Separating fetching from building for better security

bjorn3:

Why is the __CARGO_TEST_CHANNEL_OVERRIDE_DO_NOT_USE_THIS=nightly necessary? None of the arguments you passed are unstable.

I was surprised that rust-analzyer fetches dependencies of the stdlib (and not just of the project being analyzed). I naively assumed that rustup already installs everything that is needed for using the stdlib. It turns out that it installs everything that is needed for building with the stdlib, but not for rust-analyzing it. (Or at least this is my understanding.)

Since I was getting warnings about the wrapped rust-analyzer not being able to fetch what it needs, I added code that tries to emulate what rust-analyzer itself does. I took the above from rust-analyzer-master/crates/project-model/src/sysroot.rs:369

  let mut cargo_config = cargo_config.clone();
  // the sysroot uses `public-dependency`, so we make cargo think it's a nightly
  cargo_config.extra_env.insert(
      "__CARGO_TEST_CHANNEL_OVERRIDE_DO_NOT_USE_THIS".to_owned(),
      Some("nightly".to_owned()),
  );

I do not claim to have a deep understanding of the involved mechanisms, but it seems to work at least in my testing.

In any way, whether __CARGO_TEST_CHANNEL_OVERRIDE_DO_NOT_USE_THIS=nightly should be set or not is not my main point.