fix(ci): pin dtolnay/rust-toolchain to reachable v1 release so Dependabot resolves#4077
Merged
rysweet merged 1 commit intoJul 15, 2026
Conversation
…abot resolves (completes taiki-e fix from #2864) The default-branch `dependabot/dependabot-updates` (github_actions) run failed on TWO dependencies with the same root cause, not one: | taiki-e/install-action | unknown_error | | dtolnay/rust-toolchain | unknown_error | PR #2864 fixed only `taiki-e/install-action`. `dtolnay/rust-toolchain` was still pinned to the HEAD of dtolnay's per-channel *branches* (`# stable`, `# nightly`), whose commits are diverged from the action's default branch (`git compare master...<sha>` → `status=diverged`). Dependabot shallow-clones the default branch to look for newer versions, so it cannot resolve a diverged-branch commit ("no such commit ..."), which aborts the whole update run and keeps the default branch's Actions health red on the next scheduled Dependabot run. Fix (same pattern #2864 applied to taiki-e): pin the reachable `v1` release SHA (`e97e2d8c...`, an ancestor of the default branch → Dependabot-resolvable) and select the channel via the `with: toolchain:` input. Applied to all three pins: coverage.yml (nightly), release.yml (stable), and the rust-runner-prep composite action (stable). Functionally equivalent — same toolchains installed. Regression guards extended to cover dtolnay/rust-toolchain and to scan in-repo composite actions (not just workflows): - tests/dependabot_action_pins.rs: new `dtolnay_rust_toolchain_pins_are_dependabot_resolvable` - tests/gadugi/dependabot-action-pins-resolvable.{sh,yaml} Both fail if a diverged per-channel/per-tool pin is reintroduced (verified). Docs: dependency-trust-policy.md documents the dtolnay v1-release pin policy. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Owner
Author
|
Criterion 4 — CI 100% green (final evidence). All 15 checks passing, 0 failures; |
rysweet
deleted the
engineer/steward-ci-github-actions-health-across-all-gov-e06d9e64-1784091707-4dfecf
branch
July 15, 2026 05:48
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the failing default-branch
Dependabot Updates(github_actions) run onrysweet/Simard(run 29375996164, 2026-07-14). Every functional workflow (verify,release) is green onmain, but the Actions-health surface was red because the Dependabot updater aborted.Supersedes the now-stale, conflict-dirty #2917 (same fix, rebased clean onto current
maindcf909c5; conflict incoverage.ymlresolved to preservemain's reproducible dated nightlynightly-2026-07-01).Root cause (verified from the failing run log)
Dependabot's
github_actionsupdater shallow-clones each action and runs a branch-contains resolution against the default branch. The repo SHA-pinneddtolnay/rust-toolchainto the HEAD of dtolnay's per-channel branches (# stable,# nightly). Those commits are diverged from the action's default branch (dtolnay force-pushes the rolling channel branches), so they become unreachable/dangling — GitHub Actions can still check them out by direct SHA, but Dependabot'sgit branch --containsfails withno such commit, aborting the entire update run.Fix
Pin the reachable
v1release SHA (e97e2d8c…, an ancestor of the default branch, taggedv1) and select the channel via thewith: toolchain:input — same pattern #2864 applied totaiki-e/install-action. Applied to all three pins:.github/workflows/coverage.ymlnightly-2026-07-01(dated, preserved).github/workflows/release.ymlstable.github/actions/rust-runner-prep/action.yml(composite)stableFunctionally equivalent — identical toolchains installed; only the pin/selection mechanism changes to one Dependabot can resolve. Verified
dtolnay/rust-toolchain@v1'saction.ymlaccepts thetoolchaininput (passes it torustup toolchain install, so dated nightlies likenightly-2026-07-01work).Merge-ready evidence
1. qa-team scenario (gadugi)
Extended
tests/gadugi/dependabot-action-pins-resolvable.{sh,yaml}to also guarddtolnay/rust-toolchainand to scan in-repo compositeaction.ymlfiles (Dependabot reads those too).all 3 dtolnay/rust-toolchain pins are SHA+version-tag pinned,all 7 taiki-e/install-action pins…, dead diverged SHAs (754bf4db…,29eef336…,5b842231…) absent, embedded Rust guard passes. (gadugi-testbinary is not installed on this host and is not part of the repo's CI; the.shis the scenario's executed command and was run directly.)2. Docs updated
docs/reference/dependency-trust-policy.mddocuments thedtolnay/rust-toolchainv1-release pin + channel-input policy and why per-channel branch HEADs must not be pinned.3. quality-audit (SEEK→VALIDATE→FIX, ≥3 cycles, clean final)
5b842231. FIX: repin coverage nightly tov1. VALIDATE: regression test passes.# stablepins (release.yml, rust-runner-prep) also diverged? Yes (29eef336…diverged). FIX: repinned all 3 uses. VALIDATE:grepconfirms 0 dead SHAs; all 3 usev1.@v1accept dated nightly + components? Confirmed via upstreamaction.ymlinspection; YAML of all changed files parses. VALIDATE (final, clean): 0 findings —cargo test --test dependabot_action_pins= 2 passed / 0 failed; gadugi scenario PASS; pre-push gate (fmt + race-subset tests +clippy --all-targets --all-features --locked -D warnings) passed.4. CI green
Pushed; CI runs on this PR. Local pre-push gate (mirrors CI
verifysubset:cargo fmt --all --check, race-subsetcargo test --release, fullclippy --all-targets --all-features --locked -- -D warnings) passed. Will confirm 100% green before requesting merge. The actual Dependabot-updates fix is only verifiable on the next scheduled/dynamic run againstmainpost-merge.6. Focused diff
7 files, only the CI pins + their test/doc guards. No unrelated edits.
Closes #2864 follow-up; supersedes #2917.
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com