CI: Deduplicate additional tool fetching

While this moves the source of truth for CI tooling versions to
somewhere outside the workflow definitions, it also avoids duplication
and keeps debug (check.yaml) and production (publish.yaml) verifications
fully independent.

.forgejo/workflows/check.yaml

@@ -9,13 +9,6 @@ on:
       - .forgejo/**
       - Cargo.toml
       - Cargo.lock
-env:
-  JUST_VERSION: 1.45.0
-  JUST_SHA256SUM: dc3f958aaf8c6506dd90426e9b03f86dd15e74a6467ee0e54929f750af3d9e49
-  CARGO_LLVM_COV_VERSION: 0.6.21
-  CARGO_LLVM_COV_SHA256SUM: 57f491aedf7cdb261538ceb49cbb1ee9d27df7ca205a5e1a009caaf5cb911afb
-  CARGO_AUDIT_VERSION: 0.22.1
-  CARGO_AUDIT_SHA256SUM: 9899e591c3abee79bd54e88c3b03d27bcf8dd073fb1690af9cd3089be1267a67
 jobs:
   verify:
     runs-on: docker
@@ -24,8 +17,7 @@ jobs:
       image: rust:slim
     steps:
       - name: Install action dependencies
-        run: |
-          apt-get install --no-install-recommends --update -y nodejs curl
+        run: apt-get install --no-install-recommends --update -y nodejs curl
 
       - name: Checkout code
         uses: actions/checkout@v6
@@ -36,32 +28,7 @@ jobs:
           rustup component add --toolchain nightly rustfmt clippy
 
       - name: Setup additional tooling
-        run: |
-          fetch() {
-            repo="$1"; tag="$2"; filename="$3"; digest="$4"; binary="$5"
-
-            [ -d /tmp/tools ] || mkdir -p /tmp/tools
-
-            curl -sSLO --output-dir /tmp \
-                -w '%{stderr}HTTP %{response_code} %{url}\n' \
-                "https://github.com/$repo/releases/download/$tag/$filename"
-
-            printf '%s  %s\n' "$digest" "/tmp/$filename" > /tmp/digest
-            sha256sum --check /tmp/digest
-            tar xf "/tmp/$filename" -C /tmp/tools
-            find /tmp/tools -type f -executable -name "$binary" \
-              -exec mv '{}' /usr/local/bin ';'
-          }
-
-          fetch casey/just ${{ env.JUST_VERSION }} \
-            just-${{ env.JUST_VERSION }}-x86_64-unknown-linux-musl.tar.gz \
-            ${{ env.JUST_SHA256SUM }} just
-          fetch taiki-e/cargo-llvm-cov v${{ env.CARGO_LLVM_COV_VERSION }} \
-            cargo-llvm-cov-x86_64-unknown-linux-gnu.tar.gz \
-            ${{ env.CARGO_LLVM_COV_SHA256SUM }} cargo-llvm-cov
-          fetch rustsec/rustsec v${{ env.CARGO_AUDIT_VERSION }} \
-            cargo-audit-x86_64-unknown-linux-gnu-v0.22.1.tgz \
-            ${{ env.CARGO_AUDIT_SHA256SUM }} cargo-audit
+        run: .forgejo/workflows/setup-tools.sh
 
       - name: Build
         run: just build

.forgejo/workflows/publish.yaml

@@ -2,13 +2,6 @@ on:
   push:
     tags:
       - 'v*'
-env:
-  JUST_VERSION: 1.45.0
-  JUST_SHA256SUM: dc3f958aaf8c6506dd90426e9b03f86dd15e74a6467ee0e54929f750af3d9e49
-  CARGO_LLVM_COV_VERSION: 0.6.21
-  CARGO_LLVM_COV_SHA256SUM: 57f491aedf7cdb261538ceb49cbb1ee9d27df7ca205a5e1a009caaf5cb911afb
-  CARGO_AUDIT_VERSION: 0.22.1
-  CARGO_AUDIT_SHA256SUM: 9899e591c3abee79bd54e88c3b03d27bcf8dd073fb1690af9cd3089be1267a67
 jobs:
   publish:
     runs-on: docker
@@ -29,32 +22,7 @@ jobs:
           rustup component add --toolchain nightly rustfmt clippy
 
       - name: Setup additional tooling
-        run: |
-          fetch() {
-            repo="$1"; tag="$2"; filename="$3"; digest="$4"; binary="$5"
-
-            [ -d /tmp/tools ] || mkdir -p /tmp/tools
-
-            curl -sSLO --output-dir /tmp \
-                -w '%{stderr}HTTP %{response_code} %{url}\n' \
-                "https://github.com/$repo/releases/download/$tag/$filename"
-
-            printf '%s  %s\n' "$digest" "/tmp/$filename" > /tmp/digest
-            sha256sum --check /tmp/digest
-            tar xf "/tmp/$filename" -C /tmp/tools
-            find /tmp/tools -type f -executable -name "$binary" \
-              -exec mv '{}' /usr/local/bin ';'
-          }
-
-          fetch casey/just ${{ env.JUST_VERSION }} \
-            just-${{ env.JUST_VERSION }}-x86_64-unknown-linux-musl.tar.gz \
-            ${{ env.JUST_SHA256SUM }} just
-          fetch taiki-e/cargo-llvm-cov v${{ env.CARGO_LLVM_COV_VERSION }} \
-            cargo-llvm-cov-x86_64-unknown-linux-gnu.tar.gz \
-            ${{ env.CARGO_LLVM_COV_SHA256SUM }} cargo-llvm-cov
-          fetch rustsec/rustsec v${{ env.CARGO_AUDIT_VERSION }} \
-            cargo-audit-x86_64-unknown-linux-gnu-v0.22.1.tgz \
-            ${{ env.CARGO_AUDIT_SHA256SUM }} cargo-audit
+        run: .forgejo/workflows/setup-tools.sh
 
       - name: Build release binary
         run: just full-build

.forgejo/workflows/setup-tools.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env sh
+
+set -eu
+
+JUST_VERSION="1.45.0"
+JUST_SHA256SUM="dc3f958aaf8c6506dd90426e9b03f86dd15e74a6467ee0e54929f750af3d9e49"
+CARGO_LLVM_COV_VERSION="0.6.21"
+CARGO_LLVM_COV_SHA256SUM="57f491aedf7cdb261538ceb49cbb1ee9d27df7ca205a5e1a009caaf5cb911afb"
+CARGO_AUDIT_VERSION="0.22.1"
+CARGO_AUDIT_SHA256SUM="1890badd5f15831a9af4b074399fcd21e6f7c0fe42c84e9254cdffc9f813765c"
+
+TRIPLE="x86_64-unknown-linux-gnu"
+TRIPLE_MUSL="x86_64-unknown-linux-musl"
+
+fetch() {
+    repo="$1"; tag="$2"; filename="$3"; digest="$4"; binary="$5"
+
+    [ -d /tmp/tools ] || mkdir -p /tmp/tools
+
+    curl -sSLO --output-dir /tmp \
+        -w '%{stderr}HTTP %{response_code} %{url}\n' \
+        "https://github.com/$repo/releases/download/$tag/$filename"
+
+    printf '%s  %s\n' "$digest" "/tmp/$filename" > /tmp/digest
+    sha256sum --check /tmp/digest
+    tar xf "/tmp/$filename" -C /tmp/tools
+    find /tmp/tools -type f -executable -name "$binary" \
+        -exec mv '{}' /usr/local/bin ';'
+}
+
+fetch casey/just "$JUST_VERSION" \
+    "just-$JUST_VERSION-$TRIPLE_MUSL.tar.gz" \
+    "$JUST_SHA256SUM" just
+
+fetch taiki-e/cargo-llvm-cov "v$CARGO_LLVM_COV_VERSION" \
+    "cargo-llvm-cov-$TRIPLE.tar.gz" \
+    "$CARGO_LLVM_COV_SHA256SUM" cargo-llvm-cov
+
+fetch rustsec/rustsec "v$CARGO_AUDIT_VERSION" \
+    "cargo-audit-$TRIPLE-v$CARGO_AUDIT_VERSION.tgz" \
+    "$CARGO_AUDIT_SHA256SUM" cargo-audit
+