[PM-38767] Adopt cargo-run-bin for binary tool version pinning in desktop_native

[coroiu]

🎟️ Tracking

• PM-38767 — Adopt cargo-run-bin for binary tool version pinning in Clients / desktop-native
• Ports the SDK work from PM-38720 ([PM-38720] Re-adopt cargo-run-bin for binary tool version pinning sdk-internal#1179) and the PM-24643 lint-runner improvement ([PM-24643] Add an easy to use formatting linting command to the sdk sdk-internal#1140) to the desktop_native workspace.

📔 Objective

The desktop_native Rust workspace pinned its binary cargo tools in three inconsistent places: cargo-tool-versions (cargo-deny/sort/udeps), an ad-hoc cargo install in test.yml (cargo-llvm-cov), and another in build.js (cargo-xwin). Local-dev and CI versions could drift, and there was no single command to reproduce CI's lint checks locally.

This change:

• Pins every binary tool in one place — [workspace.metadata.bin] in apps/desktop/desktop_native/Cargo.toml — and runs them via cargo-run-bin (cargo bin <tool>), bootstrapped once with cargo install cargo-run-bin --locked --version 1.7.4. Renovate-managed.
• Enforces source-only installs (VULN-613) via a check-no-binstall guard: fails CI if cargo-binstall would be used; warns locally.
• Adds a unified lint runner (PM-24643 improvement): npm run lint:rust (--fix / --only <check>) over fmt/clippy/sort/udeps/deny, mirroring CI so a local pass means CI passes.
• Restructures the lint.yml rust job into a per-check × OS matrix with per-check .bin caching, plus a stable Rust lint aggregator job.
• Converts the dev/CI scripts to portable Node (.mjs), replacing the duplicated bash + PowerShell prepare-env pair with a single scripts/prepare-env-rust.mjs, so Windows devs no longer need Git Bash.

Notable

• cargo-xwin runs as cargo bin cargo-xwin build … (not … cargo-xwin xwin build): when cargo-run-bin invokes the binary directly, clap does not strip the xwin cargo-subcommand token.
• ⚠️ Branch protection: the matrix renames the lint jobs. Point the protected-branch required status checks at the new Rust lint aggregator job (and drop the old Run Rust lint on <os> names) so merges aren't blocked.

Verified locally

All five checks pass via npm run lint:rust; cargo bin cargo-llvm-cov resolves; pre-commit hooks (lint-staged) run the new cargo bin commands successfully; renovate config validates; both workflows parse.

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR consolidates binary cargo tool version pinning for desktop_native into a single [workspace.metadata.bin] block driven by cargo-run-bin, adds a CI guard against cargo-binstall (per VULN-613), introduces a unified npm run lint:rust runner that mirrors CI, and replaces the duplicated bash/PowerShell prepare-env scripts with a single portable Node script. The lint workflow is restructured into a per-check × OS matrix with a Rust lint aggregator job, and the renovate config is extended with regexes that keep the bootstrap cargo-run-bin version and the [workspace.metadata.bin] entries in sync. No security, correctness, or breaking-code concerns surfaced during review.

Code Review Details

No findings.

Notes for reviewers / merge:

• The PR description correctly flags that the matrix rename requires updating branch protection required-status-checks to the new Rust lint aggregator (replacing the old Run Rust lint on <os> entries). Confirm this is coordinated with the merge.
• cargo install --version X.Y.Z uses caret semantics, so the bootstrap could pick up a fresh patch in the gap between Renovate runs. This matches the existing convention used throughout [workspace.metadata.bin] and the other bootstrap call sites, so it's consistent; flagging only as a heads-up if exact pinning is desired later (--version "=X.Y.Z").
• scripts/run-cargo-tool.mjs (used by lint-staged pre-commit hooks) does not invoke checkNoBinstall() before cargo bin …; scripts/lint-rust.mjs and CI do. Local hook runs would silently use binstall if a dev has it on PATH. Low-impact (the check is a warn-only locally anyway), but worth knowing.

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
5 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@dfd6a8f). Learn more about missing BASE report.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #21169   +/-   ##
=======================================
  Coverage        ?   49.05%           
=======================================
  Files           ?     4048           
  Lines           ?   126555           
  Branches        ?    19292           
=======================================
  Hits            ?    62081           
  Misses          ?    59933           
  Partials        ?     4541           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.