Skip to content

chore: upgrade sqlx to 0.9 and bump MSRV to 1.94#156

Merged
grunch merged 2 commits into
mainfrom
chore/sqlx-0.9
Jun 26, 2026
Merged

chore: upgrade sqlx to 0.9 and bump MSRV to 1.94#156
grunch merged 2 commits into
mainfrom
chore/sqlx-0.9

Conversation

@arkanoider

@arkanoider arkanoider commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Bump sqlx from 0.6.2 to 0.9.0 with split runtime/TLS features (runtime-tokio, tls-rustls-ring)
  • Raise MSRV to Rust 1.94.0 (required by sqlx 0.9) in rust-toolchain.toml, CI, and README
  • Adapt QueryBuilder::Separated signatures in db/order.rs and db/dispute.rs for sqlx 0.9 API (single lifetime)
  • Bump crate version to 0.13.3 for release after merge

Test plan

  • cargo fmt --all
  • cargo clippy --all-targets --all-features -- -D warnings
  • cargo test --all-features (87 tests passed)

Follow-up

After merge and publish of mostro-core 0.13.3, upgrade mostro to sqlx 0.9 in a separate PR.

Summary by CodeRabbit

  • New Features
    • Updated the project to Rust 1.94.0, including the documented minimum Rust requirement.
    • Bumped the crate version to 0.13.3 and refreshed a core database dependency.
  • Bug Fixes
    • Improved compatibility with the latest Rust toolchain and related build checks.
  • Documentation
    • Updated the README badges and requirements to match the new Rust version.

Co-authored-by: Cursor <cursoragent@cursor.com>
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@arkanoider, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes and 17 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ff2c3f02-bda6-48a0-8cf4-be752ffd5113

📥 Commits

Reviewing files that changed from the base of the PR and between 3dc646e and 8543e39.

📒 Files selected for processing (1)
  • Cargo.toml

Walkthrough

The PR updates the repository to Rust 1.94.0 across CI, the pinned toolchain, and README requirements, bumps the crate version, upgrades sqlx to 0.9.0, and adjusts dispute and order SQL helper signatures.

Changes

Rust 1.94 toolchain and release metadata

Layer / File(s) Summary
Toolchain and release metadata
.github/workflows/ci.yml, Cargo.toml, README.md, rust-toolchain.toml
The MSRV job, crate version, README requirements, and pinned Rust toolchain all move to 1.94.0.
sqlx dependency bump
Cargo.toml
sqlx is updated to 0.9.0 with runtime-tokio and tls-rustls-ring features.
Database helper signatures
src/db/dispute.rs, src/db/order.rs
Dispute and order bind helper signatures switch to borrowed forms while preserving bind and update ordering.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • grunch

Poem

🐇 I hopped to Rust one-ninety-four,
And sqlx jingled at the burrow door.
My carrot-builds stayed neat and bright,
With lifetimes trimmed just right tonight.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main changes: the sqlx upgrade and Rust MSRV bump.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/sqlx-0.9

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@arkanoider arkanoider requested a review from grunch June 26, 2026 08:43

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
rust-toolchain.toml (1)

2-2: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Toolchain bump is justified; note the divergence from the documented 1.86.0 target.

1.94.0 is required by sqlx 0.9.0, so the pin is correct. The project's coding guideline still states the target is Rust 1.86.0 (2021 edition); consider updating that guideline so the documented target and the pinned toolchain stay in sync.

As per coding guidelines: "Target Rust 1.86.0 (2021 edition)".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rust-toolchain.toml` at line 2, The toolchain pin in rust-toolchain.toml is
correct for sqlx 0.9.0, but it diverges from the documented Rust 1.86.0 target.
Update the project’s coding guideline/docs that state the Rust target so they
match the pinned 1.94.0 toolchain, and keep the wording in sync with the
existing Rust target guidance.

Source: Coding guidelines

.github/workflows/ci.yml (1)

58-61: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoff

Optional: pin actions and disable credential persistence.

Static analysis flags the action refs as unpinned (actions/checkout@v6, dtolnay/rust-toolchain@stable) and notes the checkout step persists credentials by default. If you follow a pin-to-hash policy, consider pinning to commit SHAs and setting persist-credentials: false on checkout.

🔧 Example hardening
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 58 - 61, The CI workflow checkout and
Rust toolchain steps are using floating action refs and the checkout step still
persists credentials by default. Update the workflow in the GitHub Actions job
to pin the actions references for actions/checkout and dtolnay/rust-toolchain to
fixed commit SHAs, and set persist-credentials to false on the checkout step to
harden the pipeline.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 58-61: The CI workflow checkout and Rust toolchain steps are using
floating action refs and the checkout step still persists credentials by
default. Update the workflow in the GitHub Actions job to pin the actions
references for actions/checkout and dtolnay/rust-toolchain to fixed commit SHAs,
and set persist-credentials to false on the checkout step to harden the
pipeline.

In `@rust-toolchain.toml`:
- Line 2: The toolchain pin in rust-toolchain.toml is correct for sqlx 0.9.0,
but it diverges from the documented Rust 1.86.0 target. Update the project’s
coding guideline/docs that state the Rust target so they match the pinned 1.94.0
toolchain, and keep the wording in sync with the existing Rust target guidance.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 28263b4c-5f73-45e6-b930-9dec5736560d

📥 Commits

Reviewing files that changed from the base of the PR and between 4862099 and 3dc646e.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • Cargo.toml
  • README.md
  • rust-toolchain.toml
  • src/db/dispute.rs
  • src/db/order.rs

@mostronatorcoder

Copy link
Copy Markdown

I did a strict pass on this PR and I do not currently see a blocker.

What I specifically checked:

  • the sqlx bump from 0.6.2 to 0.9.0
  • the runtime/TLS feature split (runtime-tokio, tls-rustls-ring)
  • the MSRV bump to 1.94.0 across rust-toolchain.toml, CI, and README
  • the QueryBuilder::Separated signature updates in src/db/order.rs and src/db/dispute.rs

From what I can see, this is a clean mechanical upgrade.

The sensitive part here was making sure the sqlx 0.9 API adaptation did not accidentally change the persistence semantics introduced in the previous PRs. I do not see that happening: the db/order.rs and db/dispute.rs changes are just the expected lifetime/signature adjustments for Separated, without changing bind order, SQL shape, or CRUD behavior.

I also ran cargo test --all-features locally on this branch, and it passed (87 tests, plus the extra test target run with 4 passed and 1 ignored).

So from my side, this looks like a solid upgrade PR and I did not find a correctness blocker in the sqlx/MSRV transition.

@ermeme ermeme Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the current head (8543e39).

No blocking issues found; the sqlx 0.9 migration and MSRV bump are consistent, and the current branch passes cargo test locally.

@grunch grunch left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Strict review — APPROVE ✅

I reviewed this PR strictly: read the full diff, inspected the changed call sites, verified the upstream sqlx API change, and ran the full local check suite on the branch.

Correctness — verified

  • Separated signature change is exactly right. sqlx 0.9 collapsed the two-lifetime Separated<'qb, 'args: 'qb, DB, Sep> (0.6) into a single-lifetime Separated<'qb, DB, Sep>. The diff correctly drops the explicit <'a> function parameter and the &'a on the args in both db/order.rs and db/dispute.rs. No behavioral change — purely an API adaptation, and the &'static str separator type is preserved.
  • MSRV 1.94.0 is justified, not arbitrary. sqlx-core 0.9.0 declares rust-version = "1.94.0", so the bump is the minimum required. The toolchain version is consistently updated across rust-toolchain.toml, Cargo.toml features, the README badge/requirements, and the CI MSRV job. No stray 1.90 references remain anywhere in the repo.
  • Feature flags split correctly. runtime-tokio-rustlsruntime-tokio + tls-rustls-ring matches the 0.9 feature reorganization.
  • No wasm regression. sqlx is an optional dependency gated behind the sqlx feature (#[cfg(feature = "sqlx")] pub mod db;); the default feature is wasm, so wasm targets never pull sqlx/SQLite.

Local verification (branch chore/sqlx-0.9)

  • cargo build --all-features → OK (sqlx 0.9.0 compiles)
  • cargo clippy --all-targets --all-features -- -D warnings → clean
  • cargo test --all-features → 87 passed, 0 failed; doc-tests 4 passed, 1 ignored

Minor (non-blocking)

  1. The PR description still lists "Bump crate version to 0.13.3 for release after merge", but commit 8543e39 reverted that — the version stays 0.13.2 and will be set by cargo-release. The description is now slightly stale; worth editing for accuracy but no code impact.
  2. rust-toolchain.toml has no trailing newline (pre-existing, not introduced here).

Verdict

Clean, minimal, and well-scoped dependency upgrade. All correctness concerns check out and the full quality gate is green. Approving. The noted follow-up (upgrading mostro to sqlx 0.9 in a separate PR) is the right sequencing.

@grunch grunch merged commit c041891 into main Jun 26, 2026
11 checks passed
@grunch grunch deleted the chore/sqlx-0.9 branch June 26, 2026 15:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants