Release 2.62.62

Updates the requirements on [spdx](https://github.com/EmbarkStudios/spdx) to permit the latest version.
- [Release notes](https://github.com/EmbarkStudios/spdx/releases)
- [Changelog](https://github.com/EmbarkStudios/spdx/blob/main/CHANGELOG.md)
- [Commits](https://github.com/EmbarkStudios/spdx/compare/0.12.0...0.13.0)

---
updated-dependencies:
- dependency-name: spdx
  dependency-version: 0.13.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/.cspell/rust-dependencies.txt

@@ -1,5 +1,5 @@
-// This file is @generated by tidy.sh.
-// It is not intended for manual editing.
+# This file is @generated by tidy.sh.
+# It is not intended for manual editing.
 
 flate
 minisign

.github/workflows/release.yml

@@ -32,7 +32,8 @@ jobs:
 
   create-release-manifest-schema:
     if: github.repository_owner == 'taiki-e' && startsWith(github.ref_name, 'install-action-manifest-schema-')
-    uses: taiki-e/github-actions/.github/workflows/create-release.yml@main
+    # TODO: use new rust-release workflow
+    uses: taiki-e/github-actions/.github/workflows/create-release.yml@853cebf868aa2dce1470668df24176803e05adc8
     with:
       crates: tools/manifest-schema
       changelog: tools/manifest-schema/CHANGELOG.md

.github/zizmor.yml

@@ -2,7 +2,7 @@
 # https://docs.zizmor.sh/configuration/
 
 rules:
-  dependabot-cooldown: { disable: true } # Useless unless unpinned-uses is enabled.
+  dependabot-cooldown: { disable: true } # Useless unless hash-pin is forced by unpinned-uses.
   ref-confusion: { disable: true } # TODO: Old GHA didn't work without this pattern in some cases, but does it seem to be fixed?
   secrets-inherit: { disable: true }
   unpinned-uses:
@@ -12,5 +12,5 @@ rules:
         '*': ref-pin
   obfuscation:
     ignore:
-      # We use `shell: cmd` to test compatibility
+      # We use `shell: cmd` to test compatibility.
       - ci.yml

CHANGELOG.md

@@ -10,6 +10,18 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
 
 ## [Unreleased]
 
+## [2.62.62] - 2025-12-03
+
+- Update `cargo-deny@latest` to 0.18.8.
+
+- Update `cargo-shear@latest` to 1.7.1.
+
+- Update `trivy@latest` to 0.68.1.
+
+- Update `uv@latest` to 0.9.15.
+
+- Update `knope@latest` to 0.21.6.
+
 ## [2.62.61] - 2025-12-02
 
 - Update `cargo-deny@latest` to 0.18.7.
@@ -5039,7 +5051,8 @@ Note: This release is considered a breaking change because installing on version
 
 Initial release
 
-[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.62.61...HEAD
+[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.62.62...HEAD
+[2.62.62]: https://github.com/taiki-e/install-action/compare/v2.62.61...v2.62.62
 [2.62.61]: https://github.com/taiki-e/install-action/compare/v2.62.60...v2.62.61
 [2.62.60]: https://github.com/taiki-e/install-action/compare/v2.62.59...v2.62.60
 [2.62.59]: https://github.com/taiki-e/install-action/compare/v2.62.58...v2.62.59

README.md

@@ -20,10 +20,10 @@ GitHub Action for installing development tools (mainly from GitHub Releases).
 
 ### Inputs
 
-| Name     | Required | Description                             | Type    | Default |
-| -------- |:--------:| --------------------------------------- | ------- | ------- |
-| tool     | **✓**    | Tools to install (comma-separated list) | String  |         |
-| checksum |          | Whether to enable checksums             | Boolean | `true`  |
+| Name | Required | Description | Type | Default |
+| ---- | :------: | ----------- | ---- | ------- |
+| tool | **✓** | Tools to install (comma-separated list) | String | |
+| checksum | | Whether to enable checksums | Boolean | `true` |
 
 ### Example workflow
 

manifests/cargo-deny.json

@@ -24,10 +24,32 @@
   },
   "license_markdown": "[MIT](https://github.com/EmbarkStudios/cargo-deny/blob/main/LICENSE-MIT) OR [Apache-2.0](https://github.com/EmbarkStudios/cargo-deny/blob/main/LICENSE-APACHE)",
   "latest": {
-    "version": "0.18.7"
+    "version": "0.18.8"
   },
   "0.18": {
-    "version": "0.18.7"
+    "version": "0.18.8"
+  },
+  "0.18.8": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE3283C5559F67",
+      "checksum": "663f655b23c58e7d8eaf1c6b6bd8e197742757b5314bd292fd8dcbc0a16581c6"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE3283B49FB8D0",
+      "checksum": "7091e8bdd0fa8febb904c403fe1390352afe54436964a5ecd698a5e16d6a1822"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE328430395712",
+      "checksum": "7ac004b6205e1478ad8b05d743758e69bceb77f38e9dbb0ec56ea832e5bbdd96"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE3283E191578F",
+      "checksum": "2f6ee38e5ca2e4c42ad5d730cf90ba443cd09f7744da38a2806df24a8b63f61f"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE3283D77ADD23",
+      "checksum": "83a1b8adde73f2e40ed26dfbbe360f94459ecf39f4994396d8d73f88b9d82ad8"
+    }
   },
   "0.18.7": {
     "x86_64_linux_musl": {

manifests/cargo-shear.json

@@ -28,13 +28,39 @@
   },
   "license_markdown": "[MIT](https://github.com/Boshen/cargo-shear/blob/main/LICENSE)",
   "latest": {
-    "version": "1.7.0"
+    "version": "1.7.1"
   },
   "1": {
-    "version": "1.7.0"
+    "version": "1.7.1"
   },
   "1.7": {
-    "version": "1.7.0"
+    "version": "1.7.1"
+  },
+  "1.7.1": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE327BCBE75955",
+      "checksum": "48dbeb3aa587e217e5f91505991b353d6f9c6e8eb663241f339de643b21f847e"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE327BDF400922",
+      "checksum": "4f8d4c2d6e8f51ed5a8ff6d1a065028bd6440091e62bb06e8f86fbe804218744"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE327C18793EB8",
+      "checksum": "79acec595ffd79824d1ad706c5da21b9e96c5de13afe865282dc90d456c91cf9"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE327BD0614462",
+      "checksum": "46944afc093256d68b1a3eba6355ef637113129aa0d7ae59d4459edbaf53335a"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE327BD75F9FAE",
+      "checksum": "171b70e2550f9742aabe9550fde6e9147b594ae82133e280a08a8c26e38d27d3"
+    },
+    "aarch64_windows": {
+      "etag": "0x8DE327BF755A705",
+      "checksum": "d487f98d466be25c9e94030a3740a52774494d1ec081412877e8f21af9306442"
+    }
   },
   "1.7.0": {
     "x86_64_linux_musl": {

manifests/knope.json

@@ -3,10 +3,10 @@
   "template": null,
   "license_markdown": "[MIT](https://github.com/knope-dev/knope/blob/main/LICENSE)",
   "latest": {
-    "version": "0.21.5"
+    "version": "0.21.6"
   },
   "0.21": {
-    "version": "0.21.5"
+    "version": "0.21.6"
   },
   "0.21.6": {
     "x86_64_linux_musl": {

manifests/trivy.json

@@ -32,7 +32,40 @@
   },
   "license_markdown": "[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)",
   "latest": {
-    "version": "0.67.2"
+    "version": "0.68.1"
+  },
+  "0.68": {
+    "version": "0.68.1"
+  },
+  "0.68.1": {
+    "x86_64_linux_gnu": {
+      "etag": "0x8DE3251848BE364",
+      "checksum": "63e37242088e418651931f891963c19554faa19f0591fe6b40b606152051df2f"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE3251830BD5BF",
+      "checksum": "d5b5bd3b3c3626d223c3981cc40f4709f00a6327a681b588d2fc64a3aa9d02c5"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE325185F54E47",
+      "checksum": "600fc65bdb486e160efeedf8fff8ef6be8e9d2e82f2ea4db82ad23263ed5f902"
+    },
+    "aarch64_linux_gnu": {
+      "etag": "0x8DE325182E5186B",
+      "checksum": "b29ea550f573afbcae3c86fb2b5e0ebba76b7cb0965e3787c4e8cb884d2c1d57"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE32518617A3C8",
+      "checksum": "4dd3d2e74e1b6f6f7fd5fbf55489727698f586d6a6a0cff3421031a05b80bcac"
+    },
+    "powerpc64le_linux_gnu": {
+      "etag": "0x8DE325182EA1BD7",
+      "checksum": "85fad2f54d695044ff4c7cfbf527a339bbba624e248ca78c81b24d3ff505ec36"
+    },
+    "s390x_linux_gnu": {
+      "etag": "0x8DE325184AA45AE",
+      "checksum": "5fd10a554ffc2a82bdc0212112352f0641d1ccf46b60f7c3be8b1f6c9e98a291"
+    }
   },
   "0.67": {
     "version": "0.67.2"

manifests/uv.json

@@ -40,10 +40,48 @@
   },
   "license_markdown": "[Apache-2.0](https://github.com/astral-sh/uv/blob/main/LICENSE-APACHE) OR [MIT](https://github.com/astral-sh/uv/blob/main/LICENSE-MIT)",
   "latest": {
-    "version": "0.9.14"
+    "version": "0.9.15"
   },
   "0.9": {
-    "version": "0.9.14"
+    "version": "0.9.15"
+  },
+  "0.9.15": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE320C0CDF1726",
+      "checksum": "7037889adb182ce50379b3a789154ad6be00397b892fec9e93e11c457945aec0"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE320C0C5D32FD",
+      "checksum": "a7d9ae35ce2d192cb0356f07439cfc6768d4dff8e95ae69f821e8fbe7bcb0e09"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE320C0C99A9C9",
+      "checksum": "a6887c93a54c46de7dcc0bc798f84a130d7f411124ad43252716f75d0c2c33e0"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE320C0A36F269",
+      "checksum": "41f6ef4f86e9f8015bc31e9ca4fd44a6e2c80fc0b75d6eb74063f64ca15177c7"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE320C0995E95E",
+      "checksum": "388029510fdf64771745e9fb85cd6ec042580678a9e61c90fe355301f1c42f1e"
+    },
+    "aarch64_windows": {
+      "etag": "0x8DE320C09D7FF2D",
+      "checksum": "19422893deba37feb4b4191b43be89525ac48bd378f9fdbf2d5bca44319f8c19"
+    },
+    "powerpc64le_linux_gnu": {
+      "etag": "0x8DE320C0BC93AB9",
+      "checksum": "880b977489a0a580df04cf9020968bf05553bccd8dd48375a0c7cb6dd8048f58"
+    },
+    "riscv64_linux_gnu": {
+      "etag": "0x8DE320C0C042C97",
+      "checksum": "cb993da480f90b226bca66a1f54c4a0419a245d07d3d0e30a3f8c9a5b1f8fd2a"
+    },
+    "s390x_linux_gnu": {
+      "etag": "0x8DE320C0C18612F",
+      "checksum": "e0cac629299a49336e92a13684671bbf50933749412f480e051a4071a619fcd8"
+    }
   },
   "0.9.14": {
     "x86_64_linux_musl": {

tools/codegen/Cargo.toml

@@ -14,7 +14,7 @@ serde = "1"
 serde_derive = "1"
 serde_json = "1"
 sha2 = "0.10"
-spdx = "0.12"
+spdx = "0.13"
 tar = "0.4"
 toml = { version = "0.9", default-features = false, features = ["parse", "serde"] }
 # TODO: call curl command instead of using ureq?

tools/publish.sh

@@ -191,7 +191,7 @@ cp -- ./manifests/* "${schema_workspace}"
   # Stage changes
   git add .
   # Detect changes, then commit and push if changes exist
-  if [[ "$(git status --porcelain=v1 | wc -l)" != "0" ]]; then
+  if [[ "$(git status --porcelain=v1 | LC_ALL=C wc -l)" != "0" ]]; then
     git commit -m 'Update manifest schema'
     retry git push origin HEAD
   fi

tools/tidy.sh

@@ -118,11 +118,11 @@ check_alt() {
 check_hidden() {
   local res
   for file in "$@"; do
-    check_alt ".${file}" "${file}" "$(comm -23 <(ls_files "*${file}") <(ls_files "*.${file}"))"
+    check_alt ".${file}" "${file}" "$(LC_ALL=C comm -23 <(ls_files "*${file}") <(ls_files "*.${file}"))"
   done
 }
 sed_rhs_escape() {
-  sed 's/\\/\\\\/g; s/\&/\\\&/g; s/\//\\\//g' <<<"$1"
+  sed -E 's/\\/\\\\/g; s/\&/\\\&/g; s/\//\\\//g' <<<"$1"
 }
 
 if [[ $# -gt 0 ]]; then
@@ -137,12 +137,8 @@ py_suffix=''
 if type -P python3 >/dev/null; then
   py_suffix=3
 fi
-yq() {
-  pipx run yq "$@"
-}
-tomlq() {
-  pipx run --spec yq tomlq "$@"
-}
+yq() { pipx run yq "$@"; }
+tomlq() { pipx run --spec yq tomlq "$@"; }
 case "$(uname -s)" in
   Linux)
     if [[ "$(uname -o)" == 'Android' ]]; then
@@ -167,10 +163,11 @@ case "$(uname -s)" in
       if [[ "${PATH}" != *'/usr/xpg4/bin'* ]]; then
         export PATH="/usr/xpg4/bin:${PATH}"
       fi
-      # GNU/BSD grep/sed is required to run some checks, but most checks are okay with other POSIX grep/sed.
+      # GNU/BSD sed is required.
+      # GNU/BSD grep is required by some checks, but most checks are okay with other POSIX grep.
       # Solaris /usr/xpg4/bin/grep has -q, -E, -F, but no -o (non-POSIX).
       # Solaris /usr/xpg4/bin/sed has no -E (POSIX.1-2024) yet.
-      for tool in sed grep; do
+      for tool in 'grep' 'sed'; do
         if type -P "g${tool}" >/dev/null; then
           eval "${tool}() { g${tool} \"\$@\"; }"
         fi
@@ -189,12 +186,8 @@ case "$(uname -s)" in
         else
           jq() { command jq "$@" | tr -d '\r'; }
         fi
-        yq() {
-          pipx run yq "$@" | tr -d '\r'
-        }
-        tomlq() {
-          pipx run --spec yq tomlq "$@" | tr -d '\r'
-        }
+        yq() { pipx run yq "$@" | tr -d '\r'; }
+        tomlq() { pipx run --spec yq tomlq "$@" | tr -d '\r'; }
       fi
     fi
     ;;
@@ -203,25 +196,34 @@ esac
 
 check_install git
 exclude_from_ls_files=()
-# - `find` lists symlinks. `! ( -name <dir> -prune )` (.i.e., ignore <dir>) are manually listed from .gitignore.
-# - `git submodule status` lists submodules. Use sed to remove the first character indicates status ( |+|-).
+# - `find` lists symlinks. `! ( -name <dir> -prune )` means recursively ignore <dir>. `cut` removes the leading `./`.
+#   This can be replaced with `fd -H -t l`.
+# - `git submodule status` lists submodules. The first `cut` removes the first character indicates status ( |+|-).
 # - `git ls-files --deleted` lists removed files.
-while IFS=$'\n' read -r line; do exclude_from_ls_files+=("${line}"); done < <({
-  find . \! \( -name .git -prune \) \! \( -name target -prune \) \! \( -name tmp -prune \) -type l | cut -c3-
-  git submodule status | sed 's/^.//' | cut -d' ' -f2
+find_prune=(\! \( -name .git -prune \))
+while IFS= read -r; do
+  find_prune+=(\! \( -name "${REPLY}" -prune \))
+done < <(sed -E 's/#.*//g; s/^[ \t]+//g; s/\/[ \t]+$//g; /^$/d' .gitignore)
+while IFS=$'\n' read -r; do
+  exclude_from_ls_files+=("${REPLY}")
+done < <({
+  find . "${find_prune[@]}" -type l | cut -c3-
+  git submodule status | cut -c2- | cut -d' ' -f2
   git ls-files --deleted
 } | LC_ALL=C sort -u)
 exclude_from_ls_files_no_symlink=()
-while IFS=$'\n' read -r line; do exclude_from_ls_files_no_symlink+=("${line}"); done < <({
-  git submodule status | sed 's/^.//' | cut -d' ' -f2
+while IFS=$'\n' read -r; do
+  exclude_from_ls_files_no_symlink+=("${REPLY}")
+done < <({
+  git submodule status | cut -c2- | cut -d' ' -f2
   git ls-files --deleted
 } | LC_ALL=C sort -u)
 ls_files() {
   if [[ "${1:-}" == '--include-symlink' ]]; then
     shift
-    comm -23 <(git ls-files "$@" | LC_ALL=C sort) <(printf '%s\n' ${exclude_from_ls_files_no_symlink[@]+"${exclude_from_ls_files_no_symlink[@]}"})
+    LC_ALL=C comm -23 <(git ls-files "$@" | LC_ALL=C sort) <(printf '%s\n' ${exclude_from_ls_files_no_symlink[@]+"${exclude_from_ls_files_no_symlink[@]}"})
   else
-    comm -23 <(git ls-files "$@" | LC_ALL=C sort) <(printf '%s\n' ${exclude_from_ls_files[@]+"${exclude_from_ls_files[@]}"})
+    LC_ALL=C comm -23 <(git ls-files "$@" | LC_ALL=C sort) <(printf '%s\n' ${exclude_from_ls_files[@]+"${exclude_from_ls_files[@]}"})
   fi
 }
 
@@ -445,7 +447,7 @@ if [[ -n "$(ls_files '*.rs')" ]]; then
       new+="${line}"$'\a'
     done < <(tr '\n' '\a' <"${markdown}" | grep -Eo '<!-- tidy:sync-markdown-to-rustdoc:start[^ ]* -->.*<!-- tidy:sync-markdown-to-rustdoc:end -->')
     new+='<!-- tidy:sync-markdown-to-rustdoc:end -->'
-    new=$(tr '\n' '\a' <"${lib}" | sed "s/<!-- tidy:sync-markdown-to-rustdoc:start[^ ]* -->.*<!-- tidy:sync-markdown-to-rustdoc:end -->/$(sed_rhs_escape "${new}")/" | tr '\a' '\n')
+    new=$(tr '\n' '\a' <"${lib}" | sed -E "s/<!-- tidy:sync-markdown-to-rustdoc:start[^ ]* -->.*<!-- tidy:sync-markdown-to-rustdoc:end -->/$(sed_rhs_escape "${new}")/" | tr '\a' '\n')
     printf '%s\n' "${new}" >|"${lib}"
     check_diff "${lib}"
   done
@@ -677,7 +679,7 @@ elif check_install shellcheck; then
         # Others: false negative
         trap -- 'rm -- ./tools/.tidy-tmp; printf >&2 "%s\n" "${0##*/}: trapped SIGINT"; exit 1' SIGINT
         printf '%s\n' "${text}" >|./tools/.tidy-tmp
-        if ! shellcheck --color="${color}" --exclude "${shellcheck_exclude}" ./tools/.tidy-tmp | sed "s/\.\/tools\/\.tidy-tmp/$(sed_rhs_escape "${display_path}")/g"; then
+        if ! shellcheck --color="${color}" --exclude "${shellcheck_exclude}" ./tools/.tidy-tmp | sed -E "s/\.\/tools\/\.tidy-tmp/$(sed_rhs_escape "${display_path}")/g"; then
           error "check failed; please resolve the above shellcheck error(s)"
         fi
         rm -- ./tools/.tidy-tmp
@@ -822,7 +824,7 @@ EOF
         # Others: false negative
         trap -- 'rm -- ./tools/.tidy-tmp; printf >&2 "%s\n" "${0##*/}: trapped SIGINT"; exit 1' SIGINT
         printf '%s\n' "${text}" >|./tools/.tidy-tmp
-        if ! shellcheck --color="${color}" --exclude "${shellcheck_exclude}" ./tools/.tidy-tmp | sed "s/\.\/tools\/\.tidy-tmp/$(sed_rhs_escape "${display_path}")/g"; then
+        if ! shellcheck --color="${color}" --exclude "${shellcheck_exclude}" ./tools/.tidy-tmp | sed -E "s/\.\/tools\/\.tidy-tmp/$(sed_rhs_escape "${display_path}")/g"; then
           error "check failed; please resolve the above shellcheck error(s)"
         fi
         rm -- ./tools/.tidy-tmp
@@ -833,7 +835,8 @@ EOF
         # The top-level permissions must be weak as they are referenced by all jobs.
         permissions=$(jq -c '.permissions' <<<"${workflow}")
         case "${permissions}" in
-          '{"contents":"read"}' | '{"contents":"none"}') ;;
+          # `permissions: {}` means "all none": https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defining-access-for-the-github_token-scopes
+          '{"contents":"read"}' | '{}') ;;
           null) error "${workflow_path}: top level permissions not found; it must be 'contents: read' or weaker permissions" ;;
           *) error "${workflow_path}: only 'contents: read' and weaker permissions are allowed at top level, but found '${permissions}'; if you want to use stronger permissions, please set job-level permissions" ;;
         esac
@@ -911,11 +914,13 @@ if [[ -e .github/dependabot.yml ]]; then
   zizmor_targets+=(.github/dependabot.yml)
 fi
 if [[ ${#zizmor_targets[@]} -gt 0 ]]; then
-  if check_install zizmor; then
+  if [[ "${ostype}" =~ ^(netbsd|openbsd|dragonfly|illumos|solaris)$ ]] && [[ -n "${CI:-}" ]] && ! type -P zizmor >/dev/null; then
+    warn "this check is skipped on NetBSD/OpenBSD/Dragonfly/illumos/Solaris due to installing zizmor is hard on these platform"
+  elif check_install zizmor; then
     IFS=' '
-    info "running \`zizmor ${zizmor_targets[*]}\`"
+    info "running \`zizmor -q ${zizmor_targets[*]}\`"
     IFS=$'\n\t'
-    zizmor "${zizmor_targets[@]}"
+    zizmor -q "${zizmor_targets[@]}"
   fi
 fi
 printf '\n'
@@ -926,7 +931,7 @@ check_alt '.sh extension' '*.bash extension' "$(ls_files '*.bash')"
 if [[ -f tools/.tidy-check-license-headers ]]; then
   info "checking license headers (experimental)"
   failed_files=''
-  for p in $(comm -12 <(eval $(<tools/.tidy-check-license-headers) | LC_ALL=C sort) <(ls_files | LC_ALL=C sort)); do
+  for p in $(LC_ALL=C comm -12 <(eval $(<tools/.tidy-check-license-headers) | LC_ALL=C sort) <(ls_files | LC_ALL=C sort)); do
     case "${p##*/}" in
       *.stderr | *.expanded.rs) continue ;; # generated files
       *.json) continue ;;                   # no comment support
@@ -998,8 +1003,8 @@ if [[ -f .cspell.json ]]; then
     printf '%s\n' "${config_old}" >|.cspell.json
     trap -- 'printf >&2 "%s\n" "${0##*/}: trapped SIGINT"; exit 1' SIGINT
     cat >|.github/.cspell/rust-dependencies.txt <<EOF
-// This file is @generated by ${0##*/}.
-// It is not intended for manual editing.
+# This file is @generated by ${0##*/}.
+# It is not intended for manual editing.
 EOF
     if [[ -n "${dependencies_words}" ]]; then
       LC_ALL=C sort -f >>.github/.cspell/rust-dependencies.txt <<<"${dependencies_words}"$'\n'
@@ -1019,7 +1024,7 @@ EOF
     if ! ls_files | npx -y cspell stdin --no-progress --no-summary --show-context; then
       error "spellcheck failed: please fix uses of below words in file names or add to ${project_dictionary} if correct"
       printf '=======================================\n'
-      { ls_files | npx -y cspell stdin --no-progress --no-summary --words-only || true; } | sed "s/'s$//g" | LC_ALL=C sort -f -u
+      { ls_files | npx -y cspell stdin --no-progress --no-summary --words-only || true; } | sed -E "s/'s$//g" | LC_ALL=C sort -f -u
       printf '=======================================\n\n'
     fi
     # Check file contains.
@@ -1027,7 +1032,7 @@ EOF
     if ! ls_files | npx -y cspell --file-list stdin --no-progress --no-summary; then
       error "spellcheck failed: please fix uses of below words or add to ${project_dictionary} if correct"
       printf '=======================================\n'
-      { ls_files | npx -y cspell --file-list stdin --no-progress --no-summary --words-only || true; } | sed "s/'s$//g" | LC_ALL=C sort -f -u
+      { ls_files | npx -y cspell --file-list stdin --no-progress --no-summary --words-only || true; } | sed -E "s/'s$//g" | LC_ALL=C sort -f -u
       printf '=======================================\n\n'
     fi
 
@@ -1038,8 +1043,8 @@ EOF
       fi
       case "${ostype}" in
         # NetBSD uniq doesn't support -i flag.
-        netbsd) dup=$(sed '/^$/d; /^\/\//d' "${project_dictionary}" "${dictionary}" | LC_ALL=C sort -f | tr '[:upper:]' '[:lower:]' | LC_ALL=C uniq -d) ;;
-        *) dup=$(sed '/^$/d; /^\/\//d' "${project_dictionary}" "${dictionary}" | LC_ALL=C sort -f | LC_ALL=C uniq -d -i) ;;
+        netbsd) dup=$(sed -E 's/#.*//g; s/^[ \t]+//g; s/\/[ \t]+$//g; /^$/d' "${project_dictionary}" "${dictionary}" | LC_ALL=C sort -f | tr '[:upper:]' '[:lower:]' | LC_ALL=C uniq -d) ;;
+        *) dup=$(sed -E 's/#.*//g; s/^[ \t]+//g; s/\/[ \t]+$//g; /^$/d' "${project_dictionary}" "${dictionary}" | LC_ALL=C sort -f | LC_ALL=C uniq -d -i) ;;
       esac
       if [[ -n "${dup}" ]]; then
         error "duplicated words in dictionaries; please remove the following words from ${project_dictionary}"
@@ -1050,13 +1055,14 @@ EOF
     # Make sure the project-specific dictionary does not contain unused words.
     if [[ -n "${REMOVE_UNUSED_WORDS:-}" ]]; then
       grep_args=()
-      for word in $(grep -Ev '^//' "${project_dictionary}" || true); do
+      while IFS= read -r word; do
         if ! grep -Eqi "^${word}$" <<<"${all_words}"; then
-          grep_args+=(-e "^${word}$")
+          grep_args+=(-e "^[ \t]*${word}[ \t]*(#.*|$)")
         fi
-      done
+      done < <(sed -E 's/#.*//g; s/^[ \t]+//g; s/\/[ \t]+$//g; /^$/d' "${project_dictionary}")
       if [[ ${#grep_args[@]} -gt 0 ]]; then
         info "removing unused words from ${project_dictionary}"
+        info "please commit changes made by the removal above"
         res=$(grep -Ev "${grep_args[@]}" "${project_dictionary}" || true)
         if [[ -n "${res}" ]]; then
           printf '%s\n' "${res}" >|"${project_dictionary}"
@@ -1066,11 +1072,11 @@ EOF
       fi
     else
       unused=''
-      for word in $(grep -Ev '^//' "${project_dictionary}" || true); do
+      while IFS= read -r word; do
         if ! grep -Eqi "^${word}$" <<<"${all_words}"; then
           unused+="${word}"$'\n'
         fi
-      done
+      done < <(sed -E 's/#.*//g; s/^[ \t]+//g; s/\/[ \t]+$//g; /^$/d' "${project_dictionary}")
       if [[ -n "${unused}" ]]; then
         error "unused words in dictionaries; please remove the following words from ${project_dictionary} or run ${0##*/} locally"
         print_fenced "${unused}"