pin the toolchain version used by clippy

[danieleades]

see discussion in #618

• pin clippy version for consistent lints across all PRs
• modify MSRV action such that dependabot will bump version of clippy toolchain but not touch msrv

[Philippe-Cholet]

I was working on this but was kinda blocked (I mostly discover dependabot to be honest), so thanks.

What bug me about this kind of change is #758 that we did not want.

Are you saying that with: toolchain: 1.43.1 will make dependabot ignore it? That sounds so simple as I was looking in another direction to solve this (use "ignore" option).

[danieleades]

I was working on this but was kinda blocked (I mostly discover dependabot to be honest), so thanks.

What bug me about this kind of change is #758 that we did not want.

Are you saying that with: toolchain: 1.43.1 will make dependabot ignore it? That sounds so simple as I was looking in another direction to solve this (use "ignore" option).

You certainly can configure dependabot to ignore the whole action, but that would also prevent it from bumping the pinned clippy toolchain version.

Dependabot doesn't parse the toolchain config, only the action version, so this should work fine (though it's untested).

I can probably test it on a fork to confirm it works the way I expect

[Philippe-Cholet]

Ok that seems good. Another thing that bothered me in #758 was that it suggested to update the version to "1.80.0" while I thought it would have suggested "1.74.0" (or whatever appropriate version at the time it wrote it).

[danieleades]

Ok that seems good. Another thing that bothered me in #758 was that it suggested to update the version to "1.80.0" while I thought it would have suggested "1.74.0" (or whatever appropriate version at the time it wrote it).

I missed that, that could be a problem.
Dependabot here is not doing anything clever to check the latest stable version, it's just checking the versions of the GitHub action that have been published. Perhaps these higher numbers are aliases for nightly releases?

[Philippe-Cholet]

This is intentional but it's convenient ahead-of-time PR.
I'm having a hard time finding a Rust repo pinning clippy (and using Dependabot).

[mightyiam]

For my taste, this is too many things in one PR.

[danieleades]

I'm having a hard time finding a Rust repo pinning clippy (and using Dependabot).

pinning the version of linters is a general pattern, not limited to the Rust ecosystem

[danieleades]

For my taste, this is too many things in one PR.

      - uses: dtolnay/rust-toolchain@master
        with:
          toolchain: stable
          components: rustfmt

to

      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt

is not strictly required, but trivial. All other changes are required.

[danieleades]

This is dtolnay/rust-toolchain#43 but it's convenient ahead-of-time PR.

i think this might be deal-breaker unfortunately

[Philippe-Cholet]

i think this might be deal-breaker unfortunately

I agree. I think we are gonna stick with stable clippy and handle rare breakage as soon as it appears.

PS: There is not that many things in that PR.

[Philippe-Cholet]

Thank you anyway.