path-based dependencies to registry-versioned dependencies across multiple crate manifests (tokio-macros, tokio-stream, tokio-test, tokio-util, and tokio); updating CI workflows to remove in-repo patches and re-run tests excluding local dependencies; and adding documentation guidelines for specifying crate dependency versions. New dev-dependencies async-stream and futures-concurrency are also added to tokio/Cargo.toml.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch pr-7848-2026-02-08-11-48-34

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @martin-augment, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the dependency management within the tokio project to resolve potential ambiguities during releases and enhance the local development workflow. By centralizing the local tokio dependency override in the root Cargo.toml and removing direct path dependencies from individual crates, the project ensures that crates can be released independently while still benefiting from local development against the main tokio repository. The changes are supported by new documentation that clarifies these dependency rules, providing a more robust and understandable system for contributors.

Highlights

• Dependency Management Refinement: Centralized the local tokio dependency resolution for workspace builds by introducing a [patch.crates-io] entry in the root Cargo.toml. This change allows individual crates to remove their direct path dependencies on other tokio crates, streamlining the release process and ensuring correct dependency resolution from crates.io when built independently.
• New Contributing Documentation: Added a new contributing guide, how-to-specify-crates-dependencies-versions.md, which outlines clear rules for specifying crate dependency versions. This includes guidance on when to use path dependencies for unreleased features and the process for removing them before a release.
• CI Test Command Update: Modified the .cirrus.yml configuration to use cargo test --workspace instead of cargo test --all. This ensures that CI tests are explicitly run across all packages within the defined workspace, aligning with the refined dependency management strategy.

Changelog

• .cirrus.yml
  • Updated cargo test commands to use --workspace instead of --all for more explicit workspace testing.
• Cargo.toml
  • Added a [patch.crates-io] section to redirect the tokio dependency to the local tokio path for workspace builds.
• docs/contributing/README.md
  • Added a link to the new contributing guide on specifying crate dependency versions.
• docs/contributing/how-to-specify-crates-dependencies-versions.md
  • New file outlining rules for specifying crate dependency versions, including guidance on path dependencies and version bumping.
• tokio-macros/Cargo.toml
  • Removed path dependency for tokio in dev-dependencies.
  • Updated release comment regarding path dependencies.
• tokio-stream/Cargo.toml
  • Removed path dependencies for tokio, tokio-util, and tokio-test in both dependencies and dev-dependencies.
  • Updated release comment regarding path dependencies.
• tokio-test/Cargo.toml
  • Removed path dependencies for tokio and tokio-stream in both dependencies and dev-dependencies.
  • Updated release comment regarding path dependencies.
• tokio-util/Cargo.toml
  • Removed path dependencies for tokio, tokio-test, and tokio-stream in both dependencies and dev-dependencies.
  • Updated release comment regarding path dependencies.
• tokio/Cargo.toml
  • Removed path dependencies for tokio-test, tokio-stream, and tokio-util in dev-dependencies.
  • Updated release comment regarding path dependencies.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/ci.yml

Activity

• The pull request description indicates that it is ready for AI review, suggesting no human review activity has occurred yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[claude]

Code Review

Overview

This PR addresses an important CI/release issue by adding a workspace patch for the tokio crate and updating CI workflows to test both with and without path dependencies. The changes ensure that dependent crates (tokio-stream, tokio-util, etc.) can be tested against published versions of tokio on crates.io, preventing ambiguity during releases.

Strengths

✅ Clear Problem Solving: The workspace patch and dual-testing approach directly addresses the release ambiguity issue
✅ Comprehensive Documentation: The new how-to-specify-crates-dependencies-versions.md document is well-written and provides clear guidance
✅ Consistent Changes: All Cargo.toml files are updated consistently with path dependencies removed from dev-dependencies
✅ CI Coverage: Both test and clippy jobs now validate against published crates.io versions

Code Quality & Best Practices

✅ Good Practices

1. Workspace Patch Strategy: Using [patch.crates-io] in the root Cargo.toml is the correct approach for monorepo development
2. Documentation Updates: Comments like "(if any)" in release checklists are helpful
3. Backward Compatibility: Changes maintain existing functionality while improving the release process

⚠️ Areas for Improvement

1. CI Script Robustness (.github/workflows/ci.yml)

The sed commands could be more robust:

sed -i.bak '/^\[patch\.crates-io\]$/d; /^tokio = { path = "tokio"}$/d' Cargo.toml && rm -f Cargo.toml.bak

Issues:

• Uses different sed syntax between lines 117 (with .bak) and 229 (without .bak)
• The macOS version creates a backup file then removes it, while the Linux version doesn't
• Pattern matching is fragile and depends on exact whitespace

Suggestion: Create a helper script or use a more robust approach:

# More robust alternative
sed -i.bak '/^\[patch\.crates-io\]/,/^tokio = {/d' Cargo.toml && rm -f Cargo.toml.bak
# Or even better, use a simple Rust/Python script for cross-platform compatibility

2. Inconsistent --all vs --workspace Usage

The PR changes .cirrus.yml from --all to --workspace, which is good (more explicit), but .github/workflows/ci.yml already mixed usage. Consider:

• --workspace is the modern, preferred flag
• Ensure consistency across all CI files

3. cargo-hack Installation

Line 735 uses taiki-e/install-action@cargo-hack while line 816 uses taiki-e/install-action@v2 with tool: cargo-hack.

Suggestion: Use the versioned action consistently:

- name: Install cargo-hack
  uses: taiki-e/install-action@v2
  with:
    tool: cargo-hack

4. Documentation Clarity

In how-to-specify-crates-dependencies-versions.md, line 27-28:

"Once a new version of tokio is released, the path dependency will be removed from tokio-stream."

This might confuse readers since the example shows path = "../tokio" which is now removed. Consider updating the example to match the new reality (no path dependency, only workspace patch).

Potential Bugs

⚠️ Line 117-119 CI Test Logic

sed -i.bak '/^\[patch\.crates-io\]$/d; /^tokio = { path = "tokio"}$/d' Cargo.toml && rm -f Cargo.toml.bak
cargo nextest run \
  --workspace \
  --exclude tokio \

Issue: The sed pattern matches the exact string tokio = { path = "tokio"} (with double space before closing brace), but the actual Cargo.toml has:

tokio = { path = "tokio"}

(single space)

This sed command may fail to remove the line. The pattern should be more flexible:

sed -i.bak -e '/^\[patch\.crates-io\]$/d' -e '/^tokio = { path = "tokio"}/d' Cargo.toml

Performance Considerations

✅ No performance concerns. The changes add test coverage without impacting runtime performance.

Security Concerns

✅ No security issues identified. The changes are infrastructure/build-related.

Test Coverage

✅ Good Coverage

• Tests now run both with workspace patch (development) and without (release simulation)
• Clippy checks validate both scenarios
• WASI tests updated to use explicit manifest path

⚠️ Missing Test Coverage

Consider adding:

1. A CI job that validates the workspace patch can be cleanly removed
2. A script in the repo that performs the sed operation for easier local testing
3. Documentation tests to ensure the new how-to-specify-crates-dependencies-versions.md stays accurate

Additional Observations

Line 1094: Changed from -p tokio-stream to --manifest-path=tokio-stream/Cargo.toml

• ✅ Good change for explicitness, but ensure this works correctly when patches are removed

Cargo.toml spacing: Line 19 has inconsistent spacing:

tokio = { path = "tokio"}

Should be:

tokio = { path = "tokio" }

Recommendations

1. HIGH PRIORITY: Fix the sed pattern matching issue (potential bug)
2. MEDIUM: Standardize cargo-hack installation method
3. MEDIUM: Consider a helper script for patch removal instead of inline sed
4. LOW: Fix spacing in Cargo.toml line 19
5. LOW: Update documentation example to reflect current state

Summary

This is a solid PR that addresses a real issue in the release process. The main concerns are around CI script robustness and consistency. With the sed pattern fix, this should be ready to merge.

Overall Assessment: ✅ Approve with minor fixes recommended

---

Review generated via Claude Code

[gemini-code-assist]

Code Review

This pull request aims to fix dependency ambiguity issues by centralizing local path overrides into a [patch.crates-io] section in the root Cargo.toml. This is a good approach, but the implementation is incomplete. The patch section only includes tokio, while it should include all workspace crates to prevent pulling outdated versions from crates.io during local development. I've left a critical comment with a suggestion to fix this.

Additionally, the new contributing guide about dependency versions is not aligned with the changes in this PR and should be updated to reflect the new [patch]-based workflow. I've added a comment with suggestions for the documentation.

[gemini-code-assist]

The [patch.crates-io] section is incomplete. To resolve dependency ambiguity within the workspace for local development, it should include all workspace member crates that are dependencies of other members. Without this, builds will pull crates like tokio-util, tokio-stream, etc., from crates.io, which can lead to version conflicts and build failures when there are local changes.

You should patch all of tokio, tokio-macros, tokio-stream, tokio-test, and tokio-util.

Also, please ensure all path dependencies to other workspace crates are removed from the individual Cargo.toml files to rely solely on this patch mechanism. For example, the path dependency on tokio-macros in tokio/Cargo.toml was not removed.

Suggested change

	[patch.crates-io]
	tokio = { path = "tokio"}
	[patch.crates-io]
	tokio = { path = "tokio" }
	tokio-macros = { path = "tokio-macros" }
	tokio-stream = { path = "tokio-stream" }
	tokio-test = { path = "tokio-test" }
	tokio-util = { path = "tokio-util" }

[gemini-code-assist]

This documentation is a great addition, but it's inconsistent with the changes made in this same pull request. This PR removes path dependencies in favor of a centralized [patch.crates-io] section in the root Cargo.toml. The documentation should be updated to reflect this as the new best practice for the repository.

Specifically:

• Rule 3 should explain the [patch.crates-io] mechanism for local development instead of path dependencies.
• The example should not use a path dependency.
• The explanation of the example should refer to the workspace patch, not a path dependency.

Updating this will avoid confusion for future contributors and correctly document the new workflow.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@docs/contributing/how-to-specify-crates-dependencies-versions.md`:
- Around line 17-31: The example shows a crate-level path dependency
(tokio-stream using path = "../tokio") which is inconsistent with this PR's use
of a workspace-level [patch.crates-io] in the root Cargo.toml; update the docs
to reflect the actual pattern by replacing the inline path example with an
example that demonstrates using [patch.crates-io] in the workspace root (and
mention that individual crate manifests like tokio-util/Cargo.toml will not
contain path = entries), or alternatively add a short note showing both
approaches and stating that the workspace [patch.crates-io] is the preferred
method in this repository.

🧹 Nitpick comments (3)

docs/contributing/README.md (1)

40-40: Minor grammar nit in link text.

"crates dependencies versions" reads awkwardly — consider "crate dependency versions" for natural English phrasing.

-- [How to specify crates dependencies versions](how-to-specify-crates-dependencies-versions.md)
+- [How to specify crate dependency versions](how-to-specify-crate-dependency-versions.md)

(This would also require renaming the target .md file accordingly.)

Cargo.toml (1)

18-19: The sed removal patterns in CI are tightly coupled to this exact formatting.

The CI workflow uses literal regex ^tokio = { path = "tokio"}$ to strip these lines. Note the missing space before } — this is intentional because the sed patterns must match exactly. However, this is fragile: any formatting change (e.g., cargo fmt on TOML, or adding a trailing space) will silently break the patch-removal step.

Consider adding a CI comment near the sed calls referencing this line, or alternatively using a more resilient approach (e.g., cargo-hack --remove-dev-deps style tooling, or a toml-aware edit).

tokio-stream/Cargo.toml (1)

45-48: Dev-dep tokio version is lower than the main dependency version.

Line 45 specifies tokio = "1.2.0" while line 41 already requires tokio = "1.38.0". Cargo will unify to >=1.38.0, so this isn't a bug, but the dev-dep minimum is misleading. Consider aligning it to "1.38.0" for clarity and to catch accidental downgrades of the main dependency.

Proposed fix

 [dev-dependencies]
-tokio = { version = "1.2.0", features = ["full", "test-util"] }
+tokio = { version = "1.38.0", features = ["full", "test-util"] }

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

The example doesn't match the actual pattern used in this PR.

The example on line 23 shows an inline path = "../tokio" in tokio-stream's [dependencies], but this PR actually uses a workspace-level [patch.crates-io] in the root Cargo.toml to achieve the same effect. The individual crate manifests (e.g., tokio-util/Cargo.toml) no longer carry path = entries.

This could confuse contributors who look at the actual Cargo.toml files and see no path dependencies, contrary to what this doc describes. Consider either:

1. Updating the example to show the [patch.crates-io] approach actually used, or
2. Mentioning both approaches and clarifying which is preferred.

🤖 Prompt for AI Agents

In `@docs/contributing/how-to-specify-crates-dependencies-versions.md` around
lines 17 - 31, The example shows a crate-level path dependency (tokio-stream
using path = "../tokio") which is inconsistent with this PR's use of a
workspace-level [patch.crates-io] in the root Cargo.toml; update the docs to
reflect the actual pattern by replacing the inline path example with an example
that demonstrates using [patch.crates-io] in the workspace root (and mention
that individual crate manifests like tokio-util/Cargo.toml will not contain path
= entries), or alternatively add a short note showing both approaches and
stating that the workspace [patch.crates-io] is the preferred method in this
repository.

[martin-augment]

value:good-to-have; category:bug; feedback: The CodeRabbit AI reviewer is correct! The patch in the workspace Cargo.toml seems not really needed. The new .md file suggests to use path = "../tokio" when needed. So the global patch seems also unnecessary.

[augmentcode]

🤖 Augment PR Summary

Summary: Updates CI and workspace dependency configuration to avoid Cargo package-selection ambiguity during Tokio releases.

Changes:

• Replace deprecated/ambiguous Cargo flags (e.g., --all) with --workspace in Cirrus CI.
• Add a root [patch.crates-io] for tokio and remove intra-repo path dependencies from member crates’ manifests.
• Enhance GitHub Actions CI to run checks/tests both with and without the workspace patch (to validate release-like dependency resolution).
• Install and use cargo-hack for broader feature coverage in CI.
• Disambiguate WASI testing of tokio-stream by using --manifest-path.
• Add contributing documentation describing dependency versioning and when path dependencies are appropriate.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

The sed deletion here matches the [patch.crates-io] block very literally; small formatting changes (e.g., whitespace) or adding more entries under [patch.crates-io] could make the patch-removal silently fail or leave invalid TOML, which would undermine the “no path dependencies” checks.

Severity: medium

Other Locations

• .github/workflows/ci.yml:229
• .github/workflows/ci.yml:827

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[martin-augment]

value:valid-but-wont-fix; category:bug; feedback: The Augment AI reviewer is not correct! The syntax [patch.crates-io] is the usually used one, without any whitespace characters. There is no need to add usage of \s* around the square brackets just in case someone decides to change it to non-idiomatic syntax.

[augmentcode]

This still relies on -p tokio-stream/-p tokio-util package selection; after switching away from path deps (and given the earlier WASI step had to move to --manifest-path), this job may still run into Cargo “ambiguous package” selection when registry + workspace copies exist.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[martin-augment]

value:incorrect-but-reasonable; category:bug; feedback: The Augment AI reviewer is not correct! The cargo-hack check -p ... command behaves like cargo check --manifest-path ... and the passing CI check proves that it works as expected.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Doctest now runs without workspace patch unintentionally

Medium Severity

The sed command removing [patch.crates-io] was inserted above the pre-existing cargo test --doc --workspace line, changing its execution context. Previously, doctests ran with the workspace patch (against local tokio). Now they only run after the patch is removed, meaning non-tokio crate doctests resolve tokio from crates.io instead of using local code. There's no doctest run with the patch at all, since cargo nextest (line 114) doesn't support doctests. This creates a gap where doctests using unreleased tokio features would fail, and doctests are never validated against the local tokio source.

 

[martin-augment]

value:annoying; category:bug; feedback: The Bugbot AI reviewer is not correct! All "tokio-**" crates depend on already released version of "tokio". If they need to use the currently in development version of "tokio" then they need to use path = "../tokio" until the next release, so they will be able to compile.

[martin-augment]

45-48: Dev-dep tokio version is lower than the main dependency version.

Line 45 specifies tokio = "1.2.0" while line 41 already requires tokio = "1.38.0". Cargo will unify to >=1.38.0, so this isn't a bug, but the dev-dep minimum is misleading. Consider aligning it to "1.38.0" for clarity and to catch accidental downgrades of the main dependency.

Proposed fix

 [dev-dependencies]
-tokio = { version = "1.2.0", features = ["full", "test-util"] }
+tokio = { version = "1.38.0", features = ["full", "test-util"] }

value:useful; category:bug; feedback: The CodeRabbit AI reviewer is correct! Cargo resolves to the bigger version when the same dependency is used in both dependencies and dev-dependencies, so there is no reason to keep the versions unsynchronized.

[martin-augment]

3. cargo-hack Installation

Line 735 uses taiki-e/install-action@cargo-hack while line 816 uses taiki-e/install-action@v2 with tool: cargo-hack.

Suggestion: Use the versioned action consistently:

- name: Install cargo-hack
  uses: taiki-e/install-action@v2
  with:
    tool: cargo-hack

value:useful; category:bug; feedback: The Claude AI reviewer is correct! The Github actions should be installed in a consistent way. uses: taiki-e/install-action@v2 is preferred because this way there is a better control on the versions of the action itself and the installed tool.