rust: add binary to validate tarballs

I've been wanting to add stronger validation of the produced archives. We
started to do this in Python a few commits ago. However, we want to do some
low-level validation and doing this in Python will be brittle. So this
commit introduces a Rust binary. The first thing this binary does is validate
zstd compressed tarballs and examine mach-o files for allowed library
dependencies. It's a start.

As part of this, we update CI to build the binary and run it to perform
validation of the built tarball distribution.

Author: indygreg

.github/workflows/linux.yml

@@ -87,14 +87,22 @@ jobs:
         with:
           python-version: '3.8'
 
+      - name: Install Rust
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+          default: true
+          profile: minimal
+
       - name: Download sccache
         uses: actions/download-artifact@v2
         with:
           name: sccache
 
-      - name: Configure sccache
+      - name: Start sccache
         run: |
           chmod +x sccache
+          ./sccache --start-server
 
       - name: Build
         run: |
@@ -108,6 +116,11 @@ jobs:
 
           ./build-linux.py --target-triple ${{ matrix.triple }} --python ${{ matrix.py }} --optimizations ${{ matrix.optimizations }} ${EXTRA_ARGS}
 
+      - name: Validate Distribution
+        run: |
+          export RUSTC_WRAPPER=$(pwd)/sccache
+          cargo run -- validate-distribution dist/*.tar.zst
+
       - name: Upload Distribution
         uses: actions/upload-artifact@v2
         with:

.github/workflows/macos.yml

@@ -68,6 +68,13 @@ jobs:
         with:
           python-version: '3.8'
 
+      - name: Install Rust
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+          default: true
+          profile: minimal
+
       - name: Download sccache
         uses: actions/download-artifact@v2
         with:
@@ -83,6 +90,11 @@ jobs:
           export PYBUILD_RELEASE_TAG=$(git log -n 1 --date=format:%Y%m%dT%H%M%S --pretty=format:%ad)
           ./build-macos.py --python ${{ matrix.py }} --optimizations ${{ matrix.optimizations }}
 
+      - name: Validate Distribution
+        run: |
+          export RUSTC_WRAPPER=$(pwd)/sccache
+          cargo run -- validate-distribution dist/*.tar.zst
+
       - name: Stop sccache
         continue-on-error: true
         run: |

.gitignore

@@ -2,5 +2,6 @@
 build/
 docs/_build/
 dist/
+target/
 venv/
 __pycache__/